Use SHA-256 for the FIPS integrity check everywhere. There are paperwork reasons why it's useful to use the same hash function in all cases. Thus unify on SHA-256, because the contexts where SHA-512 is faster are faster overall and thus less performance-sensitive. Change-Id: I7a782a3adba4ace3257313a24dc8bc213b9d64ec Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52165 Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index 79802c6..312c080 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt
@@ -437,17 +437,13 @@
 )
 
 if(FIPS_SHARED)
-  set(EXTRA_INJECT_HASH_ARGS)
-  if(ANDROID)
-    set(EXTRA_INJECT_HASH_ARGS "-sha256")
-  endif()
   # Rewrite libcrypto.so to inject the correct module hash value. This assumes
   # UNIX-style library naming, but we only support FIPS mode on Linux anyway.
   add_custom_command(
     TARGET crypto POST_BUILD
     COMMAND ${GO_EXECUTABLE} run
             ${CMAKE_CURRENT_SOURCE_DIR}/../util/fipstools/inject_hash/inject_hash.go
-            -o libcrypto.so -in-object libcrypto.so ${EXTRA_INJECT_HASH_ARGS}
+            -o libcrypto.so -in-object libcrypto.so
     # The DEPENDS argument to a POST_BUILD rule appears to be ignored. Thus
     # go_executable isn't used (as it doesn't get built), but we list this
     # dependency anyway in case it starts working in some CMake version.
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c index faff6c4..6f8f5c0 100644 --- a/crypto/fipsmodule/bcm.c +++ b/crypto/fipsmodule/bcm.c
@@ -210,21 +210,12 @@
   assert_within(rodata_start, kP256Params, rodata_end);
   assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);
 
-#if defined(OPENSSL_AARCH64) || defined(OPENSSL_ANDROID)
   uint8_t result[SHA256_DIGEST_LENGTH];
   const EVP_MD *const kHashFunction = EVP_sha256();
   if (!boringssl_self_test_sha256() ||
       !boringssl_self_test_hmac_sha256()) {
     return 0;
   }
-#else
-  uint8_t result[SHA512_DIGEST_LENGTH];
-  const EVP_MD *const kHashFunction = EVP_sha512();
-  if (!boringssl_self_test_sha512() ||
-      !boringssl_self_test_hmac_sha256()) {
-    return 0;
-  }
-#endif
 
   static const uint8_t kHMACKey[64] = {0};
   unsigned result_len;
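Review bot: The integrity-hash length is now fixed independently in three places that nothing ties together — `result[SHA256_DIGEST_LENGTH]` on the new side here, the 32-byte `.size BORINGSSL_bcm_text_hash` that delocate emits, and the `[32]byte` placeholder inject_hash replaces — so a drift in any one would make the check compare the wrong number of bytes. Add a comment above `uint8_t result[SHA256_DIGEST_LENGTH];` such as `// Integrity check is HMAC-SHA-256 with the all-zero 64-byte kHMACKey; the digest size and key must stay in sync with util/fipstools/inject_hash and the BORINGSSL_bcm_text_hash size delocate emits.` and, if `BORINGSSL_bcm_text_hash` is declared with an explicit length, a static assert such as `OPENSSL_STATIC_ASSERT(sizeof(BORINGSSL_bcm_text_hash) == SHA256_DIGEST_LENGTH, "integrity hash size mismatch");` beside the comparison. Dropping `boringssl_self_test_sha512()` from this path is only correct if SHA-512 is still known-answer-tested before its first use elsewhere in the module's self-tests, which is not visible in the hunk. The enclosing function starts and ends outside the hunk.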
diff --git a/util/fipstools/delocate/delocate.go b/util/fipstools/delocate/delocate.go index 2d92520d..5d4b1f4 100644 --- a/util/fipstools/delocate/delocate.go +++ b/util/fipstools/delocate/delocate.go
@@ -1940,7 +1940,7 @@
 	}
 	w.WriteString(".type BORINGSSL_bcm_text_hash, @object\n")
-	w.WriteString(".size BORINGSSL_bcm_text_hash, 64\n")
+	w.WriteString(".size BORINGSSL_bcm_text_hash, 32\n")
 	w.WriteString("BORINGSSL_bcm_text_hash:\n")
 	for _, b := range fipscommon.UninitHashValue {
 		w.WriteString(".byte 0x" + strconv.FormatUint(uint64(b), 16) + "\n")
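Review bot: The `.size BORINGSSL_bcm_text_hash, 32` literal on the added line duplicates the length of `fipscommon.UninitHashValue`, which the loop two lines below ranges over, so the declared symbol size and the number of `.byte` lines actually emitted can disagree the next time the placeholder length changes. Derive it from the array instead: `w.WriteString(".size BORINGSSL_bcm_text_hash, " + strconv.Itoa(len(fipscommon.UninitHashValue)) + "\n")`. `strconv` is already used on the `.byte` line, so no new import is needed. The enclosing function starts and ends outside the hunk.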
diff --git a/util/fipstools/fipscommon/const.go b/util/fipstools/fipscommon/const.go index 5693414..f4c0b75 100644 --- a/util/fipstools/fipscommon/const.go +++ b/util/fipstools/fipscommon/const.go
@@ -17,6 +17,6 @@
 // UninitHashValue is the default hash value that we inject into the module.
 // This value need only be distinct, i.e. so that we can safely
 // search-and-replace it in an object file.
-var UninitHashValue = [64]byte{
-	0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b, 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f, 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80, 0xa2, 0xd4, 0xc3, 0x66, 0x0f, 0xc2, 0x6a, 0x7b, 0xf4, 0xbe, 0x39, 0xa2, 0xd7, 0x25, 0xdb, 0x21, 0x98, 0xe9, 0xd5, 0x53, 0xbf, 0x5c, 0x32, 0x06, 0x83, 0x34, 0x0c, 0x65, 0x89, 0x52, 0xbd, 0x1f,
+var UninitHashValue = [32]byte{
+	0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b, 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f, 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80,
 }
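Review bot: The new 32-byte placeholder is exactly the first half of the old 64-byte one, so inject_hash would still find its marker in an object file produced by a pre-change delocate and patch only the first 32 bytes, leaving the stale tail in place, unless its search step also rejects such matches (that code is not visible here). If mixing tool versions is a realistic risk, choose 32 fresh random bytes so a stale placeholder fails loudly as not-found instead. Either way the doc comment should state the constraint the length now carries, e.g. `// Its length must equal the HMAC-SHA-256 output size (32 bytes) that bcm.c compares against.`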
diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go index dbd5fb7..6f14982 100644 --- a/util/fipstools/inject_hash/inject_hash.go +++ b/util/fipstools/inject_hash/inject_hash.go
@@ -21,7 +21,6 @@
 	"bytes"
 	"crypto/hmac"
 	"crypto/sha256"
-	"crypto/sha512"
 	"debug/elf"
 	"encoding/binary"
 	"errors"
@@ -36,7 +35,7 @@
 	"boringssl.googlesource.com/boringssl/util/fipstools/fipscommon"
 )
 
-func do(outPath, oInput string, arInput string, useSHA256 bool) error {
+func do(outPath, oInput string, arInput string) error {
 	var objectBytes []byte
 	var isStatic bool
 	var perm os.FileMode
@@ -216,11 +215,7 @@
 	}
 
 	var zeroKey [64]byte
-	hashFunc := sha512.New
-	if useSHA256 {
-		hashFunc = sha256.New
-	}
-	mac := hmac.New(hashFunc, zeroKey[:])
+	mac := hmac.New(sha256.New, zeroKey[:])
 
 	if moduleROData != nil {
 		var lengthBytes [8]byte
@@ -257,11 +252,10 @@
 	arInput := flag.String("in-archive", "", "Path to a .a file")
 	oInput := flag.String("in-object", "", "Path to a .o file")
 	outPath := flag.String("o", "", "Path to output object")
-	sha256 := flag.Bool("sha256", false, "Whether to use SHA-256 over SHA-512. This must match what the compiled module expects.")
 	flag.Parse()
 
-	if err := do(*outPath, *oInput, *arInput, *sha256); err != nil {
+	if err := do(*outPath, *oInput, *arInput); err != nil {
 		fmt.Fprintf(os.Stderr, "%s\n", err)
 		os.Exit(1)
 	}
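Review bot: `mac := hmac.New(sha256.New, zeroKey[:])` fixes the digest length on the tool side while the placeholder length lives in `fipscommon.UninitHashValue`; if the replacement step later in `do` does not already compare the two (it is outside the hunk), a mismatch would silently overwrite the wrong number of bytes in the object. Add a guard right after constructing the MAC: `if mac.Size() != len(fipscommon.UninitHashValue) { return fmt.Errorf("hash size %d does not match placeholder size %d", mac.Size(), len(fipscommon.UninitHashValue)) }` (`fmt` is already imported, as main's `fmt.Fprintf` shows). Also document the cross-file coupling above `var zeroKey [64]byte`: `// Zero-key HMAC-SHA-256; must match kHMACKey and kHashFunction in crypto/fipsmodule/bcm.c.` The 64-byte zero key equals SHA-256's block size, so HMAC uses it as-is rather than hashing it first, which keeps it byte-compatible with the C side. The enclosing function `do` starts and ends outside the hunk.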