kris
/
boringssl
1
0
Forka 0
Codice Problemi 0 Pull Requests 0 Rilasci 0 Wiki Attività
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
5691 Commit
12 Rami (Branch)
38 MiB
Albero (Tree): d8598ce03f
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da 'd8598ce03f'
${ noResults }
boringssl/crypto/fipsmodule/bcm.c

bcm.c 4.0 KiB
Originale Vista normale Cronologia

First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Move much of rand/ into the FIPS module. Support for platforms that we don't support FIPS on doesn't need to be in the module. Also, functions for dealing with whether fork-unsafe buffering is enabled are left out because they aren't implementing any cryptography and they use global r/w state, making their inclusion painful. Change-Id: I71a0123db6f5449e9dfc7ec7dea0944428e661aa Reviewed-on: https://boringssl-review.googlesource.com/15084 Reviewed-by: Adam Langley <agl@google.com>
7 anni fa
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move much of rand/ into the FIPS module. Support for platforms that we don't support FIPS on doesn't need to be in the module. Also, functions for dealing with whether fork-unsafe buffering is enabled are left out because they aren't implementing any cryptography and they use global r/w state, making their inclusion painful. Change-Id: I71a0123db6f5449e9dfc7ec7dea0944428e661aa Reviewed-on: https://boringssl-review.googlesource.com/15084 Reviewed-by: Adam Langley <agl@google.com>
7 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Split BORINGSSL_self_test into its own file. Some non-FIPS consumers exclude bcm.c and build each fragment file separately. This means non-FIPS code cannot live in bcm.c. https://boringssl-review.googlesource.com/25044 made the self-test function exist outside of FIPS code, so it needed to be moved into is own file. To avoid confusing generate_build_files.py, this can't be named self_test.c, so I went with self_check.c. Change-Id: I337b39b158bc50d6ca0a8ad1b6e15eb851095e1e Reviewed-on: https://boringssl-review.googlesource.com/25124 Reviewed-by: Martin Kreichgauer <martinkr@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
fipstools: Add a sample binary that exercises methods from the FIPS module. Also allow breaking ECDSA/RSA pair-wise consistency tests and ECDSA self-test. Change-Id: I1c7723f6082568ebf93158cfaa184cbdeb7480a0 Reviewed-on: https://boringssl-review.googlesource.com/16305 Reviewed-by: Adam Langley <agl@google.com>
7 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Move AES code into the FIPS module. Change-Id: Id94e71bce4dca25e77f52f38c07e0489ca072d2d Reviewed-on: https://boringssl-review.googlesource.com/15027 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move bn/ into crypto/fipsmodule/ Change-Id: I68aa4a740ee1c7f2a308a6536f408929f15b694c Reviewed-on: https://boringssl-review.googlesource.com/15647 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move some RSA keygen support code into separate files. This was all new code. There was a request to make this available under ISC. Change-Id: Ibabbe6fbf593c2a781aac47a4de7ac378604dbcf Reviewed-on: https://boringssl-review.googlesource.com/28267 Reviewed-by: Adam Langley <agl@google.com>
6 anni fa
Move bn/ into crypto/fipsmodule/ Change-Id: I68aa4a740ee1c7f2a308a6536f408929f15b694c Reviewed-on: https://boringssl-review.googlesource.com/15647 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move some RSA keygen support code into separate files. This was all new code. There was a request to make this available under ISC. Change-Id: Ibabbe6fbf593c2a781aac47a4de7ac378604dbcf Reviewed-on: https://boringssl-review.googlesource.com/28267 Reviewed-by: Adam Langley <agl@google.com>
6 anni fa
Move bn/ into crypto/fipsmodule/ Change-Id: I68aa4a740ee1c7f2a308a6536f408929f15b694c Reviewed-on: https://boringssl-review.googlesource.com/15647 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move cipher/ into crypto/fipsmodule/ Change-Id: Id65e0988534056a72d9b40cc9ba5194e2d9b8a7c Reviewed-on: https://boringssl-review.googlesource.com/15904 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move des/ to crypto/fipsmodule/ Change-Id: I167b7045c537d95294d387936f3d7bad530e1c6f Reviewed-on: https://boringssl-review.googlesource.com/15844 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Add ECDH_compute_key_fips inside the module. This change adds a function so that an ECDH and the hashing of the resulting 'x' coordinate can occur inside the FIPS boundary. Change-Id: If93c20a70dc9dcbca49056f10915d3ce064f641f Reviewed-on: https://boringssl-review.googlesource.com/30104 Reviewed-by: Adam Langley <agl@google.com>
6 anni fa
Move ec/ and ecdsa/ into fipsmodule/ The names in the P-224 code collided with the P-256 code and thus many of the functions and constants in the P-224 code have been prefixed. Change-Id: I6bcd304640c539d0483d129d5eaf1702894929a8 Reviewed-on: https://boringssl-review.googlesource.com/15847 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Add EC_FELEM for EC_POINTs and related temporaries. This introduces EC_FELEM, which is analogous to EC_SCALAR. It is used for EC_POINT's representation in the generic EC_METHOD, as well as random operations on tuned EC_METHODs that still are implemented genericly. Unlike EC_SCALAR, EC_FELEM's exact representation is awkwardly specific to the EC_METHOD, analogous to how the old values were BIGNUMs but may or may not have been in Montgomery form. This is kind of a nuisance, but no more than before. (If p224-64.c were easily convertable to Montgomery form, we could say |EC_FELEM| is always in Montgomery form. If we exposed the internal add and double implementations in each of the curves, we could give |EC_POINT| an |EC_METHOD|-specific representation and |EC_FELEM| is purely a |EC_GFp_mont_method| type. I'll leave this for later.) The generic add and doubling formulas are aligned with the formulas proved in fiat-crypto. Those only applied to a = -3, so I've proved a generic one in https://github.com/mit-plv/fiat-crypto/pull/356, in case someone uses a custom curve. The new formulas are verified, constant-time, and swap a multiply for a square. As expressed in fiat-crypto they do use more temporaries, but this seems to be fine with stack-allocated EC_FELEMs. (We can try to help the compiler later, but benchamrks below suggest this isn't necessary.) Unlike BIGNUM, EC_FELEM can be stack-allocated. It also captures the bounds in the type system and, in particular, that the width is correct, which will make it easier to select a point in constant-time in the future. (Indeed the old code did not always have the correct width. Its point formula involved halving and implemented this in variable time and variable width.) Before: Did 77274 ECDH P-256 operations in 10046087us (7692.0 ops/sec) Did 5959 ECDH P-384 operations in 10031701us (594.0 ops/sec) Did 10815 ECDSA P-384 signing operations in 10087892us (1072.1 ops/sec) Did 8976 ECDSA P-384 verify operations in 10071038us (891.3 ops/sec) Did 2600 ECDH P-521 operations in 10091688us (257.6 ops/sec) Did 4590 ECDSA P-521 signing operations in 10055195us (456.5 ops/sec) Did 3811 ECDSA P-521 verify operations in 10003574us (381.0 ops/sec) After: Did 77736 ECDH P-256 operations in 10029858us (7750.5 ops/sec) [+0.8%] Did 7519 ECDH P-384 operations in 10068076us (746.8 ops/sec) [+25.7%] Did 13335 ECDSA P-384 signing operations in 10029962us (1329.5 ops/sec) [+24.0%] Did 11021 ECDSA P-384 verify operations in 10088600us (1092.4 ops/sec) [+22.6%] Did 2912 ECDH P-521 operations in 10001325us (291.2 ops/sec) [+13.0%] Did 5150 ECDSA P-521 signing operations in 10027462us (513.6 ops/sec) [+12.5%] Did 4264 ECDSA P-521 verify operations in 10069694us (423.4 ops/sec) [+11.1%] This more than pays for removing points_make_affine previously and even speeds up ECDH P-256 slightly. (The point-on-curve check uses the generic code.) Next is to push the stack-allocating up to ec_wNAF_mul, followed by a constant-time single-point multiplication. Bug: 239 Change-Id: I44a2dff7c52522e491d0f8cffff64c4ab5cd353c Reviewed-on: https://boringssl-review.googlesource.com/27668 Reviewed-by: Adam Langley <agl@google.com>
6 anni fa
Move ec/ and ecdsa/ into fipsmodule/ The names in the P-224 code collided with the P-256 code and thus many of the functions and constants in the P-224 code have been prefixed. Change-Id: I6bcd304640c539d0483d129d5eaf1702894929a8 Reviewed-on: https://boringssl-review.googlesource.com/15847 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
ec/p256.c: fiat-crypto field arithmetic (64, 32) The fiat-crypto-generated code uses the Montgomery form implementation strategy, for both 32-bit and 64-bit code. 64-bit throughput seems slower, but the difference is smaller than noise between repetitions (-2%?) 32-bit throughput has decreased significantly for ECDH (-40%). I am attributing this to the change from varibale-time scalar multiplication to constant-time scalar multiplication. Due to the same bottleneck, ECDSA verification still uses the old code (otherwise there would have been a 60% throughput decrease). On the other hand, ECDSA signing throughput has increased slightly (+10%), perhaps due to the use of a precomputed table of multiples of the base point. 64-bit benchmarks (Google Cloud Haswell): with this change: Did 9126 ECDH P-256 operations in 1009572us (9039.5 ops/sec) Did 23000 ECDSA P-256 signing operations in 1039832us (22119.0 ops/sec) Did 8820 ECDSA P-256 verify operations in 1024242us (8611.2 ops/sec) master (40e8c921cab5cce2bc10722ecf4ebe0e380cf6c8): Did 9340 ECDH P-256 operations in 1017975us (9175.1 ops/sec) Did 23000 ECDSA P-256 signing operations in 1039820us (22119.2 ops/sec) Did 8688 ECDSA P-256 verify operations in 1021108us (8508.4 ops/sec) benchmarks on ARMv7 (LG Nexus 4): with this change: Did 150 ECDH P-256 operations in 1029726us (145.7 ops/sec) Did 506 ECDSA P-256 signing operations in 1065192us (475.0 ops/sec) Did 363 ECDSA P-256 verify operations in 1033298us (351.3 ops/sec) master (2fce1beda0f7e74e2d687860f807cf0b8d8056a4): Did 245 ECDH P-256 operations in 1017518us (240.8 ops/sec) Did 473 ECDSA P-256 signing operations in 1086281us (435.4 ops/sec) Did 360 ECDSA P-256 verify operations in 1003846us (358.6 ops/sec) 64-bit tables converted as follows: import re, sys, math p = 2**256 - 2**224 + 2**192 + 2**96 - 1 R = 2**256 def convert(t): x0, s1, x1, s2, x2, s3, x3 = t.groups() v = int(x0, 0) + 2**64 * (int(x1, 0) + 2**64*(int(x2,0) + 2**64*(int(x3, 0)) )) w = v*R%p y0 = hex(w%(2**64)) y1 = hex((w>>64)%(2**64)) y2 = hex((w>>(2*64))%(2**64)) y3 = hex((w>>(3*64))%(2**64)) ww = int(y0, 0) + 2**64 * (int(y1, 0) + 2**64*(int(y2,0) + 2**64*(int(y3, 0)) )) if ww != v*R%p: print(x0,x1,x2,x3) print(hex(v)) print(y0,y1,y2,y3) print(hex(w)) print(hex(ww)) assert 0 return '{'+y0+s1+y1+s2+y2+s3+y3+'}' fe_re = re.compile('{'+r'(\s*,\s*)'.join(r'(\d+|0x[abcdefABCDEF0123456789]+)' for i in range(4)) + '}') print (re.sub(fe_re, convert, sys.stdin.read()).rstrip('\n')) 32-bit tables converted from 64-bit tables Change-Id: I52d6e5504fcb6ca2e8b0ee13727f4500c80c1799 Reviewed-on: https://boringssl-review.googlesource.com/23244 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move ec/ and ecdsa/ into fipsmodule/ The names in the P-224 code collided with the P-256 code and thus many of the functions and constants in the P-224 code have been prefixed. Change-Id: I6bcd304640c539d0483d129d5eaf1702894929a8 Reviewed-on: https://boringssl-review.googlesource.com/15847 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Abstract away EC_SCALAR operations. Just a little bit cleaner. Change-Id: I0ed192a531b5aa853ba082caa6088e838f12c863 Reviewed-on: https://boringssl-review.googlesource.com/27587 Reviewed-by: Adam Langley <alangley@gmail.com>
6 anni fa
Move ec/ and ecdsa/ into fipsmodule/ The names in the P-224 code collided with the P-256 code and thus many of the functions and constants in the P-224 code have been prefixed. Change-Id: I6bcd304640c539d0483d129d5eaf1702894929a8 Reviewed-on: https://boringssl-review.googlesource.com/15847 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Implement constant-time generic multiplication. This is slower, but constant-time. It intentionally omits the signed digit optimization because we cannot be sure the doubling case will be unreachable for all curves. This is a fallback generic implementation for curves which we must support for compatibility but which are not common or important enough to justify curve-specific work. Before: Did 814 ECDH P-384 operations in 1085384us (750.0 ops/sec) Did 1430 ECDSA P-384 signing operations in 1081988us (1321.6 ops/sec) Did 308 ECDH P-521 operations in 1057741us (291.2 ops/sec) Did 539 ECDSA P-521 signing operations in 1049797us (513.4 ops/sec) After: Did 715 ECDH P-384 operations in 1080161us (661.9 ops/sec) Did 1188 ECDSA P-384 verify operations in 1069567us (1110.7 ops/sec) Did 275 ECDH P-521 operations in 1060503us (259.3 ops/sec) Did 506 ECDSA P-521 signing operations in 1084739us (466.5 ops/sec) But we're still faster than the old BIGNUM implementation. EC_FELEM more than paid for both the loss of points_make_affine and this CL. Bug: 239 Change-Id: I65d71a731aad16b523928ee47618822d503ea704 Reviewed-on: https://boringssl-review.googlesource.com/27708 Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
6 anni fa
ec/p256.c: fiat-crypto field arithmetic (64, 32) The fiat-crypto-generated code uses the Montgomery form implementation strategy, for both 32-bit and 64-bit code. 64-bit throughput seems slower, but the difference is smaller than noise between repetitions (-2%?) 32-bit throughput has decreased significantly for ECDH (-40%). I am attributing this to the change from varibale-time scalar multiplication to constant-time scalar multiplication. Due to the same bottleneck, ECDSA verification still uses the old code (otherwise there would have been a 60% throughput decrease). On the other hand, ECDSA signing throughput has increased slightly (+10%), perhaps due to the use of a precomputed table of multiples of the base point. 64-bit benchmarks (Google Cloud Haswell): with this change: Did 9126 ECDH P-256 operations in 1009572us (9039.5 ops/sec) Did 23000 ECDSA P-256 signing operations in 1039832us (22119.0 ops/sec) Did 8820 ECDSA P-256 verify operations in 1024242us (8611.2 ops/sec) master (40e8c921cab5cce2bc10722ecf4ebe0e380cf6c8): Did 9340 ECDH P-256 operations in 1017975us (9175.1 ops/sec) Did 23000 ECDSA P-256 signing operations in 1039820us (22119.2 ops/sec) Did 8688 ECDSA P-256 verify operations in 1021108us (8508.4 ops/sec) benchmarks on ARMv7 (LG Nexus 4): with this change: Did 150 ECDH P-256 operations in 1029726us (145.7 ops/sec) Did 506 ECDSA P-256 signing operations in 1065192us (475.0 ops/sec) Did 363 ECDSA P-256 verify operations in 1033298us (351.3 ops/sec) master (2fce1beda0f7e74e2d687860f807cf0b8d8056a4): Did 245 ECDH P-256 operations in 1017518us (240.8 ops/sec) Did 473 ECDSA P-256 signing operations in 1086281us (435.4 ops/sec) Did 360 ECDSA P-256 verify operations in 1003846us (358.6 ops/sec) 64-bit tables converted as follows: import re, sys, math p = 2**256 - 2**224 + 2**192 + 2**96 - 1 R = 2**256 def convert(t): x0, s1, x1, s2, x2, s3, x3 = t.groups() v = int(x0, 0) + 2**64 * (int(x1, 0) + 2**64*(int(x2,0) + 2**64*(int(x3, 0)) )) w = v*R%p y0 = hex(w%(2**64)) y1 = hex((w>>64)%(2**64)) y2 = hex((w>>(2*64))%(2**64)) y3 = hex((w>>(3*64))%(2**64)) ww = int(y0, 0) + 2**64 * (int(y1, 0) + 2**64*(int(y2,0) + 2**64*(int(y3, 0)) )) if ww != v*R%p: print(x0,x1,x2,x3) print(hex(v)) print(y0,y1,y2,y3) print(hex(w)) print(hex(ww)) assert 0 return '{'+y0+s1+y1+s2+y2+s3+y3+'}' fe_re = re.compile('{'+r'(\s*,\s*)'.join(r'(\d+|0x[abcdefABCDEF0123456789]+)' for i in range(4)) + '}') print (re.sub(fe_re, convert, sys.stdin.read()).rstrip('\n')) 32-bit tables converted from 64-bit tables Change-Id: I52d6e5504fcb6ca2e8b0ee13727f4500c80c1799 Reviewed-on: https://boringssl-review.googlesource.com/23244 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Move ec/ and ecdsa/ into fipsmodule/ The names in the P-224 code collided with the P-256 code and thus many of the functions and constants in the P-224 code have been prefixed. Change-Id: I6bcd304640c539d0483d129d5eaf1702894929a8 Reviewed-on: https://boringssl-review.googlesource.com/15847 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Move modes/ into the FIPS module The changes to delocate.go are needed because modes/ does things like return the address of a module function. Both of these need to be changed from referencing the GOT to using local symbols. Rather than testing whether |ghash| is |gcm_ghash_avx|, we can just keep that information in a flag. The test for |aesni_ctr32_encrypt_blocks| is more problematic, but I believe that it's superfluous and can be dropped: if you passed in a stream function that was semantically different from |aesni_ctr32_encrypt_blocks| you would already have a bug because |CRYPTO_gcm128_[en|de]crypt_ctr32| will handle a block at the end themselves, and assume a big-endian, 32-bit counter anyway. Change-Id: I68a84ebdab6c6006e11e9467e3362d7585461385 Reviewed-on: https://boringssl-review.googlesource.com/15064 Reviewed-by: Adam Langley <agl@google.com>
7 anni fa
Add AES_128_CCM AEAD. Change-Id: I830be64209deada0f24c3b6d50dc86155085c377 Reviewed-on: https://boringssl-review.googlesource.com/25904 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 anni fa
Move modes/ into the FIPS module The changes to delocate.go are needed because modes/ does things like return the address of a module function. Both of these need to be changed from referencing the GOT to using local symbols. Rather than testing whether |ghash| is |gcm_ghash_avx|, we can just keep that information in a flag. The test for |aesni_ctr32_encrypt_blocks| is more problematic, but I believe that it's superfluous and can be dropped: if you passed in a stream function that was semantically different from |aesni_ctr32_encrypt_blocks| you would already have a bug because |CRYPTO_gcm128_[en|de]crypt_ctr32| will handle a block at the end themselves, and assume a big-endian, 32-bit counter anyway. Change-Id: I68a84ebdab6c6006e11e9467e3362d7585461385 Reviewed-on: https://boringssl-review.googlesource.com/15064 Reviewed-by: Adam Langley <agl@google.com>
7 anni fa
Move much of rand/ into the FIPS module. Support for platforms that we don't support FIPS on doesn't need to be in the module. Also, functions for dealing with whether fork-unsafe buffering is enabled are left out because they aren't implementing any cryptography and they use global r/w state, making their inclusion painful. Change-Id: I71a0123db6f5449e9dfc7ec7dea0944428e661aa Reviewed-on: https://boringssl-review.googlesource.com/15084 Reviewed-by: Adam Langley <agl@google.com>
7 anni fa
Move rsa/ to fipsmodule/rsa/ Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c Reviewed-on: https://boringssl-review.googlesource.com/15849 Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
Split BORINGSSL_self_test into its own file. Some non-FIPS consumers exclude bcm.c and build each fragment file separately. This means non-FIPS code cannot live in bcm.c. https://boringssl-review.googlesource.com/25044 made the self-test function exist outside of FIPS code, so it needed to be moved into is own file. To avoid confusing generate_build_files.py, this can't be named self_test.c, so I went with self_check.c. Change-Id: I337b39b158bc50d6ca0a8ad1b6e15eb851095e1e Reviewed-on: https://boringssl-review.googlesource.com/25124 Reviewed-by: Martin Kreichgauer <martinkr@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Fix sort order. Change-Id: I459637397429109a2314355b571a42a61cb9dd49 Reviewed-on: https://boringssl-review.googlesource.com/25024 Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
6 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Extract FIPS KAT tests into a function. This change adds |BORINGSSL_self_test|, which allows applications to run the FIPS KAT tests on demand, even in non-FIPS builds. Change-Id: I950b30a02ab030d5e05f2d86148beb4ee1b5929c Reviewed-on: https://boringssl-review.googlesource.com/25044 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: David Benjamin <davidben@google.com>
6 anni fa
Always print some diagnostic information when POST fails. Debugging a POST failure when it prints nothing is painful. The |check_test| helper already prints out information when it fails, but some other paths were not handled. This change adds printfs for those cases. Change-Id: Ife71bb292a4f69679d0fa56686863aae9423e451 Updating-Note: updates internal bug 116469121 Reviewed-on: https://boringssl-review.googlesource.com/32145 Reviewed-by: David Benjamin <davidben@google.com>
6 anni fa
Extract FIPS KAT tests into a function. This change adds |BORINGSSL_self_test|, which allows applications to run the FIPS KAT tests on demand, even in non-FIPS builds. Change-Id: I950b30a02ab030d5e05f2d86148beb4ee1b5929c Reviewed-on: https://boringssl-review.googlesource.com/25044 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: David Benjamin <davidben@google.com>
6 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Have a single function for FIPS test failures. Change-Id: Iab7a738a8981de7c56d1585050e78699cb876dab Reviewed-on: https://boringssl-review.googlesource.com/16467 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Have a single function for FIPS test failures. Change-Id: Iab7a738a8981de7c56d1585050e78699cb876dab Reviewed-on: https://boringssl-review.googlesource.com/16467 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
First part of the FIPS module. Change-Id: Ic3a91ccd2c8cdc364740f256fdb8a7ff66177947 Reviewed-on: https://boringssl-review.googlesource.com/14506 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
7 anni fa
Extract FIPS KAT tests into a function. This change adds |BORINGSSL_self_test|, which allows applications to run the FIPS KAT tests on demand, even in non-FIPS builds. Change-Id: I950b30a02ab030d5e05f2d86148beb4ee1b5929c Reviewed-on: https://boringssl-review.googlesource.com/25044 Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Reviewed-by: David Benjamin <davidben@google.com>
6 anni fa
Run the comment converter on libcrypto. crypto/{asn1,x509,x509v3,pem} were skipped as they are still OpenSSL style. Change-Id: I3cd9a60e1cb483a981aca325041f3fbce294247c Reviewed-on: https://boringssl-review.googlesource.com/19504 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
7 anni fa
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155 
  1. /* Copyright (c) 2017, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #if !defined(_GNU_SOURCE)

  16. #define _GNU_SOURCE  // needed for syscall() on Linux.

  17. #endif

  18. 

  19. #include <openssl/crypto.h>

  20. 

  21. #include <stdlib.h>

  22. 

  23. #include <openssl/digest.h>

  24. #include <openssl/hmac.h>

  25. #include <openssl/sha.h>

  26. 

  27. #include "../internal.h"

  28. 

  29. #include "aes/aes.c"

  30. #include "aes/key_wrap.c"

  31. #include "aes/mode_wrappers.c"

  32. #include "bn/add.c"

  33. #include "bn/asm/x86_64-gcc.c"

  34. #include "bn/bn.c"

  35. #include "bn/bytes.c"

  36. #include "bn/cmp.c"

  37. #include "bn/ctx.c"

  38. #include "bn/div.c"

  39. #include "bn/div_extra.c"

  40. #include "bn/exponentiation.c"

  41. #include "bn/gcd.c"

  42. #include "bn/gcd_extra.c"

  43. #include "bn/generic.c"

  44. #include "bn/jacobi.c"

  45. #include "bn/montgomery.c"

  46. #include "bn/montgomery_inv.c"

  47. #include "bn/mul.c"

  48. #include "bn/prime.c"

  49. #include "bn/random.c"

  50. #include "bn/rsaz_exp.c"

  51. #include "bn/shift.c"

  52. #include "bn/sqrt.c"

  53. #include "cipher/aead.c"

  54. #include "cipher/cipher.c"

  55. #include "cipher/e_aes.c"

  56. #include "cipher/e_des.c"

  57. #include "des/des.c"

  58. #include "digest/digest.c"

  59. #include "digest/digests.c"

  60. #include "ecdh/ecdh.c"

  61. #include "ecdsa/ecdsa.c"

  62. #include "ec/ec.c"

  63. #include "ec/ec_key.c"

  64. #include "ec/ec_montgomery.c"

  65. #include "ec/felem.c"

  66. #include "ec/oct.c"

  67. #include "ec/p224-64.c"

  68. #include "../../third_party/fiat/p256.c"

  69. #include "ec/p256-x86_64.c"

  70. #include "ec/scalar.c"

  71. #include "ec/simple.c"

  72. #include "ec/simple_mul.c"

  73. #include "ec/util.c"

  74. #include "ec/wnaf.c"

  75. #include "hmac/hmac.c"

  76. #include "md4/md4.c"

  77. #include "md5/md5.c"

  78. #include "modes/cbc.c"

  79. #include "modes/ccm.c"

  80. #include "modes/cfb.c"

  81. #include "modes/ctr.c"

  82. #include "modes/gcm.c"

  83. #include "modes/ofb.c"

  84. #include "modes/polyval.c"

  85. #include "rand/ctrdrbg.c"

  86. #include "rand/rand.c"

  87. #include "rand/urandom.c"

  88. #include "rsa/blinding.c"

  89. #include "rsa/padding.c"

  90. #include "rsa/rsa.c"

  91. #include "rsa/rsa_impl.c"

  92. #include "self_check/self_check.c"

  93. #include "sha/sha1-altivec.c"

  94. #include "sha/sha1.c"

  95. #include "sha/sha256.c"

  96. #include "sha/sha512.c"

  97. #include "tls/kdf.c"

  98. 

  99. 

  100. #if defined(BORINGSSL_FIPS)

  101. 

  102. #if !defined(OPENSSL_ASAN)

  103. // These symbols are filled in by delocate.go. They point to the start and end

  104. // of the module, and the location of the integrity hash, respectively.

  105. extern const uint8_t BORINGSSL_bcm_text_start[];

  106. extern const uint8_t BORINGSSL_bcm_text_end[];

  107. extern const uint8_t BORINGSSL_bcm_text_hash[];

  108. #endif

  109. 

  110. static void __attribute__((constructor))

  111. BORINGSSL_bcm_power_on_self_test(void) {

  112.   CRYPTO_library_init();

  113. 

  114. #if !defined(OPENSSL_ASAN)

  115.   // Integrity tests cannot run under ASAN because it involves reading the full

  116.   // .text section, which triggers the global-buffer overflow detection.

  117.   const uint8_t *const start = BORINGSSL_bcm_text_start;

  118.   const uint8_t *const end = BORINGSSL_bcm_text_end;

  119. 

  120.   static const uint8_t kHMACKey[64] = {0};

  121.   uint8_t result[SHA512_DIGEST_LENGTH];

  122. 

  123.   unsigned result_len;

  124.   if (!HMAC(EVP_sha512(), kHMACKey, sizeof(kHMACKey), start, end - start,

  125.             result, &result_len) ||

  126.       result_len != sizeof(result)) {

  127.     fprintf(stderr, "HMAC failed.\n");

  128.     goto err;

  129.   }

  130. 

  131.   const uint8_t *expected = BORINGSSL_bcm_text_hash;

  132. 

  133.   if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {

  134.     goto err;

  135.   }

  136. #endif

  137. 

  138.   if (!BORINGSSL_self_test()) {

  139.     goto err;

  140.   }

  141. 

  142.   return;

  143. 

  144. err:

  145.   BORINGSSL_FIPS_abort();

  146. }

  147. 

  148. void BORINGSSL_FIPS_abort(void) {

  149.   for (;;) {

  150.     abort();

  151.     exit(1);

  152.   }

  153. }

  154. 

  155. #endif  // BORINGSSL_FIPS