Commit Graph

71 Commits

Author SHA1 Message Date
Adam Langley
7c075b99e2 Change ppc64le AES code for FIPS.
The symbol “rcon” should be local in order to avoid collisions and it's
much easier on delocate if some of the expressions are evalulated in
Perl rather than left in the resulting .S file.

Also fix the perlasm style so the symbols are actually local.

Change-Id: Iddfc661fc3a6504bcc5732abaa1174da89ad805e
Reviewed-on: https://boringssl-review.googlesource.com/16524
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-25 22:02:22 +00:00
David Benjamin
d94682dce5 Remove ex_data's dup hook.
The only place it is used is EC_KEY_{dup,copy} and no one calls that
function on an EC_KEY with ex_data. This aligns with functions like
RSAPublicKey_dup which do not copy ex_data. The logic is also somewhat
subtle in the face of malloc errors (upstream's PR 3323).

In fact, we'd even changed the function pointer signature from upstream,
so BoringSSL-only code is needed to pass this pointer in anyway. (I
haven't switched it to CRYPTO_EX_unused because there are some callers
which pass in an implementation anyway.)

Note, in upstream, the dup hook is also used for SSL_SESSIONs when those
are duplicated (for TLS 1.2 ticket renewal or TLS 1.3 resumption). Our
interpretation is that callers should treat those SSL_SESSIONs
equivalently to newly-established ones. This avoids every consumer
providing a dup hook and simplifies the interface.

(I've gone ahead and removed the TODO(fork). I don't think we'll be able
to change this API. Maybe introduce a new one, but it may not be worth
it? Then again, this API is atrocious... I've never seen anyone use argl
and argp even.)

BUG=21

Change-Id: I6c9e9d5a02347cb229d4c084c1e85125bd741d2b
Reviewed-on: https://boringssl-review.googlesource.com/16344
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-23 22:43:59 +00:00
David Benjamin
03c6fa4426 AES-GCM is not defined for empty nonces.
It shouldn't have been defined for variable-length nonces at all, but so
it goes. EVP_CIPHER rejected this by way of EVP_CTRL_GCM_SET_IVLEN
comparing <= 0, but the EVP_AEAD API did not.

I've done the test in a separate file on the assumption that aead_test
will become GTest shortly, at which point it will be easy to stick extra
tests into the same file as the FileTest ones.

Thanks to Daniel Bleichenbacher and Thanh Bui of Project Wycheproof for
the report.

Change-Id: Ic4616b39a1d7fe74a1f14fb58cccec2ce7c4f2f3
Reviewed-on: https://boringssl-review.googlesource.com/16544
Reviewed-by: Adam Langley <agl@google.com>
2017-05-23 22:36:06 +00:00
David Benjamin
3ecd0a5fca Convert aes_test to GTest.
This introduces machinery to start embedding the test data files into
the crypto_test binary. Figuring out every CI's test data story is more
trouble than is worth it. The GTest FileTest runner is considerably
different from the old one:

- It returns void and expects failures to use the GTest EXPECT_* and
  ASSERT_* macros, rather than ExpectBytesEqual. This is more monkey
  work to convert, but ultimately less work to add new tests. I think
  it's also valuable for our FileTest and normal test patterns to align
  as much as possible. The line number is emitted via SCOPED_TRACE.

- I've intentionally omitted the Error attribute handling, since that
  doesn't work very well with the new callback. This means evp_test.cc
  will take a little more work to convert, but this is again to keep our
  two test patterns aligned.

- The callback takes a std::function rather than a C-style void pointer.
  This means we can go nuts with lambdas. It also places the path first
  so clang-format doesn't go nuts.

BUG=129

Change-Id: I0d1920a342b00e64043e3ea05f5f5af57bfe77b3
Reviewed-on: https://boringssl-review.googlesource.com/16507
Reviewed-by: Adam Langley <agl@google.com>
2017-05-23 22:33:25 +00:00
Matthew Braithwaite
894e20039d Add missing #include of delocate.h.
Change-Id: I7bf485a9bfe0d7b7a3dc3081f86278fee87b8c74
Reviewed-on: https://boringssl-review.googlesource.com/16485
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-20 01:29:32 +00:00
Adam Langley
429e85b516 Have a single function for FIPS test failures.
Change-Id: Iab7a738a8981de7c56d1585050e78699cb876dab
Reviewed-on: https://boringssl-review.googlesource.com/16467
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-18 20:33:55 +00:00
Adam Langley
5f107ce4d8 Prefer RDRAND in FIPS mode.
This change causes FIPS mode to use RDRAND in preference to the kernel's
entropy pool. This prevents issues where the ioctl that we have to do
when getrandom isn't supported transiently reports that the pool is
“empty” and causes us to block.

Change-Id: Iad50e443d88b168bf0b85fe1e91e153d79ab3703
Reviewed-on: https://boringssl-review.googlesource.com/16466
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-18 20:32:45 +00:00
Martin Kreichgauer
118355c6f0 fipstools: Add a sample binary that exercises methods from the FIPS module.
Also allow breaking ECDSA/RSA pair-wise consistency tests and ECDSA
self-test.

Change-Id: I1c7723f6082568ebf93158cfaa184cbdeb7480a0
Reviewed-on: https://boringssl-review.googlesource.com/16305
Reviewed-by: Adam Langley <agl@google.com>
2017-05-18 00:00:33 +00:00
Steven Valdez
467d3220f8 Add FIPS-compliant key generation that calls check_fips for RSA and EC.
Change-Id: Ie466b7b55bdd679c5baf2127bd8de4a5058fc3b7
Reviewed-on: https://boringssl-review.googlesource.com/16346
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-17 16:30:48 +00:00
Adam Langley
208e239371 Move OPENSSL_ASAN to base.h.
Saves having it in several places.

Change-Id: I329e1bf4dd4a7f51396e36e2604280fcca32b58c
Reviewed-on: https://boringssl-review.googlesource.com/16026
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-16 20:16:52 +00:00
Martin Kreichgauer
866c219432 crypto/fipsmodule: Allow breaking CRNG self-test.
Change-Id: I3d1ddc8cca9fb1da5d0b6a68ba2125c89e5bc0ce
Reviewed-on: https://boringssl-review.googlesource.com/16304
Commit-Queue: Martin Kreichgauer <martinkr@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-12 18:43:09 +00:00
David Benjamin
391cc8c7a1 Move FIPS build tools to util/fipstools.
This makes things a little easier for some of our tooling.

Change-Id: Ia7e73daf0a5150b106cf9b03b10cae194cb8fc5a
Reviewed-on: https://boringssl-review.googlesource.com/15104
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-05-12 15:08:46 +00:00
David Benjamin
583c12ea97 Remove filename argument to x86 asm_init.
43e5a26b53 removed the .file directive
from x86asm.pl. This removes the parameter from asm_init altogether. See
also upstream's e195c8a2562baef0fdcae330556ed60b1e922b0e.

Change-Id: I65761bc962d09f9210661a38ecf6df23eae8743d
Reviewed-on: https://boringssl-review.googlesource.com/16247
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-12 14:58:27 +00:00
Martin Kreichgauer
0402f89448 crypto/fipsmodule: Make more Known Answer Tests breakable.
This allows breaking Known Answer Tests for AES-GCM, DES, SHA-1,
SHA-256, SHA-512, RSA signing and DRBG as required by FIPS.

Change-Id: I8e59698a5048656021f296195229a09ca5cd767c
Reviewed-on: https://boringssl-review.googlesource.com/16088
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-10 18:36:00 +00:00
David Benjamin
f99d2c6141 Remove obsolete TODO.
This has since been done.

Change-Id: I498f845fa4ba3d1c04a5892831be4b07f31536d4
Reviewed-on: https://boringssl-review.googlesource.com/16124
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-10 15:17:10 +00:00
Matthew Braithwaite
20d202bb0e unrandom: #define _GNU_SOURCE, for syscall().
This is needed when unrandom.c is compiled on its own.

Change-Id: Ia46e06d267c097e5fa0296092a7270a4cd0b2044
Reviewed-on: https://boringssl-review.googlesource.com/16085
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-09 17:41:17 +00:00
Adam Langley
e838cfb51f Add a way to break one of the KAT tests.
This is required by FIPS testing.

Change-Id: Ia399a0bf3d03182499c0565278a3713cebe771e3
Reviewed-on: https://boringssl-review.googlesource.com/16044
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-09 16:48:37 +00:00
David Benjamin
0d5b886ef8 Switch BN_generate_dsa_nonce's hash back to SHA-512/256.
SHA-512 is faster to calculate on 64-bit systems and that's what we were
using before. (Though, realistically, this doesn't show up at all.)

Change-Id: Id4f386ca0b5645a863b36405eef03bc62d0f29b3
Reviewed-on: https://boringssl-review.googlesource.com/16006
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-08 22:00:48 +00:00
Adam Langley
4c7b3bfd73 Switch integrity hash to SHA-512.
SHA-512 is faster to calculate on 64-bit systems and we're only
targetting 64-bit systems with FIPS.

Change-Id: I5e9b8419ad4ddc72ec682c4193ffb17975d228e5
Reviewed-on: https://boringssl-review.googlesource.com/16025
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-08 20:36:20 +00:00
Adam Langley
238148a8f6 Don't indicate FIPS mode when built with ASAN.
ASAN prevents the integrity test from running, so don't indicate FIPS
mode in that case.

Change-Id: I14c79e733e53ef16f164132bc1fded871ce3f133
Reviewed-on: https://boringssl-review.googlesource.com/16024
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-08 19:51:14 +00:00
Adam Langley
c0485d67f4 Teach delocate.go to handle loading function pointers into XMM registers.
Sadly, LEA cannot target XMM registers.

Change-Id: I5f4245b5df1625ba3ea7ebf7ccf6dcceb9dab1d9
Reviewed-on: https://boringssl-review.googlesource.com/15988
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-08 17:26:20 +00:00
David Benjamin
4323e22793 Tidy up FIPS module dependencies.
This avoids depending the FIPS module on crypto/bytestring and moves
ECDSA_SIG_{new,free} into the module.

Change-Id: I7b45ef07f1140873a0da300501141b6ae272a5d9
Reviewed-on: https://boringssl-review.googlesource.com/15984
Reviewed-by: Adam Langley <agl@google.com>
2017-05-05 23:10:24 +00:00
Matthew Braithwaite
45dd8a04f5 Add missing #includes of delocate.h.
Change-Id: I48adda9909ded195005c4f8277f153d4dbd2bfec
Reviewed-on: https://boringssl-review.googlesource.com/15987
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-05 22:41:30 +00:00
Adam Langley
2e2a226ac9 Move cipher/ into crypto/fipsmodule/
Change-Id: Id65e0988534056a72d9b40cc9ba5194e2d9b8a7c
Reviewed-on: https://boringssl-review.googlesource.com/15904
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-05 22:39:40 +00:00
Michael Ryleev
a90044a463 Bypass building fipsmodule/rand/urandom.c when builing for Trusty
Change-Id: Icf1d6ec9d3fb33a124a9f61c75d29248a2582680
Reviewed-on: https://boringssl-review.googlesource.com/15964
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-05 17:21:23 +00:00
Adam Langley
96dec443d9 Move rsa/ to fipsmodule/rsa/
Change-Id: Id20d371ae7a88a91aaba7a9e23574eccb9caeb3c
Reviewed-on: https://boringssl-review.googlesource.com/15849
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-04 21:22:39 +00:00
Adam Langley
aacb72c1b7 Move ec/ and ecdsa/ into fipsmodule/
The names in the P-224 code collided with the P-256 code and thus many
of the functions and constants in the P-224 code have been prefixed.

Change-Id: I6bcd304640c539d0483d129d5eaf1702894929a8
Reviewed-on: https://boringssl-review.googlesource.com/15847
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-04 20:27:23 +00:00
Adam Langley
73eb3a9d22 Undefine some macros in bn/
I forgot to scrub these files when they moved and their macros are
currently leaking into other files. This isn't a problem, but does
prevent ec/ code from being moved into the module at the moment.

Change-Id: I5433fb043e90a03ae3dc5c38cb3a69563aada007
Reviewed-on: https://boringssl-review.googlesource.com/15845
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-02 22:11:50 +00:00
David Benjamin
ca62bee964 Don't emit a redirector for OPENSSL_ia32cap_get.
Another synthesized function which may be referenced directly.

Change-Id: Ic75fe66ce7244246a2d4a707b6a5fee24cac6941
Reviewed-on: https://boringssl-review.googlesource.com/15831
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-02 21:23:23 +00:00
David Benjamin
fa839dcac0 Don't depend on crypto/bytestring for ECDSA self-tests.
This will let us keep CBS/CBB out of the module. It also makes the PWCT
actually use a hard-coded public key since kEC was using the
private-key-only serialization.

Change-Id: I3769fa26fc789c4797a56534df73f810cf5441c4
Reviewed-on: https://boringssl-review.googlesource.com/15830
Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 21:09:51 +00:00
David Benjamin
09ffa773dd Don't depend on crypto/bytestring for RSA self-tests.
This will let us keep CBS/CBB out of the module.

Change-Id: I780de0fa2c102cf27eee2cc242ee23740fbc16ce
Reviewed-on: https://boringssl-review.googlesource.com/15829
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-02 21:09:03 +00:00
David Benjamin
05821b0ee3 Consistently check length in RSA_add_pkcs1_prefix.
We check the length for MD5+SHA1 but not the normal cases. Instead,
EVP_PKEY_sign externally checks the length (largely because the silly
RSA-PSS padding function forces it). We especially should be checking
the length for these because otherwise the prefix built into the ASN.1
prefix is wrong.

The primary motivation is to avoid putting EVP_PKEY inside the FIPS
module. This means all logic for supported algorithms should live in
crypto/rsa.

This requires fixing up the verify_recover logic and some tests,
including bcm.c's KAT bits.

(evp_tests.txt is now this odd mixture of EVP-level and RSA-level error
codes. A follow-up change will add new APIs for RSA-PSS which will allow
p_rsa.c to be trimmed down and make things consistent.)

Change-Id: I29158e9695b28e8632b06b449234a5dded35c3e7
Reviewed-on: https://boringssl-review.googlesource.com/15824
Reviewed-by: Adam Langley <agl@google.com>
2017-05-02 20:29:47 +00:00
Adam Langley
8a3a2a99b2 Move des/ to crypto/fipsmodule/
Change-Id: I167b7045c537d95294d387936f3d7bad530e1c6f
Reviewed-on: https://boringssl-review.googlesource.com/15844
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-02 19:21:02 +00:00
Adam Langley
5c38c05b26 Move bn/ into crypto/fipsmodule/
Change-Id: I68aa4a740ee1c7f2a308a6536f408929f15b694c
Reviewed-on: https://boringssl-review.googlesource.com/15647
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-05-01 22:51:25 +00:00
Adam Langley
c1399186bf Handle pushing a pointer from the GOT.
When code wants to push a pointer from the GOT onto the stack, we don't
have any registers to play with. We do, however, know that the stack is
viable and thankfully Intel has an “xchg” instruction that avoids the
need for an intermediate register.

Change-Id: Iba7e4f0f4c9b43b3d994cf6cfc92837b312c7728
Reviewed-on: https://boringssl-review.googlesource.com/15625
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-28 15:37:39 +00:00
Adam Langley
c88f24596c Don't print message when waiting for urandom entropy.
This doesn't actually measure what we need(*) and, because of that, it's
way more noisy than expected.

(*) We want to know whether the pool has been initialised, not whether
it currently thinks it has a lot of bits, but we can't get what we want
without getrandom() support in the kernel.

Change-Id: I20accb99a592739c786a25c1656aeea050ae81a3
Reviewed-on: https://boringssl-review.googlesource.com/15624
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-27 21:38:21 +00:00
David Benjamin
def85b403d Revise OPENSSL_ia32cap_P strategy to avoid TEXTRELs.
OPENSSL_ia32cap_addr avoids any relocations within the module, at the
cost of a runtime TEXTREL, which causes problems in some cases.
(Notably, if someone links us into a binary which uses the GCC "ifunc"
attribute, the loader crashes.)

We add a OPENSSL_ia32cap_addr_delta symbol (which is reachable
relocation-free from the module) stores the difference between
OPENSSL_ia32cap_P and its own address.  Next, reference
OPENSSL_ia32cap_P in code as usual, but always doing LEAQ (or the
equivalent GOTPCREL MOVQ) into a register first. This pattern we can
then transform into a LEAQ and ADDQ on OPENSSL_ia32cap_addr_delta.

ADDQ modifies the FLAGS register, so this is only a safe transformation
if we safe and restore flags first. That, in turn, is only a safe
transformation if code always uses %rsp as a stack pointer (specifically
everything below the stack must be fair game for scribbling over). Linux
delivers signals on %rsp, so this should already be an ABI requirement.
Further, we must clear the red zone (using LEAQ to avoid touching FLAGS)
which signal handlers may not scribble over.

This also fixes the GOTTPOFF logic to clear the red zone.

Change-Id: I4ca6133ab936d5a13d5c8ef265a12ab6bd0073c9
Reviewed-on: https://boringssl-review.googlesource.com/15545
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-27 21:07:33 +00:00
David Benjamin
075875fbf6 Parse instructions more accurately.
Past the first word, the remaining arguments are usually separated by
commas. This avoids some of the awkward fixing up needed to extract
target registers, etc.

Change-Id: Id99b99e5160abf80e60afea96f2b46b53b55c9c5
Reviewed-on: https://boringssl-review.googlesource.com/15544
Reviewed-by: Adam Langley <agl@google.com>
2017-04-27 20:55:05 +00:00
David Benjamin
91871018a4 Add an OPENSSL_ia32cap_get() function for C code.
OPENSSL_ia32cap_addr avoids any relocations within the module, at the
cost of a runtime TEXTREL, which causes problems in some cases.
(Notably, if someone links us into a binary which uses the GCC "ifunc"
attribute, the loader crashes.)

Fix C references of OPENSSL_ia32cap_addr with a function. This is
analogous to the BSS getters. A follow-up commit will fix perlasm with a
different scheme which avoids calling into a function (clobbering
registers and complicating unwind directives.)

Change-Id: I09d6cda4cec35b693e16b5387611167da8c7a6de
Reviewed-on: https://boringssl-review.googlesource.com/15525
Reviewed-by: Adam Langley <agl@google.com>
2017-04-27 20:34:23 +00:00
Matthew Braithwaite
fb383f0c3d delocate: replace "-as src1,src2,..." with "src1 src2 ...".
Not requiring the list of assembly sources to be comma-separated is
helpful to environments where the list would more naturally be
treated as a list.

Change-Id: I43b18cdbeed1dc7ad217ff61557ac55860f40733
Reviewed-on: https://boringssl-review.googlesource.com/15585
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-27 16:03:07 +00:00
Matthew Braithwaite
f131301413 delocate: .size BORINGSSL_bcm_text_hash, not OPENSSL_ia32cap_addr.
Change-Id: I4e34dabe302f7dacdf04a89052ad9fe9254a1b81
Reviewed-on: https://boringssl-review.googlesource.com/15404
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-23 16:56:41 +00:00
David Benjamin
1997ef22d7 Tidy up aesni_gcm_crypt logic.
CRYPTO_gcm128_init is currently assuming that it gets passed in
aesni_encrypt whenever it selects the AVX implementation. This is true,
but we can easily avoid this assumption by adding an extra boolean
input.

Change-Id: Ie7888323f0c93ff9df8f1cf3ba784fb35bb07076
Reviewed-on: https://boringssl-review.googlesource.com/15370
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:49:04 +00:00
Adam Langley
c86a230089 Allow raw object files to be passed into inject-hash.go.
CMake loves making archives, but that's not universal.

Change-Id: I5356b4701982748a46817e0094ad838605dcada6
Reviewed-on: https://boringssl-review.googlesource.com/15144
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:20:23 +00:00
Adam Langley
08c9b84410 Don't get confused by comments when recognising symbol definitions.
Change-Id: I7550beef400478913336aef62107024e499f075b
Reviewed-on: https://boringssl-review.googlesource.com/15346
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:12:38 +00:00
Adam Langley
518ba0772b Switch constant-time functions to using |crypto_word_t|.
Using |size_t| was correct, except for NaCl, which is a 64-bit build
with 32-bit pointers. In that configuration, |size_t| is smaller than
the native word size.

This change adds |crypto_word_t|, an unsigned type with native size and
switches constant-time functions to using it.

Change-Id: Ib275127063d5edbb7c55d413132711b7c74206b0
Reviewed-on: https://boringssl-review.googlesource.com/15325
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:06:05 +00:00
Adam Langley
947417a159 Handle BSS sections.
In some modes the compiler will emit a section for BSS symbols and
construct the values with labels, alignment and data instructions. This
change parses these sections and emits the local versions of each symbol
needed to make this work.

Change-Id: I8d43ffe4b5b734950aa4287a3dd7c0d2f191f2e4
Reviewed-on: https://boringssl-review.googlesource.com/15206
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:06:00 +00:00
Adam Langley
b0d864ee6d Be stricter about which sections are allowed in delocate.
We might want to back off on this in the future so that we don't upset
future compiler work but, for now, it's useful to know when we hit
something that we don't understand.

Change-Id: I763830b0ddcf5da20061fad673265d4a5855479c
Reviewed-on: https://boringssl-review.googlesource.com/15205
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:05:47 +00:00
Adam Langley
c2dce9c1d5 Have delocate process lines by pulling.
In order to better handle BSS sections, rather than having a single loop
over the lines and state flags, pull lines as needed. This means that
subfunctions can process sections of the input.

Also, stop bothering to move the init_array to the end, it's already put
into its own section.

Change-Id: I0e62930c65d29baecb39ba0d8bbc21f2da3bde56
Reviewed-on: https://boringssl-review.googlesource.com/15204
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:41 +00:00
Adam Langley
11f11e6f49 Sort lists of asm files and tests.
Change-Id: Ice5d43d87fee7eda1be01c997901697170c09d83
Reviewed-on: https://boringssl-review.googlesource.com/15145
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:36 +00:00
Adam Langley
7784104dd8 Move much of rand/ into the FIPS module.
Support for platforms that we don't support FIPS on doesn't need to be
in the module. Also, functions for dealing with whether fork-unsafe
buffering is enabled are left out because they aren't implementing any
cryptography and they use global r/w state, making their inclusion
painful.

Change-Id: I71a0123db6f5449e9dfc7ec7dea0944428e661aa
Reviewed-on: https://boringssl-review.googlesource.com/15084
Reviewed-by: Adam Langley <agl@google.com>
2017-04-21 22:03:18 +00:00