Commit Graph

4270 Commits

Author SHA1 Message Date
David Benjamin
6da9eaeef1 Bound expensive opcodes in ssl_ctx_api.
The fuzzers are timing out on inputs that spam SSL_CTX_add1_chain_cert
and SSL_CTX_get0_chain_certs. In our current X509* caching
implementation, this can be quadratic. As this is an API fuzzer, not an
actual attack surface, this is not of much interest in itself, but
bounding this will let the fuzzers fuzz faster.

Change-Id: I3e27e938c413e5a0e8e6c7fad641f17c152dac39
Reviewed-on: https://boringssl-review.googlesource.com/16887
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-05 21:49:27 +00:00
David Benjamin
6758d043bb Convert bn_test to GTest.
BUG=129

Change-Id: I21570257c2f40a2c65587d30dbf249a546aa7d8e
Reviewed-on: https://boringssl-review.googlesource.com/16885
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-05 21:45:07 +00:00
David Benjamin
a51912f7fe p256-x86_64-asm.pl: minor sqr_montx cleanup.
Drop some redundant instructions in reduction in ecp_nistz256_sqr_montx.

(Imported from upstream's 8fc063dcc9668589fd95533d25932396d60987f9.)

I believe this is a no-op for us as we do not currently enable the
ADX-based optimizations.

Change-Id: I34a5f5ffb965d59c67f6b9f0ca7937e49ba6e820
Reviewed-on: https://boringssl-review.googlesource.com/16884
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-05 18:37:55 +00:00
Kári Tristan Helgason
2b56981b64 Move pkcs{7,8}_test over to gtest
BUG=129

Change-Id: I1fef45d662743e7210f93e4dc1bae0c55f75d3fe
Reviewed-on: https://boringssl-review.googlesource.com/16864
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-02 16:53:41 +00:00
Piotr Sikora
e345f9b6d5 Fix typo in comments.
Change-Id: Ie88363c4f02016ee743b37a79e76432823b948a0
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/16844
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-02 13:55:47 +00:00
Adam Langley
cd334a54ca Handle TOC offsets by giving them to the linker.
An offset > 2^15 would exceed the range of an addi immediate on ppc64le.
Thus, rather than add the offset after loading the TOC reference, have
different tocloader functions for each (symbol, offset) pair. In this
case, the linker can handle large offsets by changing the value of
foo+offset@toc@ha accordingly.

Change-Id: Iac1481bccaf55fb0c2b080eedebaf11befdae465
Reviewed-on: https://boringssl-review.googlesource.com/16784
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-01 21:29:23 +00:00
David Benjamin
733f46e84f Test unaligned input with each AEAD.
Change-Id: I6671b238a221898ccf7dc608a5ac19b991f07ab5
Reviewed-on: https://boringssl-review.googlesource.com/16805
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-01 19:08:20 +00:00
Adam Langley
c5e9ac1cac Move AES-GCM-SIV out from SMALL and handle unaligned keys.
In order to use AES-GCM-SIV in the open-source QUIC boxer, it needs to
be moved out from OPENSSL_SMALL. (Hopefully the linker can still discard
it in the vast majority of cases.)

Additionally, the input to the key schedule function comes from outside
and may not be aligned, thus we need to use unaligned instructions to
read it.

Change-Id: I02c261fe0663d13a96c428174943c7e5ac8415a7
Reviewed-on: https://boringssl-review.googlesource.com/16824
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-01 18:45:06 +00:00
David Benjamin
6757fbf8e3 Convert a number of tests to GTest.
BUG=129

Change-Id: Ifcdacb2f5f59fd03b757f88778ceb1e672208fd9
Reviewed-on: https://boringssl-review.googlesource.com/16744
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-01 17:02:13 +00:00
Adam Langley
b22e15c33c Fix platforms that don't define UINT64_MAX.
Change-Id: I4b41db30d9c5b280ce20ed4cf2812488c1275395
Reviewed-on: https://boringssl-review.googlesource.com/16785
Reviewed-by: Adam Langley <agl@google.com>
2017-06-01 02:57:52 +00:00
Adam Langley
2c84a469b0 Make test_fips more chatty.
This tool exists to demo each of the supported FIPS actions in the
module. This change just makes it more chatty so that it's more obvious
what it's doing when you run it.

Change-Id: I99add6348afd3e3d6497e7111be2de73927d87af
Reviewed-on: https://boringssl-review.googlesource.com/16767
Reviewed-by: Adam Langley <agl@google.com>
2017-06-01 00:06:39 +00:00
Adam Langley
c655cb7bf9 Break hwrand as well as urandom when FIPS_BREAK_TEST=CRNG is set.
Without this, trying to trigger the CRNGT on a system with RDRAND won't
work.

Change-Id: I0658a1f045620a2800df36277f67305bc0efff8b
Reviewed-on: https://boringssl-review.googlesource.com/16766
Reviewed-by: Adam Langley <agl@google.com>
2017-06-01 00:06:31 +00:00
Adam Langley
b89e025cfa Clarify the error message for an ECDSA power-on test failure.
We want to clarify that this isn't the PWCT that FIPS generally means,
but rather the power-on self-test. Since ECDSA is non-deterministic, we
have to implement that power-on self-test as a PWCT, but we have a
different flag to break that actual PWCT.

Change-Id: I3e27c6a6b0483a6c04e764d6af8a4a863e0b8b77
Reviewed-on: https://boringssl-review.googlesource.com/16765
Reviewed-by: Adam Langley <agl@google.com>
2017-06-01 00:05:55 +00:00
Adam Langley
0ffc795efb Clear PRNG states in FIPS mode.
FIPS requires that the CTR-DRBG state be zeroed on process exit, however
destructors for thread-local data aren't called when the process exits.

This change maintains a linked-list of thread-local state which is
walked on exit to zero each thread's PRNG state. Any concurrently
running threads block until the process finishes exiting.

Change-Id: Ie5dc18e1bb2941a569d8b309411cf20c9bdf52ef
Reviewed-on: https://boringssl-review.googlesource.com/16764
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-31 23:39:53 +00:00
Adam Langley
d79bc9d397 Echo CAVP comments in the output.
Comments in CAVP are semantically important and we need to copy them
from the input to the output.

Change-Id: Ib798c4ad79de924487d0c4a0f8fc16b757e766d8
Reviewed-on: https://boringssl-review.googlesource.com/16725
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-30 23:02:14 +00:00
Adam Langley
563924bebd Switch CAVP testing for AES-GCM to use external nonces.
Change-Id: I5a46917695d28b98cb274573d427126a2e8f7879
Reviewed-on: https://boringssl-review.googlesource.com/16724
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-30 19:14:29 +00:00
David Benjamin
592af53963 Clarify toc@ha and offsets.
At first I thought something was wrong, but some experiments with GCC
and digging into relocation definitions confirmed things were fine. In
doing so, tweak the comments so the offset is written more clearly. Both
offset+foo@toc@l and foo@toc@l+offset bind apply the @l after adding the
offset, but it's slightly less confusing with the former spelling.

Change-Id: I43b2c0b8855f64ac6ca4d95ae85bec680a19bc1c
Reviewed-on: https://boringssl-review.googlesource.com/16705
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-30 19:01:54 +00:00
David Benjamin
7f07fb2b5a Fix standalone ppc64le build.
Change-Id: Ia1e5a21ec777181a0ba4e8833b201e5a70330cf2
Reviewed-on: https://boringssl-review.googlesource.com/16684
Reviewed-by: Adam Langley <agl@google.com>
2017-05-30 18:21:37 +00:00
Adam Langley
f64a6eeaf0 Switch to new delocate tool.
Most importantly, this version of delocate works for ppc64le. It should
also work for x86-64, but will need significant testing to make sure
that it covers all the cases that the previous delocate.go covered.

It's less stringtastic than the old code, however the parser isn't as
nice as I would have liked. I thought that the reason we put up with
AT&T syntax with Intel is so that assembly syntax could be somewhat
consistent across platforms. At least for ppc64le, that does not appear
to be the case.

Change-Id: Ic7e3c6acc3803d19f2c3ff5620c5e39703d74212
Reviewed-on: https://boringssl-review.googlesource.com/16464
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-30 18:00:16 +00:00
Steven Valdez
2f3404bb81 Enforce incrementing counter for TLS 1.2 AES-GCM.
Change-Id: I7e790bc176369f2a57cc486c3dc960971faf019d
Reviewed-on: https://boringssl-review.googlesource.com/16625
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-26 20:06:36 +00:00
Matthew Braithwaite
2d04cf08cb Test with IPv6 by default, and IPv4 only if that fails.
Change-Id: I1a17860245b7726a24576f5e1bddb0645171f28e
Reviewed-on: https://boringssl-review.googlesource.com/16486
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-25 23:49:52 +00:00
Adam Langley
7c075b99e2 Change ppc64le AES code for FIPS.
The symbol “rcon” should be local in order to avoid collisions and it's
much easier on delocate if some of the expressions are evalulated in
Perl rather than left in the resulting .S file.

Also fix the perlasm style so the symbols are actually local.

Change-Id: Iddfc661fc3a6504bcc5732abaa1174da89ad805e
Reviewed-on: https://boringssl-review.googlesource.com/16524
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-25 22:02:22 +00:00
Tom Anderson
68f84f5c40 Add missing dependencies on exe_and_shlib_deps
Corresponding Chrome CL:
https://codereview.chromium.org/2899403004/

BUG=chromium:723069

Change-Id: I0ab9c104263d12e8251adf60d89ad19cf0436785
Reviewed-on: https://boringssl-review.googlesource.com/16664
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-25 17:26:44 +00:00
David Benjamin
806e18c022 Define OPENSSL_UNUSED for __clang__ as well.
Windows Clang needs this in the stack case too, but it doesn't define
__GNUC__ since it's emulating MSVC.

Change-Id: I646550ca95240e80822adddc2b53c3b58c2ec4a6
Reviewed-on: https://boringssl-review.googlesource.com/16644
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-25 17:01:16 +00:00
David Benjamin
59e1a81871 Turn off clang-format in embed_test_data.go output.
Chromium's tooling is unhappy.

Change-Id: Iefa70ceca5b62cc65f19ee46a33068139b79b3fc
Reviewed-on: https://boringssl-review.googlesource.com/16624
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-24 20:04:33 +00:00
Andreas Auernhammer
e7d3922b43 Improve Curve25519 cswap x64 assembly
This change replace the cmovq scheme with slightly faster SSE2 code.
The SSE2 code was first introduced in Go's curve25519 implementation.
See: https://go-review.googlesource.com/c/39693/

The implementation is basicly copied from the Go assembly.

Change-Id: I25931a421ba141ce33809875699f048b0941c061
Reviewed-on: https://boringssl-review.googlesource.com/16564
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-23 22:51:48 +00:00
David Benjamin
d94682dce5 Remove ex_data's dup hook.
The only place it is used is EC_KEY_{dup,copy} and no one calls that
function on an EC_KEY with ex_data. This aligns with functions like
RSAPublicKey_dup which do not copy ex_data. The logic is also somewhat
subtle in the face of malloc errors (upstream's PR 3323).

In fact, we'd even changed the function pointer signature from upstream,
so BoringSSL-only code is needed to pass this pointer in anyway. (I
haven't switched it to CRYPTO_EX_unused because there are some callers
which pass in an implementation anyway.)

Note, in upstream, the dup hook is also used for SSL_SESSIONs when those
are duplicated (for TLS 1.2 ticket renewal or TLS 1.3 resumption). Our
interpretation is that callers should treat those SSL_SESSIONs
equivalently to newly-established ones. This avoids every consumer
providing a dup hook and simplifies the interface.

(I've gone ahead and removed the TODO(fork). I don't think we'll be able
to change this API. Maybe introduce a new one, but it may not be worth
it? Then again, this API is atrocious... I've never seen anyone use argl
and argp even.)

BUG=21

Change-Id: I6c9e9d5a02347cb229d4c084c1e85125bd741d2b
Reviewed-on: https://boringssl-review.googlesource.com/16344
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-23 22:43:59 +00:00
Adam Langley
21cb0744bb Add tool for corrupting the FIPS module in a binary.
This is for demonstrating an integrity check failure.

Change-Id: I4b52b1aa5450f5dec024f381863aeed92b5e9ce0
Reviewed-on: https://boringssl-review.googlesource.com/16465
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Reviewed-by: Adam Langley <alangley@gmail.com>
2017-05-23 22:41:14 +00:00
David Benjamin
03c6fa4426 AES-GCM is not defined for empty nonces.
It shouldn't have been defined for variable-length nonces at all, but so
it goes. EVP_CIPHER rejected this by way of EVP_CTRL_GCM_SET_IVLEN
comparing <= 0, but the EVP_AEAD API did not.

I've done the test in a separate file on the assumption that aead_test
will become GTest shortly, at which point it will be easy to stick extra
tests into the same file as the FileTest ones.

Thanks to Daniel Bleichenbacher and Thanh Bui of Project Wycheproof for
the report.

Change-Id: Ic4616b39a1d7fe74a1f14fb58cccec2ce7c4f2f3
Reviewed-on: https://boringssl-review.googlesource.com/16544
Reviewed-by: Adam Langley <agl@google.com>
2017-05-23 22:36:06 +00:00
David Benjamin
e324de004a Convert various tests to GTest.
BUG=129

Change-Id: I4a501fa620b7b5b4c585731ec1ece94407e9b727
Reviewed-on: https://boringssl-review.googlesource.com/16510
Reviewed-by: Adam Langley <agl@google.com>
2017-05-23 22:34:09 +00:00
David Benjamin
8c2e8282ab Convert ed25519_test to GTest.
BUG=129

Change-Id: I784a745f102d9d09d35b27542d94b2b85dfb332e
Reviewed-on: https://boringssl-review.googlesource.com/16508
Reviewed-by: Adam Langley <agl@google.com>
2017-05-23 22:33:55 +00:00
David Benjamin
3ecd0a5fca Convert aes_test to GTest.
This introduces machinery to start embedding the test data files into
the crypto_test binary. Figuring out every CI's test data story is more
trouble than is worth it. The GTest FileTest runner is considerably
different from the old one:

- It returns void and expects failures to use the GTest EXPECT_* and
  ASSERT_* macros, rather than ExpectBytesEqual. This is more monkey
  work to convert, but ultimately less work to add new tests. I think
  it's also valuable for our FileTest and normal test patterns to align
  as much as possible. The line number is emitted via SCOPED_TRACE.

- I've intentionally omitted the Error attribute handling, since that
  doesn't work very well with the new callback. This means evp_test.cc
  will take a little more work to convert, but this is again to keep our
  two test patterns aligned.

- The callback takes a std::function rather than a C-style void pointer.
  This means we can go nuts with lambdas. It also places the path first
  so clang-format doesn't go nuts.

BUG=129

Change-Id: I0d1920a342b00e64043e3ea05f5f5af57bfe77b3
Reviewed-on: https://boringssl-review.googlesource.com/16507
Reviewed-by: Adam Langley <agl@google.com>
2017-05-23 22:33:25 +00:00
David Benjamin
8726d8fe0c Make the Windows build slightly quieter.
Change-Id: I6914691628c5ece4564be2bf60e17484081188fe
Reviewed-on: https://boringssl-review.googlesource.com/16509
Reviewed-by: Adam Langley <agl@google.com>
2017-05-22 22:50:04 +00:00
David Benjamin
1f1eeeade2 Allow FileTest to read from an abstracted line reader.
In GTest, we'll just burn the files into the binary and not worry about
this. Apparently test files is a one of computer science's great
unsolved problems and everyone has their own special-snowflake way of
doing it. Burning them into the executable is easier.

BUG=129

Change-Id: Ib39759ed4dba6eb9ba97f0282f000739ddf931fe
Reviewed-on: https://boringssl-review.googlesource.com/16506
Reviewed-by: Adam Langley <agl@google.com>
2017-05-22 22:35:49 +00:00
David Benjamin
ef374b8692 Remove ECDSA error code hack in evp_test.
This is no longer necessary as of
7ed2e82e5a.

Change-Id: I02d4df0bc92bf3c5826e9e4f27ce153ae419c258
Reviewed-on: https://boringssl-review.googlesource.com/16505
Reviewed-by: Adam Langley <agl@google.com>
2017-05-22 22:34:26 +00:00
David Benjamin
dfef2081f3 Remove FileTest::SetIgnoreUnusedAttributes.
This is no longer used.

Change-Id: I74bf2ffff5260cdbf1356e8628fa4f9a667217e8
Reviewed-on: https://boringssl-review.googlesource.com/16504
Reviewed-by: Adam Langley <agl@google.com>
2017-05-22 22:34:12 +00:00
David Benjamin
01f8a8c2d5 Convert stack.h to use inline functions.
Instead of a script which generates macros, emit static inlines in
individual header (or C files). This solves a few issues with the
original setup:

- The documentation was off. We match the documentation now.

- The stack macros did not check constness; see some of the fixes in
  crypto/x509.

- Type errors did not look like usual type errors.

- Any type which participated in STACK_OF had to be made partially
  public. This allows stack types to be defined an internal header or
  even an individual file.

- One could not pass sk_FOO_free into something which expects a function
  pointer.

Thanks to upstream's 411abf2dd37974a5baa54859c1abcd287b3c1181 for the
idea.

Change-Id: Ie5431390ccad761c17596b0e93941b0d7a68f904
Reviewed-on: https://boringssl-review.googlesource.com/16087
Reviewed-by: Adam Langley <agl@google.com>
2017-05-22 15:06:04 +00:00
Matthew Braithwaite
894e20039d Add missing #include of delocate.h.
Change-Id: I7bf485a9bfe0d7b7a3dc3081f86278fee87b8c74
Reviewed-on: https://boringssl-review.googlesource.com/16485
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-20 01:29:32 +00:00
Adam Langley
429e85b516 Have a single function for FIPS test failures.
Change-Id: Iab7a738a8981de7c56d1585050e78699cb876dab
Reviewed-on: https://boringssl-review.googlesource.com/16467
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-18 20:33:55 +00:00
Adam Langley
5f107ce4d8 Prefer RDRAND in FIPS mode.
This change causes FIPS mode to use RDRAND in preference to the kernel's
entropy pool. This prevents issues where the ioctl that we have to do
when getrandom isn't supported transiently reports that the pool is
“empty” and causes us to block.

Change-Id: Iad50e443d88b168bf0b85fe1e91e153d79ab3703
Reviewed-on: https://boringssl-review.googlesource.com/16466
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-18 20:32:45 +00:00
David Benjamin
d55bd797eb Fix SSL_COMP_get_compression_methods type signature.
We returned the wrong type, but with a typedef which made it void*. In
C++, void* to T* doesn't implicitly convert, so it doesn't quite work
right. Notably, Node passes it into sk_SSL_COMP_zero. The sk_* macros
only weakly typecheck right now, but a pending CL converts them to
proper functions.

Change-Id: I635d1e39e4f4f11b2b7bf350115a7f1b1be30e4f
Reviewed-on: https://boringssl-review.googlesource.com/16447
Reviewed-by: Adam Langley <agl@google.com>
2017-05-18 15:49:31 +00:00
David Benjamin
250542312b Convert digest_test to GTest.
BUG=129

Change-Id: I7ce961f136b9c63cd02a364d6a78fd875c240d25
Reviewed-on: https://boringssl-review.googlesource.com/16446
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-18 14:50:06 +00:00
Martin Kreichgauer
118355c6f0 fipstools: Add a sample binary that exercises methods from the FIPS module.
Also allow breaking ECDSA/RSA pair-wise consistency tests and ECDSA
self-test.

Change-Id: I1c7723f6082568ebf93158cfaa184cbdeb7480a0
Reviewed-on: https://boringssl-review.googlesource.com/16305
Reviewed-by: Adam Langley <agl@google.com>
2017-05-18 00:00:33 +00:00
David Benjamin
c49c9e7e61 Optimize constant-time base64 implementation slightly.
Rather than comparing against both endpoints, subtract the minimum and
rely on unsigned wraparound to do both comparisons at once. This seems
to be slightly faster.

In addition, constant_time_lt_8 becomes much simpler if it can assume
that |a| and |b| have the same MSB. But we can arrange that by casting
up to |crypto_word_t| (which is otherwise happening anyway).

Change-Id: I82bd676e487eb7bb079ba7286df724c1c380bbb4
Reviewed-on: https://boringssl-review.googlesource.com/16445
Reviewed-by: Adam Langley <agl@google.com>
2017-05-17 23:11:47 +00:00
David Benjamin
a4f7cc206f Don't call base64_ascii_to_bin twice on each byte.
With the constant-time base64 decode, base64_ascii_to_bin is a bit more
expensive. This check is redundant with the one in base64_decode_quad,
though it does mean syntax error reporting will be slightly deferred by
four bytes.

Change-Id: I71f23ea23feba2ee5b41df79ce09026fb56996d3
Reviewed-on: https://boringssl-review.googlesource.com/16444
Reviewed-by: Adam Langley <agl@google.com>
2017-05-17 23:09:40 +00:00
David Benjamin
b3aaffae15 Add a -no-fax option to run_cavp.
At some point we'll need to run this against an actual run, where FAX
files are unavailable.

Change-Id: I244bdb6608faf78f321d7016416bbad0486fd0b6
Reviewed-on: https://boringssl-review.googlesource.com/16424
Reviewed-by: Adam Langley <agl@google.com>
2017-05-17 23:08:50 +00:00
Steven Valdez
467d3220f8 Add FIPS-compliant key generation that calls check_fips for RSA and EC.
Change-Id: Ie466b7b55bdd679c5baf2127bd8de4a5058fc3b7
Reviewed-on: https://boringssl-review.googlesource.com/16346
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-17 16:30:48 +00:00
Alessandro Ghedini
1ac4f16fe9 tool: don't explicitly disable SSLv3 in the server
Since SSLv3 is disabled by default now this is not needed anymore, but
it makes enabling SSLv3 using -min-version impossible.

At some point this should be removed anyway (when SSLv3 support is
removed), so might as well do it now and fix this tiny problem.

Change-Id: Ie3f7453b5b5198f33fcc4d4294102f116b8843ae
Reviewed-on: https://boringssl-review.googlesource.com/16404
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-17 15:18:38 +00:00
Adam Langley
208e239371 Move OPENSSL_ASAN to base.h.
Saves having it in several places.

Change-Id: I329e1bf4dd4a7f51396e36e2604280fcca32b58c
Reviewed-on: https://boringssl-review.googlesource.com/16026
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-16 20:16:52 +00:00
David Benjamin
4dcc290eb0 Fix GOTPCREL accesses to symbols defined outside the module.
5c38c05b26 caused foo@GOTPCREL for
external foo to resolve to bcm_redirector_foo. This is morally
equivalent to using foo@PLT when a pointer to foo is needed. But this
does not work if foo is data. Notably, this ended up mangling
OPENSSL_ia32cap_P because it failed to recognize it as an symbol in the
library (but external to the module). It also mangles some things that
ASan emits.

(It also breaks non-NULL function pointer comparisons, but those are
silly.)

Instead, apply a variation of the OPENSSL_ia32cap_addr_delta trick that
works for the GOT. "addr_delta" is really weird, so I'm calling this an
"external relocation". This causes fprintf(stderr) to work and also
seems to keep ASan compiling. I was unable to reproduce the case that
5c38c05b26 added the bcm_redirector_foo
transform for.

Also tighten up the pattern. No need to reference a bit of memory twice
since we just loaded it into a register.

Change-Id: If5520fc0887e83e23a08828e40fbbed9e47d912e
Reviewed-on: https://boringssl-review.googlesource.com/16345
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-15 23:33:15 +00:00