OERV-RUNTIME/boringssl
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add a jitter entropy source.

Browse Source 
This code is not yet used outside of tests.

Change-Id: I825b7c8692985219021ef5ecf5b84ebfe8624e74
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/80367
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
This commit is contained in:
Adam Langley
2025-07-09 15:39:49 -07:00
committed by Boringssl LUCI CQ
parent b0ef87e5e3
commit edb1440439
11 changed files with 873 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
build.json
View File

@@ -72,6 +72,8 @@
"crypto/fipsmodule/ec/wnaf.cc.inc",
"crypto/fipsmodule/ecdh/ecdh.cc.inc",
"crypto/fipsmodule/ecdsa/ecdsa.cc.inc",
"crypto/fipsmodule/entropy/jitter.cc.inc",
"crypto/fipsmodule/entropy/sha512.cc.inc",
"crypto/fipsmodule/hkdf/hkdf.cc.inc",
"crypto/fipsmodule/hmac/hmac.cc.inc",
"crypto/fipsmodule/keccak/keccak.cc.inc",
@@ -528,6 +530,7 @@
"crypto/fipsmodule/ec/p256-nistz.h",
"crypto/fipsmodule/ec/p256_table.h",
"crypto/fipsmodule/ecdsa/internal.h",
"crypto/fipsmodule/entropy/internal.h",
"crypto/fipsmodule/keccak/internal.h",
"crypto/fipsmodule/rand/internal.h",
"crypto/fipsmodule/rsa/internal.h",
@@ -850,6 +853,7 @@
"crypto/fipsmodule/ec/p256-nistz_test.cc",
"crypto/fipsmodule/ec/p256_test.cc",
"crypto/fipsmodule/ecdsa/ecdsa_test.cc",
"crypto/fipsmodule/entropy/jitter_test.cc",
"crypto/fipsmodule/hkdf/hkdf_test.cc",
"crypto/fipsmodule/keccak/keccak_test.cc",
"crypto/fipsmodule/rand/ctrdrbg_test.cc",

5
crypto/fipsmodule/bcm.cc
View File

@@ -90,6 +90,7 @@
#include "ec/wnaf.cc.inc"
#include "ecdh/ecdh.cc.inc"
#include "ecdsa/ecdsa.cc.inc"
#include "entropy/jitter.cc.inc"
#include "hkdf/hkdf.cc.inc"
#include "hmac/hmac.cc.inc"
#include "keccak/keccak.cc.inc"
@@ -172,8 +173,8 @@ static void BORINGSSL_maybe_set_module_text_permissions(int permission) {}
#endif // !ASAN
static void __attribute__((constructor))
BORINGSSL_bcm_power_on_self_test(void) {
static void __attribute__((constructor)) BORINGSSL_bcm_power_on_self_test(
void) {
#if !defined(OPENSSL_ASAN)
// Integrity tests cannot run under ASAN because it involves reading the full
// .text section, which triggers the global-buffer overflow detection.

38
crypto/fipsmodule/entropy/internal.h Normal file
View File

@@ -0,0 +1,38 @@
// Copyright 2025 The BoringSSL Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_ENTROPY_INTERNAL_H
#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_ENTROPY_INTERNAL_H
#include <openssl/base.h>
#if defined(OPENSSL_LINUX) || defined(OPENSSL_MACOS)
BSSL_NAMESPACE_BEGIN
namespace entropy {
// GetSeed fills `out` with random bytes from the jitter source.
OPENSSL_EXPORT bool GetSeed(uint8_t out[48]);
// GetSamples fetches `n` raw delta time samples.
OPENSSL_EXPORT bool GetSamples(uint64_t *out, size_t n);
// GetVersion returns the version of the entropy module.
int GetVersion();
} // namespace entropy
BSSL_NAMESPACE_END
#endif // LINUX || MACOS
#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_ENTROPY_INTERNAL_H

457
crypto/fipsmodule/entropy/jitter.cc.inc Normal file
View File

@@ -0,0 +1,457 @@
// Copyright 2025 The BoringSSL Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// BoringCrypto Jitter Entropy version 20250725.
#include <openssl/base.h>
#if defined(OPENSSL_LINUX) || defined(OPENSSL_MACOS)
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <array>
#include <type_traits>
#include <utility>
#include <openssl/mem.h>
#include "internal.h"
#include "sha512.cc.inc"
#if defined(__x86_64__)
#include <x86intrin.h>
#elif defined(__aarch64__)
#include <arm_acle.h>
#endif
BSSL_NAMESPACE_BEGIN
namespace entropy {
namespace {
#if defined(__x86_64__)
static inline uint64_t GetTimestamp() { return _rdtsc(); }
#elif defined(__aarch64__)
static inline uint64_t GetTimestamp() { return __arm_rsr64("cntvct_el0"); }
#else
static inline uint64_t GetTimestamp() {
struct timespec ts;
clock_gettime(CLOCK_MONOTONIC_RAW, &ts);
return ts.tv_sec * 1000000000ULL + ts.tv_nsec;
}
#endif
class MemoryOffsetLCG {
public:
MemoryOffsetLCG() : state(GetTimestamp() & 0xFFFFFFFF) {}
uint32_t Next() {
state = state * 1664525 + 1013904223;
return state;
}
private:
uint32_t state;
};
class MemoryAccessSampler {
public:
MemoryAccessSampler(size_t array_size, unsigned num_samples)
: array_size_(array_size),
num_samples_(num_samples),
array_(reinterpret_cast<uint8_t *>(OPENSSL_malloc(array_size_))) {
if (array_ == nullptr || //
array_size_ == 0 || //
array_size_ > (1u << 26) || //
array_size_ & (array_size_ - 1)) {
abort();
}
}
~MemoryAccessSampler() { OPENSSL_free(const_cast<uint8_t *>(array_)); }
MemoryAccessSampler(const MemoryAccessSampler &) = delete;
MemoryAccessSampler &operator=(const MemoryAccessSampler &) = delete;
MemoryAccessSampler(MemoryAccessSampler &&other)
: array_size_(other.array_size_),
num_samples_(other.num_samples_),
lcg_(other.lcg_),
array_(other.array_) {
other.array_ = nullptr;
}
bool Next(uint64_t *out) {
// Perform some memory accesses and measure how long it took. The LCG is
// intended to defeat any CPU predictors and thus expose this code to as
// much system entropy as possible.
for (unsigned i = 0; i < num_samples_; i++) {
// The lower bits of an LCG tend to fall into short cycles and so are
// discarded here.
array_[(lcg_.Next() >> 6) & (array_size_ - 1)] += 1;
}
*out = GetTimestamp();
return true;
}
private:
const size_t array_size_;
const unsigned num_samples_;
MemoryOffsetLCG lcg_;
volatile uint8_t *array_;
};
template <typename T>
class DeltaSampler {
public:
explicit DeltaSampler(T &&sub_sampler)
: sub_sampler_(std::forward<T>(sub_sampler)) {}
// Next function to return the delta between two subsequent samples
bool Next(uint64_t *out) {
uint64_t sample;
if (!sub_sampler_.Next(&sample)) {
return false;
}
if (!initialized_) {
last_sample_ = sample;
if (!sub_sampler_.Next(&sample)) {
return false;
}
initialized_ = true;
}
*out = sample - last_sample_;
last_sample_ = sample;
return true;
}
private:
bool initialized_ = false;
T sub_sampler_;
uint64_t last_sample_;
};
template <typename U>
DeltaSampler(U &&sub_sampler) -> DeltaSampler<std::decay_t<U>>;
template <typename T>
class MaskSampler {
public:
explicit MaskSampler(uint8_t mask, T &&sub_sampler)
: mask_(mask), sub_sampler_(std::forward<T>(sub_sampler)) {}
bool Next(uint8_t *out) {
uint64_t sample;
if (!sub_sampler_.Next(&sample)) {
return false;
}
*out = sample & mask_;
return true;
}
private:
const uint8_t mask_;
T sub_sampler_;
};
template <typename U>
MaskSampler(uint8_t mask, U &&sub_sampler) -> MaskSampler<std::decay_t<U>>;
// The estimated entropy per sample from MaskSampler.
constexpr float kH = 0.8;
// kAlphaLog2 is log_2(alpha), where alpha is the standard false-positive
// probability from SP 800-90B.
static constexpr float kAlphaLog2 = -20;
// kAlpha is the variable of the same name from section 4.4.1 of SP 800-90B.
constexpr float kAlpha = 1.0 / (1 << static_cast<unsigned>(-kAlphaLog2));
// Ceil rounds up its non-negative argument to the next integer. (std::ceil
// isn't constexpr until C++23.)
constexpr unsigned Ceil(float val) {
auto truncated = static_cast<unsigned>(val);
if (val == static_cast<float>(truncated)) {
return truncated;
}
if (val > 0) {
return truncated + 1;
}
__builtin_unreachable();
}
template <typename T>
class RepetitionCountTest {
public:
static constexpr unsigned kThreshold = 1 + Ceil(-kAlphaLog2 / kH);
static_assert(kThreshold == 26);
explicit RepetitionCountTest(T &&sub_sampler)
: sub_sampler_(std::forward<T>(sub_sampler)) {}
bool Next(uint8_t *out) {
uint8_t sample;
if (!sub_sampler_.Next(&sample)) {
return false;
}
if (sample == last_sample_) {
count_++;
} else {
count_ = 1;
last_sample_ = sample;
}
if (count_ >= kThreshold) {
return false;
}
*out = sample;
return true;
}
private:
T sub_sampler_;
unsigned count_ = 0;
uint8_t last_sample_ = 0;
};
template <typename U>
RepetitionCountTest(U &&sub_sampler) -> RepetitionCountTest<std::decay_t<U>>;
constexpr double BinomialPMF(int64_t k, int64_t n, double p) {
if (k < 0 || k > n) {
return 0.0;
}
double result = 1.0;
for (int64_t i = 0; i < k; ++i) {
result *= (n - i);
result /= (i + 1);
}
for (int64_t i = 0; i < k; ++i) {
result *= p;
}
for (int64_t i = 0; i < n - k; ++i) {
result *= (1 - p);
}
return result;
}
// CritBinom implements the Excel function of the same name.
constexpr unsigned CritBinom(unsigned trials, double probability_s,
double alpha) {
if (probability_s < 0.0 || probability_s > 1.0 || alpha < 0.0 ||
alpha > 1.0) {
__builtin_unreachable();
}
double cumulative = 0.0;
for (unsigned k = 0; k <= trials; ++k) {
cumulative += BinomialPMF(k, trials, probability_s);
if (cumulative >= alpha) {
return k;
}
}
return trials;
}
// ExpTaylor calculates e^x using the Taylor series: e^x = 1 + x + x²/2! +
// x³/3! + ...
constexpr double ExpTaylor(double x) {
double sum = 1.0;
double term = 1.0;
for (int i = 1; i < 25; ++i) {
term *= x / i;
sum += term;
}
return sum;
}
// Power2 calculates 2^exp by calculating e^(ln(2) * exp) = e^(ln(2)) ^ exp =
// 2^exp. (std::pow isn't constexpr until C++26.)
constexpr double Power2(double exp) {
constexpr double ln2 = 0.693147180559945309417232121458;
return ExpTaylor(exp * ln2);
}
// AdaptiveProportionTestCutoff implements the function from the footnote on
// page 27 of SP 800-90B.
constexpr unsigned AdaptiveProportionTestCutoff(unsigned W, float H,
float alpha) {
return 1 + CritBinom(W, Power2(-H), 1.0 - alpha);
}
// These are the example values from table 2 of SP 800-90B, to show that
// we're calculating the values correctly.
static_assert(AdaptiveProportionTestCutoff(512, 0.5, kAlpha) == 410);
static_assert(AdaptiveProportionTestCutoff(512, 1, kAlpha) == 311);
static_assert(AdaptiveProportionTestCutoff(512, 2, kAlpha) == 177);
static_assert(AdaptiveProportionTestCutoff(512, 4, kAlpha) == 62);
static_assert(AdaptiveProportionTestCutoff(512, 8, kAlpha) == 13);
template <typename T>
class AdaptiveProportionTest {
public:
// The size of the sliding window, representing the number of recent samples
// to analyze.
static constexpr unsigned kWindowSize = 512;
// The maximum number of times any single byte value is allowed to appear
// within the sliding window.
static constexpr unsigned kThreshold =
AdaptiveProportionTestCutoff(kWindowSize, kH, kAlpha);
static_assert(kThreshold == 348);
explicit AdaptiveProportionTest(T &&sub_sampler)
: sub_sampler_(std::forward<T>(sub_sampler)) {
counts_.fill(0);
}
bool Next(uint8_t *out) {
uint8_t sample;
if (!sub_sampler_.Next(&sample)) {
return false;
}
*out = sample;
if (samples_processed_ >= kWindowSize) {
const uint8_t evicted_sample = buffer_[buffer_idx_];
counts_[evicted_sample]--;
}
buffer_[buffer_idx_] = sample;
const uint16_t new_count = ++counts_[sample];
if (new_count > kThreshold) {
return false;
}
buffer_idx_ = (buffer_idx_ + 1) % kWindowSize;
samples_processed_++;
return true;
}
private:
T sub_sampler_;
// A circular buffer to store the most recent `kWindowSize` samples.
std::array<uint8_t, kWindowSize> buffer_{};
// An array to store the frequency counts of each possible byte value (0-255)
// within the current window.
std::array<uint16_t, 256> counts_{};
// The current index for writing into the circular buffer.
size_t buffer_idx_ = 0;
// The total number of samples processed. Used to determine when the buffer
// is full and eviction should begin.
size_t samples_processed_ = 0;
};
template <typename U>
AdaptiveProportionTest(U &&sub_sampler)
-> AdaptiveProportionTest<std::decay_t<U>>;
template <typename T>
class SeedSampler {
public:
// NIST requires 1024 samples at start-up time. This code is structured so
// that the entropy generator is considered to be starting afresh for each
// seed.
static constexpr unsigned kNumSamples = 1024;
explicit SeedSampler(T &&sub_sampler)
: sub_sampler_(std::forward<T>(sub_sampler)) {}
bool Next(uint8_t out_seed[48]) {
// HMAC-SHA384 `kNumSamples` samples with an all-zero key:
SHA512_CTX ctx;
SHA384_Init(&ctx);
uint8_t block[kSHA384Block];
memset(block, 0x36, sizeof(block));
SHA384_Update(&ctx, block, sizeof(block));
static_assert(kNumSamples % sizeof(block) == 0);
for (unsigned i = 0; i < kNumSamples / sizeof(block); i++) {
for (unsigned j = 0; j < sizeof(block); j++) {
if (!sub_sampler_.Next(&block[j])) {
return false;
}
}
SHA384_Update(&ctx, block, sizeof(block));
}
SHA384_Final(out_seed, &ctx);
SHA384_Init(&ctx);
memset(block, 0x5c, sizeof(block));
SHA384_Update(&ctx, block, sizeof(block));
SHA384_Update(&ctx, out_seed, kSHA384DigestLength);
SHA384_Final(out_seed, &ctx);
return true;
}
private:
T sub_sampler_;
};
template <typename U>
SeedSampler(U &&sub_sampler) -> SeedSampler<std::decay_t<U>>;
constexpr size_t kMemorySize = 1u << 25;
constexpr size_t kMemoryAccessesPerSample = 16;
constexpr size_t kBitsPerSample = 8;
constexpr uint8_t kMask = (1u << kBitsPerSample) - 1;
} // namespace
int GetVersion() { return 20250725; }
bool GetSeed(uint8_t out[48]) {
auto sampler(SeedSampler(AdaptiveProportionTest(RepetitionCountTest(
MaskSampler(kMask, DeltaSampler(MemoryAccessSampler(
kMemorySize, kMemoryAccessesPerSample)))))));
return sampler.Next(out);
}
bool GetSamples(uint64_t *out, size_t n) {
auto sampler(
DeltaSampler(MemoryAccessSampler(kMemorySize, kMemoryAccessesPerSample)));
for (size_t i = 0; i < n; i++) {
if (!sampler.Next(&out[i])) {
return false;
}
}
return true;
}
} // namespace entropy
BSSL_NAMESPACE_END
#endif // LINUX || MACOS

27
crypto/fipsmodule/entropy/jitter_test.cc Normal file
View File

@@ -0,0 +1,27 @@
// Copyright 2025 The BoringSSL Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <gtest/gtest.h>
#include "internal.h"
#if defined(OPENSSL_LINUX) || defined(OPENSSL_MACOS)
TEST(JitterEntropy, Basic) {
uint8_t seed[48];
ASSERT_TRUE(bssl::entropy::GetSeed(seed));
}
#endif // LINUX || MACOS

324
crypto/fipsmodule/entropy/sha512.cc.inc Normal file
View File

@@ -0,0 +1,324 @@
// Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <stdint.h>
#include <string.h>
// This is a copy of the SHA-384 code for the purpose of isolating the jitter
// entropy source certification from any changes to the normal implementation.
namespace bssl::entropy {
namespace {
constexpr size_t kSHA384Block = 128;
constexpr size_t kSHA384DigestLength = (384 / 8);
struct SHA512_CTX {
uint64_t h[8];
uint64_t Nl, Nh;
uint8_t p[kSHA384Block];
unsigned num, md_len;
};
uint64_t CRYPTO_bswap8(uint64_t x) { return __builtin_bswap64(x); }
uint64_t CRYPTO_load_u64_be(const void *ptr) {
uint64_t ret;
memcpy(&ret, ptr, sizeof(ret));
return CRYPTO_bswap8(ret);
}
void CRYPTO_store_u64_be(void *out, uint64_t v) {
v = CRYPTO_bswap8(v);
memcpy(out, &v, sizeof(v));
}
uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) {
return (value >> shift) | (value << ((-shift) & 63));
}
void sha512_update(SHA512_CTX *c, const void *in_data, size_t len);
void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha);
void SHA384_Init(SHA512_CTX *sha) {
sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8);
sha->h[1] = UINT64_C(0x629a292a367cd507);
sha->h[2] = UINT64_C(0x9159015a3070dd17);
sha->h[3] = UINT64_C(0x152fecd8f70e5939);
sha->h[4] = UINT64_C(0x67332667ffc00b31);
sha->h[5] = UINT64_C(0x8eb44a8768581511);
sha->h[6] = UINT64_C(0xdb0c2e0d64f98fa7);
sha->h[7] = UINT64_C(0x47b5481dbefa4fa4);
sha->Nl = 0;
sha->Nh = 0;
sha->num = 0;
sha->md_len = kSHA384DigestLength;
return;
}
void SHA384_Final(uint8_t out[kSHA384DigestLength], SHA512_CTX *sha) {
// This function must be paired with |SHA384_Init|, which sets
// |sha->md_len| to |kSHA384DigestLength|.
sha512_final_impl(out, kSHA384DigestLength, sha);
return;
}
void SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) {
return sha512_update(sha, data, len);
}
void sha512_block_data_order(uint64_t state[8], const uint8_t *in,
size_t num_blocks);
void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) {
uint8_t *p = sha->p;
size_t n = sha->num;
p[n] = 0x80; // There always is a room for one
n++;
if (n > (sizeof(sha->p) - 16)) {
memset(p + n, 0, sizeof(sha->p) - n);
n = 0;
sha512_block_data_order(sha->h, p, 1);
}
memset(p + n, 0, sizeof(sha->p) - 16 - n);
CRYPTO_store_u64_be(p + sizeof(sha->p) - 16, sha->Nh);
CRYPTO_store_u64_be(p + sizeof(sha->p) - 8, sha->Nl);
sha512_block_data_order(sha->h, p, 1);
const size_t out_words = md_len / 8;
for (size_t i = 0; i < out_words; i++) {
CRYPTO_store_u64_be(out, sha->h[i]);
out += 8;
}
}
const uint64_t K512[80] = {
UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817),
};
#define Sigma0(x) \
(CRYPTO_rotr_u64((x), 28) ^ CRYPTO_rotr_u64((x), 34) ^ \
CRYPTO_rotr_u64((x), 39))
#define Sigma1(x) \
(CRYPTO_rotr_u64((x), 14) ^ CRYPTO_rotr_u64((x), 18) ^ \
CRYPTO_rotr_u64((x), 41))
#define sigma0(x) \
(CRYPTO_rotr_u64((x), 1) ^ CRYPTO_rotr_u64((x), 8) ^ ((x) >> 7))
#define sigma1(x) \
(CRYPTO_rotr_u64((x), 19) ^ CRYPTO_rotr_u64((x), 61) ^ ((x) >> 6))
#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z)))
#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define ROUND_00_15(i, a, b, c, d, e, f, g, h) \
do { \
T1 += h + Sigma1(e) + Ch(e, f, g) + K512[i]; \
h = Sigma0(a) + Maj(a, b, c); \
d += T1; \
h += T1; \
} while (0)
#define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) \
do { \
s0 = X[(j + 1) & 0x0f]; \
s0 = sigma0(s0); \
s1 = X[(j + 14) & 0x0f]; \
s1 = sigma1(s1); \
T1 = X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \
ROUND_00_15(i + j, a, b, c, d, e, f, g, h); \
} while (0)
void sha512_block_data_order(uint64_t state[8], const uint8_t *in, size_t num) {
uint64_t a, b, c, d, e, f, g, h, s0, s1, T1;
uint64_t X[16];
int i;
while (num--) {
a = state[0];
b = state[1];
c = state[2];
d = state[3];
e = state[4];
f = state[5];
g = state[6];
h = state[7];
T1 = X[0] = CRYPTO_load_u64_be(in);
ROUND_00_15(0, a, b, c, d, e, f, g, h);
T1 = X[1] = CRYPTO_load_u64_be(in + 8);
ROUND_00_15(1, h, a, b, c, d, e, f, g);
T1 = X[2] = CRYPTO_load_u64_be(in + 2 * 8);
ROUND_00_15(2, g, h, a, b, c, d, e, f);
T1 = X[3] = CRYPTO_load_u64_be(in + 3 * 8);
ROUND_00_15(3, f, g, h, a, b, c, d, e);
T1 = X[4] = CRYPTO_load_u64_be(in + 4 * 8);
ROUND_00_15(4, e, f, g, h, a, b, c, d);
T1 = X[5] = CRYPTO_load_u64_be(in + 5 * 8);
ROUND_00_15(5, d, e, f, g, h, a, b, c);
T1 = X[6] = CRYPTO_load_u64_be(in + 6 * 8);
ROUND_00_15(6, c, d, e, f, g, h, a, b);
T1 = X[7] = CRYPTO_load_u64_be(in + 7 * 8);
ROUND_00_15(7, b, c, d, e, f, g, h, a);
T1 = X[8] = CRYPTO_load_u64_be(in + 8 * 8);
ROUND_00_15(8, a, b, c, d, e, f, g, h);
T1 = X[9] = CRYPTO_load_u64_be(in + 9 * 8);
ROUND_00_15(9, h, a, b, c, d, e, f, g);
T1 = X[10] = CRYPTO_load_u64_be(in + 10 * 8);
ROUND_00_15(10, g, h, a, b, c, d, e, f);
T1 = X[11] = CRYPTO_load_u64_be(in + 11 * 8);
ROUND_00_15(11, f, g, h, a, b, c, d, e);
T1 = X[12] = CRYPTO_load_u64_be(in + 12 * 8);
ROUND_00_15(12, e, f, g, h, a, b, c, d);
T1 = X[13] = CRYPTO_load_u64_be(in + 13 * 8);
ROUND_00_15(13, d, e, f, g, h, a, b, c);
T1 = X[14] = CRYPTO_load_u64_be(in + 14 * 8);
ROUND_00_15(14, c, d, e, f, g, h, a, b);
T1 = X[15] = CRYPTO_load_u64_be(in + 15 * 8);
ROUND_00_15(15, b, c, d, e, f, g, h, a);
for (i = 16; i < 80; i += 16) {
ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X);
ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X);
ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X);
ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X);
ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X);
ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X);
ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X);
ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X);
ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X);
ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X);
ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X);
ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X);
ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X);
ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X);
ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X);
ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X);
}
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
state[4] += e;
state[5] += f;
state[6] += g;
state[7] += h;
in += 16 * 8;
}
}
#undef Sigma0
#undef Sigma1
#undef sigma0
#undef sigma1
#undef Ch
#undef Maj
#undef ROUND_00_15
#undef ROUND_16_80
void sha512_update(SHA512_CTX *c, const void *in_data, size_t len) {
uint64_t l;
uint8_t *p = c->p;
const uint8_t *data = reinterpret_cast<const uint8_t *>(in_data);
if (len == 0) {
return;
}
l = (c->Nl + (((uint64_t)len) << 3)) & UINT64_C(0xffffffffffffffff);
if (l < c->Nl) {
c->Nh++;
}
if (sizeof(len) >= 8) {
c->Nh += (((uint64_t)len) >> 61);
}
c->Nl = l;
if (c->num != 0) {
size_t n = sizeof(c->p) - c->num;
if (len < n) {
memcpy(p + c->num, data, len);
c->num += (unsigned int)len;
return;
} else {
memcpy(p + c->num, data, n), c->num = 0;
len -= n;
data += n;
sha512_block_data_order(c->h, p, 1);
}
}
if (len >= sizeof(c->p)) {
sha512_block_data_order(c->h, data, len / sizeof(c->p));
data += len;
len %= sizeof(c->p);
data -= len;
}
if (len != 0) {
memcpy(p, data, len);
c->num = (int)len;
}
return;
}
} // namespace
} // namespace bssl::entropy

4
gen/sources.bzl
View File

@@ -75,6 +75,8 @@ bcm_internal_headers = [
"crypto/fipsmodule/ec/wnaf.cc.inc",
"crypto/fipsmodule/ecdh/ecdh.cc.inc",
"crypto/fipsmodule/ecdsa/ecdsa.cc.inc",
"crypto/fipsmodule/entropy/jitter.cc.inc",
"crypto/fipsmodule/entropy/sha512.cc.inc",
"crypto/fipsmodule/hkdf/hkdf.cc.inc",
"crypto/fipsmodule/hmac/hmac.cc.inc",
"crypto/fipsmodule/keccak/keccak.cc.inc",
@@ -631,6 +633,7 @@ crypto_internal_headers = [
"crypto/fipsmodule/ec/p256-nistz.h",
"crypto/fipsmodule/ec/p256_table.h",
"crypto/fipsmodule/ecdsa/internal.h",
"crypto/fipsmodule/entropy/internal.h",
"crypto/fipsmodule/keccak/internal.h",
"crypto/fipsmodule/rand/internal.h",
"crypto/fipsmodule/rsa/internal.h",
@@ -750,6 +753,7 @@ crypto_test_sources = [
"crypto/fipsmodule/ec/p256-nistz_test.cc",
"crypto/fipsmodule/ec/p256_test.cc",
"crypto/fipsmodule/ecdsa/ecdsa_test.cc",
"crypto/fipsmodule/entropy/jitter_test.cc",
"crypto/fipsmodule/hkdf/hkdf_test.cc",
"crypto/fipsmodule/keccak/keccak_test.cc",
"crypto/fipsmodule/rand/ctrdrbg_test.cc",

4
gen/sources.cmake
View File

@@ -79,6 +79,8 @@ set(
crypto/fipsmodule/ec/wnaf.cc.inc
crypto/fipsmodule/ecdh/ecdh.cc.inc
crypto/fipsmodule/ecdsa/ecdsa.cc.inc
crypto/fipsmodule/entropy/jitter.cc.inc
crypto/fipsmodule/entropy/sha512.cc.inc
crypto/fipsmodule/hkdf/hkdf.cc.inc
crypto/fipsmodule/hmac/hmac.cc.inc
crypto/fipsmodule/keccak/keccak.cc.inc
@@ -649,6 +651,7 @@ set(
crypto/fipsmodule/ec/p256-nistz.h
crypto/fipsmodule/ec/p256_table.h
crypto/fipsmodule/ecdsa/internal.h
crypto/fipsmodule/entropy/internal.h
crypto/fipsmodule/keccak/internal.h
crypto/fipsmodule/rand/internal.h
crypto/fipsmodule/rsa/internal.h
@@ -774,6 +777,7 @@ set(
crypto/fipsmodule/ec/p256-nistz_test.cc
crypto/fipsmodule/ec/p256_test.cc
crypto/fipsmodule/ecdsa/ecdsa_test.cc
crypto/fipsmodule/entropy/jitter_test.cc
crypto/fipsmodule/hkdf/hkdf_test.cc
crypto/fipsmodule/keccak/keccak_test.cc
crypto/fipsmodule/rand/ctrdrbg_test.cc

4
gen/sources.gni
View File

@@ -75,6 +75,8 @@ bcm_internal_headers = [
"crypto/fipsmodule/ec/wnaf.cc.inc",
"crypto/fipsmodule/ecdh/ecdh.cc.inc",
"crypto/fipsmodule/ecdsa/ecdsa.cc.inc",
"crypto/fipsmodule/entropy/jitter.cc.inc",
"crypto/fipsmodule/entropy/sha512.cc.inc",
"crypto/fipsmodule/hkdf/hkdf.cc.inc",
"crypto/fipsmodule/hmac/hmac.cc.inc",
"crypto/fipsmodule/keccak/keccak.cc.inc",
@@ -631,6 +633,7 @@ crypto_internal_headers = [
"crypto/fipsmodule/ec/p256-nistz.h",
"crypto/fipsmodule/ec/p256_table.h",
"crypto/fipsmodule/ecdsa/internal.h",
"crypto/fipsmodule/entropy/internal.h",
"crypto/fipsmodule/keccak/internal.h",
"crypto/fipsmodule/rand/internal.h",
"crypto/fipsmodule/rsa/internal.h",
@@ -750,6 +753,7 @@ crypto_test_sources = [
"crypto/fipsmodule/ec/p256-nistz_test.cc",
"crypto/fipsmodule/ec/p256_test.cc",
"crypto/fipsmodule/ecdsa/ecdsa_test.cc",
"crypto/fipsmodule/entropy/jitter_test.cc",
"crypto/fipsmodule/hkdf/hkdf_test.cc",
"crypto/fipsmodule/keccak/keccak_test.cc",
"crypto/fipsmodule/rand/ctrdrbg_test.cc",

4
gen/sources.json
View File

@@ -60,6 +60,8 @@
"crypto/fipsmodule/ec/wnaf.cc.inc",
"crypto/fipsmodule/ecdh/ecdh.cc.inc",
"crypto/fipsmodule/ecdsa/ecdsa.cc.inc",
"crypto/fipsmodule/entropy/jitter.cc.inc",
"crypto/fipsmodule/entropy/sha512.cc.inc",
"crypto/fipsmodule/hkdf/hkdf.cc.inc",
"crypto/fipsmodule/hmac/hmac.cc.inc",
"crypto/fipsmodule/keccak/keccak.cc.inc",
@@ -613,6 +615,7 @@
"crypto/fipsmodule/ec/p256-nistz.h",
"crypto/fipsmodule/ec/p256_table.h",
"crypto/fipsmodule/ecdsa/internal.h",
"crypto/fipsmodule/entropy/internal.h",
"crypto/fipsmodule/keccak/internal.h",
"crypto/fipsmodule/rand/internal.h",
"crypto/fipsmodule/rsa/internal.h",
@@ -731,6 +734,7 @@
"crypto/fipsmodule/ec/p256-nistz_test.cc",
"crypto/fipsmodule/ec/p256_test.cc",
"crypto/fipsmodule/ecdsa/ecdsa_test.cc",
"crypto/fipsmodule/entropy/jitter_test.cc",
"crypto/fipsmodule/hkdf/hkdf_test.cc",
"crypto/fipsmodule/keccak/keccak_test.cc",
"crypto/fipsmodule/rand/ctrdrbg_test.cc",

4
gen/sources.mk
View File

@@ -74,6 +74,8 @@ boringssl_bcm_internal_headers := \
crypto/fipsmodule/ec/wnaf.cc.inc \
crypto/fipsmodule/ecdh/ecdh.cc.inc \
crypto/fipsmodule/ecdsa/ecdsa.cc.inc \
crypto/fipsmodule/entropy/jitter.cc.inc \
crypto/fipsmodule/entropy/sha512.cc.inc \
crypto/fipsmodule/hkdf/hkdf.cc.inc \
crypto/fipsmodule/hmac/hmac.cc.inc \
crypto/fipsmodule/keccak/keccak.cc.inc \
@@ -623,6 +625,7 @@ boringssl_crypto_internal_headers := \
crypto/fipsmodule/ec/p256-nistz.h \
crypto/fipsmodule/ec/p256_table.h \
crypto/fipsmodule/ecdsa/internal.h \
crypto/fipsmodule/entropy/internal.h \
crypto/fipsmodule/keccak/internal.h \
crypto/fipsmodule/rand/internal.h \
crypto/fipsmodule/rsa/internal.h \
@@ -739,6 +742,7 @@ boringssl_crypto_test_sources := \
crypto/fipsmodule/ec/p256-nistz_test.cc \
crypto/fipsmodule/ec/p256_test.cc \
crypto/fipsmodule/ecdsa/ecdsa_test.cc \
crypto/fipsmodule/entropy/jitter_test.cc \
crypto/fipsmodule/hkdf/hkdf_test.cc \
crypto/fipsmodule/keccak/keccak_test.cc \
crypto/fipsmodule/rand/ctrdrbg_test.cc \