Chiebot-Mirror/boringssl - boringssl - Gitea: Git with a cup of tea

Author	SHA1	Message	Date
Adam Langley	1cf78cd290	Use passive entropy collection everywhere. Change-Id: I40513b3947fa571d2d0b918641b9917451ced3e1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47284 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>	4 years ago
Bradley Hess	c953ee4af7	Add RNG support for FreeBSD. Get entropy from /dev/urandom on FreeBSD < 12, or getrandom() on FreeBSD 12, per https://www.freebsd.org/cgi/man.cgi?query=getrandom&sektion=2&format=html Tested manually with `ninja run_tests` on both FreeBSD 11 and 12. Change-Id: I72ef54d1a83104d1fbe172fd86f6cd32dacc9819 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46188 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>	4 years ago
David Benjamin	e7b5675015	Split the FIPS mode PRNG lock in two. In FIPS mode, we maintain a lock in order to implement clearing DRBG state on process shutdown. This lock serves two purposes: 1. It protects the linked list of all DRBG states, which needs to be updated the first time a thread touches RAND_bytes, when a thread exits, and on process exit. 2. It ensures threads alive during process shutdown do not accidentally touch DRBGs after they are cleared, by way of taking a ton of read locks in RAND_bytes across some potentially time-consuming points. This means that when one of the rare events in (1) happens, it must contend with the flurry of read locks in (2). Split these uses into two locks. The second lock now only ever sees read locks until process shutdown, and the first lock is only accessed in rare cases. Change-Id: Ib856c7a3bb937bbfa5d08534031dbf4ed3315cab Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45844 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>	4 years ago
Adam Langley	a3a98944f4	Switch to passive entropy collection for Android FIPS. Rather than the FIPS module actively collecting entropy from the CPU or OS, this change configures Android FIPS to passively receive entropy. See FIPS IG 7.14 section two. Change-Id: Ibfc5c5042e560718474b89970199d35b67c21296 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44305 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>	4 years ago
David Benjamin	9bf1634b93	Move Trusty workaround to the OPENSSL_LINUX define. See b/169780122. This CL should be a no-op (the only other OPENSSL_LINUX defines are in urandom/getrandom logic, which Trusty doesn't use), but should be easier to work for future code. Change-Id: I7676ce234a20ddaf54a881f2da1e1fcd680d1c78 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43224 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>	5 years ago
Pete Bentley	6b6b66bacd	Disable fork detection on Trusty. Trusty doesn't have madvise() or sysconf() and more importantly, doesn't have fork() (confirmed chatting to ncbray), so the no-op #if branch in fork_detect.c seems appropriate. Change-Id: I41b41e79d59919bae6c6ece0e0efd3872105e9b1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43204 Commit-Queue: Pete Bentley <prb@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>	5 years ago
Adam Langley	fb0c05cac2	acvp: add CMAC-AES support. Change by Dan Janni. Change-Id: I3f059e7b1a822c6f97128ca92a693499a3f7fa8f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/41984 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>	5 years ago