boringssl/crypto/fipsmodule
Adam Langley a6a049a6fb Add start of infrastructure for checking constant-time properties.
Valgrind's checking of uninitialised memory behaves very much like a
check for constant-time code: branches and memory indexes based on
uninitialised memory trigger warnings. Therefore, if we can tell
Valgrind that some secret is “uninitialised”, it'll give us a warning if
we do something non-constant-time with it.

This was the idea behind https://github.com/agl/ctgrind. But tricks like
that are no longer needed because Valgrind now comes with support for
marking regions of memory as defined or not. Therefore we can use that
API to check constant-time code.

This CL defines |CONSTTIME_SECRET| and |CONSTTIME_DECLASSIFY|, which are
no-ops unless the code is built with
|BORINGSSL_CONSTANT_TIME_VALIDATION| defined, which it isn't by default.
So this CL is a no-op itself so far. But it does show that a couple of
bits of constant-time time are, in fact, constant-time—seemingly even
when compiled with optimisations, which is nice.

The annotations in the RSA code are a) probably not marking all the
secrets as secret, and b) triggers warnings that are a little
interesting:

The anti-glitch check calls |BN_mod_exp_mont| which checks that the
input is less than the modulus. Of course, it is because the input is
the RSA plaintext that we just decrypted, but the plaintext is supposed
to be secret and so branching based on its contents isn't allows by
Valgrind. The answer isn't totally clear, but I've run out of time on
this for now.

Change-Id: I1608ed0b22d201e97595fafe46127159e02d5b1b
Reviewed-on: https://boringssl-review.googlesource.com/c/33504
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
2018-12-18 22:43:02 +00:00
..
aes Patch out the XTS implementation in bsaes. 2018-12-12 22:27:13 +00:00
bn Remove cacheline striping in copy_from_prebuf. 2018-11-19 19:10:09 +00:00
cipher Eliminate |OPENSSL_ia32cap_P| in C code in the FIPS module. 2018-12-06 00:58:14 +00:00
des Move OPENSSL_FALLTHROUGH to internal headers. 2018-01-29 18:17:57 +00:00
digest Match OpenSSL's EVP_MD_CTX_reset return value. 2018-05-29 17:07:16 +00:00
ec Eliminate |OPENSSL_ia32cap_P| in C code in the FIPS module. 2018-12-06 00:58:14 +00:00
ecdh Clean up EC_POINT to byte conversions. 2018-11-13 17:27:59 +00:00
ecdsa Modernize OPENSSL_COMPILE_ASSERT, part 2. 2018-11-14 16:06:37 +00:00
hmac Switch OPENSSL_VERSION_NUMBER to 1.1.0. 2017-09-29 04:51:27 +00:00
md4 Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
md5 Mark the C version of md5_block_data_order static. 2018-09-07 20:00:12 +00:00
modes Speculatively remove __STDC_*_MACROS. 2018-11-14 16:14:37 +00:00
policydocs Include details about latest FIPS certification. 2018-11-05 19:03:25 +00:00
rand Modernize OPENSSL_COMPILE_ASSERT, part 2. 2018-11-14 16:06:37 +00:00
rsa Add start of infrastructure for checking constant-time properties. 2018-12-18 22:43:02 +00:00
self_check Always print some diagnostic information when POST fails. 2018-09-28 19:33:38 +00:00
sha Remove XOP code from sha512-x86_64.pl. 2018-12-04 01:10:32 +00:00
tls Fix include path. 2018-05-08 16:26:05 +00:00
bcm.c Always print some diagnostic information when POST fails. 2018-09-28 19:33:38 +00:00
CMakeLists.txt Revert "Revert "Speed up ECDSA verify on x86-64."" 2018-11-07 23:57:22 +00:00
delocate.h Use a pool of |rand_state| objects. 2018-07-06 21:25:37 +00:00
FIPS.md Include details about latest FIPS certification. 2018-11-05 19:03:25 +00:00
intcheck1.png
intcheck2.png Inject FIPS hash without running module. 2017-04-12 23:09:38 +00:00
intcheck3.png
is_fips.c Add some more compatibility functions. 2018-05-08 20:51:15 +00:00