Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
Starting in Rust 1.80, rustc checks that all cfg values are expected and warns if they are not. This is intended to protect against typos and other mistakes.
Change-Id: I2d6f76536b8c585796e71ef7f65550ef8d312247
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69867
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
|
|
|
|
Change-Id: Ief7eeb8b9dd1273b4cd7c72368fb574f4ea511a9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69847
Auto-Submit: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
|
|
This CL moves some methods that exist in every hashing algorithm
implementation to the `Algorithm` trait; namely, `new`, `update`,
and `digest`. This allows for clients to instantiate the hashing
algorithms, and to call `update` and `digest` on objects that
have this trait. It allows a generic representation of an algorithm
that can be used.
In order to avoid users of concrete instance of `Algorithm` to have
to import `Algorithm` and every time they want to
use the functions implemented, these functions are also included in
the inherent implementation of each algorithm (as it was originally
set up, except that now the methods call the equivalent method in the
Algorithm implementation'
This CL also adds the block size as a const field in the `Algorithm`
trait.
Note: this specifically supports the hashing algorithm use in the
style of what is done in AOSP's
`packages/modules/Virtualization/libs/apkverify`, which was previously
using the rust openssl `Hasher` to instantiate algorithms specified
by their `MessageDigest`.
Redoing Ic47691ee2a4303923519b246de7d9724da90f60d which has since
been reverted.
Change-Id: Ib7c02e79952491d814bb49a1ff8f23271b716414
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69387
Commit-Queue: Ellen Arteca <emarteca@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
|
|
|
|
In DTLS 1.3, the record header length is not constant. Replace the use
of a constant for the record header length with a function that returns
the record header length.
Bug: 715
Change-Id: Ie742a7b6dd675d81c12ed1245c0b4046a84446ac
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69687
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
|
|
|
|
Fixed: 42290529
While packed tables still don't give us a speedup on GCC, they are now
within a few percent, with the updated CUrve25519 code there is a net
speedup (+9%).
A loop of 64-bit XORs did not reach performance parity, so vector
extensions it is.
/tmp/m/orig-binary-from-before-packed-tables/gcc
Did 57000 Ed25519 key generation operations in 1000871us (56950.4 ops/sec)
Did 56000 Ed25519 signing operations in 1010050us (55442.8 ops/sec)
Did 20000 Ed25519 verify operations in 1023534us (19540.1 ops/sec)
Did 59000 Curve25519 base-point multiplication operations in 1001460us (58914.0 ops/sec)
Did 23000 Curve25519 arbitrary point multiplication operations in 1025589us (22426.1 ops/sec)
/tmp/m/this-cl/gcc
Did 56000 Ed25519 key generation operations in 1014283us (55211.4 ops/sec) [-3.1%]
Did 54000 Ed25519 signing operations in 1000577us (53968.9 ops/sec) [-2.7%]
Did 21000 Ed25519 verify operations in 1047461us (20048.5 ops/sec) [+2.6%]
Did 57000 Curve25519 base-point multiplication operations in 1002519us (56856.8 ops/sec) [-3.5%]
Did 25000 Curve25519 arbitrary point multiplication operations in 1019719us (24516.6 ops/sec) [+9.3%]
/tmp/m/this-cl/clang
Did 78000 Ed25519 key generation operations in 1003047us (77763.1 ops/sec) [+36.5%]
Did 75000 Ed25519 signing operations in 1002741us (74795.0 ops/sec) [+34.9%]
Did 20000 Ed25519 verify operations in 1008417us (19833.1 ops/sec) [+1.5%]
Did 82000 Curve25519 base-point multiplication operations in 1005159us (81579.1 ops/sec) [+38.5%]
Did 30000 Curve25519 arbitrary point multiplication operations in 1006715us (29799.9 ops/sec) [+32.9%]
/tmp/m/this-cl/clang
Did 79000 Ed25519 key generation operations in 1000245us (78980.6 ops/sec) [+38.7%]
Did 76000 Ed25519 signing operations in 1000323us (75975.5 ops/sec) [+37.0%]
Did 20000 Ed25519 verify operations in 1031862us (19382.4 ops/sec) [-0.8%]
Did 83000 Curve25519 base-point multiplication operations in 1001875us (82844.7 ops/sec) [+40.6%]
Did 30000 Curve25519 arbitrary point multiplication operations in 1007550us (29775.2 ops/sec) [+32.8%]
Change-Id: I9dcaa25c5fac863cd90e31caa42f5d80b63238d6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69247
Auto-Submit: Andres Erbsen <andreser@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
|
|
|
|
Right now it's split over the SNI extractor and the code that calls the
SNI callback. But the only thing that reads it is the code to send the
ServerHello extension, so we don't need to half-compute it earlier.
Change-Id: Ia0fdd502ab21bec2ccdde99185951601a4650efe
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69747
Reviewed-by: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
|
|
|
|
This commit solves
https://bugs.chromium.org/p/boringssl/issues/detail?id=714. To
summarize, there are cases where servers will advertise ECH on hostnames
that may, in practice, be unable to actually negotiate e.g. TLS 1.3. To
gracefully handle this case, this commit adds a new return value for the
select_cert_cb that signals to the server that ECH must be disabled. To
accomplish this, we slightly rewind the state machine to instead
handshake with ClientHelloOuter, and clear ech_keys on the handshake
state such that the server hello does not include any retry_configs in
EncryptedExtensions. Clients will take this as a signal that ECH is
disabled on the hostname, and that they should instead handshake without
ECH.
Bug: 42290593
Change-Id: I1806ba052ffbc3e5c46161a1596d125cc5e5a8fc
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69087
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
|
|
|
|
Just to silence automated tools from complaining about the old
golang.org/x/net. (The GitHub repo apparently got a dependabot because
dependabot doesn't know that it's a mirror.)
Change-Id: Id25f889b4f7203ef0edee2efce1c7c289a29e3d2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69707
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
|
|
We have x/net in here purely for the fetch_ech_config_list.go script,
but Go is not very good at handling single-file scripts. The
conventional workaround seems to make a dummy package which imports the
needed packages.
Change-Id: I16c09ce5c8359c66cb86d6f07636ea41bbb49ead
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69727
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
|
|
|
|
The QEMU option is particularly useful for running RISC-V based tests,
for which there does not exist any RISC-V hardware for native execution.
This change was verified locally using the following command:
go run util/all_tests.go \
--qemu /usr/local/google/home/aknobloch/Downloads/qemu-build/usr/bin/qemu-riscv64 \
The tests took ~20 minutes to complete.
Change-Id: Ide9514d5d6a024d8c42a4a129d7e4a6582b5878a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/68887
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Aaron Knobloch <aknobloch@google.com>
|
|
|
|
Change-Id: I9b9c53d4f994bd0fc731c9fff3119f0d388900e9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69667
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
|
|
|
|
This reverts commit f01108e4761e1d4189cb134322c3cb01dc71ef87.
Change-Id: I323b12966ad7c15602504865ddc4a2c44b948f70
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69647
Reviewed-by: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
DTLS 1.3 needs to be able to handle absolute epoch numbers (e.g. "write
data at the handshake epoch" instead of "write data at the current
epoch").
Bug: 715
Change-Id: I2aed5346afdb9a247977564105009a726f3b8c12
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69527
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: Nick Harper <nharper@chromium.org>
|
|
|
|
This reverts commit 26468aea6483135b156fb03a5693c495dbad2e0f.
Change-Id: I50951239b4b79544f7e8914a6f86d2b38c098a2d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69627
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
|
|
This makes test_fips build and link even when not building FIPS.
(as google3 does).
The module hash function is just #defined away to abort()
as we won't ever get that far when test_fips is actually
run without FIPS.
Change-Id: I5d55f0bd1b3f29298aaa6216ebee633e8b4ac6fe
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69307
Reviewed-by: David Benjamin <davidben@google.com>
|
|
|
|
There's one place in Chromium that relied on CRYPTO_library_init to have
initialized things. We can fix this by simply initializing inside the
accessor.
Bug: 40644931
Change-Id: Id6c849d350f3db16103dd118659a48710c3d05a3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69607
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
|
|
|
|
When building with a sufficiently high -march that GCC can use YMM
registers, its -Warray-bounds warning misfires on 32-byte arrays that
are initialized directly. See
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114826
Work around this by using a less safe pattern and initializing the array
with memset.
Change-Id: I3bcbdca2b749fd7a3093d5194515a04c034e7bf9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69567
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
GCC 13.2.0 has a false positive in -Wstringop-overflow. Oddly, I can
only reproduce it with -O2 -march=native. The old code was also correct,
but this version seems to do a better job of avoiding the warning.
Instead of reversing the variable-length string while sign-extending, we
assemble a big-endian sign-extended version and then do a fixed-width
byte swap at the end.
Fixed: 42290598
Change-Id: I6d5de1e1d6d117f6b5947d3a2155e794764eb472
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69547
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
|
|
|
|
Now that we don't depend on external CRYPTO_library_init calls or the
static initializer to initialize CPU capabilities, we can drop a ton of
code.
This makes CRYPTO_library_init, and all its wrappers, into no-ops and
drops the (non-FIPS) static initializer. I've added an internal
OPENSSL_init_cpuid function for the places where the library actually
needs to initialize the CPU vector.
Note this slightly changes the default, previously
static-initializer-full build: previously, CRYPTO_library_init was a
no-op and we relied on the static initializer. Now we uniformly use
CRYPTO_once. This should be an atomic read in the steady state and
essentially free. We can restore the static initializer by default if
this ends up being a problem, but having only one mode is more
straightforward. This also avoids problems if an application calls into
BoringSSL during its own static initializer. Static initializers are not
coherently ordered.
Update-Note: The BORINGSSL_NO_STATIC_INITIALIZER build option and
CRYPTO_library_init are now unnecessary. Once updating past this
revision, those options can now be cleaned up from downstream projects.
Fixed: 40644931
Change-Id: Idc2e6ea7a73d6352e0360fd886c46d88dba3568c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69508
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
|
|
We really should remove the ia32cap references from those files, but now
that we're down to two files, let's go ahead and remove the
CRYPTO_library_init requirement from our callers and close out the
initialization hole.
Notably, use of bssl-crypto in Chromium is slightly shaky without this.
Although I think, prior to this CL, we'd already gotten to benign races
being all that are possible because these two remaining spots don't
change any in-memory representations. (Unlike C/C++, benign races from
assembly are actually well-defined and truly benign.) But no sense in
relying on this when we can just fix it directly.
This CL just adds some explicit CRYPTO_library_init calls. A subsequent
one will update the docs and clean up all the remnants of our messy
initialization story.
Bug: 40644931
Change-Id: Ife288a4817b930473210f43a2680a60b040bf9a0
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69507
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
|
|
|
|
1. Ensure that the output is line buffered so that nothing is lost
when tests fail.
2. Check that FIPS_mode returns the expected mode so that we have
evidence for this during testing.
Change-Id: Ib294e890a21e8002d5e2a646f08b49a03e645cb2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69487
Auto-Submit: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
|
|
As EDDSA is similar to ECDSA with respect to the vectors, the existing
ECDSA handling code can be used, avoiding duplications.
This modification does not support the 'run' or 'exec' commandline uses.
Change-Id: I95f5c3de063539cf881f9116c6e631f4883ef2fd
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69467
Auto-Submit: Sven Biebaut <svenbiebaut@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
|
|
|
|
Change-Id: I64c125ca8aaeacb6bc588d2b02be2a5846f481eb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69447
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Auto-Submit: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
|
|
This is copied over from the METADATA file, since Chromium's
infrastructure currently requires some duplicate work.
Bug: 347861602
Change-Id: I21ae055454c6dbe721ea99a4609d8144dd7846ad
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69407
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
|
|
See draft-ietf-tls13-pkcs1-00. The code point is disabled by default
and must be configured in SSL_set_verify_algorithm_prefs and
SSL_set_signing_algorithm_prefs. It is also only defined for TLS 1.3
client certificates and otherwise ignored.
This required reworking the tests a bit since this is the first
signature algorithm that's disabled by default, and the first algorithm
that behaves differently between client and server.
Bug: 347047841
Change-Id: If4f653a456799ed9f0173159da291a9b6b6556fb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69368
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|
|
|
|
I noticed that runner tests had a very weird test expectation on the
alerts sent around sigalg failures. I think this was an (unimportant)
bug on our end.
If the peer picks a sigalg that we didn't advertise, we send
illegal_parameter. However, it if picks an advertised sigalg that is
invalid in context (protocol version, public key), we end up catching it
very late in ssl_public_key_verify (by way of setup_ctx) and sending
decrypt_error.
Instead, have tls12_check_peer_sigalg check this so we consistently send
illegal_parameter. (Probably this should all fold into
ssl_public_key_verify with an alert out_param, but so it goes.)
Change-Id: I09fb84e9c1ee39b2683fa0b67dd6135d31f51c97
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69367
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
|
|
|
|
Tested by compiling with valgrind.
Before:
$ cmake -GNinja -B build -D CONSTANT_TIME_VALIDATION=1
$ ninja -C build
[...]
/home/tholenst/boringssl/boringssl/crypto/dilithium/dilithium.c:1199:25: error: ‘pub’ undeclared (first use in this function)
1199 | CONSTTIME_DECLASSIFY(&pub.t1, sizeof(pub.t1));
After:
$ ninja -C build
ninja: Entering directory `build'
[440/440] Linking CXX executable ssl/test/handshaker
Change-Id: I26481d69e9d033b0c23b7486970991b673132d20
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/69267
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
|