
Boringssl merge 5112b45ce2eae2ed253adeacb8887d42f429e27b #388

torben-hansen (Contributor)

Use the MERGE strategy NOT the squash strategy

Description of changes:
This merges in the complete history up to Feb 10 2022 5112b45ce2eae2ed253adeacb8887d42f429e27b.

Ran the following:

git fetch git@github.com:google/boringssl.git 5112b45ce2eae2ed253adeacb8887d42f429e27b
git merge --strategy recursive --allow-unrelated-histories 5112b45ce2eae2ed253adeacb8887d42f429e27b
python3 ./util/generate_build_files.py
git commit -m "Update build files in generated-src"
git push --set-upstream origin "boringssl-merge-5112b45ce2eae2ed253adeacb8887d42f429e27b"

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Adam Langley and others added 29 commits January 13, 2022 17:31
This change imports upstream's
openssl/openssl@c045224

Change-Id: Ib50ff9eb8c48d9580aa2ffcae92d3990cc987e30
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50905
Reviewed-by: David Benjamin <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
140-3 says

> the zeroisation of protected and unprotected SSPs
> shall be performed in the following scenarios:
>   ...
>   For temporary value(s) generated during the integrity test of the
>   module’s software or firmware upon completion of the integrity test.

(IG 9.7.B)

Change-Id: I911f294860bf33b13b2c997fc633c9bda777fc48
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50945
Reviewed-by: David Benjamin <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
This matches our other free functions.

Fixed: 473
Change-Id: Ie147995c2f5b429f78e95cfc9a08ed54181af94e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51005
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
Description:
Creating just a Gerrit password isn't enough.  Before you can push a
change to Gerrit, you must also create/associate a Gerrit account with
the google account used to create the password.

This avoids "git push ..." rejections like this:

  remote: PERMISSION_DENIED: The caller does not have permission
  remote: [type.googleapis.com/google.rpc.LocalizedMessage]
  remote: locale: "en-US"
  remote: message: "\'git push\' requires a Gerrit user account."

Change-Id: Id02c1a69ccb0c2b8bf4c63b77ed3064125966eb3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50985
Reviewed-by: David Benjamin <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
This is designed to be the minimal infrastructure required to support
using BoringSSL in the Rust ecosystem without fear of ABI drift. Bindgen
is used to generate Rust bindings in lockstep with the rest of the
build. `rust-openssl` can consume these generated bindings with minimal
changes.

Change-Id: I1dacd36a4131e22a930ebb01da00407e8465ad7e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49645
Reviewed-by: David Benjamin <[email protected]>
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
See https://fuchsia-review.googlesource.com/c/fuchsia/+/624684. Also
pick up the new, more specific, name for ZX_ARM64_FEATURE_ISA_SHA2.

Update-Note: This CL is written assuming we can just rely on the SDK
changes. Per go/fuchsia-sdk-age, this seems fairly safe. If this file
fails to build due to missing symbols, update your project's Fuchsia
SDK. If this blocks something, let us know.

Change-Id: I28b0c234b577cc0de90e7ef096c15bb75a4ba501
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50926
Reviewed-by: Adam Langley <[email protected]>
…ndings for the targeted Arch

Change-Id: I8ccd53bce0d73bd9d79f65770e544a75753ce4f8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51025
Reviewed-by: David Benjamin <[email protected]>
We were fetching the mac-amd64 package even on mac-arm64.

Change-Id: Iad842ebd46d467c0def9bdbd14c77698a03f58d3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51045
Reviewed-by: Adam Langley <[email protected]>
The check finds implicit conversions of integer literals to bools:
  bool b1 = 1;
  bool b2 = static_cast<bool>(1);
and transforms them to:
  bool b1 = true;
  bool b2 = true;

Bug: chromium:1290142
Change-Id: I15579e28f544d07b331a230b70a8278e0651150d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51085
Reviewed-by: David Benjamin <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
This hash table, in applications that use pooling, can dedup received
certificates in memory and thus should use a keyed hash.

Change-Id: Idc40dc8f7463025183121642b30ea0de43ebac0e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51125
Reviewed-by: Adam Langley <[email protected]>
u8 strings in C++20 are char8_t instead of char; in order to compile on
both C++17 and C++20 we need to remove the prefix.

Change-Id: I85d1a9d72d24e8fa96ca22b1d99be9982fee8fb5
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51065
Reviewed-by: David Benjamin <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
POSIX feature macros are a mess. Reportedly, FreeBSD also breaks with
_XOPEN_SOURCE, so try leaving it unset by default.

Update-Note: It's possible this will break yet another obscure UNIX.
Hopefully we can eventually find a combination that works?

Bug: 471
Change-Id: I103f8093110d343789b9c5a22eb056ab78d9cd14
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51145
Reviewed-by: Adam Langley <[email protected]>
Upstream used the macro originally, but later added a bespoke
implementation to transparently support X9.42 DH parameter serialization
(DHXPARAMS in OpenSSL) in 2ca873e8d898e8a232ea707227400213980059a4.

We don't support DHXPARAMS, so revert to the macro.

Change-Id: Ib17902c6c640bb88ee55881945ce57a032f7061b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51105
Reviewed-by: Adam Langley <[email protected]>
This matches the source, which only builds support for these tests on
Linux. Note Android sets CMAKE_SYSTEM_NAME to "Android", so this covers
the previous ANDROID check.

Bug: 476
Change-Id: I41ca408706d0d0c5bb22006f4c31d51fc1267f69
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51165
Commit-Queue: David Benjamin <[email protected]>
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: Adam Langley <[email protected]>
Description:
Mark Wooden and Franck Rondepierre noted that the square-root-mod-p
operations used in the EdDSA RFC (RFC 8032) can be simplified.  For
Ed25519, instead of computing u*v^3 * (u * v^7)^((p-5)/8), we can
compute u * (u*v)^((p-5)/8).  This saves 3 multiplications and 2
squarings.  For more details (including a proof), see the following
message from the CFRG mailing list:

  https://mailarchive.ietf.org/arch/msg/cfrg/qlKpMBqxXZYmDpXXIx6LO3Oznv4/

Testing:
Build and run the Ed25519 tests:

  mkdir build
  cd build
  cmake -GNinja ..
  ninja && ./crypto/crypto_test --gtest_filter="Ed25519Test*"

Numerical testing of the square-root computation can be done using the
following sage script:

  def legendre(x,p):
      return kronecker(x,p)

  # Ed25519
  p = 2**255-19
  # -1 is a square
  if legendre(-1,p)==1:
      print("-1 is a square")
  # 2 is a non-square
  if legendre(2,p)==-1:
      print("2 is a non-square")

  # 2 is a generator
  # this can be checked by factoring p-1
  # and then showing 2**((p-1)/q) != 1 (mod p)
  # for all primes q dividing p-1.

  # suppose u/v is a square.
  # to compute one of its square roots, find x such that
  #    x**4 == (u/v)**2 .
  # this implies
  #    x**2 ==  u/v, or
  #    x**2 == -(u/v) ,
  # which implies either x or i*x is a square-root of u/v (where i is a square root of -1).
  # we can take x equal to u * (u*v)**((p-5)/8).

  g = 2
  s = p>>2  # s = (p-1)/4
  i = power_mod(g, s, p)

  t = p>>3  # t = (p-5)/8
  COUNT = 1<<18
  while COUNT > 0:
      COUNT -= 1

      r = randint(0,p-1)   # r = u/v
      v = randint(1,p-1)
      u = mod(r*v,p)

      # compute x = u * (u*v)**((p-5)/8)
      w = mod(u*v,p)
      x = mod(u*power_mod(w, t, p), p)

      # check that x**2 == r, or (i*x)**2 == r, or r is not a square
      rr = power_mod(x, 2, p)
      if rr==r:
          continue

      rr = power_mod(mod(i*x,p), 2, p)
      if rr==r:
          continue

      if legendre(r,p) != 1:
          continue

      print("failure!")
      exit()

  print("passed!")

Change-Id: Iaa284d3365dd8c9fa18a4584121013f05a3f4cc6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/50965
Reviewed-by: David Benjamin <[email protected]>
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: Adam Langley <[email protected]>
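The square-root simplification described in the commit above, as an added example that is not code from the BoringSSL commit or from aws-lc: both candidate formulas are implemented in Python over the Ed25519 field, followed by the same "x or x*sqrt(-1)" fix-up that RFC 8032 decoding applies, and a seeded randomised comparison checks that they agree up to sign (or both reject a non-square). The function names (sqrt_ratio_rfc, sqrt_ratio_simplified, both_formulas_agree) and the sample inputs are this example's own.

```python
# Added example, not from the BoringSSL commit or the aws-lc PR: checks that the
# simplified Ed25519 square-root candidate from the commit message agrees with
# the RFC 8032 decoding formula. All function names here are the example's own.
import random

P = 2**255 - 19                     # Ed25519 field prime, p = 5 (mod 8)
SQRT_M1 = pow(2, (P - 1) // 4, P)   # a square root of -1: 2 is a non-square mod p


def legendre(x):
    """Euler's criterion: 1 for a nonzero square, P-1 for a non-square, 0 for zero."""
    return pow(x % P, (P - 1) // 2, P)


def sqrt_ratio_rfc(u, v):
    """RFC 8032 candidate root of u/v: x = u*v^3 * (u*v^7)^((p-5)/8) mod p."""
    return (u * pow(v, 3, P) * pow((u * pow(v, 7, P)) % P, (P - 5) // 8, P)) % P


def sqrt_ratio_simplified(u, v):
    """Simplified candidate from the commit message: x = u * (u*v)^((p-5)/8) mod p."""
    return (u * pow((u * v) % P, (P - 5) // 8, P)) % P


def sqrt_ratio(u, v, candidate=sqrt_ratio_simplified):
    """Return x with v*x^2 == u (mod p), or None when u/v is not a square.

    Either candidate x satisfies x^4 == (u/v)^2 whenever u/v is a square, so the
    root is x itself or x*sqrt(-1); this is the same fix-up RFC 8032 applies.
    """
    x = candidate(u % P, v % P)
    vx2 = (v * x * x) % P
    if vx2 == u % P:
        return x
    if vx2 == (-u) % P:
        return (x * SQRT_M1) % P
    return None


def both_formulas_agree(trials, seed=0):
    """Randomised check on constructed inputs (seeded for reproducibility).

    For each (u, v) both formulas must either yield a valid root, equal up to
    sign, or both report that u/v is not a square.
    """
    rng = random.Random(seed)
    for _ in range(trials):
        v = rng.randrange(1, P)          # v must be invertible
        u = rng.randrange(0, P)
        a = sqrt_ratio(u, v, sqrt_ratio_rfc)
        b = sqrt_ratio(u, v, sqrt_ratio_simplified)
        # u/v is a square exactly when u*v is (they differ by the square v^2)
        if legendre(u * v) == P - 1:
            if a is not None or b is not None:
                return False
            continue
        if a is None or b is None:
            return False
        if (v * a * a - u) % P or (v * b * b - u) % P:
            return False
        if b not in (a, (P - a) % P):
            return False
    return True


if __name__ == "__main__":
    assert sqrt_ratio(2, 1) is None      # 2 is a non-square mod p, as the commit notes
    print("formulas agree on 256 random inputs:", both_formulas_agree(256, seed=1))
```

The two candidates differ by a factor of v^(3(p-1)/4), which is a fourth root of unity, so after the sqrt(-1) fix-up the results can differ only in sign; Ed25519 decoding then picks the sign from the encoded x-sign bit, which is why the cheaper formula is a drop-in replacement.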
The ECH extension is not covered in the AAD and so should not be
referenced in ech_outer_extensions. We end up rejecting this anyway when
checking for valid ClientHelloInners, but better to reject this
explicitly, as the spec suggests.

As part of this, use the more specific error in the various tests, so we
can distinguish the two cases. (DECODE_ERROR is coming from an extra,
probably unnecessary, error in ssl_decode_client_hello_inner's caller.)

Bug: 275
Change-Id: Ibeff55e5e1b7646ce9c68c5847cd1b40a47e6480
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51185
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
Both call sites end up calling them in succession. This saves a little
bit of code.

Bug: 275
Change-Id: Ib87bd9be446c368f77beb3b329deaa84ef43ac95
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51186
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
In testing out the ECH bits on the Chromium side, it is much harder to
tell what's going on without some indication that we sent a
ClientHelloInner. This CL routes it into the callback. A corresponding
CL in Chromium will add it to NetLog.

Bug: 275
Change-Id: I945ab2679614583e875a0ba90d6cf1481ed315d9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51205
Reviewed-by: Adam Langley <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
This is the recommended way for detecting platforms:
https://docs.bazel.build/versions/main/platforms.html

Fixes cross-compilation with bazel-zig-cc.

Signed-off-by: Piotr Sikora <[email protected]>
Change-Id: Ifc7d2b502e01feb9cbad51127ca3ec90a54c6e90
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51265
Reviewed-by: Adam Langley <[email protected]>
https://boringssl-review.googlesource.com/c/boringssl/+/51265 broke
Linux and macOS platforms on architectures where we don't build
assembly. OPENSSL_NO_ASM needs to match the assembly selector.

While I'm here, remove the OPENSSL_C11_ATOMIC comment. We autodetect
atomics these days, so the flag is only useful if you want to force it.

Change-Id: I1f20f7577b5ca7e208dc90fb46a93b20da864ec5
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51305
Reviewed-by: Piotr Sikora <[email protected]>
Reviewed-by: Adam Langley <[email protected]>
Change-Id: I8bc146a951b77d2111b971e6472bfd7f010f8585
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51306
Reviewed-by: Adam Langley <[email protected]>
The current names are confusing because (ios, aarch64) is also used on
macOS. The various Apple platforms all use the same ABI, and aarch64 is
no longer limited to iOS. (For that matter, the iOS simulator on x86
Macs is x86 iOS.) Just call it 'apple'.

Update-Note: References to 'mac' or 'ios' source lists in downstream
builds should be renamed to 'apple'.

Change-Id: Id1a0627f8ce3241f34ffa6bb245ee5783adc7c15
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51307
Reviewed-by: Adam Langley <[email protected]>
Now that the naming for Apple platforms is aligned, we can select the
variable uniformly.

Change-Id: Id547d1a4ba0585d5f9e4ea0b5d8b255b2ab2ec38
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51345
Reviewed-by: Adam Langley <[email protected]>
Bazel can shard tests, but runner runs a lot of tests inside a single
“test”, as Go sees it. In order to shard within runner we implement
support for Bazel's environment variables[1] directly. This does mean
that the handful of other tests in runner are run in every shard.

[1]
https://docs.bazel.build/versions/1.1.0/test-encyclopedia.html#initial-conditions

Change-Id: Idaa5c6ae5225cd86951cd40f47b5f86f31664e04
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/51245
Reviewed-by: David Benjamin <[email protected]>
…l-merge-5112b45ce2eae2ed253adeacb8887d42f429e27b
@torben-hansen torben-hansen merged commit 4cf67e3 into aws:current-upstream-merge-20220210 Feb 11, 2022
@torben-hansen torben-hansen deleted the boringssl-merge-5112b45ce2eae2ed253adeacb8887d42f429e27b branch February 11, 2022 17:12
WillChilds-Klein pushed a commit to WillChilds-Klein/aws-lc that referenced this pull request Jan 8, 2025
+ With PR 376, when ACCP is set as the first provider and immediately
  new SecureRandom is used, the SecureRandom will not be backed by ACCP.
+ A unit test is modified to check that new SecureRandom immediately after
  install is backed by ACCP.
WillChilds-Klein pushed a commit to WillChilds-Klein/aws-lc that referenced this pull request Jan 8, 2025
Following reversal of PR aws#376 in PR aws#388, using the ACCP SecureRandom
algorithm `DEFAULT` (which is an alias of `LibCryptoRng`) yields lower
performance in multi-threaded settings.
See aws#376 for details.

This PR is meant to use the algorithm `LibCryptoRng` in the benchmark,
instead of its alias `DEFAULT`. This solves the performance drop in
multi-threaded settings.

This also corresponds to the most common use of ACCP SecureRandom.
Indeed, if ACCP is the first security provider and if ACCP SecureRandom
is registered, then when instantiating SecureRandom as
`new SecureRandom()`, the algorithm `LibCryptoRng` will be selected.

Co-authored-by: Fabrice Benhamouda <[email protected]>