1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H
16 #define OPENSSL_HEADER_CRYPTO_INTERNAL_H
17
18 #include <openssl/crypto.h>
19 #include <openssl/ex_data.h>
20 #include <openssl/stack.h>
21
22 #include <assert.h>
23 #include <stdlib.h>
24 #include <string.h>
25
26 #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION)
27 #include <valgrind/memcheck.h>
28 #endif
29
30 #if defined(BORINGSSL_FIPS_BREAK_TESTS)
31 #include <stdlib.h>
32 #endif
33
34 #if defined(OPENSSL_THREADS) && \
35 (!defined(OPENSSL_WINDOWS) || defined(__MINGW32__))
36 #include <pthread.h>
37 #define OPENSSL_PTHREADS
38 #endif
39
40 #if defined(OPENSSL_THREADS) && !defined(OPENSSL_PTHREADS) && \
41 defined(OPENSSL_WINDOWS)
42 #define OPENSSL_WINDOWS_THREADS
43 #endif
44
45 #if defined(OPENSSL_THREADS)
46 #include <atomic>
47 #endif
48
49 #if defined(OPENSSL_WINDOWS_THREADS)
50 #include <windows.h>
51 #endif
52
53 #if defined(_M_X64) || defined(_M_IX86)
54 #include "intrin.h"
55 #endif
56
57 #if defined(__cplusplus)
58 extern "C" {
59 #endif
60
61
62 #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_STATIC_ARMCAP) && \
63 (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
64 defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
65 // x86, x86_64, and the ARMs need to record the result of a cpuid/getauxval call
66 // for the asm to work correctly, unless compiled without asm code.
67 #define NEED_CPUID
68
69 // OPENSSL_cpuid_setup initializes the platform-specific feature cache. This
70 // function should not be called directly. Call |OPENSSL_init_cpuid| instead.
71 void OPENSSL_cpuid_setup(void);
72
73 // OPENSSL_init_cpuid initializes the platform-specific feature cache, if
74 // needed. This function is idempotent and may be called concurrently.
75 void OPENSSL_init_cpuid(void);
76 #else
77 inline void OPENSSL_init_cpuid(void) {}
78 #endif
79
80 #if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \
81 !defined(OPENSSL_STATIC_ARMCAP)
82 // OPENSSL_get_armcap_pointer_for_test returns a pointer to |OPENSSL_armcap_P|
83 // for unit tests. Any modifications to the value must be made before any other
84 // function call in BoringSSL.
85 OPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(void);
86 #endif
87
88
89 // On non-MSVC 64-bit targets, we expect __uint128_t support. This includes
90 // clang-cl, which defines both __clang__ and _MSC_VER.
91 #if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT)
92 #define BORINGSSL_HAS_UINT128
93 typedef __int128_t int128_t;
94 typedef __uint128_t uint128_t;
95
96 // __uint128_t division depends on intrinsics in the compiler runtime. Those
97 // intrinsics are missing in clang-cl (https://crbug.com/787617) and nanolibc.
98 // These may be bugs in the toolchain definition, but just disable it for now.
99 // EDK2's toolchain is missing __udivti3 (b/339380897) so cannot support
100 // 128-bit division currently.
101 #if !defined(_MSC_VER) && !defined(OPENSSL_NANOLIBC) && \
102 !defined(__EDK2_BORINGSSL__)
103 #define BORINGSSL_CAN_DIVIDE_UINT128
104 #endif
105 #endif
106
107 #define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
108
109 // GCC-like compilers indicate SSE2 with |__SSE2__|. MSVC leaves the caller to
110 // know that x86_64 has SSE2, and uses _M_IX86_FP to indicate SSE2 on x86.
111 // https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros?view=msvc-170
112 #if defined(__SSE2__) || defined(_M_AMD64) || defined(_M_X64) || \
113 (defined(_M_IX86_FP) && _M_IX86_FP >= 2)
114 #define OPENSSL_SSE2
115 #endif
116
117 #if defined(OPENSSL_X86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SSE2)
118 #error \
119 "x86 assembly requires SSE2. Build with -msse2 (recommended), or disable assembly optimizations with -DOPENSSL_NO_ASM."
120 #endif
121
122 // For convenience in testing the fallback code, we allow disabling SSE2
123 // intrinsics via |OPENSSL_NO_SSE2_FOR_TESTING|. We require SSE2 on x86 and
124 // x86_64, so we would otherwise need to test such code on a non-x86 platform.
125 //
126 // This does not remove the above requirement for SSE2 support with assembly
127 // optimizations. It only disables some intrinsics-based optimizations so that
128 // we can test the fallback code on CI.
129 #if defined(OPENSSL_SSE2) && defined(OPENSSL_NO_SSE2_FOR_TESTING)
130 #undef OPENSSL_SSE2
131 #endif
132
133 #if defined(__GNUC__) || defined(__clang__)
134 #define OPENSSL_ATTR_CONST __attribute__((const))
135 #else
136 #define OPENSSL_ATTR_CONST
137 #endif
138
139 #if defined(BORINGSSL_MALLOC_FAILURE_TESTING)
140 // OPENSSL_reset_malloc_counter_for_testing, when malloc testing is enabled,
141 // resets the internal malloc counter, to simulate further malloc failures. This
142 // should be called in between independent tests, at a point where failure from
143 // a previous test will not impact subsequent ones.
144 OPENSSL_EXPORT void OPENSSL_reset_malloc_counter_for_testing(void);
145
146 // OPENSSL_disable_malloc_failures_for_testing, when malloc testing is enabled,
147 // disables simulated malloc failures. Calls to |OPENSSL_malloc| will not
148 // increment the malloc counter or synthesize failures. This may be used to skip
149 // simulating malloc failures in some region of code.
150 OPENSSL_EXPORT void OPENSSL_disable_malloc_failures_for_testing(void);
151
152 // OPENSSL_enable_malloc_failures_for_testing, when malloc testing is enabled,
153 // re-enables simulated malloc failures.
154 OPENSSL_EXPORT void OPENSSL_enable_malloc_failures_for_testing(void);
155 #else
OPENSSL_reset_malloc_counter_for_testing(void)156 inline void OPENSSL_reset_malloc_counter_for_testing(void) {}
OPENSSL_disable_malloc_failures_for_testing(void)157 inline void OPENSSL_disable_malloc_failures_for_testing(void) {}
OPENSSL_enable_malloc_failures_for_testing(void)158 inline void OPENSSL_enable_malloc_failures_for_testing(void) {}
159 #endif
160
161 #if defined(__has_builtin)
162 #define OPENSSL_HAS_BUILTIN(x) __has_builtin(x)
163 #else
164 #define OPENSSL_HAS_BUILTIN(x) 0
165 #endif
166
167
168 // Pointer utility functions.
169
170 // buffers_alias returns one if |a| and |b| alias and zero otherwise.
buffers_alias(const void * a,size_t a_bytes,const void * b,size_t b_bytes)171 static inline int buffers_alias(const void *a, size_t a_bytes, const void *b,
172 size_t b_bytes) {
173 // Cast |a| and |b| to integers. In C, pointer comparisons between unrelated
174 // objects are undefined whereas pointer to integer conversions are merely
175 // implementation-defined. We assume the implementation defined it in a sane
176 // way.
177 uintptr_t a_u = (uintptr_t)a;
178 uintptr_t b_u = (uintptr_t)b;
179 return a_u + a_bytes > b_u && b_u + b_bytes > a_u;
180 }
181
182 // align_pointer returns |ptr|, advanced to |alignment|. |alignment| must be a
183 // power of two, and |ptr| must have at least |alignment - 1| bytes of scratch
184 // space.
align_pointer(void * ptr,size_t alignment)185 static inline void *align_pointer(void *ptr, size_t alignment) {
186 // |alignment| must be a power of two.
187 assert(alignment != 0 && (alignment & (alignment - 1)) == 0);
188 // Instead of aligning |ptr| as a |uintptr_t| and casting back, compute the
189 // offset and advance in pointer space. C guarantees that casting from pointer
190 // to |uintptr_t| and back gives the same pointer, but general
191 // integer-to-pointer conversions are implementation-defined. GCC does define
192 // it in the useful way, but this makes fewer assumptions.
193 uintptr_t offset = (0u - (uintptr_t)ptr) & (alignment - 1);
194 ptr = (char *)ptr + offset;
195 assert(((uintptr_t)ptr & (alignment - 1)) == 0);
196 return ptr;
197 }
198
199
200 // Constant-time utility functions.
201 //
202 // The following methods return a bitmask of all ones (0xff...f) for true and 0
203 // for false. This is useful for choosing a value based on the result of a
204 // conditional in constant time. For example,
205 //
206 // if (a < b) {
207 // c = a;
208 // } else {
209 // c = b;
210 // }
211 //
212 // can be written as
213 //
214 // crypto_word_t lt = constant_time_lt_w(a, b);
215 // c = constant_time_select_w(lt, a, b);
216
217 // crypto_word_t is the type that most constant-time functions use. Ideally we
218 // would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit
219 // pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64
220 // bits. Since we want to be able to do constant-time operations on a
221 // |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native
222 // word length.
223 #if defined(OPENSSL_64_BIT)
224 typedef uint64_t crypto_word_t;
225 #elif defined(OPENSSL_32_BIT)
226 typedef uint32_t crypto_word_t;
227 #else
228 #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT"
229 #endif
230
231 #define CONSTTIME_TRUE_W ~((crypto_word_t)0)
232 #define CONSTTIME_FALSE_W ((crypto_word_t)0)
233 #define CONSTTIME_TRUE_8 ((uint8_t)0xff)
234 #define CONSTTIME_FALSE_8 ((uint8_t)0)
235
236 // value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about
237 // the returned value. This is used to mitigate compilers undoing constant-time
238 // code, until we can express our requirements directly in the language.
239 //
240 // Note the compiler is aware that |value_barrier_w| has no side effects and
241 // always has the same output for a given input. This allows it to eliminate
242 // dead code, move computations across loops, and vectorize.
value_barrier_w(crypto_word_t a)243 static inline crypto_word_t value_barrier_w(crypto_word_t a) {
244 #if defined(__GNUC__) || defined(__clang__)
245 __asm__("" : "+r"(a) : /* no inputs */);
246 #endif
247 return a;
248 }
249
250 // value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|.
value_barrier_u32(uint32_t a)251 static inline uint32_t value_barrier_u32(uint32_t a) {
252 #if defined(__GNUC__) || defined(__clang__)
253 __asm__("" : "+r"(a) : /* no inputs */);
254 #endif
255 return a;
256 }
257
258 // value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|.
value_barrier_u64(uint64_t a)259 static inline uint64_t value_barrier_u64(uint64_t a) {
260 #if defined(__GNUC__) || defined(__clang__)
261 __asm__("" : "+r"(a) : /* no inputs */);
262 #endif
263 return a;
264 }
265
266 // |value_barrier_u8| could be defined as above, but compilers other than
267 // clang seem to still materialize 0x00..00MM instead of reusing 0x??..??MM.
268
269 // constant_time_msb_w returns the given value with the MSB copied to all the
270 // other bits.
constant_time_msb_w(crypto_word_t a)271 static inline crypto_word_t constant_time_msb_w(crypto_word_t a) {
272 return 0u - (a >> (sizeof(a) * 8 - 1));
273 }
274
275 // constant_time_lt_w returns 0xff..f if a < b and 0 otherwise.
constant_time_lt_w(crypto_word_t a,crypto_word_t b)276 static inline crypto_word_t constant_time_lt_w(crypto_word_t a,
277 crypto_word_t b) {
278 // Consider the two cases of the problem:
279 // msb(a) == msb(b): a < b iff the MSB of a - b is set.
280 // msb(a) != msb(b): a < b iff the MSB of b is set.
281 //
282 // If msb(a) == msb(b) then the following evaluates as:
283 // msb(a^((a^b)|((a-b)^a))) ==
284 // msb(a^((a-b) ^ a)) == (because msb(a^b) == 0)
285 // msb(a^a^(a-b)) == (rearranging)
286 // msb(a-b) (because ∀x. x^x == 0)
287 //
288 // Else, if msb(a) != msb(b) then the following evaluates as:
289 // msb(a^((a^b)|((a-b)^a))) ==
290 // msb(a^(�� | ((a-b)^a))) == (because msb(a^b) == 1 and ��
291 // represents a value s.t. msb(��) = 1)
292 // msb(a^��) == (because ORing with 1 results in 1)
293 // msb(b)
294 //
295 //
296 // Here is an SMT-LIB verification of this formula:
297 //
298 // (define-fun lt ((a (_ BitVec 32)) (b (_ BitVec 32))) (_ BitVec 32)
299 // (bvxor a (bvor (bvxor a b) (bvxor (bvsub a b) a)))
300 // )
301 //
302 // (declare-fun a () (_ BitVec 32))
303 // (declare-fun b () (_ BitVec 32))
304 //
305 // (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b))))
306 // (check-sat)
307 // (get-model)
308 return constant_time_msb_w(a ^ ((a ^ b) | ((a - b) ^ a)));
309 }
310
311 // constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit
312 // mask.
constant_time_lt_8(crypto_word_t a,crypto_word_t b)313 static inline uint8_t constant_time_lt_8(crypto_word_t a, crypto_word_t b) {
314 return (uint8_t)(constant_time_lt_w(a, b));
315 }
316
317 // constant_time_ge_w returns 0xff..f if a >= b and 0 otherwise.
constant_time_ge_w(crypto_word_t a,crypto_word_t b)318 static inline crypto_word_t constant_time_ge_w(crypto_word_t a,
319 crypto_word_t b) {
320 return ~constant_time_lt_w(a, b);
321 }
322
323 // constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit
324 // mask.
constant_time_ge_8(crypto_word_t a,crypto_word_t b)325 static inline uint8_t constant_time_ge_8(crypto_word_t a, crypto_word_t b) {
326 return (uint8_t)(constant_time_ge_w(a, b));
327 }
328
329 // constant_time_is_zero returns 0xff..f if a == 0 and 0 otherwise.
constant_time_is_zero_w(crypto_word_t a)330 static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) {
331 // Here is an SMT-LIB verification of this formula:
332 //
333 // (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32)
334 // (bvand (bvnot a) (bvsub a #x00000001))
335 // )
336 //
337 // (declare-fun a () (_ BitVec 32))
338 //
339 // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a
340 // #x00000000)))) (check-sat) (get-model)
341 return constant_time_msb_w(~a & (a - 1));
342 }
343
344 // constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an
345 // 8-bit mask.
constant_time_is_zero_8(crypto_word_t a)346 static inline uint8_t constant_time_is_zero_8(crypto_word_t a) {
347 return (uint8_t)(constant_time_is_zero_w(a));
348 }
349
350 // constant_time_eq_w returns 0xff..f if a == b and 0 otherwise.
constant_time_eq_w(crypto_word_t a,crypto_word_t b)351 static inline crypto_word_t constant_time_eq_w(crypto_word_t a,
352 crypto_word_t b) {
353 return constant_time_is_zero_w(a ^ b);
354 }
355
356 // constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit
357 // mask.
constant_time_eq_8(crypto_word_t a,crypto_word_t b)358 static inline uint8_t constant_time_eq_8(crypto_word_t a, crypto_word_t b) {
359 return (uint8_t)(constant_time_eq_w(a, b));
360 }
361
362 // constant_time_eq_int acts like |constant_time_eq_w| but works on int
363 // values.
constant_time_eq_int(int a,int b)364 static inline crypto_word_t constant_time_eq_int(int a, int b) {
365 return constant_time_eq_w((crypto_word_t)(a), (crypto_word_t)(b));
366 }
367
368 // constant_time_eq_int_8 acts like |constant_time_eq_int| but returns an 8-bit
369 // mask.
constant_time_eq_int_8(int a,int b)370 static inline uint8_t constant_time_eq_int_8(int a, int b) {
371 return constant_time_eq_8((crypto_word_t)(a), (crypto_word_t)(b));
372 }
373
374 // constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all
375 // 1s or all 0s (as returned by the methods above), the select methods return
376 // either |a| (if |mask| is nonzero) or |b| (if |mask| is zero).
constant_time_select_w(crypto_word_t mask,crypto_word_t a,crypto_word_t b)377 static inline crypto_word_t constant_time_select_w(crypto_word_t mask,
378 crypto_word_t a,
379 crypto_word_t b) {
380 // Clang recognizes this pattern as a select. While it usually transforms it
381 // to a cmov, it sometimes further transforms it into a branch, which we do
382 // not want.
383 //
384 // Hiding the value of the mask from the compiler evades this transformation.
385 mask = value_barrier_w(mask);
386 return (mask & a) | (~mask & b);
387 }
388
389 // constant_time_select_8 acts like |constant_time_select| but operates on
390 // 8-bit values.
constant_time_select_8(crypto_word_t mask,uint8_t a,uint8_t b)391 static inline uint8_t constant_time_select_8(crypto_word_t mask, uint8_t a,
392 uint8_t b) {
393 // |mask| is a word instead of |uint8_t| to avoid materializing 0x000..0MM
394 // Making both |mask| and its value barrier |uint8_t| would allow the compiler
395 // to materialize 0x????..?MM instead, but only clang is that clever.
396 // However, vectorization of bitwise operations seems to work better on
397 // |uint8_t| than a mix of |uint64_t| and |uint8_t|, so |m| is cast to
398 // |uint8_t| after the value barrier but before the bitwise operations.
399 uint8_t m = value_barrier_w(mask);
400 return (m & a) | (~m & b);
401 }
402
403 // constant_time_select_int acts like |constant_time_select| but operates on
404 // ints.
constant_time_select_int(crypto_word_t mask,int a,int b)405 static inline int constant_time_select_int(crypto_word_t mask, int a, int b) {
406 return (int)(constant_time_select_w(mask, (crypto_word_t)(a),
407 (crypto_word_t)(b)));
408 }
409
410 // constant_time_conditional_memcpy copies |n| bytes from |src| to |dst| if
411 // |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory
412 // ranges at |dst| and |src| must not overlap, as when calling |memcpy|.
constant_time_conditional_memcpy(void * dst,const void * src,const size_t n,const crypto_word_t mask)413 static inline void constant_time_conditional_memcpy(void *dst, const void *src,
414 const size_t n,
415 const crypto_word_t mask) {
416 assert(!buffers_alias(dst, n, src, n));
417 uint8_t *out = (uint8_t *)dst;
418 const uint8_t *in = (const uint8_t *)src;
419 for (size_t i = 0; i < n; i++) {
420 out[i] = constant_time_select_8(mask, in[i], out[i]);
421 }
422 }
423
424 // constant_time_conditional_memxor xors |n| bytes from |src| to |dst| if
425 // |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory
426 // ranges at |dst| and |src| must not overlap, as when calling |memcpy|.
constant_time_conditional_memxor(void * dst,const void * src,size_t n,const crypto_word_t mask)427 static inline void constant_time_conditional_memxor(void *dst, const void *src,
428 size_t n,
429 const crypto_word_t mask) {
430 assert(!buffers_alias(dst, n, src, n));
431 uint8_t *out = (uint8_t *)dst;
432 const uint8_t *in = (const uint8_t *)src;
433 #if defined(__GNUC__) && !defined(__clang__)
434 // gcc 13.2.0 doesn't automatically vectorize this loop regardless of barrier
435 typedef uint8_t v32u8 __attribute__((vector_size(32), aligned(1), may_alias));
436 size_t n_vec = n & ~(size_t)31;
437 v32u8 masks = ((uint8_t)mask - (v32u8){}); // broadcast
438 for (size_t i = 0; i < n_vec; i += 32) {
439 *(v32u8 *)&out[i] ^= masks & *(v32u8 *)&in[i];
440 }
441 out += n_vec;
442 n -= n_vec;
443 #endif
444 for (size_t i = 0; i < n; i++) {
445 out[i] ^= value_barrier_w(mask) & in[i];
446 }
447 }
448
449 #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION)
450
451 // CONSTTIME_SECRET takes a pointer and a number of bytes and marks that region
452 // of memory as secret. Secret data is tracked as it flows to registers and
453 // other parts of a memory. If secret data is used as a condition for a branch,
454 // or as a memory index, it will trigger warnings in valgrind.
455 #define CONSTTIME_SECRET(ptr, len) VALGRIND_MAKE_MEM_UNDEFINED(ptr, len)
456
457 // CONSTTIME_DECLASSIFY takes a pointer and a number of bytes and marks that
458 // region of memory as public. Public data is not subject to constant-time
459 // rules.
460 #define CONSTTIME_DECLASSIFY(ptr, len) VALGRIND_MAKE_MEM_DEFINED(ptr, len)
461
462 #else
463
464 #define CONSTTIME_SECRET(ptr, len)
465 #define CONSTTIME_DECLASSIFY(ptr, len)
466
467 #endif // BORINGSSL_CONSTANT_TIME_VALIDATION
468
constant_time_declassify_w(crypto_word_t v)469 static inline crypto_word_t constant_time_declassify_w(crypto_word_t v) {
470 // Return |v| through a value barrier to be safe. Valgrind-based constant-time
471 // validation is partly to check the compiler has not undone any constant-time
472 // work. Any place |BORINGSSL_CONSTANT_TIME_VALIDATION| influences
473 // optimizations, this validation is inaccurate.
474 //
475 // However, by sending pointers through valgrind, we likely inhibit escape
476 // analysis. On local variables, particularly booleans, we likely
477 // significantly impact optimizations.
478 //
479 // Thus, to be safe, stick a value barrier, in hopes of comparably inhibiting
480 // compiler analysis.
481 CONSTTIME_DECLASSIFY(&v, sizeof(v));
482 return value_barrier_w(v);
483 }
484
constant_time_declassify_int(int v)485 static inline int constant_time_declassify_int(int v) {
486 static_assert(sizeof(uint32_t) == sizeof(int),
487 "int is not the same size as uint32_t");
488 // See comment above.
489 CONSTTIME_DECLASSIFY(&v, sizeof(v));
490 return value_barrier_u32(v);
491 }
492
493 // declassify_assert behaves like |assert| but declassifies the result of
494 // evaluating |expr|. This allows the assertion to branch on the (presumably
495 // public) result, but still ensures that values leading up to the computation
496 // were secret.
497 #define declassify_assert(expr) assert(constant_time_declassify_int(expr))
498
499
500 // Thread-safe initialisation.
501
502 #if !defined(OPENSSL_THREADS)
503 typedef uint32_t CRYPTO_once_t;
504 #define CRYPTO_ONCE_INIT 0
505 #elif defined(OPENSSL_WINDOWS_THREADS)
506 typedef INIT_ONCE CRYPTO_once_t;
507 #define CRYPTO_ONCE_INIT INIT_ONCE_STATIC_INIT
508 #elif defined(OPENSSL_PTHREADS)
509 typedef pthread_once_t CRYPTO_once_t;
510 #define CRYPTO_ONCE_INIT PTHREAD_ONCE_INIT
511 #else
512 #error "Unknown threading library"
513 #endif
514
515 // CRYPTO_once calls |init| exactly once per process. This is thread-safe: if
516 // concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument
517 // then they will block until |init| completes, but |init| will have only been
518 // called once.
519 //
520 // The |once| argument must be a |CRYPTO_once_t| that has been initialised with
521 // the value |CRYPTO_ONCE_INIT|.
522 OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void));
523
524
525 // Atomics.
526 //
527 // The following functions provide an API analogous to <stdatomic.h> from C11
528 // and abstract between a few variations on atomics we need to support.
529
530 #if defined(OPENSSL_THREADS)
531
532 using CRYPTO_atomic_u32 = std::atomic<uint32_t>;
533
534 static_assert(sizeof(CRYPTO_atomic_u32) == sizeof(uint32_t));
535
CRYPTO_atomic_load_u32(const CRYPTO_atomic_u32 * val)536 inline uint32_t CRYPTO_atomic_load_u32(const CRYPTO_atomic_u32 *val) {
537 return val->load(std::memory_order_seq_cst);
538 }
539
CRYPTO_atomic_compare_exchange_weak_u32(CRYPTO_atomic_u32 * val,uint32_t * expected,uint32_t desired)540 inline bool CRYPTO_atomic_compare_exchange_weak_u32(CRYPTO_atomic_u32 *val,
541 uint32_t *expected,
542 uint32_t desired) {
543 return val->compare_exchange_weak(
544 *expected, desired, std::memory_order_seq_cst, std::memory_order_seq_cst);
545 }
546
CRYPTO_atomic_store_u32(CRYPTO_atomic_u32 * val,uint32_t desired)547 inline void CRYPTO_atomic_store_u32(CRYPTO_atomic_u32 *val, uint32_t desired) {
548 val->store(desired, std::memory_order_seq_cst);
549 }
550
551 #else
552
553 typedef uint32_t CRYPTO_atomic_u32;
554
CRYPTO_atomic_load_u32(CRYPTO_atomic_u32 * val)555 inline uint32_t CRYPTO_atomic_load_u32(CRYPTO_atomic_u32 *val) { return *val; }
556
CRYPTO_atomic_compare_exchange_weak_u32(CRYPTO_atomic_u32 * val,uint32_t * expected,uint32_t desired)557 inline int CRYPTO_atomic_compare_exchange_weak_u32(CRYPTO_atomic_u32 *val,
558 uint32_t *expected,
559 uint32_t desired) {
560 if (*val != *expected) {
561 *expected = *val;
562 return 0;
563 }
564 *val = desired;
565 return 1;
566 }
567
CRYPTO_atomic_store_u32(CRYPTO_atomic_u32 * val,uint32_t desired)568 inline void CRYPTO_atomic_store_u32(CRYPTO_atomic_u32 *val, uint32_t desired) {
569 *val = desired;
570 }
571
572 #endif
573
574 // See the comment in the |__cplusplus| section above.
575 static_assert(sizeof(CRYPTO_atomic_u32) == sizeof(uint32_t),
576 "CRYPTO_atomic_u32 does not match uint32_t size");
577 static_assert(alignof(CRYPTO_atomic_u32) == alignof(uint32_t),
578 "CRYPTO_atomic_u32 does not match uint32_t alignment");
579
580
581 // Reference counting.
582
583 // CRYPTO_REFCOUNT_MAX is the value at which the reference count saturates.
584 #define CRYPTO_REFCOUNT_MAX 0xffffffff
585
586 using CRYPTO_refcount_t = CRYPTO_atomic_u32;
587
588 // CRYPTO_refcount_inc atomically increments the value at |*count| unless the
589 // value would overflow. It's safe for multiple threads to concurrently call
590 // this or |CRYPTO_refcount_dec_and_test_zero| on the same
591 // |CRYPTO_refcount_t|.
592 OPENSSL_EXPORT void CRYPTO_refcount_inc(CRYPTO_refcount_t *count);
593
594 // CRYPTO_refcount_dec_and_test_zero tests the value at |*count|:
595 // if it's zero, it crashes the address space.
596 // if it's the maximum value, it returns zero.
597 // otherwise, it atomically decrements it and returns one iff the resulting
598 // value is zero.
599 //
600 // It's safe for multiple threads to concurrently call this or
601 // |CRYPTO_refcount_inc| on the same |CRYPTO_refcount_t|.
602 OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count);
603
604
605 // Locks.
606
607 #if !defined(OPENSSL_THREADS)
608 typedef struct crypto_mutex_st {
609 char padding; // Empty structs have different sizes in C and C++.
610 } CRYPTO_MUTEX;
611 #define CRYPTO_MUTEX_INIT {0}
612 #elif defined(OPENSSL_WINDOWS_THREADS)
613 typedef SRWLOCK CRYPTO_MUTEX;
614 #define CRYPTO_MUTEX_INIT SRWLOCK_INIT
615 #elif defined(OPENSSL_PTHREADS)
616 typedef pthread_rwlock_t CRYPTO_MUTEX;
617 #define CRYPTO_MUTEX_INIT PTHREAD_RWLOCK_INITIALIZER
618 #else
619 #error "Unknown threading library"
620 #endif
621
622 // CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a
623 // |CRYPTO_MUTEX_INIT|.
624 OPENSSL_EXPORT void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock);
625
626 // CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a
627 // read lock, but none may have a write lock.
628 OPENSSL_EXPORT void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock);
629
630 // CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type
631 // of lock on it.
632 OPENSSL_EXPORT void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock);
633
634 // CRYPTO_MUTEX_unlock_read unlocks |lock| for reading.
635 OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock);
636
637 // CRYPTO_MUTEX_unlock_write unlocks |lock| for writing.
638 OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock);
639
640 // CRYPTO_MUTEX_cleanup releases all resources held by |lock|.
641 OPENSSL_EXPORT void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock);
642
643 #if defined(__cplusplus)
644 extern "C++" {
645
646 BSSL_NAMESPACE_BEGIN
647
648 namespace internal {
649
650 // MutexLockBase is a RAII helper for CRYPTO_MUTEX locking.
651 template <void (*LockFunc)(CRYPTO_MUTEX *), void (*ReleaseFunc)(CRYPTO_MUTEX *)>
652 class MutexLockBase {
653 public:
MutexLockBase(CRYPTO_MUTEX * mu)654 explicit MutexLockBase(CRYPTO_MUTEX *mu) : mu_(mu) {
655 assert(mu_ != nullptr);
656 LockFunc(mu_);
657 }
~MutexLockBase()658 ~MutexLockBase() { ReleaseFunc(mu_); }
659 MutexLockBase(const MutexLockBase<LockFunc, ReleaseFunc> &) = delete;
660 MutexLockBase &operator=(const MutexLockBase<LockFunc, ReleaseFunc> &) =
661 delete;
662
663 private:
664 CRYPTO_MUTEX *const mu_;
665 };
666
667 } // namespace internal
668
669 using MutexWriteLock =
670 internal::MutexLockBase<CRYPTO_MUTEX_lock_write, CRYPTO_MUTEX_unlock_write>;
671 using MutexReadLock =
672 internal::MutexLockBase<CRYPTO_MUTEX_lock_read, CRYPTO_MUTEX_unlock_read>;
673
674 BSSL_NAMESPACE_END
675
676 } // extern "C++"
677 #endif // defined(__cplusplus)
678
679
680 // Thread local storage.
681
682 // thread_local_data_t enumerates the types of thread-local data that can be
683 // stored.
684 typedef enum {
685 OPENSSL_THREAD_LOCAL_ERR = 0,
686 OPENSSL_THREAD_LOCAL_RAND,
687 OPENSSL_THREAD_LOCAL_FIPS_COUNTERS,
688 OPENSSL_THREAD_LOCAL_FIPS_SERVICE_INDICATOR_STATE,
689 OPENSSL_THREAD_LOCAL_TEST,
690 NUM_OPENSSL_THREAD_LOCALS,
691 } thread_local_data_t;
692
693 // thread_local_destructor_t is the type of a destructor function that will be
694 // called when a thread exits and its thread-local storage needs to be freed.
695 typedef void (*thread_local_destructor_t)(void *);
696
697 // CRYPTO_get_thread_local gets the pointer value that is stored for the
698 // current thread for the given index, or NULL if none has been set.
699 OPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value);
700
701 // CRYPTO_set_thread_local sets a pointer value for the current thread at the
702 // given index. This function should only be called once per thread for a given
703 // |index|: rather than update the pointer value itself, update the data that
704 // is pointed to.
705 //
706 // The destructor function will be called when a thread exits to free this
707 // thread-local data. All calls to |CRYPTO_set_thread_local| with the same
708 // |index| should have the same |destructor| argument. The destructor may be
709 // called with a NULL argument if a thread that never set a thread-local
710 // pointer for |index|, exits. The destructor may be called concurrently with
711 // different arguments.
712 //
713 // This function returns one on success or zero on error. If it returns zero
714 // then |destructor| has been called with |value| already.
715 OPENSSL_EXPORT int CRYPTO_set_thread_local(
716 thread_local_data_t index, void *value,
717 thread_local_destructor_t destructor);
718
719
720 // ex_data
721
722 struct crypto_ex_data_st {
723 STACK_OF(void) *sk;
724 } /* CRYPTO_EX_DATA */;
725
726 typedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS;
727
728 // CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which
729 // supports ex_data. It should defined as a static global within the module
730 // which defines that type.
731 typedef struct {
732 CRYPTO_MUTEX lock;
733 // funcs is a linked list of |CRYPTO_EX_DATA_FUNCS| structures. It may be
734 // traversed without serialization only up to |num_funcs|. last points to the
735 // final entry of |funcs|, or NULL if empty.
736 CRYPTO_EX_DATA_FUNCS *funcs, *last;
737 // num_funcs is the number of entries in |funcs|.
738 CRYPTO_atomic_u32 num_funcs;
739 // num_reserved is one if the ex_data index zero is reserved for legacy
740 // |TYPE_get_app_data| functions.
741 uint8_t num_reserved;
742 } CRYPTO_EX_DATA_CLASS;
743
744 #define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_MUTEX_INIT, NULL, NULL, {}, 0}
745 #define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \
746 {CRYPTO_MUTEX_INIT, NULL, NULL, {}, 1}
747
748 // CRYPTO_get_ex_new_index_ex allocates a new index for |ex_data_class|. Each
749 // class of object should provide a wrapper function that uses the correct
750 // |CRYPTO_EX_DATA_CLASS|. It returns the new index on success and -1 on error.
751 OPENSSL_EXPORT int CRYPTO_get_ex_new_index_ex(
752 CRYPTO_EX_DATA_CLASS *ex_data_class, long argl, void *argp,
753 CRYPTO_EX_free *free_func);
754
755 // CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class
756 // of object should provide a wrapper function.
757 OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val);
758
759 // CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL
760 // if no such index exists. Each class of object should provide a wrapper
761 // function.
762 OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index);
763
764 // CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA|.
765 OPENSSL_EXPORT void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad);
766
767 // CRYPTO_free_ex_data frees |ad|, which is an object of the given class.
768 OPENSSL_EXPORT void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class,
769 CRYPTO_EX_DATA *ad);
770
771
772 // Endianness conversions.
773
774 #if defined(__GNUC__) && __GNUC__ >= 2
CRYPTO_bswap2(uint16_t x)775 static inline uint16_t CRYPTO_bswap2(uint16_t x) {
776 return __builtin_bswap16(x);
777 }
778
CRYPTO_bswap4(uint32_t x)779 static inline uint32_t CRYPTO_bswap4(uint32_t x) {
780 return __builtin_bswap32(x);
781 }
782
CRYPTO_bswap8(uint64_t x)783 static inline uint64_t CRYPTO_bswap8(uint64_t x) {
784 return __builtin_bswap64(x);
785 }
786 #elif defined(_MSC_VER)
787 #pragma intrinsic(_byteswap_uint64, _byteswap_ulong, _byteswap_ushort)
CRYPTO_bswap2(uint16_t x)788 static inline uint16_t CRYPTO_bswap2(uint16_t x) { return _byteswap_ushort(x); }
789
CRYPTO_bswap4(uint32_t x)790 static inline uint32_t CRYPTO_bswap4(uint32_t x) { return _byteswap_ulong(x); }
791
CRYPTO_bswap8(uint64_t x)792 static inline uint64_t CRYPTO_bswap8(uint64_t x) { return _byteswap_uint64(x); }
793 #else
CRYPTO_bswap2(uint16_t x)794 static inline uint16_t CRYPTO_bswap2(uint16_t x) { return (x >> 8) | (x << 8); }
795
CRYPTO_bswap4(uint32_t x)796 static inline uint32_t CRYPTO_bswap4(uint32_t x) {
797 x = (x >> 16) | (x << 16);
798 x = ((x & 0xff00ff00) >> 8) | ((x & 0x00ff00ff) << 8);
799 return x;
800 }
801
CRYPTO_bswap8(uint64_t x)802 static inline uint64_t CRYPTO_bswap8(uint64_t x) {
803 return CRYPTO_bswap4(x >> 32) | (((uint64_t)CRYPTO_bswap4(x)) << 32);
804 }
805 #endif
806
807
808 // Language bug workarounds.
809 //
810 // Most C standard library functions are undefined if passed NULL, even when the
811 // corresponding length is zero. This gives them (and, in turn, all functions
812 // which call them) surprising behavior on empty arrays. Some compilers will
813 // miscompile code due to this rule. See also
814 // https://www.imperialviolet.org/2016/06/26/nonnull.html
815 //
816 // These wrapper functions behave the same as the corresponding C standard
817 // functions, but behave as expected when passed NULL if the length is zero.
818 //
819 // Note |OPENSSL_memcmp| is a different function from |CRYPTO_memcmp|.
820
821 // C++ defines |memchr| as a const-correct overload.
822 #if defined(__cplusplus)
823 extern "C++" {
824
OPENSSL_memchr(const void * s,int c,size_t n)825 static inline const void *OPENSSL_memchr(const void *s, int c, size_t n) {
826 if (n == 0) {
827 return NULL;
828 }
829
830 return memchr(s, c, n);
831 }
832
OPENSSL_memchr(void * s,int c,size_t n)833 static inline void *OPENSSL_memchr(void *s, int c, size_t n) {
834 if (n == 0) {
835 return NULL;
836 }
837
838 return memchr(s, c, n);
839 }
840
841 } // extern "C++"
842 #else // __cplusplus
843
OPENSSL_memchr(const void * s,int c,size_t n)844 static inline void *OPENSSL_memchr(const void *s, int c, size_t n) {
845 if (n == 0) {
846 return NULL;
847 }
848
849 return memchr(s, c, n);
850 }
851
852 #endif // __cplusplus
853
OPENSSL_memcmp(const void * s1,const void * s2,size_t n)854 static inline int OPENSSL_memcmp(const void *s1, const void *s2, size_t n) {
855 if (n == 0) {
856 return 0;
857 }
858
859 return memcmp(s1, s2, n);
860 }
861
OPENSSL_memcpy(void * dst,const void * src,size_t n)862 static inline void *OPENSSL_memcpy(void *dst, const void *src, size_t n) {
863 if (n == 0) {
864 return dst;
865 }
866
867 return memcpy(dst, src, n);
868 }
869
OPENSSL_memmove(void * dst,const void * src,size_t n)870 static inline void *OPENSSL_memmove(void *dst, const void *src, size_t n) {
871 if (n == 0) {
872 return dst;
873 }
874
875 return memmove(dst, src, n);
876 }
877
OPENSSL_memset(void * dst,int c,size_t n)878 static inline void *OPENSSL_memset(void *dst, int c, size_t n) {
879 if (n == 0) {
880 return dst;
881 }
882
883 return memset(dst, c, n);
884 }
885
886
887 // Loads and stores.
888 //
889 // The following functions load and store sized integers with the specified
890 // endianness. They use |memcpy|, and so avoid alignment or strict aliasing
891 // requirements on the input and output pointers.
892
CRYPTO_load_u16_le(const void * in)893 static inline uint16_t CRYPTO_load_u16_le(const void *in) {
894 uint16_t v;
895 OPENSSL_memcpy(&v, in, sizeof(v));
896 return v;
897 }
898
CRYPTO_store_u16_le(void * out,uint16_t v)899 static inline void CRYPTO_store_u16_le(void *out, uint16_t v) {
900 OPENSSL_memcpy(out, &v, sizeof(v));
901 }
902
CRYPTO_load_u16_be(const void * in)903 static inline uint16_t CRYPTO_load_u16_be(const void *in) {
904 uint16_t v;
905 OPENSSL_memcpy(&v, in, sizeof(v));
906 return CRYPTO_bswap2(v);
907 }
908
CRYPTO_store_u16_be(void * out,uint16_t v)909 static inline void CRYPTO_store_u16_be(void *out, uint16_t v) {
910 v = CRYPTO_bswap2(v);
911 OPENSSL_memcpy(out, &v, sizeof(v));
912 }
913
CRYPTO_load_u32_le(const void * in)914 static inline uint32_t CRYPTO_load_u32_le(const void *in) {
915 uint32_t v;
916 OPENSSL_memcpy(&v, in, sizeof(v));
917 return v;
918 }
919
CRYPTO_store_u32_le(void * out,uint32_t v)920 static inline void CRYPTO_store_u32_le(void *out, uint32_t v) {
921 OPENSSL_memcpy(out, &v, sizeof(v));
922 }
923
CRYPTO_load_u32_be(const void * in)924 static inline uint32_t CRYPTO_load_u32_be(const void *in) {
925 uint32_t v;
926 OPENSSL_memcpy(&v, in, sizeof(v));
927 return CRYPTO_bswap4(v);
928 }
929
CRYPTO_store_u32_be(void * out,uint32_t v)930 static inline void CRYPTO_store_u32_be(void *out, uint32_t v) {
931 v = CRYPTO_bswap4(v);
932 OPENSSL_memcpy(out, &v, sizeof(v));
933 }
934
CRYPTO_load_u64_le(const void * in)935 static inline uint64_t CRYPTO_load_u64_le(const void *in) {
936 uint64_t v;
937 OPENSSL_memcpy(&v, in, sizeof(v));
938 return v;
939 }
940
CRYPTO_store_u64_le(void * out,uint64_t v)941 static inline void CRYPTO_store_u64_le(void *out, uint64_t v) {
942 OPENSSL_memcpy(out, &v, sizeof(v));
943 }
944
CRYPTO_load_u64_be(const void * ptr)945 static inline uint64_t CRYPTO_load_u64_be(const void *ptr) {
946 uint64_t ret;
947 OPENSSL_memcpy(&ret, ptr, sizeof(ret));
948 return CRYPTO_bswap8(ret);
949 }
950
CRYPTO_store_u64_be(void * out,uint64_t v)951 static inline void CRYPTO_store_u64_be(void *out, uint64_t v) {
952 v = CRYPTO_bswap8(v);
953 OPENSSL_memcpy(out, &v, sizeof(v));
954 }
955
CRYPTO_load_word_le(const void * in)956 static inline crypto_word_t CRYPTO_load_word_le(const void *in) {
957 crypto_word_t v;
958 OPENSSL_memcpy(&v, in, sizeof(v));
959 return v;
960 }
961
CRYPTO_store_word_le(void * out,crypto_word_t v)962 static inline void CRYPTO_store_word_le(void *out, crypto_word_t v) {
963 OPENSSL_memcpy(out, &v, sizeof(v));
964 }
965
CRYPTO_load_word_be(const void * in)966 static inline crypto_word_t CRYPTO_load_word_be(const void *in) {
967 crypto_word_t v;
968 OPENSSL_memcpy(&v, in, sizeof(v));
969 #if defined(OPENSSL_64_BIT)
970 static_assert(sizeof(v) == 8, "crypto_word_t has unexpected size");
971 return CRYPTO_bswap8(v);
972 #else
973 static_assert(sizeof(v) == 4, "crypto_word_t has unexpected size");
974 return CRYPTO_bswap4(v);
975 #endif
976 }
977
978
979 // Bit rotation functions.
980 //
981 // Note these functions use |(-shift) & 31|, etc., because shifting by the bit
982 // width is undefined. Both Clang and GCC recognize this pattern as a rotation,
983 // but MSVC does not. Instead, we call MSVC's built-in functions.
984
CRYPTO_rotl_u32(uint32_t value,int shift)985 static inline uint32_t CRYPTO_rotl_u32(uint32_t value, int shift) {
986 #if defined(_MSC_VER)
987 return _rotl(value, shift);
988 #else
989 return (value << shift) | (value >> ((-shift) & 31));
990 #endif
991 }
992
CRYPTO_rotr_u32(uint32_t value,int shift)993 static inline uint32_t CRYPTO_rotr_u32(uint32_t value, int shift) {
994 #if defined(_MSC_VER)
995 return _rotr(value, shift);
996 #else
997 return (value >> shift) | (value << ((-shift) & 31));
998 #endif
999 }
1000
CRYPTO_rotl_u64(uint64_t value,int shift)1001 static inline uint64_t CRYPTO_rotl_u64(uint64_t value, int shift) {
1002 #if defined(_MSC_VER)
1003 return _rotl64(value, shift);
1004 #else
1005 return (value << shift) | (value >> ((-shift) & 63));
1006 #endif
1007 }
1008
CRYPTO_rotr_u64(uint64_t value,int shift)1009 static inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) {
1010 #if defined(_MSC_VER)
1011 return _rotr64(value, shift);
1012 #else
1013 return (value >> shift) | (value << ((-shift) & 63));
1014 #endif
1015 }
1016
1017
1018 // FIPS functions.
1019
1020 #if defined(BORINGSSL_FIPS)
1021
1022 // BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test
1023 // fails. It prevents any further cryptographic operations by the current
1024 // process.
1025 void BORINGSSL_FIPS_abort(void) __attribute__((noreturn));
1026
1027 // boringssl_self_test_startup runs all startup self tests and returns one on
1028 // success or zero on error. Startup self tests do not include lazy tests.
1029 // Call |BORINGSSL_self_test| to run every self test.
1030 int boringssl_self_test_startup(void);
1031
1032 // boringssl_ensure_rsa_self_test checks whether the RSA self-test has been run
1033 // in this address space. If not, it runs it and crashes the address space if
1034 // unsuccessful.
1035 void boringssl_ensure_rsa_self_test(void);
1036
1037 // boringssl_ensure_ecc_self_test checks whether the ECDSA and ECDH self-test
1038 // has been run in this address space. If not, it runs it and crashes the
1039 // address space if unsuccessful.
1040 void boringssl_ensure_ecc_self_test(void);
1041
1042 // boringssl_ensure_ffdh_self_test checks whether the FFDH self-test has been
1043 // run in this address space. If not, it runs it and crashes the address space
1044 // if unsuccessful.
1045 void boringssl_ensure_ffdh_self_test(void);
1046
1047 #else
1048
1049 // Outside of FIPS mode, the lazy tests are no-ops.
1050
boringssl_ensure_rsa_self_test(void)1051 inline void boringssl_ensure_rsa_self_test(void) {}
boringssl_ensure_ecc_self_test(void)1052 inline void boringssl_ensure_ecc_self_test(void) {}
boringssl_ensure_ffdh_self_test(void)1053 inline void boringssl_ensure_ffdh_self_test(void) {}
1054
1055 #endif // FIPS
1056
1057 // BORINGSSL_check_test memcmp's two values of equal length. It returns 1 on
1058 // success and, on failure, it prints an error message that includes the
1059 // hexdumps the two values and returns 0.
1060 int BORINGSSL_check_test(const void *expected, const void *actual,
1061 size_t expected_len, const char *name);
1062
1063 // boringssl_self_test_sha256 performs a SHA-256 KAT.
1064 int boringssl_self_test_sha256(void);
1065
1066 // boringssl_self_test_sha512 performs a SHA-512 KAT.
1067 int boringssl_self_test_sha512(void);
1068
1069 // boringssl_self_test_hmac_sha256 performs an HMAC-SHA-256 KAT.
1070 int boringssl_self_test_hmac_sha256(void);
1071
1072 // boringssl_self_test_mlkem performs the ML-KEM KATs.
1073 OPENSSL_EXPORT int boringssl_self_test_mlkem(void);
1074
1075 // boringssl_self_test_mldsa performs the ML-DSA KATs.
1076 OPENSSL_EXPORT int boringssl_self_test_mldsa(void);
1077
1078 // boringssl_self_test_slhdsa performs the SLH-DSA KATs.
1079 OPENSSL_EXPORT int boringssl_self_test_slhdsa(void);
1080
1081 #if defined(BORINGSSL_FIPS_COUNTERS)
1082 void boringssl_fips_inc_counter(enum fips_counter_t counter);
1083 #else
boringssl_fips_inc_counter(enum fips_counter_t counter)1084 inline void boringssl_fips_inc_counter(enum fips_counter_t counter) {}
1085 #endif
1086
1087 #if defined(BORINGSSL_FIPS_BREAK_TESTS)
boringssl_fips_break_test(const char * test)1088 inline int boringssl_fips_break_test(const char *test) {
1089 const char *const value = getenv("BORINGSSL_FIPS_BREAK_TEST");
1090 return value != NULL && strcmp(value, test) == 0;
1091 }
1092 #else
boringssl_fips_break_test(const char * test)1093 inline int boringssl_fips_break_test(const char *test) { return 0; }
1094 #endif // BORINGSSL_FIPS_BREAK_TESTS
1095
1096
1097 // Runtime CPU feature support
1098
1099 #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
1100 // OPENSSL_ia32cap_P contains the Intel CPUID bits when running on an x86 or
1101 // x86-64 system.
1102 //
1103 // Index 0:
1104 // EDX for CPUID where EAX = 1
1105 // Bit 30 is used to indicate an Intel CPU
1106 // Index 1:
1107 // ECX for CPUID where EAX = 1
1108 // Index 2:
1109 // EBX for CPUID where EAX = 7, ECX = 0
1110 // Bit 14 (for removed feature MPX) is used to indicate a preference for ymm
1111 // registers over zmm even when zmm registers are supported
1112 // Index 3:
1113 // ECX for CPUID where EAX = 7, ECX = 0
1114 //
1115 // Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the XMM, YMM,
1116 // and AVX512 bits in XCR0, so it is not necessary to check those. (WARNING: See
1117 // caveats in cpu_intel.c.)
1118 //
1119 // This symbol should only be accessed with |OPENSSL_get_ia32cap|.
1120 extern uint32_t OPENSSL_ia32cap_P[4];
1121
1122 // OPENSSL_get_ia32cap initializes the library if needed and returns the |idx|th
1123 // entry of |OPENSSL_ia32cap_P|. It is marked as a const function so duplicate
1124 // calls can be merged by the compiler, at least when indices match.
1125 OPENSSL_ATTR_CONST uint32_t OPENSSL_get_ia32cap(int idx);
1126
1127 // OPENSSL_adjust_ia32cap adjusts |cap|, which should contain
1128 // |OPENSSL_ia32cap_P|, based on the environment variable value in |env|. This
1129 // function is exposed for unit tests.
1130 void OPENSSL_adjust_ia32cap(uint32_t cap[4], const char *env);
1131
1132 // See Intel manual, volume 2A, table 3-11.
1133
CRYPTO_is_intel_cpu(void)1134 inline int CRYPTO_is_intel_cpu(void) {
1135 // The reserved bit 30 is used to indicate an Intel CPU.
1136 return (OPENSSL_get_ia32cap(0) & (1u << 30)) != 0;
1137 }
1138
1139 // See Intel manual, volume 2A, table 3-10.
1140
CRYPTO_is_PCLMUL_capable(void)1141 inline int CRYPTO_is_PCLMUL_capable(void) {
1142 #if defined(__PCLMUL__)
1143 return 1;
1144 #else
1145 return (OPENSSL_get_ia32cap(1) & (1u << 1)) != 0;
1146 #endif
1147 }
1148
CRYPTO_is_SSSE3_capable(void)1149 inline int CRYPTO_is_SSSE3_capable(void) {
1150 #if defined(__SSSE3__)
1151 return 1;
1152 #else
1153 return (OPENSSL_get_ia32cap(1) & (1u << 9)) != 0;
1154 #endif
1155 }
1156
CRYPTO_is_SSE4_1_capable(void)1157 inline int CRYPTO_is_SSE4_1_capable(void) {
1158 #if defined(__SSE4_1__)
1159 return 1;
1160 #else
1161 return (OPENSSL_get_ia32cap(1) & (1u << 19)) != 0;
1162 #endif
1163 }
1164
CRYPTO_is_MOVBE_capable(void)1165 inline int CRYPTO_is_MOVBE_capable(void) {
1166 #if defined(__MOVBE__)
1167 return 1;
1168 #else
1169 return (OPENSSL_get_ia32cap(1) & (1u << 22)) != 0;
1170 #endif
1171 }
1172
CRYPTO_is_AESNI_capable(void)1173 inline int CRYPTO_is_AESNI_capable(void) {
1174 #if defined(__AES__)
1175 return 1;
1176 #else
1177 return (OPENSSL_get_ia32cap(1) & (1u << 25)) != 0;
1178 #endif
1179 }
1180
1181 // We intentionally avoid defining a |CRYPTO_is_XSAVE_capable| function. See
1182 // |CRYPTO_cpu_perf_is_like_silvermont|.
1183
CRYPTO_is_AVX_capable(void)1184 inline int CRYPTO_is_AVX_capable(void) {
1185 #if defined(__AVX__)
1186 return 1;
1187 #else
1188 return (OPENSSL_get_ia32cap(1) & (1u << 28)) != 0;
1189 #endif
1190 }
1191
CRYPTO_is_RDRAND_capable(void)1192 inline int CRYPTO_is_RDRAND_capable(void) {
1193 // We intentionally do not check |__RDRND__| here. On some AMD processors, we
1194 // will act as if the hardware is RDRAND-incapable, even it actually supports
1195 // it. See cpu_intel.c.
1196 return (OPENSSL_get_ia32cap(1) & (1u << 30)) != 0;
1197 }
1198
1199 // See Intel manual, volume 2A, table 3-8.
1200
CRYPTO_is_BMI1_capable(void)1201 inline int CRYPTO_is_BMI1_capable(void) {
1202 #if defined(__BMI__)
1203 return 1;
1204 #else
1205 return (OPENSSL_get_ia32cap(2) & (1u << 3)) != 0;
1206 #endif
1207 }
1208
CRYPTO_is_AVX2_capable(void)1209 inline int CRYPTO_is_AVX2_capable(void) {
1210 #if defined(__AVX2__)
1211 return 1;
1212 #else
1213 return (OPENSSL_get_ia32cap(2) & (1u << 5)) != 0;
1214 #endif
1215 }
1216
CRYPTO_is_BMI2_capable(void)1217 inline int CRYPTO_is_BMI2_capable(void) {
1218 #if defined(__BMI2__)
1219 return 1;
1220 #else
1221 return (OPENSSL_get_ia32cap(2) & (1u << 8)) != 0;
1222 #endif
1223 }
1224
CRYPTO_is_ADX_capable(void)1225 inline int CRYPTO_is_ADX_capable(void) {
1226 #if defined(__ADX__)
1227 return 1;
1228 #else
1229 return (OPENSSL_get_ia32cap(2) & (1u << 19)) != 0;
1230 #endif
1231 }
1232
1233 // SHA-1 and SHA-256 are defined as a single extension.
CRYPTO_is_x86_SHA_capable(void)1234 inline int CRYPTO_is_x86_SHA_capable(void) {
1235 #if defined(__SHA__)
1236 return 1;
1237 #else
1238 return (OPENSSL_get_ia32cap(2) & (1u << 29)) != 0;
1239 #endif
1240 }
1241
1242 // CRYPTO_cpu_perf_is_like_silvermont returns one if, based on a heuristic, the
1243 // CPU has Silvermont-like performance characteristics. It is often faster to
1244 // run different codepaths on these CPUs than the available instructions would
1245 // otherwise select. See chacha-x86_64.pl.
1246 //
1247 // Bonnell, Silvermont's predecessor in the Atom lineup, will also be matched by
1248 // this. Goldmont (Silvermont's successor in the Atom lineup) added XSAVE so it
1249 // isn't matched by this. Various sources indicate AMD first implemented MOVBE
1250 // and XSAVE at the same time in Jaguar, so it seems like AMD chips will not be
1251 // matched by this. That seems to be the case for other x86(-64) CPUs.
CRYPTO_cpu_perf_is_like_silvermont(void)1252 inline int CRYPTO_cpu_perf_is_like_silvermont(void) {
1253 // WARNING: This MUST NOT be used to guard the execution of the XSAVE
1254 // instruction. This is the "hardware supports XSAVE" bit, not the OSXSAVE bit
1255 // that indicates whether we can safely execute XSAVE. This bit may be set
1256 // even when XSAVE is disabled (by the operating system). See how the users of
1257 // this bit use it.
1258 //
1259 // Historically, the XSAVE bit was artificially cleared on Knights Landing
1260 // and Knights Mill chips, but as Intel has removed all support from GCC,
1261 // LLVM, and SDE, we assume they are no longer worth special-casing.
1262 int hardware_supports_xsave = (OPENSSL_get_ia32cap(1) & (1u << 26)) != 0;
1263 return !hardware_supports_xsave && CRYPTO_is_MOVBE_capable();
1264 }
1265
CRYPTO_is_AVX512BW_capable(void)1266 inline int CRYPTO_is_AVX512BW_capable(void) {
1267 #if defined(__AVX512BW__)
1268 return 1;
1269 #else
1270 return (OPENSSL_get_ia32cap(2) & (1u << 30)) != 0;
1271 #endif
1272 }
1273
CRYPTO_is_AVX512VL_capable(void)1274 inline int CRYPTO_is_AVX512VL_capable(void) {
1275 #if defined(__AVX512VL__)
1276 return 1;
1277 #else
1278 return (OPENSSL_get_ia32cap(2) & (1u << 31)) != 0;
1279 #endif
1280 }
1281
1282 // CRYPTO_cpu_avoid_zmm_registers returns 1 if zmm registers (512-bit vectors)
1283 // should not be used even if the CPU supports them.
1284 //
1285 // Note that this reuses the bit for the removed MPX feature.
CRYPTO_cpu_avoid_zmm_registers(void)1286 inline int CRYPTO_cpu_avoid_zmm_registers(void) {
1287 return (OPENSSL_get_ia32cap(2) & (1u << 14)) != 0;
1288 }
1289
CRYPTO_is_VAES_capable(void)1290 inline int CRYPTO_is_VAES_capable(void) {
1291 #if defined(__VAES__)
1292 return 1;
1293 #else
1294 return (OPENSSL_get_ia32cap(3) & (1u << 9)) != 0;
1295 #endif
1296 }
1297
CRYPTO_is_VPCLMULQDQ_capable(void)1298 inline int CRYPTO_is_VPCLMULQDQ_capable(void) {
1299 #if defined(__VPCLMULQDQ__)
1300 return 1;
1301 #else
1302 return (OPENSSL_get_ia32cap(3) & (1u << 10)) != 0;
1303 #endif
1304 }
1305
1306 #endif // OPENSSL_X86 || OPENSSL_X86_64
1307
1308 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
1309
1310 // ARMV7_NEON indicates support for NEON.
1311 #define ARMV7_NEON (1 << 0)
1312
1313 // ARMV8_AES indicates support for hardware AES instructions.
1314 #define ARMV8_AES (1 << 2)
1315
1316 // ARMV8_SHA1 indicates support for hardware SHA-1 instructions.
1317 #define ARMV8_SHA1 (1 << 3)
1318
1319 // ARMV8_SHA256 indicates support for hardware SHA-256 instructions.
1320 #define ARMV8_SHA256 (1 << 4)
1321
1322 // ARMV8_PMULL indicates support for carryless multiplication.
1323 #define ARMV8_PMULL (1 << 5)
1324
1325 // ARMV8_SHA512 indicates support for hardware SHA-512 instructions.
1326 #define ARMV8_SHA512 (1 << 6)
1327
1328 #if defined(OPENSSL_STATIC_ARMCAP)
1329 // We assume |CRYPTO_is_*_capable| already checked static capabilities.
OPENSSL_get_armcap(void)1330 inline uint32_t OPENSSL_get_armcap(void) { return 0; }
1331 #else
1332 // OPENSSL_armcap_P contains ARM CPU capabilities as a bitmask of the above
1333 // constants. This should only be accessed with |OPENSSL_get_armcap|.
1334 extern uint32_t OPENSSL_armcap_P;
1335
1336 // OPENSSL_get_armcap initializes the library if needed and returns ARM CPU
1337 // capabilities. It is marked as a const function so duplicate calls can be
1338 // merged by the compiler.
1339 OPENSSL_ATTR_CONST uint32_t OPENSSL_get_armcap(void);
1340 #endif // OPENSSL_STATIC_ARMCAP
1341
1342 // Normalize some older feature flags to their modern ACLE values.
1343 // https://developer.arm.com/architectures/system-architectures/software-standards/acle
1344 #if defined(__ARM_NEON__) && !defined(__ARM_NEON)
1345 #define __ARM_NEON 1
1346 #endif
1347 #if defined(__ARM_FEATURE_CRYPTO)
1348 #if !defined(__ARM_FEATURE_AES)
1349 #define __ARM_FEATURE_AES 1
1350 #endif
1351 #if !defined(__ARM_FEATURE_SHA2)
1352 #define __ARM_FEATURE_SHA2 1
1353 #endif
1354 #endif
1355
1356 // CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If
1357 // this is known statically, it is a constant inline function.
CRYPTO_is_NEON_capable(void)1358 inline int CRYPTO_is_NEON_capable(void) {
1359 #if (defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON)) && \
1360 !defined(OPENSSL_NO_STATIC_NEON_FOR_TESTING)
1361 return 1;
1362 #else
1363 return (OPENSSL_get_armcap() & ARMV7_NEON) != 0;
1364 #endif
1365 }
1366
CRYPTO_is_ARMv8_AES_capable(void)1367 inline int CRYPTO_is_ARMv8_AES_capable(void) {
1368 #if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_AES)
1369 return 1;
1370 #else
1371 return (OPENSSL_get_armcap() & ARMV8_AES) != 0;
1372 #endif
1373 }
1374
CRYPTO_is_ARMv8_PMULL_capable(void)1375 inline int CRYPTO_is_ARMv8_PMULL_capable(void) {
1376 #if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_AES)
1377 return 1;
1378 #else
1379 return (OPENSSL_get_armcap() & ARMV8_PMULL) != 0;
1380 #endif
1381 }
1382
CRYPTO_is_ARMv8_SHA1_capable(void)1383 inline int CRYPTO_is_ARMv8_SHA1_capable(void) {
1384 // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise
1385 // are dealt with independently.
1386 #if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_SHA2)
1387 return 1;
1388 #else
1389 return (OPENSSL_get_armcap() & ARMV8_SHA1) != 0;
1390 #endif
1391 }
1392
CRYPTO_is_ARMv8_SHA256_capable(void)1393 inline int CRYPTO_is_ARMv8_SHA256_capable(void) {
1394 // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise
1395 // are dealt with independently.
1396 #if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_SHA2)
1397 return 1;
1398 #else
1399 return (OPENSSL_get_armcap() & ARMV8_SHA256) != 0;
1400 #endif
1401 }
1402
CRYPTO_is_ARMv8_SHA512_capable(void)1403 inline int CRYPTO_is_ARMv8_SHA512_capable(void) {
1404 // There is no |OPENSSL_STATIC_ARMCAP_SHA512|.
1405 #if defined(__ARM_FEATURE_SHA512)
1406 return 1;
1407 #else
1408 return (OPENSSL_get_armcap() & ARMV8_SHA512) != 0;
1409 #endif
1410 }
1411
1412 #endif // OPENSSL_ARM || OPENSSL_AARCH64
1413
1414
1415 #if defined(BORINGSSL_DISPATCH_TEST)
1416 // Runtime CPU dispatch testing support
1417
1418 // BORINGSSL_function_hit is an array of flags. The following functions will
1419 // set these flags if BORINGSSL_DISPATCH_TEST is defined.
1420 // 0: aes_hw_ctr32_encrypt_blocks
1421 // 1: aes_hw_encrypt
1422 // 2: aesni_gcm_encrypt
1423 // 3: aes_hw_set_encrypt_key
1424 // 4: vpaes_encrypt
1425 // 5: vpaes_set_encrypt_key
1426 // 6: aes_gcm_enc_update_vaes_avx2
1427 // 7: aes_gcm_enc_update_vaes_avx512
1428 extern uint8_t BORINGSSL_function_hit[8];
1429 #endif // BORINGSSL_DISPATCH_TEST
1430
1431
1432 // OPENSSL_vasprintf_internal is just like |vasprintf(3)|. If |system_malloc| is
1433 // 0, memory will be allocated with |OPENSSL_malloc| and must be freed with
1434 // |OPENSSL_free|. Otherwise the system |malloc| function is used and the memory
1435 // must be freed with the system |free| function.
1436 OPENSSL_EXPORT int OPENSSL_vasprintf_internal(char **str, const char *format,
1437 va_list args, int system_malloc)
1438 OPENSSL_PRINTF_FORMAT_FUNC(2, 0);
1439
1440
1441 // Fuzzer mode.
1442
1443 #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
1444 // CRYPTO_fuzzer_mode_enabled returns whether fuzzer mode is enabled. See
1445 // |CRYPTO_set_fuzzer_mode|. In non-fuzzer builds, this function statically
1446 // returns zero so the codepaths will be deleted by the optimizer.
1447 int CRYPTO_fuzzer_mode_enabled(void);
1448 #else
CRYPTO_fuzzer_mode_enabled(void)1449 inline int CRYPTO_fuzzer_mode_enabled(void) { return 0; }
1450 #endif
1451
1452
1453 #if defined(__cplusplus)
1454 } // extern C
1455 #endif
1456
1457 // Arithmetic functions.
1458
1459 // CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry
1460 // bit. |carry| must be zero or one.
1461
1462 // NOTE: Unoptimized GCC builds may compile these builtins to non-constant-time
1463 // code. For correct constant-time behavior, ensure builds are optimized.
1464 #if OPENSSL_HAS_BUILTIN(__builtin_addc)
1465
CRYPTO_addc_impl(unsigned int x,unsigned int y,unsigned int carry,unsigned int * out_carry)1466 inline unsigned int CRYPTO_addc_impl(unsigned int x, unsigned int y,
1467 unsigned int carry,
1468 unsigned int *out_carry) {
1469 return __builtin_addc(x, y, carry, out_carry);
1470 }
1471
CRYPTO_addc_impl(unsigned long x,unsigned long y,unsigned long carry,unsigned long * out_carry)1472 inline unsigned long CRYPTO_addc_impl(unsigned long x, unsigned long y,
1473 unsigned long carry,
1474 unsigned long *out_carry) {
1475 return __builtin_addcl(x, y, carry, out_carry);
1476 }
1477
CRYPTO_addc_impl(unsigned long long x,unsigned long long y,unsigned long long carry,unsigned long long * out_carry)1478 inline unsigned long long CRYPTO_addc_impl(unsigned long long x,
1479 unsigned long long y,
1480 unsigned long long carry,
1481 unsigned long long *out_carry) {
1482 return __builtin_addcll(x, y, carry, out_carry);
1483 }
1484
CRYPTO_addc_u32(uint32_t x,uint32_t y,uint32_t carry,uint32_t * out_carry)1485 inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,
1486 uint32_t *out_carry) {
1487 return CRYPTO_addc_impl(x, y, carry, out_carry);
1488 }
1489
CRYPTO_addc_u64(uint64_t x,uint64_t y,uint64_t carry,uint64_t * out_carry)1490 inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,
1491 uint64_t *out_carry) {
1492 return CRYPTO_addc_impl(x, y, carry, out_carry);
1493 }
1494
1495 #else
1496
CRYPTO_addc_u32(uint32_t x,uint32_t y,uint32_t carry,uint32_t * out_carry)1497 static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry,
1498 uint32_t *out_carry) {
1499 declassify_assert(carry <= 1);
1500 #if defined(_M_IX86)
1501 uint32_t sum = 0;
1502 *out_carry = _addcarry_u32(carry, x, y, &sum);
1503 return sum;
1504 #else
1505 uint64_t ret = carry;
1506 ret += (uint64_t)x + y;
1507 *out_carry = (uint32_t)(ret >> 32);
1508 return (uint32_t)ret;
1509 #endif
1510 }
1511
CRYPTO_addc_u64(uint64_t x,uint64_t y,uint64_t carry,uint64_t * out_carry)1512 static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry,
1513 uint64_t *out_carry) {
1514 declassify_assert(carry <= 1);
1515 #if defined(_M_X64)
1516 uint64_t sum = 0;
1517 *out_carry = _addcarry_u64(carry, x, y, &sum);
1518 return sum;
1519 #elif defined(BORINGSSL_HAS_UINT128)
1520 uint128_t ret = carry;
1521 ret += (uint128_t)x + y;
1522 *out_carry = (uint64_t)(ret >> 64);
1523 return (uint64_t)ret;
1524 #else
1525 x += carry;
1526 carry = x < carry;
1527 uint64_t ret = x + y;
1528 carry += ret < x;
1529 *out_carry = carry;
1530 return ret;
1531 #endif
1532 }
1533 #endif
1534
1535
1536 // CRYPTO_subc_* returns |x - y - borrow|, and sets |*out_borrow| to the borrow
1537 // bit. |borrow| must be zero or one.
1538 #if OPENSSL_HAS_BUILTIN(__builtin_subc)
1539
CRYPTO_subc_impl(unsigned int x,unsigned int y,unsigned int borrow,unsigned int * out_borrow)1540 inline unsigned int CRYPTO_subc_impl(unsigned int x, unsigned int y,
1541 unsigned int borrow,
1542 unsigned int *out_borrow) {
1543 return __builtin_subc(x, y, borrow, out_borrow);
1544 }
1545
CRYPTO_subc_impl(unsigned long x,unsigned long y,unsigned long borrow,unsigned long * out_borrow)1546 inline unsigned long CRYPTO_subc_impl(unsigned long x, unsigned long y,
1547 unsigned long borrow,
1548 unsigned long *out_borrow) {
1549 return __builtin_subcl(x, y, borrow, out_borrow);
1550 }
1551
CRYPTO_subc_impl(unsigned long long x,unsigned long long y,unsigned long long borrow,unsigned long long * out_borrow)1552 inline unsigned long long CRYPTO_subc_impl(unsigned long long x,
1553 unsigned long long y,
1554 unsigned long long borrow,
1555 unsigned long long *out_borrow) {
1556 return __builtin_subcll(x, y, borrow, out_borrow);
1557 }
1558
CRYPTO_subc_u32(uint32_t x,uint32_t y,uint32_t borrow,uint32_t * out_borrow)1559 inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,
1560 uint32_t *out_borrow) {
1561 return CRYPTO_subc_impl(x, y, borrow, out_borrow);
1562 }
1563
CRYPTO_subc_u64(uint64_t x,uint64_t y,uint64_t borrow,uint64_t * out_borrow)1564 inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
1565 uint64_t *out_borrow) {
1566 return CRYPTO_subc_impl(x, y, borrow, out_borrow);
1567 }
1568
1569 #else
1570
CRYPTO_subc_u32(uint32_t x,uint32_t y,uint32_t borrow,uint32_t * out_borrow)1571 static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow,
1572 uint32_t *out_borrow) {
1573 declassify_assert(borrow <= 1);
1574 #if defined(_M_IX86)
1575 uint32_t diff = 0;
1576 *out_borrow = _subborrow_u32(borrow, x, y, &diff);
1577 return diff;
1578 #else
1579 uint32_t ret = x - y - borrow;
1580 *out_borrow = (x < y) | ((x == y) & borrow);
1581 return ret;
1582 #endif
1583 }
1584
CRYPTO_subc_u64(uint64_t x,uint64_t y,uint64_t borrow,uint64_t * out_borrow)1585 static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow,
1586 uint64_t *out_borrow) {
1587 declassify_assert(borrow <= 1);
1588 #if defined(_M_X64)
1589 uint64_t diff = 0;
1590 *out_borrow = _subborrow_u64(borrow, x, y, &diff);
1591 return diff;
1592 #else
1593 uint64_t ret = x - y - borrow;
1594 *out_borrow = (x < y) | ((x == y) & borrow);
1595 return ret;
1596 #endif
1597 }
1598 #endif
1599
1600 #if defined(OPENSSL_64_BIT)
1601 #define CRYPTO_addc_w CRYPTO_addc_u64
1602 #define CRYPTO_subc_w CRYPTO_subc_u64
1603 #else
1604 #define CRYPTO_addc_w CRYPTO_addc_u32
1605 #define CRYPTO_subc_w CRYPTO_subc_u32
1606 #endif
1607
1608
1609 #endif // OPENSSL_HEADER_CRYPTO_INTERNAL_H
1610