Commit Graph

4297 Commits

Author SHA1 Message Date
Adam Langley
08c9b84410 Don't get confused by comments when recognising symbol definitions.
Change-Id: I7550beef400478913336aef62107024e499f075b
Reviewed-on: https://boringssl-review.googlesource.com/15346
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:12:38 +00:00
Adam Langley
518ba0772b Switch constant-time functions to using |crypto_word_t|.
Using |size_t| was correct, except for NaCl, which is a 64-bit build
with 32-bit pointers. In that configuration, |size_t| is smaller than
the native word size.

This change adds |crypto_word_t|, an unsigned type with native size and
switches constant-time functions to using it.

Change-Id: Ib275127063d5edbb7c55d413132711b7c74206b0
Reviewed-on: https://boringssl-review.googlesource.com/15325
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:06:05 +00:00
Adam Langley
947417a159 Handle BSS sections.
In some modes the compiler will emit a section for BSS symbols and
construct the values with labels, alignment and data instructions. This
change parses these sections and emits the local versions of each symbol
needed to make this work.

Change-Id: I8d43ffe4b5b734950aa4287a3dd7c0d2f191f2e4
Reviewed-on: https://boringssl-review.googlesource.com/15206
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:06:00 +00:00
Adam Langley
b0d864ee6d Be stricter about which sections are allowed in delocate.
We might want to back off on this in the future so that we don't upset
future compiler work but, for now, it's useful to know when we hit
something that we don't understand.

Change-Id: I763830b0ddcf5da20061fad673265d4a5855479c
Reviewed-on: https://boringssl-review.googlesource.com/15205
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:05:47 +00:00
Adam Langley
c2dce9c1d5 Have delocate process lines by pulling.
In order to better handle BSS sections, rather than having a single loop
over the lines and state flags, pull lines as needed. This means that
subfunctions can process sections of the input.

Also, stop bothering to move the init_array to the end, it's already put
into its own section.

Change-Id: I0e62930c65d29baecb39ba0d8bbc21f2da3bde56
Reviewed-on: https://boringssl-review.googlesource.com/15204
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:41 +00:00
Adam Langley
11f11e6f49 Sort lists of asm files and tests.
Change-Id: Ice5d43d87fee7eda1be01c997901697170c09d83
Reviewed-on: https://boringssl-review.googlesource.com/15145
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:36 +00:00
Adam Langley
7784104dd8 Move much of rand/ into the FIPS module.
Support for platforms that we don't support FIPS on doesn't need to be
in the module. Also, functions for dealing with whether fork-unsafe
buffering is enabled are left out because they aren't implementing any
cryptography and they use global r/w state, making their inclusion
painful.

Change-Id: I71a0123db6f5449e9dfc7ec7dea0944428e661aa
Reviewed-on: https://boringssl-review.googlesource.com/15084
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:18 +00:00
David Benjamin
f3d3cee4fe Avoid messing with dummy functions in delocate.go.
With some optimisation settings, Clang was loading
BORINGSSL_bcm_text_hash with AVX2 instructions, which weren't getting
translated correctly. This seems to work and is less fragile.

The compiler just emits an leaq here. This is because it knows the
symbol is hidden (in the shared library sense), so it needn't go through
GOTPCREL. The assembler would have added a relocation, were the symbol
left undefined, but since we define the symbol later on, it all works
out without a relocation.

Were the symbol not hidden, the compiler would have emitted a movq by
way of GOTPCREL, but we can now translate those away anyway.

Change-Id: I442a22f4f8afaadaacbab7044f946a963ebfc46c
Reviewed-on: https://boringssl-review.googlesource.com/15384
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 21:42:44 +00:00
David Benjamin
23ebe09eab Return int from bn_wexpand, not BIGNUM*.
Change-Id: I47d9b1eb256099057ed1158afe76b89758c963bb
Reviewed-on: https://boringssl-review.googlesource.com/15365
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 20:07:13 +00:00
David Benjamin
6c679e1b3b Tidy up primality code.
We BN_cmp with 1 at the top, so the absolute value code never runs.
This simplifies the BN_CTX business considerably. Also add a test for
negative prime numbers.

Change-Id: I500a56bc285c2f75576947cfb518e75c9e6861ce
Reviewed-on: https://boringssl-review.googlesource.com/15367
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 19:04:21 +00:00
David Benjamin
fc674c82c3 Unexport bn_correct_top and bn_wexpand.
Thanks to Rob Sloan for clearing out Android's uses of these functions.
I forgot we can hide these now.

BUG=97

Change-Id: I9bc7bf5ca379d3345743151e606f3e911367b4ed
Reviewed-on: https://boringssl-review.googlesource.com/15364
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Robert Sloan <varomodt@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 19:03:01 +00:00
Adam Langley
778e5cedf0 Make the arguments to FIPS check_test consistent.
Change-Id: Ibd6b9b12b3b622f67f69da5c2add8b1b040882f1
Reviewed-on: https://boringssl-review.googlesource.com/15344
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 18:15:42 +00:00
Martin Kreichgauer
3975ecffc2 Add CAVP GCMVS Known Answer tests.
Change-Id: I8edf76cf608a1e94e8bfc57302ce9f8cb629b11b
Reviewed-on: https://boringssl-review.googlesource.com/15265
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 17:59:25 +00:00
David Benjamin
34a8aacb51 Remove remnants of multiprime RSA parsing.
Change-Id: Id6d0dc2a9766458bb08863111f509719ca8e5214
Reviewed-on: https://boringssl-review.googlesource.com/15369
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 17:49:46 +00:00
Adam Langley
0648129566 Move modes/ into the FIPS module
The changes to delocate.go are needed because modes/ does things like
return the address of a module function. Both of these need to be
changed from referencing the GOT to using local symbols.

Rather than testing whether |ghash| is |gcm_ghash_avx|, we can just keep
that information in a flag.

The test for |aesni_ctr32_encrypt_blocks| is more problematic, but I
believe that it's superfluous and can be dropped: if you passed in a
stream function that was semantically different from
|aesni_ctr32_encrypt_blocks| you would already have a bug because
|CRYPTO_gcm128_[en|de]crypt_ctr32| will handle a block at the end
themselves, and assume a big-endian, 32-bit counter anyway.

Change-Id: I68a84ebdab6c6006e11e9467e3362d7585461385
Reviewed-on: https://boringssl-review.googlesource.com/15064
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 17:46:37 +00:00
Adam Langley
a54ebffa76 Fix lower bound in e in FIPS RSA checking.
SP 800-89 5.3.3 references FIPS 186 for the bounds on e. I /think/
that's section B.3.1 which says:

  (b) The exponent e shall be an odd positive integer such that 2¹⁶ < e < 2²⁵⁶.

But that means that e has to be at least 17 bits. The check for
BN_is_odd ensures that 2¹⁶ itself is rejected.

Change-Id: Ib39f9d43032cbfe33317651c7b6eceb41b123291
Reviewed-on: https://boringssl-review.googlesource.com/15324
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 20:43:52 +00:00
Adam Langley
4b65693c7e Make runner ignore entropy warnings.
In FIPS mode we may print a message when we're waiting for additional
entropy. These warnings should not cause runner tests to fail.

Change-Id: I2beff64344fd2fce444576181f4234c4231de444
Reviewed-on: https://boringssl-review.googlesource.com/15266
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 19:54:04 +00:00
Martin Kreichgauer
44d40c5e2b Add NIST CAVP TMOVS Known Answer tests for TDES in CBC and ECB modes.
Specification:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-20.pdf

Also consolidate AESVS tests into fewer files.

Change-Id: I951b3c02891d6e4cb546b238831e2e093dc00645
Reviewed-on: https://boringssl-review.googlesource.com/15224
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 16:45:26 +00:00
Adam Langley
696b6b50b0 Fix several issues with prime numbers.
Firstly, FIPS 186-4 C.3.2 is broken for w=3. In step 4.1 it generates a
random, 2-bit number but in step 4.2 it rejects all four possible values
and loops forever.

Secondly, BN_is_prime_fasttext_ex is broken when trial division is
requested and the prime is small. It finds that the prime is a multiple
of a known prime and rejects it. We inherited this from OpenSSL.

Thirdly, we were missing a BN_CTX_start/end in
BN_enhanced_miller_rabin_primality_test, which didn't matter but could
have mattered in the future.

Change-Id: Ie988e37b14bb22acb005fc0652860be6bbd2a55f
Reviewed-on: https://boringssl-review.googlesource.com/15264
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 15:40:53 +00:00
Adam Langley
30bcb3bd28 Save time delocating when not using archive inputs.
If all the inputs are given as assembly files then we can skip rewriting
symbols for the first file. If this file is bcm.s (i.e. the large
compiler output), this can save a few seconds of build time.

Change-Id: I4e4ea114acb86cd93e831b23b58f8c3401bc711c
Reviewed-on: https://boringssl-review.googlesource.com/15149
Reviewed-by: Adam Langley <agl@google.com>
2017-04-19 18:52:55 +00:00
Adam Langley
1bd689d1fc Don't indirect our own BSS accessor functions.
delocate.go was adding redirector functions for the “_bss_get”
functions. (And they were going via the PLT too.)

Change-Id: I86bc9f0516a128a769068182cc280499f89b6c29
Reviewed-on: https://boringssl-review.googlesource.com/15148
Reviewed-by: Adam Langley <agl@google.com>
2017-04-19 18:52:46 +00:00
Adam Langley
e2a701ea1e Handle GOTTPOFF relocations in delocate.go
These relocations can be emitted for thread-local data. BoringSSL itself
doesn't include any thread-local variables that need linker support, but
ASAN and MSAN may inject these references in order to handle their own
bookkeeping.

Change-Id: I0c6e61d244be84d6bee5ccbf7c4ff4ea0f0b90fd
Reviewed-on: https://boringssl-review.googlesource.com/15147
Reviewed-by: Adam Langley <agl@google.com>
2017-04-19 18:36:49 +00:00
Steven Valdez
e5be1740be Add DRBG KAT for FIPS.
Change-Id: I7d54f2e01dac0d9baa5cf557efbc945955f357e7
Reviewed-on: https://boringssl-review.googlesource.com/15189
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-19 18:27:04 +00:00
Steven Valdez
13a129d301 Add 3DES KAT for FIPS.
Change-Id: Ic4ce05d1c797b8dbe3569bddd829d7c587295762
Reviewed-on: https://boringssl-review.googlesource.com/15188
Reviewed-by: Adam Langley <agl@google.com>
2017-04-19 18:09:51 +00:00
Steven Valdez
777fdd6443 Add RSA/ECDSA KAT for FIPS.
Change-Id: Ic11598d8d9f525f7859944441610f22ef1ba1e16
Reviewed-on: https://boringssl-review.googlesource.com/15187
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-19 17:38:02 +00:00
David Benjamin
378a08aa31 Add PKCS7_get_raw_certificates.
This is a version of PKCS7_get_certificates but does not require
crypto/x509.

BUG=54

Change-Id: I20152a8d1f3ed866d47e41fe576ea9f442490224
Reviewed-on: https://boringssl-review.googlesource.com/15129
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-19 17:30:31 +00:00
David Benjamin
6fdea2aba9 Move PKCS#7 functions into their own directory.
A follow-up change will add a CRYPTO_BUFFER variant. This makes the
naming match the header and doesn't require including x509.h. (Though
like ssl.h and pkcs8.h, some of the functions are implemented with code
that depends on crypto/x509.)

Change-Id: I5a7de209f4f775fe0027893f711326d89699ca1f
Reviewed-on: https://boringssl-review.googlesource.com/15128
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-19 17:24:51 +00:00
Alessandro Ghedini
de254b4c4e Enforce max_early_data_size on the server.
BUG=76

Change-Id: I8b754ba17b3e0beee425929e4b53785b2e95f0ae
Reviewed-on: https://boringssl-review.googlesource.com/15164
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-19 17:21:01 +00:00
Steven Valdez
5b6151df1d Add AES and SHA KAT for FIPS.
Change-Id: I381ea09705a8302078c40e5afcce5ebffcbe0a32
Reviewed-on: https://boringssl-review.googlesource.com/15184
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-18 23:50:12 +00:00
Matthew Braithwaite
97104afe9e generate_build_files: allow tests paths to mismatch test source paths.
This is occasioned by FIPS, which means that we now have, for example,
crypto/fipsmodule/aes_test using crypto/fipsmodule/aes/aes_test.cc.

Change-Id: I88d02cae07f05dc298c05107db28b62cefed8fe6
Reviewed-on: https://boringssl-review.googlesource.com/15207
Reviewed-by: Adam Langley <agl@google.com>
2017-04-18 23:48:31 +00:00
Steven Valdez
fc9f10f8fb Implement Enhanced Miller-Rabin primality test for FIPS.
Change-Id: I4968df9f37b450f0799ac7ca19900c7b909e7f6d
Reviewed-on: https://boringssl-review.googlesource.com/15127
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-18 20:02:28 +00:00
David Benjamin
6c7f6bfa97 Add linux_fips_noasm_asan.
Change-Id: Ie0468717da0eb876f3e3569b4733548a88bf0a02
Reviewed-on: https://boringssl-review.googlesource.com/15186
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-18 19:27:05 +00:00
Adam Langley
fb83bc32ae Fix possible infinite loop in delocate.go.
I had a brain-fart and had in mind that strings.Index(x[i:], _) would
return a value relative to the beginning of |x|, which is impossible.

Change-Id: I905ea1fa3469ea13f2e3b782c4baf2431b615a2f
Reviewed-on: https://boringssl-review.googlesource.com/15146
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-17 19:32:21 +00:00
David Benjamin
2c45fa0b90 Convert bytestring_test to GTest.
This also fixes TestGetUint to actually test CBS_get_last_u8's behavior.
Right now it can't distinguish CBS_get_last_u8 and CBS_get_u8.

BUG=129

Change-Id: Ie431bb1a828f1c6877938ba7e75c82305b54cf13
Reviewed-on: https://boringssl-review.googlesource.com/15007
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-17 14:19:47 +00:00
David Benjamin
76dd18008c Convert base64_test to GTest.
BUG=129

Change-Id: If91d97ea653177d55d5c703f091366ddce24da60
Reviewed-on: https://boringssl-review.googlesource.com/15006
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-17 14:14:17 +00:00
David Benjamin
1ddd6e5365 Make -loop survive errors.
This is otherwise rather annoying when testing things against a browser
which will usually throw up a cert error or so.

Change-Id: Ia587efae65764430e39e3eb604e434b5919530cb
Reviewed-on: https://boringssl-review.googlesource.com/15126
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-17 13:51:18 +00:00
Adam Langley
8c62d9dd8b Move AES code into the FIPS module.
Change-Id: Id94e71bce4dca25e77f52f38c07e0489ca072d2d
Reviewed-on: https://boringssl-review.googlesource.com/15027
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-14 23:28:00 +00:00
David Benjamin
536036abf4 Implement base64 in constant-time.
This is not actually sensible, but it seemed really funny. PEM files
sometimes carry private keys so, in principle, we'd probably prefer not
to leak the contents when we encode or decode them?

Change-Id: I7b056612bd7f22c28853bc89f56aee1f5103b8fb
Reviewed-on: https://boringssl-review.googlesource.com/15047
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-14 22:01:34 +00:00
Piotr Sikora
d075706ea5 Allow selecting ECDH curves in bssl tool.
Change-Id: Ie515386b7f3555a5acf42e37b49e9a831571cb4a
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/15065
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-14 21:50:04 +00:00
David Benjamin
71c21b4300 Add SSL_CTX_set_verify_algorithm_prefs.
When writing tests and BoGo isn't available, it is useful to be able to
configure the set of signature algorithms accepted on the verify side.
Add an API for this.

Change-Id: Ic873189da7f8853e412acd68614df9d9a872a0c8
Reviewed-on: https://boringssl-review.googlesource.com/15125
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-14 21:40:24 +00:00
David Benjamin
96bc12a494 Remove includeDHE from runner.go.
DHE ciphers no longer exist!

Change-Id: Id3826ae49164cc1071bc40ea4cf1c5aa451245d6
Reviewed-on: https://boringssl-review.googlesource.com/15124
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-14 21:26:04 +00:00
David Benjamin
783e095787 Recast ECDSA nonce hardening as DRBG additional data.
FIPS 186-4 prescribes a particular ECDSA nonce selection algorithm,
implemented by BN_range_range_ex. Recast our nonce hardening mechanism
as additional data to be passed into the RBG during that algorithm.

Change-Id: Ic16a10cd58fd7deb7461f0c109a698ea80faff00
Reviewed-on: https://boringssl-review.googlesource.com/15046
Reviewed-by: Adam Langley <agl@google.com>
2017-04-14 20:44:37 +00:00
David Benjamin
bc6a76b0e0 Align BN_rand_range_ex with FIPS 186-4.
Rather than comparing against both min and max, FIPS prefers comparing
with max - min and adding min. It also does not believe in using
3*range. Align with it, though our old algorithm trivially produces the
same probability distribution on values.

Change-Id: I447cc3608b92ba93706489d702b8d6a68047f491
Reviewed-on: https://boringssl-review.googlesource.com/15045
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-14 19:49:49 +00:00
Adam Langley
90ada2f4ec Implement a “continuous RNG test” in FIPS mode.
FIPS requires that the output of the entropy source be checked to ensure
that no two n-bit blocks are equal.

Change-Id: Ia086ca5c888770e0fd71ee052278f77b544b9983
Reviewed-on: https://boringssl-review.googlesource.com/14926
Reviewed-by: Adam Langley <agl@google.com>
2017-04-14 16:57:06 +00:00
Adam Langley
bc7daec4d8 In FIPS mode, block at start up until the kernel has sufficient entropy.
We already do this in the case that getrandom is supported. This change
adds a polling loop for the case where we are using /dev/urandom.

This makes FIPS imply Linux, which I think is fine for the time being.

Change-Id: I9bf5c0f51a908621655cbcc47fc86b0366168b97
Reviewed-on: https://boringssl-review.googlesource.com/14925
Reviewed-by: Adam Langley <agl@google.com>
2017-04-14 16:56:09 +00:00
Adam Langley
92f888e836 Make fork-unsafe buffering act via CTR-DRBG.
Fork-unsafe buffering was a mode that could be enabled by applications
that were sure that they didn't need to worry about state duplication.
It saved reads to urandom.

Since everything is now going through the CTR-DRBG, we can get the same
effect by simply not reading additional data from urandom in this case.

This change drops the buffering from urandom.c and, instead, implements
fork-unsafe buffering as a mode that skips reading additional data from
urandom, which only happened when RDRAND wasn't available anyway.

Since we expect the power-on self-tests to call into the PRNG, this
change also makes the flag capable of changing at any point by using a
mutex rather than a once. This is split into a separate file so that it
doesn't have to go into the FIPS module—since it uses r/w data that
would be a pain.

Change-Id: I5fd0ead0422e770e35758f080bb1cffa70d0c8da
Reviewed-on: https://boringssl-review.googlesource.com/14924
Reviewed-by: Adam Langley <agl@google.com>
2017-04-14 16:55:49 +00:00
Adam Langley
88bb8489db Switch to CTR-DRBG
Change-Id: If7c1033e0af35ad0dda17ea3b3a710b2d2aaa599
Reviewed-on: https://boringssl-review.googlesource.com/14892
Reviewed-by: Adam Langley <agl@google.com>
2017-04-14 16:54:56 +00:00
Adam Langley
730d69e159 Add CTR-DRBG.
This isn't actually used yet, but implements CTR-DRBG from SP 800-90Ar1.
Specifically, it always uses AES-256 and no derivation function.

Change-Id: Ie82b829590226addd7c165eac410a5d584858bfd
Reviewed-on: https://boringssl-review.googlesource.com/14891
Reviewed-by: Adam Langley <agl@google.com>
2017-04-14 16:54:40 +00:00
David Benjamin
11fa70396b Remove the last remnants of key_exchange_info.
DHE ciphers are gone, so we no longer need to clear drop the "group_id"
field there. That leaves static RSA, but:

- We mass-invalidated every serialized client session in
  364f7a6d21, long after we stopped
  filling in key_exchange_info on the client.

- Server sessions were not mass-invalidated, but static RSA
  key_exchange_info never worked on the server.

This means it is safe to remove this logic.

Change-Id: Id43b233cca066a81686be7c056c530ba8e89f761
Reviewed-on: https://boringssl-review.googlesource.com/15005
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-13 21:23:40 +00:00
Steven Valdez
a33e0fc932 Update Miller-Rabin iterations to use FIPS specification.
Change-Id: I73213b5d9f3ac67bab70e3d9a36a4b67c558f3f5
Reviewed-on: https://boringssl-review.googlesource.com/15044
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-13 21:21:10 +00:00