Use SHA-256 for the FIPS integrity check everywhere.
There are paperwork reasons why it's useful to use the same hash
function in all cases. Thus unify on SHA-256 because contexts where
SHA-512 is faster are faster overall and thus less sensitive.
Change-Id: I7a782a3adba4ace3257313a24dc8bc213b9d64ec
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52165
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index 79802c6..312c080 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -437,17 +437,13 @@
)
if(FIPS_SHARED)
- set(EXTRA_INJECT_HASH_ARGS)
- if(ANDROID)
- set(EXTRA_INJECT_HASH_ARGS "-sha256")
- endif()
# Rewrite libcrypto.so to inject the correct module hash value. This assumes
# UNIX-style library naming, but we only support FIPS mode on Linux anyway.
add_custom_command(
TARGET crypto POST_BUILD
COMMAND ${GO_EXECUTABLE} run
${CMAKE_CURRENT_SOURCE_DIR}/../util/fipstools/inject_hash/inject_hash.go
- -o libcrypto.so -in-object libcrypto.so ${EXTRA_INJECT_HASH_ARGS}
+ -o libcrypto.so -in-object libcrypto.so
# The DEPENDS argument to a POST_BUILD rule appears to be ignored. Thus
# go_executable isn't used (as it doesn't get built), but we list this
# dependency anyway in case it starts working in some CMake version.
diff --git a/crypto/fipsmodule/bcm.c b/crypto/fipsmodule/bcm.c
index faff6c4..6f8f5c0 100644
--- a/crypto/fipsmodule/bcm.c
+++ b/crypto/fipsmodule/bcm.c
@@ -210,21 +210,12 @@
assert_within(rodata_start, kP256Params, rodata_end);
assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);
-#if defined(OPENSSL_AARCH64) || defined(OPENSSL_ANDROID)
uint8_t result[SHA256_DIGEST_LENGTH];
const EVP_MD *const kHashFunction = EVP_sha256();
if (!boringssl_self_test_sha256() ||
!boringssl_self_test_hmac_sha256()) {
return 0;
}
-#else
- uint8_t result[SHA512_DIGEST_LENGTH];
- const EVP_MD *const kHashFunction = EVP_sha512();
- if (!boringssl_self_test_sha512() ||
- !boringssl_self_test_hmac_sha256()) {
- return 0;
- }
-#endif
static const uint8_t kHMACKey[64] = {0};
unsigned result_len;
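Review bot: The digest size is now pinned by three independent literals that nothing ties together — `SHA256_DIGEST_LENGTH` for `result` at the top of this hunk, the `.size BORINGSSL_bcm_text_hash, 32` directive emitted by delocate.go, and the `[32]byte` placeholder in fipscommon/const.go — so a future change to any one of them would presumably leave the comparison against the embedded hash (outside this hunk) checking the wrong number of bytes. I'd add above `uint8_t result[SHA256_DIGEST_LENGTH];` the comment `// Digest length must equal len(fipscommon.UninitHashValue) and the .size delocate emits for BORINGSSL_bcm_text_hash.` The 64-byte all-zero `kHMACKey` matches the `zeroKey [64]byte` used by inject_hash.go, which is what keeps the two HMAC computations identical; a one-line comment saying so next to `kHMACKey` would help the next person who touches either side. The enclosing function starts and ends outside this hunk.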
diff --git a/util/fipstools/delocate/delocate.go b/util/fipstools/delocate/delocate.go
index 2d92520..5d4b1f4 100644
--- a/util/fipstools/delocate/delocate.go
+++ b/util/fipstools/delocate/delocate.go
@@ -1940,7 +1940,7 @@
}
w.WriteString(".type BORINGSSL_bcm_text_hash, @object\n")
- w.WriteString(".size BORINGSSL_bcm_text_hash, 64\n")
+ w.WriteString(".size BORINGSSL_bcm_text_hash, 32\n")
w.WriteString("BORINGSSL_bcm_text_hash:\n")
for _, b := range fipscommon.UninitHashValue {
w.WriteString(".byte 0x" + strconv.FormatUint(uint64(b), 16) + "\n")
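Review bot: The `.size` literal `32` is hard-coded on the changed line while the symbol's actual size is whatever the `for` loop below emits, one `.byte` per element of `fipscommon.UninitHashValue`; this commit had to update both by hand, which is exactly how they drift. Deriving the directive from the array keeps them in lockstep: `w.WriteString(".size BORINGSSL_bcm_text_hash, " + strconv.Itoa(len(fipscommon.UninitHashValue)) + "\n")` — `strconv` is already imported here. The enclosing function continues outside the hunk.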
diff --git a/util/fipstools/fipscommon/const.go b/util/fipstools/fipscommon/const.go
index 5693414..f4c0b75 100644
--- a/util/fipstools/fipscommon/const.go
+++ b/util/fipstools/fipscommon/const.go
@@ -17,6 +17,6 @@
// UninitHashValue is the default hash value that we inject into the module.
// This value need only be distinct, i.e. so that we can safely
// search-and-replace it in an object file.
-var UninitHashValue = [64]byte{
- 0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b, 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f, 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80, 0xa2, 0xd4, 0xc3, 0x66, 0x0f, 0xc2, 0x6a, 0x7b, 0xf4, 0xbe, 0x39, 0xa2, 0xd7, 0x25, 0xdb, 0x21, 0x98, 0xe9, 0xd5, 0x53, 0xbf, 0x5c, 0x32, 0x06, 0x83, 0x34, 0x0c, 0x65, 0x89, 0x52, 0xbd, 0x1f,
+var UninitHashValue = [32]byte{
+ 0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b, 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f, 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80,
}
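Review bot: The new 32-byte `UninitHashValue` is byte-for-byte the first half of the old 64-byte value, so if inject_hash locates the placeholder by byte search (as the comment above suggests), running the new tool over a stale object built with the old 64-byte placeholder would still find a match and inject a 32-byte digest into the front of a 64-byte slot rather than failing. A freshly generated 32-byte value would make that mismatch fail loudly instead, which is the safer outcome for an integrity check. If the prefix was kept deliberately, a sentence in the comment saying why would preempt the question.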
diff --git a/util/fipstools/inject_hash/inject_hash.go b/util/fipstools/inject_hash/inject_hash.go
index dbd5fb7..6f14982 100644
--- a/util/fipstools/inject_hash/inject_hash.go
+++ b/util/fipstools/inject_hash/inject_hash.go
@@ -21,7 +21,6 @@
"bytes"
"crypto/hmac"
"crypto/sha256"
- "crypto/sha512"
"debug/elf"
"encoding/binary"
"errors"
@@ -36,7 +35,7 @@
"boringssl.googlesource.com/boringssl/util/fipstools/fipscommon"
)
-func do(outPath, oInput string, arInput string, useSHA256 bool) error {
+func do(outPath, oInput string, arInput string) error {
var objectBytes []byte
var isStatic bool
var perm os.FileMode
@@ -216,11 +215,7 @@
}
var zeroKey [64]byte
- hashFunc := sha512.New
- if useSHA256 {
- hashFunc = sha256.New
- }
- mac := hmac.New(hashFunc, zeroKey[:])
+ mac := hmac.New(sha256.New, zeroKey[:])
if moduleROData != nil {
var lengthBytes [8]byte
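Review bot: `hmac.New(sha256.New, zeroKey[:])` now silently fixes the digest algorithm and key that the C side must reproduce, but nothing here says which C symbols those are. I'd put above the changed line `// HMAC-SHA-256 with a 64-byte all-zero key, mirroring kHMACKey and kHashFunction in crypto/fipsmodule/bcm.c; the digest length must equal len(fipscommon.UninitHashValue).` The body of `do` begins and ends outside this hunk.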
@@ -257,11 +252,10 @@
arInput := flag.String("in-archive", "", "Path to a .a file")
oInput := flag.String("in-object", "", "Path to a .o file")
outPath := flag.String("o", "", "Path to output object")
- sha256 := flag.Bool("sha256", false, "Whether to use SHA-256 over SHA-512. This must match what the compiled module expects.")
flag.Parse()
- if err := do(*outPath, *oInput, *arInput, *sha256); err != nil {
+ if err := do(*outPath, *oInput, *arInput); err != nil {
fmt.Fprintf(os.Stderr, "%s\n", err)
os.Exit(1)
}