Merge BoringSSL through d605df5b6f8462c1f3005da82d718ec067f46b70 #1659

Merged
merged 74 commits into from
Sep 29, 2023
a7f83c4
Don't make assumptions about GCM128_CONTEXT layout in aesv8-gcm-armv8.pl
davidben May 2, 2023
62f9751
Don't make assumptions about GCM128_CONTEXT layout in aesni-gcm-x86_6…
davidben May 2, 2023
e7c3f47
Remove H from GCM128_KEY
davidben May 2, 2023
85e6453
Remove unions in polyval implementation
davidben May 2, 2023
1b724a6
Align Kyber names with draft-tls-westerbaan-xyber768d00
davidben May 3, 2023
2e565ef
Clarify that X25519 also supports EVP_PKEY_new_raw_private_key, etc
davidben May 4, 2023
5e988c4
Rename EC_RAW_POINT to EC_JACOBIAN
davidben May 3, 2023
5b32e81
Remove unions in GCM implementation
davidben May 2, 2023
6d55dc3
Add APIs to support RSA keys with large e.
davidben May 5, 2023
4d30888
Add a more general mechanism for deprecating TLS ciphers
davidben Apr 21, 2023
722f5d8
Fix PKCS8Test to not rely on RSA-512
davidben May 5, 2023
b1c6f45
Add back support for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
agl May 3, 2023
a972b78
Add APIs to query a list of possible strings for TLS features
davidben May 5, 2023
2aae3f5
Bump the minimum supported MSVC version to VS2019
davidben May 5, 2023
c6dd304
Remove unions in BLAKE2b implementation
davidben May 3, 2023
4540c3c
OpenBSD Support
bob-beck Mar 8, 2023
4137759
Update build tools
davidben May 11, 2023
bf80254
Update googletest
davidben May 11, 2023
e24491a
acvptool: implement pipelining.
Nov 25, 2022
b92fcfd
Cap the input size to the conf fuzzer
davidben May 11, 2023
c215ce7
Use a helper function to implement get_all_foo_names functions.
May 8, 2023
c1f5d79
Add a multi-threaded mode to bssl speed
davidben Mar 4, 2023
706846d
Add documentation for X509_STORE_CTX_set_verify_cb and friends
Apr 19, 2023
15a0c9a
Remove now redundant RSA test
davidben May 12, 2023
786554f
Check public components in freeze_private_key
davidben May 12, 2023
dd9ee60
Reject RSA keys under 512 bits
davidben May 11, 2023
5b845de
Use Windows Interlocked* APIs for refcounts when C11 isn't available
davidben Jan 8, 2023
8a85012
Remove the lock-based atomics fallback
davidben Jan 8, 2023
a05691d
Add an atomics library to crypto/internal.h
davidben Jan 9, 2023
1599fea
Remove read locks from PRNG steady state
davidben Jan 9, 2023
2eaf070
Add a thread test for ex_data
davidben May 13, 2023
dd52194
Fix RAND_enable_fork_unsafe_buffering when called after fork
davidben Jan 9, 2023
47b2fef
Update hkdf.c to avoid potentially vulnerable code pattern.
May 17, 2023
74a75b3
Add a comment about the Chromium sandbox for macOS sysctls
davidben May 18, 2023
8abcb6f
Don't include <stdatomic.h> in C++
davidben May 19, 2023
b0251b1
Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA by default
davidben Apr 21, 2023
f712c86
Avoid locks in CRYPTO_free_ex_data
davidben May 22, 2023
cf3851c
acvptool: clean up better.
agl May 23, 2023
8c7e925
Bound STACK_OF(T) sizes by int
davidben May 23, 2023
89a6253
Add int casts as needed around STACK_OF(T) sizes and indices
davidben May 23, 2023
7e56051
Miscellaneous size_t truncation fixes
davidben May 23, 2023
83a6ba1
Test the CONF parser more extensively
davidben May 23, 2023
5aefcba
Remove some unnecessary NULL checks in conf.c.
davidben May 23, 2023
f31b45d
Remove some unreachable character types in the CONF parser
davidben May 23, 2023
825bec8
Remove variable expansion from CONF fuzzer
davidben May 24, 2023
5fcd47d
Add prefetch to aes_hw_ctr32_encrypt_blocks
TocarIP May 22, 2023
da757e6
Add constant-time validation for curve25519
davidben May 24, 2023
e30750c
Add an ABI test for x25519_NEON
davidben May 25, 2023
b0a026f
add rust bindings for ed25519
May 12, 2023
4631ccc
Remove SSL_CIPHER_get_value
davidben May 27, 2023
2da5ba9
Align on using the "group" over "curve" for ECDH in TLS
davidben May 27, 2023
335523a
Align remaining TLS ECDH APIs on "group" terminology
davidben May 27, 2023
6cf9820
Align NIDs vs group IDs in TLS group APIs
davidben May 27, 2023
55b069d
Add a value barrier when checking for point doubling.
davidben May 26, 2023
be0fdf7
Constant-time test that X25519 has a single path.
andres-erbsen May 30, 2023
28c2409
Define TLSEXT_nid_unknown
davidben Jun 1, 2023
e106b53
Remove BN_DEC_FMT2 and test the others
davidben Jun 1, 2023
b034104
Make BN_mod_inverse() deal with repeated arguments
botovq Jun 2, 2023
4a0393f
Add SHA256 and SHA512 bindings to bssl-crypto
Jun 1, 2023
d605df5
Use packed representation for large Curve25519 table
andres-erbsen May 24, 2023
1d14b3d
Partial merge of BoringSSL 'a7f83c4': Don't make assumptions about GC…
briansmith Sep 28, 2023
1414264
Merge BoringSSL '62f9751': Don't make assumptions about GCM128_CONTEX…
briansmith Sep 28, 2023
784fa29
Merge BoringSSL 'e7c3f47': Remove H from GCM128_KEY.
briansmith Sep 28, 2023
ae630da
Ignore BoringSSL '85e6453'..'825bec8'.
briansmith Sep 29, 2023
ece6692
NFC: Remove no-longer-relevant comment.
briansmith Sep 29, 2023
e17b48d
Take BoringSSL '5fcd47d': Add prefetch to aes_hw_ctr32_encrypt_blocks.
briansmith Sep 29, 2023
30171c0
Partial merge of BoringSSL 'da757e6': Add constant-time validation fo…
briansmith Sep 29, 2023
12d7b06
Ignore BoringSSL 'e30750c'..'6cf9820'.
briansmith Sep 29, 2023
03de1fa
Merge BoringSSL '55b069d': Add a value barrier when checking for poin…
briansmith Sep 29, 2023
8e3548f
Ignore BoringSSL 'be0fdf7'..'4a0393f'
briansmith Sep 29, 2023
2270dc6
Rename crypto_word back to crypto_word_t.
briansmith Sep 29, 2023
2d8fbe0
Import currently-unused utilities in crypto/internal.h
briansmith Sep 29, 2023
7b59320
Merge BoringSSL 'd605df5': Use packed representation for large Curve2…
briansmith Sep 29, 2023
2e6d759
NFC: Remove dead code from syncing with BoringSSL.
briansmith Sep 29, 2023
20 changes: 10 additions & 10 deletions crypto/constant_time_test.c
@@ -47,9 +47,9 @@

int bssl_constant_time_test_main(void);

static int test_binary_op_w(crypto_word (*op)(crypto_word a, crypto_word b),
crypto_word a, crypto_word b, int is_true) {
crypto_word c = op(a, b);
static int test_binary_op_w(crypto_word_t (*op)(crypto_word_t a, crypto_word_t b),
crypto_word_t a, crypto_word_t b, int is_true) {
crypto_word_t c = op(a, b);
if (is_true && c != CONSTTIME_TRUE_W) {
return 1;
} else if (!is_true && c != CONSTTIME_FALSE_W) {
@@ -58,8 +58,8 @@ static int test_binary_op_w(crypto_word (*op)(crypto_word a, crypto_word b),
return 0;
}

static int test_is_zero_w(crypto_word a) {
crypto_word c = constant_time_is_zero_w(a);
static int test_is_zero_w(crypto_word_t a) {
crypto_word_t c = constant_time_is_zero_w(a);
if (a == 0 && c != CONSTTIME_TRUE_W) {
return 1;
} else if (a != 0 && c != CONSTTIME_FALSE_W) {
@@ -76,8 +76,8 @@ static int test_is_zero_w(crypto_word a) {
return 0;
}

static int test_select_w(crypto_word a, crypto_word b) {
crypto_word selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
static int test_select_w(crypto_word_t a, crypto_word_t b) {
crypto_word_t selected = constant_time_select_w(CONSTTIME_TRUE_W, a, b);
if (selected != a) {
return 1;
}
@@ -88,7 +88,7 @@ static int test_select_w(crypto_word a, crypto_word b) {
return 0;
}

static crypto_word test_values_s[] = {
static crypto_word_t test_values_s[] = {
0,
1,
1024,
@@ -113,11 +113,11 @@ int bssl_constant_time_test_main(void) {

for (size_t i = 0;
i < sizeof(test_values_s) / sizeof(test_values_s[0]); ++i) {
crypto_word a = test_values_s[i];
crypto_word_t a = test_values_s[i];
num_failed += test_is_zero_w(a);
for (size_t j = 0;
j < sizeof(test_values_s) / sizeof(test_values_s[0]); ++j) {
crypto_word b = test_values_s[j];
crypto_word_t b = test_values_s[j];
num_failed += test_binary_op_w(&constant_time_eq_w, a, b, a == b);
num_failed += test_binary_op_w(&constant_time_eq_w, b, a, b == a);
num_failed += test_select_w(a, b);
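Review bot: the rename is mechanical, but this test file still only exercises `constant_time_eq_w`, `constant_time_is_zero_w` and `constant_time_select_w`, while the rewritten `table_select` in crypto/curve25519/curve25519.c in this same PR introduces callers of `constant_time_msb_w` and `constant_time_conditional_memxor`; consider extending the `test_values_s` loop with a `test_msb_w` check (including negative inputs, since `table_select` feeds it a `signed char`) and a small `constant_time_conditional_memxor` case so the helpers the curve code now depends on are covered by the same harness.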
81 changes: 40 additions & 41 deletions crypto/curve25519/curve25519.c
@@ -180,21 +180,29 @@ static void fe_0(fe *h) {
OPENSSL_memset(h, 0, sizeof(fe));
}

#if defined(OPENSSL_SMALL)

static void fe_loose_0(fe_loose *h) {
OPENSSL_memset(h, 0, sizeof(fe_loose));
}

#endif

// h = 1
static void fe_1(fe *h) {
OPENSSL_memset(h, 0, sizeof(fe));
h->v[0] = 1;
}

#if defined(OPENSSL_SMALL)

static void fe_loose_1(fe_loose *h) {
OPENSSL_memset(h, 0, sizeof(fe_loose));
h->v[0] = 1;
}

#endif

// h = f + g
// Can overlap h with f or g.
static void fe_add(fe_loose *h, const fe *f, const fe *g) {
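Review bot: the two new `#endif` lines closing the `fe_loose_0` and `fe_loose_1` guards carry no trailing comment, whereas the guard this PR removes further down (`#endif // !defined(OPENSSL_SMALL)`) shows the file's convention; suggest `#endif // defined(OPENSSL_SMALL)` on both so a reader of this long file can tell which block is closing.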
@@ -319,11 +327,6 @@ static void fe_copy(fe *h, const fe *f) {
static void fe_copy_lt(fe_loose *h, const fe *f) {
fe_limbs_copy(h->v, f->v);
}
#if !defined(OPENSSL_SMALL)
static void fe_copy_ll(fe_loose *h, const fe_loose *f) {
fe_limbs_copy(h->v, f->v);
}
#endif // !defined(OPENSSL_SMALL)

static void fe_loose_invert(fe *out, const fe_loose *z) {
fe t0;
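Review bot: removing `fe_copy_ll` together with its `#if !defined(OPENSSL_SMALL)` guard is consistent with the rewritten `table_select` below, whose `minust` is now built from strict `fe` values via `fe_copy_lt`; no other caller is visible in this diff, so a build under both `OPENSSL_SMALL` settings is the check worth running to confirm nothing else referenced it.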
@@ -532,12 +535,16 @@ static void ge_p3_0(ge_p3 *h) {
fe_0(&h->T);
}

#if defined(OPENSSL_SMALL)

static void ge_precomp_0(ge_precomp *h) {
fe_loose_1(&h->yplusx);
fe_loose_1(&h->yminusx);
fe_loose_0(&h->xy2d);
}

#endif

// r = p
static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
fe_copy(&r->X, &p->X);
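Review bot: `ge_precomp_0` is now compiled only under `OPENSSL_SMALL`, which matches the new non-small `table_select` (it seeds `t_bytes` with the identity encoding instead of calling `ge_precomp_0`), but the same missing trailing `#endif` comment applies here; `#endif // defined(OPENSSL_SMALL)` would keep it consistent with the guard the PR removes in the hunk at -319.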
@@ -664,16 +671,6 @@ static void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
fe_add(&r->T, &trZ, &trT);
}

static uint8_t equal(signed char b, signed char c) {
uint8_t ub = b;
uint8_t uc = c;
uint8_t x = ub ^ uc; // 0: yes; 1..255: no
uint32_t y = x; // 0: yes; 1..255: no
y -= 1; // 4294967295: yes; 0..254: no
y >>= 31; // 1: yes; 0: no
return y;
}

static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) {
fe_cmov(&t->yplusx, &u->yplusx, b);
fe_cmov(&t->yminusx, &u->yminusx, b);
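Review bot: the removed `equal` helper narrowed both arguments to `signed char` before comparing, whereas its replacement `constant_time_eq_w(index, j)` in the hunk at -722 compares full `crypto_word_t` values, so the two are only equivalent while `index` stays within the 0..15 range that the `j < 16` loop assumes; a one-line comment at the call site stating that range, or an `assert`/debug check on `index`, would keep that precondition visible now that the narrowing is gone.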
@@ -722,7 +719,7 @@ static void x25519_ge_scalarmult_small_precomp(
ge_precomp_0(&e);

for (j = 1; j < 16; j++) {
cmov(&e, &multiples[j-1], equal(index, j));
cmov(&e, &multiples[j-1], 1&constant_time_eq_w(index, j));
}

ge_cached cached;
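Review bot: `1&constant_time_eq_w(index, j)` hands `cmov` the same 0/1 flag the removed `equal` returned; without the `& 1`, the implicit narrowing to `uint8_t` would pass 0xFF, so the mask is what preserves `cmov`'s 0/1 contract and deserves a short comment. Style: write it as `1 & constant_time_eq_w(index, j)`, with spaces around the binary operator as elsewhere in this file.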
@@ -742,35 +739,36 @@ void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) {

#else

static uint8_t negative(signed char b) {
uint32_t x = b;
x >>= 31; // 1: yes; 0: no
return x;
}
static void table_select(ge_precomp *t, const int pos, const signed char b) {
uint8_t bnegative = constant_time_msb_w(b);
uint8_t babs = b - ((bnegative & b) << 1);

static void table_select(ge_precomp *t, int pos, signed char b) {
ge_precomp minust;
uint8_t bnegative = negative(b);
uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1);
uint8_t t_bytes[3][32] = {
{constant_time_is_zero_w(b) & 1}, {constant_time_is_zero_w(b) & 1}, {0}};
#if defined(__clang__) // materialize for vectorization, 6% speedup
__asm__("" : "+m" (t_bytes) : /*no inputs*/);
#endif
OPENSSL_STATIC_ASSERT(sizeof(t_bytes) == sizeof(k25519Precomp[pos][0]), "");
for (int i = 0; i < 8; i++) {
constant_time_conditional_memxor(t_bytes, k25519Precomp[pos][i],
sizeof(t_bytes),
constant_time_eq_w(babs, 1 + i));
}

ge_precomp_0(t);
cmov(t, &k25519Precomp[pos][0], equal(babs, 1));
cmov(t, &k25519Precomp[pos][1], equal(babs, 2));
cmov(t, &k25519Precomp[pos][2], equal(babs, 3));
cmov(t, &k25519Precomp[pos][3], equal(babs, 4));
cmov(t, &k25519Precomp[pos][4], equal(babs, 5));
cmov(t, &k25519Precomp[pos][5], equal(babs, 6));
cmov(t, &k25519Precomp[pos][6], equal(babs, 7));
cmov(t, &k25519Precomp[pos][7], equal(babs, 8));
fe_copy_ll(&minust.yplusx, &t->yminusx);
fe_copy_ll(&minust.yminusx, &t->yplusx);
fe yplusx, yminusx, xy2d;
fe_frombytes_strict(&yplusx, t_bytes[0]);
fe_frombytes_strict(&yminusx, t_bytes[1]);
fe_frombytes_strict(&xy2d, t_bytes[2]);

// NOTE: the input table is canonical, but types don't encode it
fe tmp;
fe_carry(&tmp, &t->xy2d);
fe_neg(&minust.xy2d, &tmp);
fe_copy_lt(&t->yplusx, &yplusx);
fe_copy_lt(&t->yminusx, &yminusx);
fe_copy_lt(&t->xy2d, &xy2d);

cmov(t, &minust, bnegative);
ge_precomp minust;
fe_copy_lt(&minust.yplusx, &yminusx);
fe_copy_lt(&minust.yminusx, &yplusx);
fe_neg(&minust.xy2d, &xy2d);
cmov(t, &minust, bnegative>>7);
}

// h = a * B
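Review bot: the sign handling in the new `table_select` relies on two implicit conversions that the removed `negative()` helper made explicit and that now deserve a comment: `cmov(t, &minust, bnegative>>7)` only yields a 0/1 flag if `bnegative` holds 0x00 or 0xFF after the `uint8_t` store, i.e. if `constant_time_msb_w` returns a full-width mask, and `babs = b - ((bnegative & b) << 1)` depends on the intermediate `int` wrapping back into `uint8_t` (b = -3 gives 255 & -3 = 253, so -3 - 506 = -509, which wraps to 3). Both work as written, but stating the mask invariant next to `bnegative` and writing `bnegative >> 7` with spaces would make the intent readable. The `OPENSSL_STATIC_ASSERT` tying `sizeof(t_bytes)` to a `k25519Precomp[pos][0]` entry is the right guard for the packed table layout this PR imports, and seeding `t_bytes` with `constant_time_is_zero_w(b) & 1` in the first two limbs correctly reproduces the identity element (yplusx = yminusx = 1, xy2d = 0) for b == 0, since no `1 + i` then matches `babs`.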
@@ -1870,6 +1868,7 @@ void x25519_public_from_private_generic_masked(uint8_t out_public_value[32],
fe_loose_invert(&zminusy_inv, &zminusy);
fe_mul_tlt(&zminusy_inv, &zplusy, &zminusy_inv);
fe_tobytes(out_public_value, &zminusy_inv);
CONSTTIME_DECLASSIFY(out_public_value, 32);
}

void x25519_fe_invert(fe *out, const fe *z) {
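Review bot: `CONSTTIME_DECLASSIFY(out_public_value, 32)` is placed after the final `fe_tobytes` write, so the whole serialized public value (which is public by definition) is declassified only once the secret-dependent computation is done, which is the correct position; the literal `32` duplicates the length in the `uint8_t out_public_value[32]` parameter, so if the file has a named constant for the X25519 public key length, using it here avoids the two drifting apart.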