Commit Graph

8 Commits

Author SHA1 Message Date
Alessandro Ghedini 4cb7e260a8 Clean-up legacy FIPS options
Per BoringSSL's FIPS policy, its `main` branch is the "update branch"
for FedRAMP compliance's purposes.

This means that we can stop using a specific BoringSSL branch when
enabling FIPS, as well as a number of hacks that allowed us to build
more recent BoringSSL versions with an older pre-compiled FIPS module.

This also required slightly updating the main BoringSSL submodule, as
the previous version had an issue when building with the FIPS option
enabled. This in turn required some changes to the PQ patch as well as
some APIs that don't seem to be exposed publicly, as well as changing
some paths in the other patches.

In order to allow a smooth upgrade of internal projects, the `fips-compat`
feature is reduced in scope and renamed to `legacy-compat-deprecated` so
that we can incrementally upgrade internal BoringSSL forks. In practice
this shouldn't really be something anyone else would need, since in
order to work it requires a specific mix of BoringSSL version and
backported patches.
2025-09-26 17:12:23 +01:00
Ivan Nikulin 0dd85d187b Merge pull request #117 from nox/bump-boringssl
Update boringssl to latest upstream commit (fixes #100)
2023-05-11 16:23:28 +01:00
Piotr Sikora 902e7d0c92 Update BoringCrypto to FIPS 140-2 certificate 4407.
Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
2023-05-09 10:37:32 +02:00
Anthony Ramine 6274f70726 Update boringssl to latest upstream commit
Notable commits that cause code changes here:

X509 fields notBefore and notAfter need to be specified
https://boringssl-review.googlesource.com/c/boringssl/+/49349

X509ReqBuilder only accepts X509v1 now
https://boringssl-review.googlesource.com/c/boringssl/+/52605

Some functions switched from int to size_t
https://boringssl-review.googlesource.com/c/boringssl/+/54985

CECPQ2 support was dropped
https://boringssl-review.googlesource.com/c/boringssl/+/58645

This is a breaking change.
2023-05-09 10:28:10 +02:00
BiagioFesta e141e834f1 Update boringssl deps for quiche 0.12.0 compatibility
- ExtensionType::TOKEN_BINDING removed from implementation
d89ec688f2

- ExtensionType::ECH_IS_INNER removed from implementation
18b6836b2f
2022-04-28 11:29:13 -05:00
Braden Ehrat 1507689c5b Add fips-3678 feature (#52)
* Add rerun-if-env-changed instructions for BORING_* variables

* Use X509_get0_notBefore() and X509_get0_notAfter() instead of X509_getm_notBefore() and X509_getm_notAfter().

According to
https://www.openssl.org/docs/man1.1.0/man3/X509_getm_notBefore.html,
"X509_getm_notBefore() and X509_getm_notAfter() are similar to
X509_get0_notBefore() and X509_get0_notAfter() except they return
non-constant mutable references to the associated date field of the
certificate".

* Only update boringssl submodule if BORING_BSSL_PATH not provided

* Allow BORING_BSSL_LIB_PATH to control link search

* Add fips feature

* Use X509_set_notAfter unconditionally for FIPS compatibility

This is equivalent according to
https://boringssl.googlesource.com/boringssl/+/c947efabcbc38dcf93e8ad0e6a76206cf0ec8072

The version of boringssl that's FIPS-certified doesn't have `X509_set1_notAfter`.
The only difference between that and `X509_set_notAfter` is whether they're const-correct,
which doesn't seem worth having two different code-paths.

* Check out fips commit automatically

* Verify the version of the compiler used for building boringssl

NIST specifies that it needs to be 7.0.1; I originally tried building with clang 10 and it failed.
Theoretically this should check the versions of Go and Ninja too, but they haven't given me trouble in practice.

Example error:
```
   Compiling boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys)
error: failed to run custom build command for `boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys)`

Caused by:
  process didn't exit successfully: `/home/jnelson/work/boring/target/debug/build/boring-sys-31b8ce53031cfd83/build-script-build` (exit status: 101)
  --- stdout
  cargo:rerun-if-env-changed=BORING_BSSL_PATH

  --- stderr
  warning: missing clang-7, trying other compilers: Permission denied (os error 13)
  warning: FIPS requires clang version 7.0.1, skipping incompatible version "clang version 10.0.0-4ubuntu1 "
  thread 'main' panicked at 'unsupported clang version "cc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0": FIPS requires clang 7.0.1', boring-sys/build.rs:216:13
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```

* Add GitHub Actions workflow testing FIPS

Co-authored-by: Joshua Nelson <jnelson@cloudflare.com>
2022-01-31 16:11:33 -06:00
Alessandro Ghedini 3e513cc619 Update boringssl submodule pointer
* 2020-11-09 Document X509V3_add1_i2d and friends.
* 2020-11-09 Re-reformat x509.h.
* 2020-11-11 aarch64: Fix name of gnu property note section
* 2020-11-10 Reformat and convert comments in asn1.h.
* 2020-11-10 Unwind M_ASN1_* macros for primitive types.
* 2020-11-10 Switch M_ASN1_TIME macros within the library.
* 2020-11-11 Remove the legacy MSTRING M_ASN1 macros.
* 2020-11-10 Rearrange ASN1_STRING_copy slightly.
* 2020-11-09 Document some defaults for the EVP RSA interface.
* 2020-11-10 Document the basic ASN1_STRING functions.
* 2020-11-10 Remove some unnecessary pointer casts.
* 2020-09-04 Add APIs for checking ASN.1 INTEGERs.
* 2020-11-11 Const-correct and document more X509 functions.
* 2020-11-13 Fix NETSCAPE_SPKI_get_pubkey documentation.
* 2020-11-18 Always check the TLS 1.3 downgrade signal.
* 2020-11-19 Rename the master_key field in SSL_SESSION to secret.
* 2020-11-19 Add FIPS self test for the TLS KDF.
* 2020-11-19 acvp: add SHA-512/256 support.
* 2020-11-19 Document ASN1_STRING.
* 2020-11-30 Add digest.h to self_check.c
* 2020-11-30 util/fipstools/acvp/acvptool: buffer signal channel to avoid losing signal
* 2020-11-30 Poly1305: Use |size_t|; assert |poly1305_state| is large enough.
* 2020-11-25 Improve sk_dup.
* 2020-12-01 aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
* 2020-12-01 Only accept little-endian ARM and MIPS variants in base.h.
* 2020-12-02 Update FIPS.md to include latest FIPS certificate.
* 2020-12-02 draft-ietf-tls-certificate-compression is now RFC 8879.
* 2020-12-02 Get closer to Ed25519 boundary conditions.
* 2020-12-01 PWCT failures should clear the generated key.
* 2020-10-29 Fix EDIPartyName parsing and GENERAL_NAME_cmp.
* 2020-12-08 Const-correct GENERAL_NAME_cmp.
* 2020-12-07 acvp: fix subprocess_test.go
* 2020-12-07 acvp: tweak config
* 2020-12-07 acvp: add TLS KDF support
* 2020-03-11 Implement GREASE for ECH (draft-ietf-tls-esni-08).
* 2020-12-08 Reject bad ASN.1 templates with implicitly-tagged CHOICEs.
* 2020-12-08 Align armv8.pl references to OPENSSL_armcap_P.
* 2020-12-08 acvp: add support for KAS
* 2020-12-10 Add TLS_KDF to documented break tests.
* 2020-12-09 Skip ASN.1 template tests in Windows shared library builds.
* 2020-12-01 Switch to passive entropy collection for Android FIPS.
* 2020-12-11 Finish switching to NASM.
* 2020-12-11 Remove unused Netware codepaths in x86 perlasm.
* 2020-12-10 Move DH code into the FIPS module.
* 2020-12-10 acvp: add support for finite-field Diffie–Hellman.
* 2020-12-14 Include bn.h from bn/internal.h
* 2020-12-02 Fix ChaCha20-Poly1305 x86-64 asm on Windows
* 2020-12-15 Check for trailing data in X509Test.GeneralName.
* 2020-12-15 Use stdlib.h instead of cstdlib in span.h.
* 2020-12-14 Add support for the new QUIC TLS extension codepoint
* 2020-12-14 Move DH parameter generation out of the FIPS module.
* 2020-12-16 Revert "Add support for the new QUIC TLS extension codepoint"
* 2020-12-16 Use more efficient std::string::find overload.
* 2020-12-17 Export tool_sources to GN.
* 2020-12-16 Allow some non-minimal lengths in BER.
* 2020-12-17 acvp: load config later.
* 2020-12-17 acvp: fix silly errors.
* 2020-12-22 Add .text.unlikely.* pattern to fips_shared.lds.
* 2020-12-23 acvp: better document the subprocess protocol.
* 2020-12-23 Gerrit ignores <sup>; use Unicode superscript instead.
* 2020-12-21 Update ECH GREASE to draft-ietf-tls-esni-09
* 2020-12-21 Fix awkward wording in comment.
* 2021-01-05 Fix chacha20_poly1305_x86_64.pl comments.
* 2020-12-17 acvp: add tests
* 2021-01-06 Update third_party/googletest.
* 2020-12-22 delocate: support alternative comment indicators
* 2020-12-22 delocate: eliminate expression from vpaes assembly.
* 2021-01-06 Add some OpenSSL-compatibility aliases
* 2020-12-17 acvp: drop subprocess_test.go
* 2021-01-06 Update HPKE to draft-irtf-cfrg-hpke-07.
* 2021-01-07 A handful more compatibility functions.
* 2021-01-06 Optimize suffix building in FileTest::ReadNext().
* 2021-01-08 Use gai_strerrorA on Windows.
* 2020-10-19 Add ASM optimizations for Windows on Arm
* 2020-12-22 delocate: handle Aarch64 assembly in parser.
* 2020-10-29 Send ECH acceptance signal from backend server.
* 2021-01-12 Test that ALPS can be deferred to the ALPN callback.
* 2021-01-12 runner: Allow tokbind without RI/EMS in TLS 1.3.
* 2021-01-12 Fix ALPS state machine in QUIC servers.
* 2021-01-12 Make QUIC work with -async tests.
* 2021-01-12 Make QUIC tests work with early data.
* 2021-01-12 Run extension tests at all protocols.
* 2021-01-12 Replace MockQUICTransport tags with record types.
* 2020-12-22 delocate: preprocess perlasm output on Aarch64
* 2021-01-14 Add support for the new QUIC TLS extension codepoint
* 2021-01-15 doc: fix SSL_set0_rbio
* 2021-01-18 acvp: add XTS support.
* 2021-01-19 Fix client 0-RTT handling with ALPS.
* 2021-01-08 Add DH_compute_key_padded.
* 2020-12-22 delocate: support Aarch64
* 2021-01-19 Make BN_clear_free a wrapper around BN_free.
* 2021-01-20 Define TLSEXT_TYPE_quic_transport_parameters to the old code point for now.
* 2021-01-21 Fix comments that refer to old draft of HPKE.
* 2021-01-21 acvp: don't advertise SHA-1 RSA signature generation.
* 2021-01-21 acvp: drop 3DES fields from output when unused.
* 2021-01-17 Support cross-compiling AArch64 FIPS to Android.
* 2021-01-22 acvp: update test expectations in light of 8dcdcb39a7
* 2021-01-22 acvp: check that the payloadLen of cipher tests is correct.
* 2021-01-21 Add basic BLAKE2b-256 support.
* 2021-01-25 acvp: update to newer FFDH test.
* 2021-01-19 Add FFDH FIPS self-test.
* 2021-01-27 Support MOVLPS and MOVHPS in delocate.
* 2021-01-27 Benchmark BORINGSSL_self_test in FIPS mode.
* 2021-01-27 acvp: move CMAC verification into the module wrapper.
* 2021-01-28 Use ID instead of Id in Go.
* 2021-01-29 Fix TLS13SessionID-TLS13 test.
* 2021-01-29 Revert "Disable check that X.509 extensions implies v3."
* 2021-02-02 Add missing include to self_check.c.
* 2021-02-02 Add various function calls to test_fips.
* 2021-02-04 Include bn/internal.h for non-bcm.c builds.
2021-02-10 12:59:03 +00:00
Ivan Nikulin 5cb8947d7e Rename stuff
2020-11-11 17:47:30 +00:00