Commit Graph

1884 Commits

Author SHA1 Message Date
David Benjamin
eb599890b9 Add ECDSA2 KeyPair CAVP test driver.
Change-Id: I64533d2b4a6b075fa3ccea1abfd0ec5106673453
Reviewed-on: https://boringssl-review.googlesource.com/15704
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-01 19:17:23 +00:00
Adam Langley
b387e229a9 Add CTR-DRBG CAVP test driver.
Change-Id: I14c554eaf1e431271c5e981e2337b937c6cdf012
Reviewed-on: https://boringssl-review.googlesource.com/15645
Reviewed-by: Adam Langley <agl@google.com>
2017-05-01 18:03:52 +00:00
Adam Langley
58e449904e Move crypto/fipsoracle/ to the top-level.
This works better with util/generate_build_files.py.

Change-Id: Icb55dc74e0a004aca3e09978640455b66f0473ff
Reviewed-on: https://boringssl-review.googlesource.com/15648
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-28 23:55:42 +00:00
Steven Valdez
b8a3550f0f Add SHA CAVP test driver.
Change-Id: I1e5c209456d9fa5f1f743ffd4844b4f8f3fb777a
Reviewed-on: https://boringssl-review.googlesource.com/15665
Reviewed-by: Adam Langley <agl@google.com>
2017-04-28 23:42:46 +00:00
Martin Kreichgauer
61e8d36f84 fipsoracle: Add MCT test for AES.
Change-Id: I5e48e78f0cc9962bc0302fd9642789016c84945c
Reviewed-on: https://boringssl-review.googlesource.com/15646
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-28 23:30:29 +00:00
David Benjamin
0c292edb90 Add a CAVP tool for ECDSA2 SigVer tests.
Change-Id: If3510b207793870f330c8981ef8e996949042fdc
Reviewed-on: https://boringssl-review.googlesource.com/15668
Reviewed-by: Adam Langley <agl@google.com>
2017-04-28 21:54:29 +00:00
David Benjamin
7ed2e82e5a Consistently report an error on ECDSA verification failure.
This is a remnant of the ECDSA code returning a tri-state -1, 0, 1.

Change-Id: I8bd1fcd94e07dbffc650f414ebc19f30236378bd
Reviewed-on: https://boringssl-review.googlesource.com/15667
Reviewed-by: Adam Langley <agl@google.com>
2017-04-28 21:52:27 +00:00
David Benjamin
90801c125a Add a CAVP tool for ECDSA2 PKV tests.
Change-Id: I9729714a1f8ccae26edead33270202501559ac10
Reviewed-on: https://boringssl-review.googlesource.com/15666
Reviewed-by: Adam Langley <agl@google.com>
2017-04-28 21:51:31 +00:00
Adam Langley
aaa4045b04 Add tool to run CAVP tests.
Change-Id: If503b65de2879186b23ad148363b8ec8be4c611c
Reviewed-on: https://boringssl-review.googlesource.com/15644
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-28 16:49:43 +00:00
Martin Kreichgauer
7c12587994 Add crypto/fipsoracle.
This CL adds utility code to process NIST CAVP test vectors using the
existing FileTest code.

Also add binaries for processing AESAVS (AES) and GCMVS (AES-GCM) vector
files.

Change-Id: I8e5ebf751d7d4b5504bbb52f3e087b0065babbe0
Reviewed-on: https://boringssl-review.googlesource.com/15484
Reviewed-by: Adam Langley <agl@google.com>
2017-04-28 15:59:34 +00:00
Adam Langley
c1399186bf Handle pushing a pointer from the GOT.
When code wants to push a pointer from the GOT onto the stack, we don't
have any registers to play with. We do, however, know that the stack is
viable and thankfully Intel has an “xchg” instruction that avoids the
need for an intermediate register.

Change-Id: Iba7e4f0f4c9b43b3d994cf6cfc92837b312c7728
Reviewed-on: https://boringssl-review.googlesource.com/15625
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-28 15:37:39 +00:00
Adam Langley
c88f24596c Don't print message when waiting for urandom entropy.
This doesn't actually measure what we need(*) and, because of that, it's
way more noisy than expected.

(*) We want to know whether the pool has been initialised, not whether
it currently thinks it has a lot of bits, but we can't get what we want
without getrandom() support in the kernel.

Change-Id: I20accb99a592739c786a25c1656aeea050ae81a3
Reviewed-on: https://boringssl-review.googlesource.com/15624
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-27 21:38:21 +00:00
David Benjamin
def85b403d Revise OPENSSL_ia32cap_P strategy to avoid TEXTRELs.
OPENSSL_ia32cap_addr avoids any relocations within the module, at the
cost of a runtime TEXTREL, which causes problems in some cases.
(Notably, if someone links us into a binary which uses the GCC "ifunc"
attribute, the loader crashes.)

We add a OPENSSL_ia32cap_addr_delta symbol (which is reachable
relocation-free from the module) stores the difference between
OPENSSL_ia32cap_P and its own address.  Next, reference
OPENSSL_ia32cap_P in code as usual, but always doing LEAQ (or the
equivalent GOTPCREL MOVQ) into a register first. This pattern we can
then transform into a LEAQ and ADDQ on OPENSSL_ia32cap_addr_delta.

ADDQ modifies the FLAGS register, so this is only a safe transformation
if we safe and restore flags first. That, in turn, is only a safe
transformation if code always uses %rsp as a stack pointer (specifically
everything below the stack must be fair game for scribbling over). Linux
delivers signals on %rsp, so this should already be an ABI requirement.
Further, we must clear the red zone (using LEAQ to avoid touching FLAGS)
which signal handlers may not scribble over.

This also fixes the GOTTPOFF logic to clear the red zone.

Change-Id: I4ca6133ab936d5a13d5c8ef265a12ab6bd0073c9
Reviewed-on: https://boringssl-review.googlesource.com/15545
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-27 21:07:33 +00:00
David Benjamin
075875fbf6 Parse instructions more accurately.
Past the first word, the remaining arguments are usually separated by
commas. This avoids some of the awkward fixing up needed to extract
target registers, etc.

Change-Id: Id99b99e5160abf80e60afea96f2b46b53b55c9c5
Reviewed-on: https://boringssl-review.googlesource.com/15544
Reviewed-by: Adam Langley <agl@google.com>
2017-04-27 20:55:05 +00:00
David Benjamin
91871018a4 Add an OPENSSL_ia32cap_get() function for C code.
OPENSSL_ia32cap_addr avoids any relocations within the module, at the
cost of a runtime TEXTREL, which causes problems in some cases.
(Notably, if someone links us into a binary which uses the GCC "ifunc"
attribute, the loader crashes.)

Fix C references of OPENSSL_ia32cap_addr with a function. This is
analogous to the BSS getters. A follow-up commit will fix perlasm with a
different scheme which avoids calling into a function (clobbering
registers and complicating unwind directives.)

Change-Id: I09d6cda4cec35b693e16b5387611167da8c7a6de
Reviewed-on: https://boringssl-review.googlesource.com/15525
Reviewed-by: Adam Langley <agl@google.com>
2017-04-27 20:34:23 +00:00
David Benjamin
a5237972fa Don't test quite so many primes.
The test takes a little long to run. I've chopped it to primes up to
20,000. This ensures we still test some values out of range of the table
in crypto/bn/prime.c.

Also remove false comment in crypto/bn/prime.c.

Change-Id: I910015af9570b2f9f1c6c82dc61a0dbdfd24840b
Reviewed-on: https://boringssl-review.googlesource.com/15604
Reviewed-by: Adam Langley <agl@google.com>
2017-04-27 20:30:42 +00:00
David Benjamin
a684152a2f Downgrade BN_kronecker to bn_jacobi and unexport.
We only ever compute it for odd (actually, prime) modulus as part of
BN_mod_sqrt.

If we cared, we could probably drop this from most binaries. This is
used to when modular square root needs Tonelli-Shanks.  Modular square
root is only used for compressed coordinates. Of our supported curves
(I'm handwaiving away EC_GROUP_new_curve_GFp here[*]), only P-224 needs
the full Tonelli-Shanks algorithm (p is 1 mod 8). That computes the
Legendre symbol a bunch to find a non-square mod p. But p is known at
compile-time, so we can just hard-code a sample non-square.

Sadly, BN_mod_sqrt has some callers outside of crypto/ec, so there's
also that. Anyway, it's also not that large of a function.

[*] Glancing through SEC 2 and Brainpool, secp224r1 is the only curve
listed in either document whose prime is not either 3 mod 4 or 5 mod 8.
Even 5 mod 8 is rare: only secp224k1. It's unlikely anyone would notice
if we broke annoying primes. Though OpenSSL does support "WTLS" curves
which has an additional 1 mod 8 case.

Change-Id: If36aa78c0d41253ec024f2d90692949515356cd1
Reviewed-on: https://boringssl-review.googlesource.com/15425
Reviewed-by: Adam Langley <agl@google.com>
2017-04-27 20:29:47 +00:00
Matthew Braithwaite
fb383f0c3d delocate: replace "-as src1,src2,..." with "src1 src2 ...".
Not requiring the list of assembly sources to be comma-separated is
helpful to environments where the list would more naturally be
treated as a list.

Change-Id: I43b18cdbeed1dc7ad217ff61557ac55860f40733
Reviewed-on: https://boringssl-review.googlesource.com/15585
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-27 16:03:07 +00:00
David Benjamin
afd88c27f2 Allow embedders to replace gtest_main.cc.
Chromium's test infrastruction does not actually support GTest. It
requires a custom test runner in //base. Split gtest_main.cc up into a
gtest_main.h which defines a support function we maintain and a default
runner. Chromium's build will swap that file out for a custom one.

BUG=129

Change-Id: I3e39fe3a931b3051a61d5f8eef514ca6a504f11c
Reviewed-on: https://boringssl-review.googlesource.com/15564
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-26 15:47:02 +00:00
David Benjamin
d617e01cfa Fix fuzzer build.
Change-Id: Ice4e70b9b80a96c35877f1be5027ef0e7ad5513d
Reviewed-on: https://boringssl-review.googlesource.com/15504
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-25 16:42:28 +00:00
David Benjamin
01d65c27ec Convert spake25519_test to GTest.
BUG=129

Change-Id: I5f812c87d6a02f5b4de0d9153afe7399e124382b
Reviewed-on: https://boringssl-review.googlesource.com/15465
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-24 20:26:02 +00:00
David Benjamin
7d53128d35 Convert cmac_test to GTest.
BUG=129

Change-Id: I6578da36c4e9fb1464c79bf03b0a800ed25c7957
Reviewed-on: https://boringssl-review.googlesource.com/15464
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-24 20:25:22 +00:00
Alessandro Ghedini
2c1523733a Remove test vectors for old ChaCha20-Poly1305 AEAD.
Looks like this file was forgotten when the old suites were removed.

Change-Id: Ied8d82e23ae5db0257add3c18eee46ee1a366637
Reviewed-on: https://boringssl-review.googlesource.com/15444
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-24 14:43:18 +00:00
Matthew Braithwaite
f131301413 delocate: .size BORINGSSL_bcm_text_hash, not OPENSSL_ia32cap_addr.
Change-Id: I4e34dabe302f7dacdf04a89052ad9fe9254a1b81
Reviewed-on: https://boringssl-review.googlesource.com/15404
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-23 16:56:41 +00:00
David Benjamin
8da870a9e0 Fix build on android_aarch64.
Whether UCHAR_MAX expands to a signed or unsigned number appears to be a
matter of some debate. Or the Android headers are wrong. Just add a cast
and not think about it too hard.

Change-Id: I84e928bdfe459a9129cde276c82b60a318533552
Reviewed-on: https://boringssl-review.googlesource.com/15385
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:52:10 +00:00
David Benjamin
02ba1789a3 Avoid needless C gymnastics.
This can just be a bog-standard loop. The compiler should be plenty
smart enough to transform it into whatever it likes.

Change-Id: I7b782dd2a11902f6e5c9902d9624be26eee5c959
Reviewed-on: https://boringssl-review.googlesource.com/15366
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 22:51:47 +00:00
David Benjamin
1997ef22d7 Tidy up aesni_gcm_crypt logic.
CRYPTO_gcm128_init is currently assuming that it gets passed in
aesni_encrypt whenever it selects the AVX implementation. This is true,
but we can easily avoid this assumption by adding an extra boolean
input.

Change-Id: Ie7888323f0c93ff9df8f1cf3ba784fb35bb07076
Reviewed-on: https://boringssl-review.googlesource.com/15370
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:49:04 +00:00
Steven Valdez
1d134eee9a Add aes-(128|256)-gcm-fips-testonly mode for FIPS compatibility.
These modes do internal random IV generation and are unsuitable for
non-testing purposes.

Change-Id: I14b98af8f6cf43b4fc835a2b04a9b0425b7651b7
Reviewed-on: https://boringssl-review.googlesource.com/15244
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:45:39 +00:00
Steven Valdez
b1ffe0b36a Add primality checking for RSA_check_fips.
This also fixes the comments regarding BN_prime_checks to match the
security level guarantees provided by BN_prime_checks.

Change-Id: I8032e88680bf51e8876e134b4253ed26c2072617
Reviewed-on: https://boringssl-review.googlesource.com/15304
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
2017-04-21 22:38:31 +00:00
David Benjamin
7ce349ef26 Add a compiler test.
C leaves some details as implementation-defined. We only support
implementations which define things consistent with the obvious
representation on current machines.

Change-Id: I255a2e54a86c8a7d987dea51ea7168ad66ad9ddd
Reviewed-on: https://boringssl-review.googlesource.com/15305
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:33:14 +00:00
Steven Valdez
8ebc9eafec Update BN_enhanced_miller_rabin_primality_test to enforce preconditions and accept BN_prime_checks.
Change-Id: Ie4ac57d39bca46db33280c500a2092350ccdae67
Reviewed-on: https://boringssl-review.googlesource.com/15371
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 22:24:01 +00:00
Adam Langley
c86a230089 Allow raw object files to be passed into inject-hash.go.
CMake loves making archives, but that's not universal.

Change-Id: I5356b4701982748a46817e0094ad838605dcada6
Reviewed-on: https://boringssl-review.googlesource.com/15144
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:20:23 +00:00
Adam Langley
08c9b84410 Don't get confused by comments when recognising symbol definitions.
Change-Id: I7550beef400478913336aef62107024e499f075b
Reviewed-on: https://boringssl-review.googlesource.com/15346
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:12:38 +00:00
Adam Langley
518ba0772b Switch constant-time functions to using |crypto_word_t|.
Using |size_t| was correct, except for NaCl, which is a 64-bit build
with 32-bit pointers. In that configuration, |size_t| is smaller than
the native word size.

This change adds |crypto_word_t|, an unsigned type with native size and
switches constant-time functions to using it.

Change-Id: Ib275127063d5edbb7c55d413132711b7c74206b0
Reviewed-on: https://boringssl-review.googlesource.com/15325
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:06:05 +00:00
Adam Langley
947417a159 Handle BSS sections.
In some modes the compiler will emit a section for BSS symbols and
construct the values with labels, alignment and data instructions. This
change parses these sections and emits the local versions of each symbol
needed to make this work.

Change-Id: I8d43ffe4b5b734950aa4287a3dd7c0d2f191f2e4
Reviewed-on: https://boringssl-review.googlesource.com/15206
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:06:00 +00:00
Adam Langley
b0d864ee6d Be stricter about which sections are allowed in delocate.
We might want to back off on this in the future so that we don't upset
future compiler work but, for now, it's useful to know when we hit
something that we don't understand.

Change-Id: I763830b0ddcf5da20061fad673265d4a5855479c
Reviewed-on: https://boringssl-review.googlesource.com/15205
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:05:47 +00:00
Adam Langley
c2dce9c1d5 Have delocate process lines by pulling.
In order to better handle BSS sections, rather than having a single loop
over the lines and state flags, pull lines as needed. This means that
subfunctions can process sections of the input.

Also, stop bothering to move the init_array to the end, it's already put
into its own section.

Change-Id: I0e62930c65d29baecb39ba0d8bbc21f2da3bde56
Reviewed-on: https://boringssl-review.googlesource.com/15204
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:41 +00:00
Adam Langley
11f11e6f49 Sort lists of asm files and tests.
Change-Id: Ice5d43d87fee7eda1be01c997901697170c09d83
Reviewed-on: https://boringssl-review.googlesource.com/15145
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:36 +00:00
Adam Langley
7784104dd8 Move much of rand/ into the FIPS module.
Support for platforms that we don't support FIPS on doesn't need to be
in the module. Also, functions for dealing with whether fork-unsafe
buffering is enabled are left out because they aren't implementing any
cryptography and they use global r/w state, making their inclusion
painful.

Change-Id: I71a0123db6f5449e9dfc7ec7dea0944428e661aa
Reviewed-on: https://boringssl-review.googlesource.com/15084
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:18 +00:00
David Benjamin
f3d3cee4fe Avoid messing with dummy functions in delocate.go.
With some optimisation settings, Clang was loading
BORINGSSL_bcm_text_hash with AVX2 instructions, which weren't getting
translated correctly. This seems to work and is less fragile.

The compiler just emits an leaq here. This is because it knows the
symbol is hidden (in the shared library sense), so it needn't go through
GOTPCREL. The assembler would have added a relocation, were the symbol
left undefined, but since we define the symbol later on, it all works
out without a relocation.

Were the symbol not hidden, the compiler would have emitted a movq by
way of GOTPCREL, but we can now translate those away anyway.

Change-Id: I442a22f4f8afaadaacbab7044f946a963ebfc46c
Reviewed-on: https://boringssl-review.googlesource.com/15384
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 21:42:44 +00:00
David Benjamin
23ebe09eab Return int from bn_wexpand, not BIGNUM*.
Change-Id: I47d9b1eb256099057ed1158afe76b89758c963bb
Reviewed-on: https://boringssl-review.googlesource.com/15365
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 20:07:13 +00:00
David Benjamin
6c679e1b3b Tidy up primality code.
We BN_cmp with 1 at the top, so the absolute value code never runs.
This simplifies the BN_CTX business considerably. Also add a test for
negative prime numbers.

Change-Id: I500a56bc285c2f75576947cfb518e75c9e6861ce
Reviewed-on: https://boringssl-review.googlesource.com/15367
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 19:04:21 +00:00
David Benjamin
fc674c82c3 Unexport bn_correct_top and bn_wexpand.
Thanks to Rob Sloan for clearing out Android's uses of these functions.
I forgot we can hide these now.

BUG=97

Change-Id: I9bc7bf5ca379d3345743151e606f3e911367b4ed
Reviewed-on: https://boringssl-review.googlesource.com/15364
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Robert Sloan <varomodt@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 19:03:01 +00:00
Adam Langley
778e5cedf0 Make the arguments to FIPS check_test consistent.
Change-Id: Ibd6b9b12b3b622f67f69da5c2add8b1b040882f1
Reviewed-on: https://boringssl-review.googlesource.com/15344
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 18:15:42 +00:00
Martin Kreichgauer
3975ecffc2 Add CAVP GCMVS Known Answer tests.
Change-Id: I8edf76cf608a1e94e8bfc57302ce9f8cb629b11b
Reviewed-on: https://boringssl-review.googlesource.com/15265
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 17:59:25 +00:00
David Benjamin
34a8aacb51 Remove remnants of multiprime RSA parsing.
Change-Id: Id6d0dc2a9766458bb08863111f509719ca8e5214
Reviewed-on: https://boringssl-review.googlesource.com/15369
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-21 17:49:46 +00:00
Adam Langley
0648129566 Move modes/ into the FIPS module
The changes to delocate.go are needed because modes/ does things like
return the address of a module function. Both of these need to be
changed from referencing the GOT to using local symbols.

Rather than testing whether |ghash| is |gcm_ghash_avx|, we can just keep
that information in a flag.

The test for |aesni_ctr32_encrypt_blocks| is more problematic, but I
believe that it's superfluous and can be dropped: if you passed in a
stream function that was semantically different from
|aesni_ctr32_encrypt_blocks| you would already have a bug because
|CRYPTO_gcm128_[en|de]crypt_ctr32| will handle a block at the end
themselves, and assume a big-endian, 32-bit counter anyway.

Change-Id: I68a84ebdab6c6006e11e9467e3362d7585461385
Reviewed-on: https://boringssl-review.googlesource.com/15064
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 17:46:37 +00:00
Adam Langley
a54ebffa76 Fix lower bound in e in FIPS RSA checking.
SP 800-89 5.3.3 references FIPS 186 for the bounds on e. I /think/
that's section B.3.1 which says:

  (b) The exponent e shall be an odd positive integer such that 2¹⁶ < e < 2²⁵⁶.

But that means that e has to be at least 17 bits. The check for
BN_is_odd ensures that 2¹⁶ itself is rejected.

Change-Id: Ib39f9d43032cbfe33317651c7b6eceb41b123291
Reviewed-on: https://boringssl-review.googlesource.com/15324
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 20:43:52 +00:00
Martin Kreichgauer
44d40c5e2b Add NIST CAVP TMOVS Known Answer tests for TDES in CBC and ECB modes.
Specification:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-20.pdf

Also consolidate AESVS tests into fewer files.

Change-Id: I951b3c02891d6e4cb546b238831e2e093dc00645
Reviewed-on: https://boringssl-review.googlesource.com/15224
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 16:45:26 +00:00
Adam Langley
696b6b50b0 Fix several issues with prime numbers.
Firstly, FIPS 186-4 C.3.2 is broken for w=3. In step 4.1 it generates a
random, 2-bit number but in step 4.2 it rejects all four possible values
and loops forever.

Secondly, BN_is_prime_fasttext_ex is broken when trial division is
requested and the prime is small. It finds that the prime is a multiple
of a known prime and rejects it. We inherited this from OpenSSL.

Thirdly, we were missing a BN_CTX_start/end in
BN_enhanced_miller_rabin_primality_test, which didn't matter but could
have mattered in the future.

Change-Id: Ie988e37b14bb22acb005fc0652860be6bbd2a55f
Reviewed-on: https://boringssl-review.googlesource.com/15264
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-20 15:40:53 +00:00