first step of v2 final release

crypto/rand/md_rand.c

@@ -397,10 +397,10 @@ static int rand_bytes(unsigned char *buf, int num, int pseudo)
 
         int n = STATE_SIZE;     /* so that the complete pool gets accessed */
         while (n > 0) {
-#if MD_DIGEST_LENGTH > 20
+#if MD_DIGEST_LENGTH > 32
 # error "Please adjust DUMMY_SEED."
 #endif
-#define DUMMY_SEED "...................." /* at least MD_DIGEST_LENGTH */
+#define DUMMY_SEED "................................" /* at least MD_DIGEST_LENGTH */
             /*
              * Note that the seed does not matter, it's just that
              * rand_add expects to have something to hash.

crypto/rand/rand_extra/deterministic.c

@@ -0,0 +1,48 @@
+/* Copyright (c) 2016, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+
+#include <string.h>
+
+#include <openssl/chacha.h>
+
+#include "../internal.h"
+#include "../fipsmodule/rand/internal.h"
+
+
+/* g_num_calls is the number of calls to |CRYPTO_sysrand| that have occurred.
+ *
+ * This is intentionally not thread-safe. If the fuzzer mode is ever used in a
+ * multi-threaded program, replace this with a thread-local. (A mutex would not
+ * be deterministic.) */
+static uint64_t g_num_calls = 0;
+
+void RAND_reset_for_fuzzing(void) { g_num_calls = 0; }
+
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
+  static const uint8_t kZeroKey[32];
+
+  uint8_t nonce[12];
+  OPENSSL_memset(nonce, 0, sizeof(nonce));
+  OPENSSL_memcpy(nonce, &g_num_calls, sizeof(g_num_calls));
+
+  OPENSSL_memset(out, 0, requested);
+  CRYPTO_chacha_20(out, out, requested, kZeroKey, nonce, 0);
+  g_num_calls++;
+}
+
+#endif  /* BORINGSSL_UNSAFE_DETERMINISTIC_MODE */

crypto/rand/rand_extra/forkunsafe.c

@@ -0,0 +1,44 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#include <stdlib.h>
+
+#include "../fipsmodule/rand/internal.h"
+
+
+/* g_buffering_enabled is true if fork-unsafe buffering has been enabled. */
+static int g_buffering_enabled = 0;
+
+/* g_lock protects |g_buffering_enabled|. */
+static struct CRYPTO_STATIC_MUTEX g_lock = CRYPTO_STATIC_MUTEX_INIT;
+
+void RAND_enable_fork_unsafe_buffering(int fd) {
+  /* We no longer support setting the file-descriptor with this function. */
+  if (fd != -1) {
+    abort();
+  }
+
+  CRYPTO_STATIC_MUTEX_lock_write(&g_lock);
+  g_buffering_enabled = 1;
+  CRYPTO_STATIC_MUTEX_unlock_write(&g_lock);
+}
+
+int rand_fork_unsafe_buffering_enabled(void) {
+  CRYPTO_STATIC_MUTEX_lock_read(&g_lock);
+  const int ret = g_buffering_enabled;
+  CRYPTO_STATIC_MUTEX_unlock_read(&g_lock);
+  return ret;
+}

crypto/rand/rand_extra/fuchsia.c

@@ -0,0 +1,43 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#if defined(OPENSSL_FUCHSIA) && !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+
+#include <limits.h>
+#include <stdlib.h>
+
+#include <magenta/syscalls.h>
+
+#include "../fipsmodule/rand/internal.h"
+
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
+  while (requested > 0) {
+    size_t output_bytes_this_pass = MX_CPRNG_DRAW_MAX_LEN;
+    if (requested < output_bytes_this_pass) {
+      output_bytes_this_pass = requested;
+    }
+    size_t bytes_drawn;
+    mx_status_t status =
+        mx_cprng_draw(out, output_bytes_this_pass, &bytes_drawn);
+    if (status != NO_ERROR) {
+      abort();
+    }
+    requested -= bytes_drawn;
+    out += bytes_drawn;
+  }
+}
+
+#endif /* OPENSSL_FUCHSIA && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE */

crypto/rand/rand_extra/windows.c

@@ -0,0 +1,53 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <openssl/rand.h>
+
+#if defined(OPENSSL_WINDOWS) && !defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE)
+
+#include <limits.h>
+#include <stdlib.h>
+
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
+
+#include <windows.h>
+
+/* #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036.  See the
+ * "Community Additions" comment on MSDN here:
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx */
+#define SystemFunction036 NTAPI SystemFunction036
+#include <ntsecapi.h>
+#undef SystemFunction036
+
+OPENSSL_MSVC_PRAGMA(warning(pop))
+
+#include "../fipsmodule/rand/internal.h"
+
+
+void CRYPTO_sysrand(uint8_t *out, size_t requested) {
+  while (requested > 0) {
+    ULONG output_bytes_this_pass = ULONG_MAX;
+    if (requested < output_bytes_this_pass) {
+      output_bytes_this_pass = (ULONG)requested;
+    }
+    if (RtlGenRandom(out, output_bytes_this_pass) == FALSE) {
+      abort();
+    }
+    requested -= output_bytes_this_pass;
+    out += output_bytes_this_pass;
+  }
+  return;
+}
+
+#endif  /* OPENSSL_WINDOWS && !BORINGSSL_UNSAFE_DETERMINISTIC_MODE */

crypto/rand/rand_lcl.h

@@ -13,13 +13,18 @@
 # define ENTROPY_NEEDED 32      /* require 256 bits = 32 bytes of randomness */
 
 # if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-#  define USE_SHA1_RAND
+#  define USE_SM3_RAND
 # endif
 
 # include <openssl/evp.h>
 # define MD_Update(a,b,c)        EVP_DigestUpdate(a,b,c)
 # define MD_Final(a,b)           EVP_DigestFinal_ex(a,b,NULL)
-# if defined(USE_MD5_RAND)
+# if defined(USE_SM3_RAND)
+#  include <openssl/sm3.h>
+#  define MD_DIGEST_LENGTH        SM3_DIGEST_LENGTH
+#  define MD_Init(a)              EVP_DigestInit_ex(a,EVP_sm3(), NULL)
+#  define MD(a,b,c)               EVP_Digest(a,b,c,NULL,EVP_sm3(), NULL)
+# elif defined(USE_MD5_RAND)
 #  include <openssl/md5.h>
 #  define MD_DIGEST_LENGTH        MD5_DIGEST_LENGTH
 #  define MD_Init(a)              EVP_DigestInit_ex(a,EVP_md5(), NULL)