Brian Smith
169803f490
Use distinct types for PBKDF2 and HMAC algorithms.
2019-07-07 16:47:46 -10:00
Brian Smith
6f6a150185
Limit HKDF to SHA-{256,384,512} and remove HKDF-SHA-1 tests.
2019-07-07 16:32:46 -10:00
Brian Smith
957934286d
0.15.0-alpha3.
2019-07-03 12:43:53 -10:00
Brian Smith
d8921f39a2
0.15.0-alpha2.
2019-07-03 12:20:01 -10:00
Brian Smith
f86911d3b5
Use untrusted 0.7.0-alpha1.
2019-07-03 12:20:01 -10:00
Brian Smith
89a56db450
Fix typo in Cargo.toml.
2019-07-03 12:20:00 -10:00
Brian Smith
c53955ea8a
Initial wasm32-unknown-unknown support.
2019-07-03 12:20:00 -10:00
Benjamin
b14031c000
download binary from tortall.net with HTTPS instead of HTTP
2019-07-03 11:30:48 -10:00
Brian Smith
5063977560
Fix build with Rust Nightly.
2019-07-03 10:42:23 -10:00
Brian Smith
ee50f59e82
Add rand::generate().
2019-07-03 08:30:59 -10:00
Brian Smith
33bffc7cef
Minimize and update dependencies.
2019-07-03 08:28:42 -10:00
Brian Smith
4bbba957f8
Merge BoringSSL 92b7c89: Add a value barrier to constant-time selects.
2019-07-02 17:01:41 -10:00
Brian Smith
f2eaee928b
Merge BoringSSL 12d9ed6: Avoid leaking intermediate states in point doubling special case.
2019-07-02 16:51:15 -10:00
Brian Smith
1e89f2e612
Ignore BoringSSL 18254e2..cef9d3f.
2019-07-02 16:45:39 -10:00
Brian Smith
544babc848
Merge BoringSSL 18254e2: Discuss the doubling case in windowed Booth representation.
2019-07-02 16:45:16 -10:00
Brian Smith
7c25bbea6e
Ignore BoringSSL c37e64c..72791ef.
2019-07-02 16:43:44 -10:00
Brian Smith
ff55f29642
Merge BoringSSL 326f121: Fix various mistakes in ec_GFp_nistp_recode_scalar_bits comment.
2019-07-02 16:42:41 -10:00
Brian Smith
687446deff
Replace non-x86_64 GFp_nistz256_point_add assembly with C.
Make it easier to maintain.
2019-07-02 16:36:24 -10:00
Brian Smith
9980176f50
Merge BoringSSL.
2019-07-02 16:30:50 -10:00
Brian Smith
b3f9a918e5
Enable NEON fallback implementation of GCM on AArch64.
2019-07-02 16:13:32 -10:00
Brian Smith
9a99848d74
Enable VPAES fallback implementation of AES for AArch64.
2019-07-02 16:13:32 -10:00
Brian Smith
7783933434
Ignore BoringSSL b3239c6..4ef217a.
2019-07-02 10:06:45 -10:00
Brian Smith
ac4fc52cf7
Merge BoringSSL f6eb565: Remove stray underscores.
2019-07-02 10:02:34 -10:00
Brian Smith
1902ed317c
Ignore BoringSSL a486c6c..b96d470.
2019-07-02 10:01:56 -10:00
Brian Smith
ee36474775
Merge BoringSSL 586235d: Check for x18 usage in aarch64 assembly.
2019-07-02 10:01:13 -10:00
Brian Smith
88596b8d33
Merge BoringSSL c1d8c5b: Handle errors from close in perlasm scripts.
2019-07-02 10:00:48 -10:00
Brian Smith
9e863213d2
Ignore BoringSSL fdb48f9..777a239.
2019-07-02 09:56:37 -10:00
Brian Smith
0d97b47bc8
Add missing GFp_ prefix to GFp_bsaes_ctr32_encrypt_blocks.
The prefix was accidentally removed during a merge.
2019-07-02 09:54:51 -10:00
Brian Smith
f2f72c2203
Add stricter check for Ed25519 signature malleability.
An approximate check was already implemented that passed all but one of the
Wycheproof test vectors. Now the check is complete and all Wycheproof test
vectors pass.
2019-07-01 17:54:45 -10:00
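The check this commit refers to, as an added example that is not *ring*'s code: an Ed25519 signature is R || S, and S must encode an integer below the group order L (RFC 8032). Because the base point has order L, any S' = S + L satisfies the verification equation for the same R and message, so a verifier that accepts a non-canonical S accepts two distinct signatures for one message. The approximate check shown here (top three bits of S clear, i.e. S < 2^253) is one way such a test can be incomplete, letting values in [L, 2^253) through; the complete check compares S against L byte by byte. The function names and the constructed test inputs are this example's own; the constant is the standard L.

```rust
// Added example (not *ring*'s code): checking that the S half of an Ed25519
// signature is canonical, i.e. 0 <= S < L, where L is the order of the
// prime-order subgroup (RFC 8032). The approximate check only tests that
// S < 2^253; the complete check compares against L itself.

/// Little-endian encoding of L = 2^252 + 27742317777372353535851937790883648493.
const ORDER_L: [u8; 32] = [
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10,
];

/// Approximate check: the three most significant bits of S are clear, so
/// S < 2^253. Since L is just above 2^252, this misses values in [L, 2^253).
fn s_top_bits_clear(s: &[u8; 32]) -> bool {
    s[31] & 0b1110_0000 == 0
}

/// Complete check: S < L, computed as a 32-byte little-endian subtraction
/// S - L whose final borrow is set exactly when S is smaller. No early exit,
/// so the running time does not depend on the bytes of S.
fn s_less_than_order(s: &[u8; 32]) -> bool {
    let mut borrow: u16 = 0;
    for i in 0..32 {
        // Each step is in -256..=255; negative results wrap to have bit 15 set.
        let diff = (s[i] as u16).wrapping_sub(ORDER_L[i] as u16).wrapping_sub(borrow);
        borrow = (diff >> 15) & 1;
    }
    borrow == 1
}

/// Extracts S (the second 32 bytes) from a 64-byte Ed25519 signature and
/// applies the complete check. Returns None if the encoding is not canonical.
fn canonical_s(signature: &[u8; 64]) -> Option<[u8; 32]> {
    let mut s = [0u8; 32];
    s.copy_from_slice(&signature[32..]);
    if s_less_than_order(&s) { Some(s) } else { None }
}

/// L - 1: the largest canonical S (constructed test input).
fn order_minus_one() -> [u8; 32] {
    let mut s = ORDER_L;
    s[0] -= 1; // 0xed -> 0xec, no borrow needed
    s
}

fn main() {
    let l = ORDER_L;
    // The input class the approximate check gets wrong: S = L passes the
    // top-bits test but is not canonical. A verifier accepting it would also
    // accept S + L for the same R and message, which is the malleability the
    // complete check closes.
    println!("S = L:     top bits clear = {}, S < L = {}",
             s_top_bits_clear(&l), s_less_than_order(&l));
    let lm1 = order_minus_one();
    println!("S = L - 1: top bits clear = {}, S < L = {}",
             s_top_bits_clear(&lm1), s_less_than_order(&lm1));
}
```

The comparison is written without an early exit only for uniformity; S is public signature data, so a variable-time comparison would not leak anything secret here.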
Brian Smith
65ab723a19
Move masking of scalars in Curve25519 code to Rust.
2019-07-01 17:54:45 -10:00
Brian Smith
0c21917a7f
Merge BoringSSL d22578f: Adapt gcm_*_neon to aarch64.
2019-07-01 14:48:16 -10:00
Brian Smith
72c9ae0131
Ignore BoringSSL 4851041.
2019-07-01 14:46:08 -10:00
Brian Smith
bc92e6c313
Merge BoringSSL 885a63f: Patch out the aes_nohw fallback in bsaes_ctr32_encrypt_blocks.
2019-07-01 14:45:18 -10:00
Brian Smith
0097c88d6b
Ignore BoringSSL aadcce3.
2019-07-01 14:43:51 -10:00
Brian Smith
d0f95b1a82
Take BoringSSL 35941f2: Make vpaes-armv8.pl compatible with XOM.
2019-07-01 14:39:32 -10:00
Brian Smith
d37abba0a8
Ignore BoringSSL f9c8d30..1d13453.
2019-07-01 14:38:51 -10:00
Brian Smith
91c4f538e0
Ignore BoringSSL b8d7b74.
2019-07-01 14:38:06 -10:00
Brian Smith
f6fe1b0b0b
Ignore BoringSSL da8bb84.
2019-07-01 14:37:40 -10:00
Brian Smith
d1e9b5ba3a
Take BoringSSL 8d685ec: modes/asm/ghash-armv4.pl: address "infixes are deprecated" warnings.
2019-07-01 14:35:41 -10:00
Brian Smith
a64a9f7377
Merge BoringSSL 55db667: Enable vpaes for aarch64, with CTR optimizations.
This doesn't enable VPAES for AArch64 in *ring* though.
2019-07-01 14:35:01 -10:00
Brian Smith
8e658d8b89
Take BoringSSL b1b4ff9: Check in vpaes-armv8.pl from OpenSSL unused and unmodified.
2019-07-01 14:33:24 -10:00
Brian Smith
03b9d14d15
Remove array splitting from polyfill::convert.
Lifetime elision infers the wrong bounds. The code could be fixed by using
explicit lifetime annotations, but it's safer to just avoid the issue
altogether. The problem doesn't seem to affect any of the current code; the
problem was only noticed when trying to use the removed code for new uses.
2019-07-01 12:59:11 -10:00
Brian Smith
284619bc44
Use less unsafe in Block.
2019-07-01 12:59:11 -10:00
Brian Smith
a8d87207d9
Use explicit lifetime annotations when transmuting in Block.
The code seems to compile the same before and after this, but this seems
safer than relying on lifetime inference.
2019-07-01 12:58:09 -10:00
Brian Smith
3e814a4d18
Refactor SHA-1 implementation to be like the SHA-2 implementation.
2019-07-01 00:35:26 -10:00
Brian Smith
87728a783e
Add Rust SHA-2 implementation.
2019-07-01 00:35:26 -10:00
Brian Smith
928f936c7b
Move rsa::bigint to arithmetic/bigint.
2019-06-30 16:57:16 -10:00
Brian Smith
883379f789
Replace {TryFrom_, TryInto_} with now-stable standard versions.
2019-06-30 16:49:52 -10:00
Brian Smith
fd7d91814e
Reverse order of limbs in limbs! macros & simplify implementations.
Have the `limbs!` macros accept the limbs least-significant-first to be consistent
with how they are represented in memory. This has the nice side effect of making
them much simpler.
2019-06-25 11:10:31 -10:00
David Benjamin
92b7c89e6e
Add a value barrier to constant-time selects.
Clang recognizes the (mask & a) | (~mask & b) pattern as a select. While
it often optimizes this into a cmov, it sometimes inserts branches
instead, particularly when it detects a string of cmovs with the same
condition.
In the long term, we need language-level support for expressing our
constraints. In the short term, introduce value barriers to prevent the
compiler from reasoning about our bit tricks. Thanks to Chandler Carruth
for suggesting this pattern. It should be reasonably robust, short of
value-based PGO or the compiler learning to reason about empty inline
assembly blocks.
Apply barriers to our various constant-time selects. We should invest
more in the valgrind-based tooling to figure out if there are other
instances.
Change-Id: Icc24ce36a61f7fec021a762c27197b9c5bd28c5d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36484
Reviewed-by: Chandler Carruth <chandlerc@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2019-06-19 17:19:13 +00:00