author | Martin Baulig <martin.baulig@xamarin.com> | 2016-10-20 04:03:55 +0300 |
---|---|---|
committer | Martin Baulig <martin.baulig@xamarin.com> | 2016-10-20 19:43:51 +0300 |
commit | eec2ca7e76c04ca41ef5bfc875ee3b0374cb7a94 (patch) | |
tree | 1ae353ad512bac182c8fa1e572beccf8a7fd1f55 /crypto/cipher/aead_test.cc | |
parent | 2bc26c2772ad0a5d6b0ad4ba2ec77c8183d8932d (diff) |
Update to chromium-stable commit 3cab5572b1fcf5a8f6018529dc30dc8d21b2a4bd.
Squashed commit of the following:
commit 3cab5572b1fcf5a8f6018529dc30dc8d21b2a4bd
Author: Adam Langley <agl@google.com>
Date: Thu Jun 16 10:43:39 2016 -0700
Don't align NEWPOLY_POLY.
The alignas in NEWPOLY_POLY told the compiler that it could assume a
certain alignment. However, values were allocated with malloc with no
specific alignment.
We could try and allocate aligned memory but the alignment doesn't have
a performance impact (on x86-64) so this is the simpler change. (Also,
Windows doesn't have |posix_memalign|. The closest thing is
_alligned_alloc but then one has to use a special free function.)
Change-Id: I53955a88862160c02aa5436d991b1b797c3c17db
Reviewed-on: https://boringssl-review.googlesource.com/8315
Reviewed-by: David Benjamin <davidben@google.com>
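The commit above drops an alignas that malloc could not honour. As an added illustration (not BoringSSL code, and not the change the commit made), here is what the alternative it declined would look like: a portable aligned allocator built on plain malloc/free that over-allocates and stores the original pointer just before the returned block, which is exactly why it needs its own free function. Names (`is_aligned`, `aligned_malloc`, `aligned_free`, `aligned_alloc_roundtrip`) are this example's own.

```c
/* Added example, not BoringSSL code: a portable aligned allocator on top of
 * malloc/free, plus the check for whether a pointer really satisfies an
 * alignment. Over-allocates and stashes the original malloc pointer just
 * before the aligned block, so memory must be released with aligned_free(). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if |p| is aligned to |align| (a power of two), else 0. */
int is_aligned(const void *p, size_t align) {
  return ((uintptr_t)p & (align - 1)) == 0;
}

/* Allocates |size| bytes aligned to |align| bytes. |align| must be a power of
 * two. The result must be released with aligned_free(), never free(). */
void *aligned_malloc(size_t size, size_t align) {
  if (align == 0 || (align & (align - 1)) != 0) {
    return NULL;  /* not a power of two */
  }
  /* Worst case we need align-1 bytes of slack plus room for the back pointer. */
  if (size > SIZE_MAX - align - sizeof(void *)) {
    return NULL;  /* size arithmetic would overflow */
  }
  void *raw = malloc(size + align + sizeof(void *));
  if (raw == NULL) {
    return NULL;
  }
  uintptr_t start = (uintptr_t)raw + sizeof(void *);
  uintptr_t aligned = (start + align - 1) & ~(uintptr_t)(align - 1);
  /* Stash |raw| immediately before the aligned block so aligned_free can find it. */
  memcpy((void *)(aligned - sizeof(void *)), &raw, sizeof(raw));
  return (void *)aligned;
}

/* Recovers the original malloc pointer stored before |p| and frees it. */
void aligned_free(void *p) {
  if (p == NULL) {
    return;
  }
  void *raw;
  memcpy(&raw, (char *)p - sizeof(void *), sizeof(raw));
  free(raw);
}

/* Allocate with the requested alignment, verify it, touch every byte, and
 * release. Returns 1 on success, 0 if the allocator or the check failed. */
int aligned_alloc_roundtrip(size_t size, size_t align) {
  void *p = aligned_malloc(size, align);
  if (p == NULL || !is_aligned(p, align)) {
    aligned_free(p);
    return 0;
  }
  memset(p, 0xa5, size);
  aligned_free(p);
  return 1;
}
```

The `is_aligned` check is the one worth keeping even when you do not use the allocator: an alignas on a type is a promise to the compiler, and a plain malloc result only guarantees alignment suitable for fundamental types, so a cheap runtime assertion at the allocation site catches the mismatch the commit describes.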
commit 13603a8399cd50bdc476cf46ac8c81244aadbad9
Author: Brian Smith <brian@briansmith.org>
Date: Wed Jun 15 14:03:32 2016 -1000
Move "no inverse" test earlier in |BN_mod_inverse_no_branch|.
There's no use doing the remaining work if we're going to fail due to
there being no inverse.
Change-Id: Ic6d7c92cbbc2f7c40c51e6be2de3802980d32543
Reviewed-on: https://boringssl-review.googlesource.com/8310
Reviewed-by: David Benjamin <davidben@google.com>
commit 7975056ac1ca5917dff1943415864f12dc913657
Author: Steven Valdez <svaldez@google.com>
Date: Thu Jun 16 06:38:04 2016 -0400
Fixing iv_length for TLS 1.3.
In TLS 1.3, the iv_length is equal to the explicit AEAD nonce length,
and is required to be at least 8 bytes.
Change-Id: Ib258f227d0a02c5abfc7b65adb4e4a689feffe33
Reviewed-on: https://boringssl-review.googlesource.com/8304
Reviewed-by: David Benjamin <davidben@google.com>
commit 3675dddab9993e9c521c76c6b10176b8da7c0141
Author: Matt Braithwaite <mab@google.com>
Date: Wed May 25 10:43:39 2016 -0700
newhope_test: corrupt things harder.
This ensures that the test is not flaky after lots of iterations.
Along the way, change newhope_test.cc to C++.
Change-Id: I4ef139444b8c8a98db53d075105eb6806f6c5fc7
Reviewed-on: https://boringssl-review.googlesource.com/8110
Reviewed-by: Adam Langley <agl@google.com>
commit da7f0c65efb72556f8fc92e460e6c90cd1b1add7
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 15 18:41:51 2016 -0400
Unwind X509_LU_RETRY and fix a lot of type confusion.
(This change will be sent upstream. Since the legacy X.509 stack is just
kept around for compatibility, if they decide to fix it in a different
way, we may wish to revert this and apply their fix.)
Dating back to SSLeay, X509_LOOKUP_METHOD had this X509_LU_RETRY
machinery. But it's not documented and it appears to have never worked.
Problems with the existing logic:
- X509_LU_* is not sure whether it is a type enum (to be passed into
X509_LOOKUP_by_*) or a return enum (to be retained by those same
functions).
- X509_LOOKUP_by_* is not sure whether it returns 0/1 or an X509_LU_*
value. Looking at the functions themselves, one might think it's the
latter, but for X509_LOOKUP_by_subject returning both 0 and
X509_LU_FAIL. But looking at the call sites, some expect 0/1 (such as
X509_STORE_get1_certs) while others expect an X509_LU_* enum (such as
X509_STORE_CTX_get1_issuer). It is very fortunate that FAIL happens to
be 0 and X509 happens to be 1.
These functions primarily call to X509_LOOKUP_METHOD hooks. Looking
through OpenSSL itself and code checked into Google, I found no
evidence that any hooks have been implemented except for
get_by_subject in by_dir.c. We take that one as definitive and observe
it believes it returns 0/1. Notably, it returns 1 on success even if
asked for a type other than X509_LU_X509. (X509_LU_X509 = 1. Others are
different.) I found another piece of third-party software which corroborates
this worldview.
- X509_STORE_get_by_subject's handling of X509_LU_RETRY (it's the j < 0
check) is broken. It saves j into vs->current_method where it probably
meant to save i. (This bug has existed since SSLeay.)
It also returns j (supposedly X509_LU_RETRY) while all callers of
X509_STORE_get_by_subject expect it to return 0/1 by checking with !
instead of <= 0. (Note that all other codepaths return 0 and 1 so this
function did not actually believe it returned X509_LU_* most of the
time.)
This, in turn, gives us a free of uninitialized pointers in
X509_STORE_get1_certs and other functions which expect that *ret is
filled in if X509_STORE_get_by_subject returns success. GCC 4.9 with
optimizations from the Android NDK noticed this, which triggered this
saga.
(It's only reachable if any X509_LOOKUP_METHOD returned
X509_LU_RETRY.)
- Although the code which expects X509_STORE_get_by_subject return 0/1
does not date to SSLeay, the X509_STORE_get_by_subject call in
X509_STORE_CTX_get1_issuer *does* (though, at the time, it was inline
in X509_verify_cert). That code believes X509_STORE_get_by_subject
returns an X509_LU_* enum, but it doesn't work either! It believes
*ret is filled in on X509_LU_RETRY, thus freeing another uninitialized
pointer (GCC noticed this too).
Since this "retry" code has clearly never worked, from SSLeay onwards,
unwind it completely rather than attempt to fix it. No
X509_LOOKUP_METHOD can possibly have depended on it.
Matching all non-broken codepaths X509_LOOKUP_by_* now returns 0/1 and
X509_STORE_get_by_subject returns 0/1. X509_LU_* is purely a type enum
with X509_LU_{REJECT,FAIL} being legacy constants to keep old code
compiling. (Upstream is recommended to remove those values altogether
for 1.1.0.)
On the off chance any get_by_* X509_LOOKUP_METHOD implementations did
not return 0/1 (I have found no evidence anywhere of this, and I believe
it wouldn't have worked anyway), the X509_LOOKUP_by_* wrapper functions
will coerce the return values back to 0/1 before passing up to the
callers which want 0/1. This both avoids the error-prone -1/0/1 calling
convention and, more importantly, avoids problems with third-party
callers which expect a X509_LU_* return code. 0/1 collide with FAIL/X509
while -1 will collide with RETRY and might confuse things.
Change-Id: I98ecf6fa7342866b9124dc6f0b422cb9ce4a1ae7
Reviewed-on: https://boringssl-review.googlesource.com/8303
Reviewed-by: Adam Langley <agl@google.com>
commit 054e597670b158012a585f0f3d3bbf106211a7e9
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 16 12:08:26 2016 -0400
Include intrin.h under cover of warning pragmas.
intrin.h on MSVC seems to have the same problem as other MSVC headers.
https://build.chromium.org/p/client.boringssl/builders/win64_small/builds/455/steps/ninja/logs/stdio
Change-Id: I98e959132c2f6188727d6c432f9c85aa0a78e91e
Reviewed-on: https://boringssl-review.googlesource.com/8305
Reviewed-by: Adam Langley <agl@google.com>
commit 2b360714abf9395d85ac9b50850fcd2fc4bda442
Author: Nico Weber <thakis@chromium.org>
Date: Thu Jun 16 10:12:05 2016 +0200
win: Add an explicit intrin.h include to work around a clang-cl bug.
I did the same change in NaCl in
https://codereview.chromium.org/2070533002/. I thought NaCl is the only
place where this was needed, but at least it's due to SecureZeroMemory()
again. So it's two files now, but at least there's only one function we
know of that needs this, and it's only called in three files total in
all projects used by Chromium.
BUG=chromium:592745
Change-Id: I07ed197869e26ec70c1f4b75d91fd64abae5015e
Reviewed-on: https://boringssl-review.googlesource.com/8320
Reviewed-by: David Benjamin <davidben@google.com>
commit 80ef4333591db8eb79c654cb030142edeab181ce
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 15 17:46:31 2016 -0400
No-op change to kick the bots.
Change-Id: Ifed0b7e23bb4df191628486b0c07c888056c22a8
commit f8fcdf399c2da11e248c0b14265ed4088001c5f2
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 15:56:13 2016 -0400
Add tests for both Channel ID and NPN together.
Both messages go between CCS and Finished. We weren't testing their relative
order and one of the state machine edges. Also test resume + NPN since that too
is a different handshake shape.
Change-Id: Iaeaf6c2c9bfd133103e2fb079d0e5a86995becfd
Reviewed-on: https://boringssl-review.googlesource.com/8196
Reviewed-by: Adam Langley <agl@google.com>
commit 65dac9c8a30d6427aee988a06dcb603d09863000
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 15 17:24:20 2016 -0400
Fix the name of OPENSSL_add_all_algorithms_conf.
I named the compatibility function wrong.
Change-Id: Idc289c317c5826c338c1daf58a2d3b26b09a7e49
Reviewed-on: https://boringssl-review.googlesource.com/8301
Reviewed-by: Adam Langley <agl@google.com>
commit 41e08045f7e5150f74f5020d3f470335191d2e46
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 14 15:53:40 2016 -0400
Fix typo.
Change-Id: I7699d59e61df16f2091c3e12607c08333dcc9813
Reviewed-on: https://boringssl-review.googlesource.com/8280
Reviewed-by: Adam Langley <agl@google.com>
commit f715c423224a292d79ba0e3df373c828fbae29f7
Author: David Benjamin <davidben@google.com>
Date: Sat Jun 11 19:01:56 2016 -0400
Make SSL_set_bio's ownership easier to reason about.
SSL_set_bio has some rather complex ownership story because whether rbio/wbio
are both owning depends on whether they are equal. Moreover, whether
SSL_set_bio(ssl, rbio, wbio) frees ssl->rbio depends on whether rbio is the
existing rbio or not. The current logic doesn't even get it right; see tests.
Simplify this. First, rbio and wbio are always owning. All the weird ownership
cases which we're stuck with for compatibility will live in SSL_set_bio. It
will internally BIO_up_ref if necessary and appropriately no-op the left or
right side as needed. It will then call more well-behaved ssl_set_rbio or
ssl_set_wbio functions as necessary.
Change-Id: I6b4b34e23ed01561a8c0aead8bb905363ee413bb
Reviewed-on: https://boringssl-review.googlesource.com/8240
Reviewed-by: Adam Langley <agl@google.com>
commit 5c0fb889a1348ecaa5691f6139f9d60a610f2129
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 14 14:03:51 2016 -0400
Add tests for SSL_set_fd and friends.
Their implementations expose a lot of really weird SSL_set_bio behavior. Note
that one test must be disabled as it doesn't even work. The subsequent commit
will re-enable it.
Change-Id: I4b7acadd710b3be056951886fc3e073a5aa816de
Reviewed-on: https://boringssl-review.googlesource.com/8272
Reviewed-by: Adam Langley <agl@google.com>
commit dfdd49c9612afb928b0275d7fad34da1803062d4
Author: Matt Braithwaite <mab@google.com>
Date: Mon Jun 13 17:06:48 2016 -0700
generate_build_files: more flexible Bazel deps
Include all internal headers in |test_support_sources|, since that's
easier than enumerating the ones specifically required for each test.
This incidentally removes test headers from |crypto_internal_headers|
and |ssl_internal_headers|.
Require the crypto and ssl libraries to be passed as arguments to
create_tests(), rather than hardcoding the names :crypto and :ssl.
Change-Id: Idcc522298c5baca2a84635ad3a7fdcf6e4968a5a
Reviewed-on: https://boringssl-review.googlesource.com/8260
Reviewed-by: David Benjamin <davidben@google.com>
commit 7af3140a824a4a1763609a0107a918bde02bef04
Author: David Benjamin <davidben@google.com>
Date: Sat Jun 11 19:37:21 2016 -0400
Remove ASN.1 BIOs.
These are more remnants of CMS. Nothing uses them directly. Removing them means
more code we don't have to think about when importing upstream patches.
Also take out a bunch of dead prototypes nearby.
Change-Id: Ife094d9d2078570006d1355fa4e3323f435be608
Reviewed-on: https://boringssl-review.googlesource.com/8244
Reviewed-by: David Benjamin <davidben@google.com>
commit ae0bf3b7c15d20304279ca53550b4c75876651c1
Author: David Benjamin <davidben@google.com>
Date: Sat Jun 11 19:13:58 2016 -0400
Remove ASN1_parse and ASN1_parse_dump.
These are more pretty-printers for generic ASN.1 structures. They're never
called externally and otherwise are only used in the X509V3_EXT_PARSE_UNKNOWN
mode for the X509 pretty-print functions. That makes unknown extensions
pretty-print as ASN.1 structures.
This is a rather useless feature, so have that fall through to
X509V3_EXT_DUMP_UNKNOWN which does a hexdump instead.
(The immediate trigger is I don't know what |op| is in upstream's
8c918b7b9c93ba38790ffd1a83e23c3684e66f57 and don't think it is worth the time
to puzzle that out and verify it. Better ditch this code completely.)
Change-Id: I0217906367d83056030aea64ef344d4fedf74763
Reviewed-on: https://boringssl-review.googlesource.com/8243
Reviewed-by: David Benjamin <davidben@google.com>
commit e77b16ef71a7669f166f0bdd153c512598694403
Author: David Benjamin <davidben@google.com>
Date: Sat Jun 11 19:22:10 2016 -0400
Remove ASN.1 print hooks.
These functions are never instantiated. (They're a remnant of the PKCS#7 and
CMS bits.) Next time upstream touches this code, we don't have to puzzle
through the diff and import it.
Change-Id: I67c2102ae13e8e0527d858e1c63637dd442a4ffb
Reviewed-on: https://boringssl-review.googlesource.com/8242
Reviewed-by: David Benjamin <davidben@google.com>
commit 6278e24a62c613d8c23b70eec1142af7934b1900
Author: Matt Braithwaite <mab@google.com>
Date: Tue Jun 14 08:18:22 2016 -0700
shim: fix var unused when asserts compiled out
This is not very satisfactory.
Change-Id: I7e7a86f921e66f8f830c72eac084e9fea5ffd4d9
Reviewed-on: https://boringssl-review.googlesource.com/8270
Reviewed-by: David Benjamin <davidben@google.com>
commit 54217e4d85b7d7d3ba1cd3024c54615b7fa87f3c
Author: Matt Braithwaite <mab@google.com>
Date: Mon Jun 13 13:03:47 2016 -0700
newhope: test corrupt key exchange messages.
By corrupting the X25519 and Newhope parts separately, the test shows
that both are in use. Possibly excessive?
Change-Id: Ieb10f46f8ba876faacdafe70c5561c50a5863153
Reviewed-on: https://boringssl-review.googlesource.com/8250
Reviewed-by: Adam Langley <agl@google.com>
commit d0c677cd8e2fca7fce5d77090f3616ba1d59e0c9
Author: David Benjamin <davidben@google.com>
Date: Sat Jun 11 19:12:10 2016 -0400
Avoid illegal pointers in asn1_string_canon.
(Imported from upstream's 3892b95750b6aa5ed4328a287068f7cdfb9e55bc.)
More reasonable would have been to drop |to| altogether and act on from[len-1],
but I suppose this works.
Change-Id: I280b4991042b4d330ba034f6a631f8421ddb2643
Reviewed-on: https://boringssl-review.googlesource.com/8241
Reviewed-by: Adam Langley <agl@google.com>
commit 37e01b393cd4c4d2f8b2b48fe9b2a94907a495a9
Author: David Benjamin <davidben@google.com>
Date: Mon Jun 13 13:42:04 2016 -0400
Spell C++11 as C++11, not C++0x.
We already require GCC 4.8+, so -std=c++11 should work fine.
Change-Id: I07d46d7dcccb695b5df97a702f0d5007fdff3385
Reviewed-on: https://boringssl-review.googlesource.com/8245
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit f6a74c61f7455885a514e577d69670f924b6cf6f
Author: David Benjamin <davidben@google.com>
Date: Fri Jun 10 13:12:20 2016 -0400
Document compiler and assembler requirements.
The minimum version is purely based on what we've patched out of the perlasm
files. I'm assuming they're accurate.
Change-Id: I5ae176cf793512125fa78f203a1314396e8a14d7
Reviewed-on: https://boringssl-review.googlesource.com/8238
Reviewed-by: Adam Langley <agl@google.com>
commit 171b5403ee767fa0f3aecd377867db6533c3eb8f
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 9 19:01:11 2016 -0400
Fix ssl3_do_write error handling.
The functions it calls all pass through <= 0 as error codes, not < 0.
Change-Id: I9d0d6b1df0065efc63f2d3a5e7f3497b2c28453a
Reviewed-on: https://boringssl-review.googlesource.com/8237
Reviewed-by: Adam Langley <agl@google.com>
commit 166958944506f28a87a8577cd51394ee9a53a228
Author: Matt Braithwaite <mab@google.com>
Date: Thu Jun 9 09:34:11 2016 -0700
Bazel: allow arbitrary path prefix before 'src'
Change-Id: Ifd8e6466620a92f0d4b79c179bb21e634a930f52
Reviewed-on: https://boringssl-review.googlesource.com/8220
Reviewed-by: David Benjamin <davidben@google.com>
commit a353cdb67191a6eacd3409cc642816574084b871
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 9 16:48:33 2016 -0400
Wrap MSVC-only warning pragmas in a macro.
There's a __pragma expression which allows this. Android builds us for Windows with
MinGW for some reason, so we actually do have to tolerate non-MSVC-compatible
Windows compilers. (Clang for Windows is much more sensible than MinGW and
intentionally mimics MSVC.)
MinGW doesn't understand MSVC's pragmas and warns a lot. #pragma warning is
safe to suppress, so wrap those to shush them. This also lets us do away with a
few ifdefs.
Change-Id: I1f5a8bec4940d4b2d947c4c1cc9341bc15ec4972
Reviewed-on: https://boringssl-review.googlesource.com/8236
Reviewed-by: Adam Langley <agl@google.com>
commit 2e8ba2d25d18d37ac36f5aea07b546c7221d4d1c
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 9 16:22:26 2016 -0400
Use one C99-style for loop.
Switch one for loop to the new spelling as a canary. All our compilers seem to
support it fine, except GCC needs to be told to build with -std=c99. (And, upon
doing so, it'll require _XOPEN_SOURCE=700 for pthread_rwlock_t.)
We'll let this sit for a bit until it's gotten into downstreams without issue
and then open the floodgates.
BUG=47
Change-Id: I1c69d4b2df8206e0b55f30aa59b5874d82fca893
Reviewed-on: https://boringssl-review.googlesource.com/8235
Reviewed-by: Adam Langley <agl@google.com>
commit 95d7a498cceb6a1eff93b175cad10d97c1e9fb82
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 9 16:38:00 2016 -0400
Fix the alias checks in dtls_record.c.
I forgot to save this file.
Change-Id: I8540839fac2a7f426aebd7f2cb85baba337efd37
Reviewed-on: https://boringssl-review.googlesource.com/8234
Reviewed-by: Adam Langley <agl@google.com>
commit bf1905a9106a1f1398c0c1509191f2767ad0709b
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 9 13:32:25 2016 -0400
Revert "Import chacha-x86.pl fix."
This reverts commit 762e1d039c1d85e4651700eed82801878a9a86bc. We no longer need
to support out < in. Better to keep the assembly aligned with upstream.
Change-Id: I345bf822953bd0e1e79ad5ab4d337dcb22e7676b
Reviewed-on: https://boringssl-review.googlesource.com/8232
Reviewed-by: Adam Langley <agl@google.com>
commit 2446db0f52b8697f3e131db3315de8a66fd9e0fe
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 18:31:42 2016 -0400
Require in == out for in-place encryption.
While most of OpenSSL's assembly allows out < in too, some of it doesn't.
Upstream seems to not consider this a problem (or, at least, they're failing to
make a decision on whether it is a problem, so we should assume they'll stay
their course). Accordingly, require aliased buffers to exactly align so we
don't have to keep chasing this down.
Change-Id: I00eb3df3e195b249116c68f7272442918d7077eb
Reviewed-on: https://boringssl-review.googlesource.com/8231
Reviewed-by: Adam Langley <agl@google.com>
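The aliasing rule the commit above adopts is easy to state but worth seeing as a check. The following is an added example, not BoringSSL's own code: `buffers_alias` reports any overlap between two byte ranges, `in_place_or_disjoint` encodes "either out == in exactly or no overlap at all", and a toy XOR transform (not a cipher, just enough to observe that the call ran) refuses the `out < in` and `out > in` overlaps that some assembly cannot handle. All function names are this example's own.

```c
/* Added example, not BoringSSL code: the aliasing rule "in-place only when
 * out == in exactly". Any other overlap of the two buffers is rejected before
 * reaching code whose assembly may assume disjoint or exactly aligned buffers. */
#include <stdint.h>
#include <stddef.h>

/* Returns 1 if [a, a+a_len) and [b, b+b_len) overlap. Compares as integers
 * because ordering pointers into different objects is undefined in C. */
int buffers_alias(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len) {
  uintptr_t a_start = (uintptr_t)a, a_end = a_start + a_len;
  uintptr_t b_start = (uintptr_t)b, b_end = b_start + b_len;
  return a_start < b_end && b_start < a_end;
}

/* The rule: either no overlap at all, or exact in-place (out == in). */
int in_place_or_disjoint(const uint8_t *out, size_t out_len,
                         const uint8_t *in, size_t in_len) {
  if (out == in) {
    return 1;
  }
  return !buffers_alias(out, out_len, in, in_len);
}

/* Toy transform (XOR with one byte, not encryption) that enforces the rule.
 * Returns 1 after transforming, or 0 without touching |out| on illegal overlap. */
int xor_transform(uint8_t *out, const uint8_t *in, size_t len, uint8_t key) {
  if (!in_place_or_disjoint(out, len, in, len)) {
    return 0;
  }
  for (size_t i = 0; i < len; i++) {
    out[i] = in[i] ^ key;
  }
  return 1;
}

/* Exercises the rule on one stack buffer. Returns 1 only if every case behaves
 * as expected: exact in-place allowed, shifted overlaps rejected, disjoint
 * allowed, and the data actually transformed. */
int alias_rule_demo(void) {
  uint8_t buf[32];
  for (size_t i = 0; i < sizeof(buf); i++) {
    buf[i] = (uint8_t)i;
  }
  if (!xor_transform(buf, buf, 16, 0xff)) return 0;       /* out == in: ok */
  if (buf[0] != 0xff || buf[15] != (15 ^ 0xff)) return 0;
  if (xor_transform(buf, buf + 1, 16, 0xff)) return 0;    /* out < in: rejected */
  if (xor_transform(buf + 1, buf, 16, 0xff)) return 0;    /* out > in: rejected */
  if (!xor_transform(buf + 16, buf, 16, 0xff)) return 0;  /* disjoint: ok */
  if (buf[16] != 0 || buf[31] != 15) return 0;            /* round-tripped */
  return 1;
}
```

Note that the rejected cases are exactly the ones the earlier chacha-x86.pl fix was chasing (`out < in`); making the check strict at the API boundary means no per-implementation audit of which assembly tolerates which overlap.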
commit 1a01e1fc88968c4db023f38967f9e81a8c42a15d
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 18:31:24 2016 -0400
Remove in-place TLS record assembly for now.
Decrypting is very easy to do in-place, but encrypting in-place is a hassle.
The rules actually were wrong due to record-splitting. The aliasing prefix and
the alignment prefix actually differ by 1. Take it out for now in preparation
for tightening the aliasing rules.
If we decide to do in-place encrypt later, probably it'd be more useful to
return header + in-place ciphertext + trailer. (That, in turn, needs a
scatter/gather thing on the AEAD thanks to TLS 1.3's padding and record type
construction.) We may also wish to rethink how record-splitting works here.
Change-Id: I0187d39c541e76ef933b7c2c193323164fd8a156
Reviewed-on: https://boringssl-review.googlesource.com/8230
Reviewed-by: Adam Langley <agl@google.com>
commit 67cb49d045f04973ddba0f92fe8a8ad483c7da89
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 9 18:57:56 2016 +0000
Fix BN_mod_word bug.
On systems where we do not have BN_ULLONG (notably Win64), BN_mod_word() can
return incorrect results if the supplied modulus is too big.
(Imported from upstream's e82fd1b4574c8908b2c3bb68e1237f057a981820 and
e4c4b2766bb97b34ea3479252276ab7c66311809.)
Change-Id: Icee8a7c5c67a8ee14c276097f43a7c491e68c2f9
Reviewed-on: https://boringssl-review.googlesource.com/8233
Reviewed-by: Adam Langley <agl@google.com>
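The BN_mod_word bug above is a general class: reducing a bignum by a single word using a half-word trick is only sound while the modulus fits in half a word. As an added example (not BoringSSL's or OpenSSL's code), `mod_word_halfword` reproduces the flawed method over a little-endian array of 64-bit limbs, `mod_word_bitwise` is an overflow-free fallback, and `mod_word` dispatches between them the way the upstream fix does, falling back when w exceeds 2^32. Function names and the limb layout are this example's own assumptions.

```c
/* Added example, not BoringSSL code: the bug class behind the BN_mod_word fix.
 * A bignum is a little-endian array of 64-bit limbs. The half-word method
 * reduces each limb in two 32-bit pieces so (rem << 32) | piece fits in 64 bits,
 * but that only holds while the modulus w is at most 2^32. For larger w the
 * shift silently truncates and the result is wrong. */
#include <stdint.h>
#include <stddef.h>

#define LIMB_BITS 64
#define HALF_BITS 32
#define HALF_MASK 0xffffffffULL

/* Flawed: correct only when w <= 2^32 (mirrors the no-BN_ULLONG path). */
uint64_t mod_word_halfword(const uint64_t *limbs, size_t n, uint64_t w) {
  uint64_t rem = 0;
  for (size_t i = n; i > 0; i--) {
    uint64_t limb = limbs[i - 1];
    /* Each (rem << 32) below loses bits once rem >= 2^32. */
    rem = ((rem << HALF_BITS) | (limb >> HALF_BITS)) % w;
    rem = ((rem << HALF_BITS) | (limb & HALF_MASK)) % w;
  }
  return rem;
}

/* Correct for any nonzero 64-bit w: long division one bit at a time. When rem
 * already has its top bit set, 2*rem+bit would overflow, but the true value
 * 2*rem+bit-w lies in [0, w), so computing it with wrapping arithmetic is exact. */
uint64_t mod_word_bitwise(const uint64_t *limbs, size_t n, uint64_t w) {
  uint64_t rem = 0;
  for (size_t i = n; i > 0; i--) {
    uint64_t limb = limbs[i - 1];
    for (int b = LIMB_BITS - 1; b >= 0; b--) {
      uint64_t bit = (limb >> b) & 1;
      if (rem >> (LIMB_BITS - 1)) {
        rem = ((rem << 1) | bit) - w;
      } else {
        rem = (rem << 1) | bit;
        if (rem >= w) {
          rem -= w;
        }
      }
    }
  }
  return rem;
}

/* Dispatcher in the spirit of the fix: fast path only when it cannot overflow,
 * otherwise fall back. Returns UINT64_MAX for w == 0, the error convention
 * BN_mod_word also uses. */
uint64_t mod_word(const uint64_t *limbs, size_t n, uint64_t w) {
  if (w == 0) {
    return UINT64_MAX;
  }
  if (w <= ((uint64_t)1 << HALF_BITS)) {
    return mod_word_halfword(limbs, n, w);
  }
  return mod_word_bitwise(limbs, n, w);
}
```

A concrete failure: for the value 2^64 (limbs {0, 1}) and w = 2^63 + 1, the correct remainder is 2^63 - 1, but the half-word method returns 0 because (2^32 << 32) wraps to zero. That is the "modulus is too big" condition in the commit message, and the reason the platform without a double-width type needs a different algorithm rather than a wider intermediate.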
commit 8f1e113a73e406db710479ea4d8478890c0514ea
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 12:49:36 2016 -0400
Ensure verify error is set when X509_verify_cert() fails.
Set ctx->error = X509_V_ERR_OUT_OF_MEM when verification cannot
continue due to malloc failure. Similarly for issuer lookup failures
and caller errors (bad parameters or invalid state).
Also, when X509_verify_cert() returns <= 0 make sure that the
verification status does not remain X509_V_OK, as a last resort set
it to X509_V_ERR_UNSPECIFIED, just in case some code path returns
an error without setting an appropriate value of ctx->error.
Add new and some missing error codes to X509 error -> SSL alert switch.
(Imported from upstream's 5553a12735e11bc9aa28727afe721e7236788aab.)
Change-Id: I3231a6b2e72a3914cb9316b8e90ebaee009a1c5f
Reviewed-on: https://boringssl-review.googlesource.com/8170
Reviewed-by: David Benjamin <davidben@google.com>
commit 82d0ffbac1a892e23b63d055b67b7d93e489af3e
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 19:19:58 2016 -0400
Use the new setter for CurrentTimeCallback in bssl_shim.
Change-Id: I0aaf9d926a81c3a10e70ae3ae6605d4643419f89
Reviewed-on: https://boringssl-review.googlesource.com/8210
Reviewed-by: Taylor Brandstetter <deadbeef@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9edb2c60559b2d1d35972de62f0d8d604c1d1e6d
Author: Taylor Brandstetter <deadbeef@webrtc.org>
Date: Wed Jun 8 15:26:59 2016 -0700
Adding function to set the "current time" callback used for DTLS.
This callback is used by BoringSSL tests in order to simulate the time,
so that the tests have repeatable results. This API will allow consumers
of BoringSSL to write the same sort of tests.
Change-Id: I79d72bce5510bbd83c307915cd2cc937579ce948
Reviewed-on: https://boringssl-review.googlesource.com/8200
Reviewed-by: David Benjamin <davidben@google.com>
commit 2e045a980caba02868f6a1e5e29f7fff358873b1
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 13:09:56 2016 -0400
Add a deterministic PRNG for runner.
It's useful, when combined with patching crypto/rand/deterministic.c in, for
debugging things. Also if we want to record fuzzer transcripts again, this
probably should be on.
Change-Id: I109cf27ebab64f01a13466f0d960def3257d8750
Reviewed-on: https://boringssl-review.googlesource.com/8192
Reviewed-by: David Benjamin <davidben@google.com>
commit 1e3376a790d044facd929205fcdf4eb30783e07f
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 14:17:18 2016 -0400
Add missing copyright header.
x25519-x86_64.c, like the rest of crypto/curve25519, is descended from
SUPERCOP. Add the usual copyright header along with the SUPERCOP attribution.
BUG=64
Change-Id: I43f3de0731f33ab2aa48492c4b742e9f23c87fe1
Reviewed-on: https://boringssl-review.googlesource.com/8195
Reviewed-by: Adam Langley <agl@google.com>
commit 1c0e1e4a33249b8a64fdf1a6f6e31b8acc9c45e9
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 14:05:29 2016 -0400
Avoid overflow in newhope.go.
Depending on bittedness of the runner, uint16 * uint16 can overflow an int.
There's other computations that can overflow a uint32 as well, so I just made
everything uint64 to avoid thinking about it too much.
Change-Id: Ia3c976987f39f78285c865a2d7688600d73c2514
Reviewed-on: https://boringssl-review.googlesource.com/8193
Reviewed-by: Adam Langley <agl@google.com>
commit 45d45c119475fe1601b2a19faf170cade262fffb
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 15:20:49 2016 -0400
Trim the DTLS write code slightly.
Change-Id: I0fb4152ed656a60fae3aa7922652df766d4978d7
Reviewed-on: https://boringssl-review.googlesource.com/8178
Reviewed-by: David Benjamin <davidben@google.com>
commit 936aada25a410cf87e0a8a4b700ea37cdb7dcbdf
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 19:09:22 2016 -0400
Move a bunch of public APIs from s3_lib.c to ssl_lib.c.
The separation is purely historical (what happened to use an SSL_ctrl hook), so
put them all in one place. Make a vague attempt to match the order of the
header file, though we're still very far from matching.
Change-Id: Iba003ff4a06684a6be342e438d34bc92cab1cd14
Reviewed-on: https://boringssl-review.googlesource.com/8189
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 01784b44b9096255a3ab7e33e7b24c4814c366f7
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 18:00:52 2016 -0400
Rename -timeout to -idle-timeout.
-timeout collides with go test's flags.
Change-Id: Icfc954915a61f1bb4d0acc8f02ec8a482ea10158
Reviewed-on: https://boringssl-review.googlesource.com/8188
Reviewed-by: David Benjamin <davidben@google.com>
commit 3dcec458f18eb0d8e463de254e71c252970d4cbc
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 17:13:28 2016 -0400
Rename SERVER_DONE to SERVER_HELLO_DONE.
Match the actual name of the type.
Change-Id: I0ad27196ee2876ce0690d13068fa95f68b05b0da
Reviewed-on: https://boringssl-review.googlesource.com/8187
Reviewed-by: David Benjamin <davidben@google.com>
commit cfec7c60b9eb2c403d923081ebc5158cc97e65e7
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 17:05:07 2016 -0400
Rename s3_{clnt,srvr}.c
Give them much more reasonable names.
Change-Id: Id14d983ab3231da21a4f987e662c2e01af7a2cd6
Reviewed-on: https://boringssl-review.googlesource.com/8185
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9f1dc8254effa6c430618020b08e04ab3ce8157c
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 17:03:46 2016 -0400
A bit of cleanup post state machine merging.
Reorder states and functions by where they appear in the handshake. Remove
unnecessary hooks on SSL_PROTOCOL_METHOD.
Change-Id: I78dae9cf70792170abed6f38510ce870707e82ff
Reviewed-on: https://boringssl-review.googlesource.com/8184
Reviewed-by: David Benjamin <davidben@google.com>
commit df50eecfbce6c0f4614044e84869c3f43b78fc5b
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 16:49:42 2016 -0400
Fold DTLS server state machine into TLS state machine.
Change-Id: I56d3d625dbe2e338f305bc1332fb0131a20e1c16
Reviewed-on: https://boringssl-review.googlesource.com/8183
Reviewed-by: David Benjamin <davidben@google.com>
commit aa7734b81b5f4914829a25a4a798f22770de4bab
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 16:40:46 2016 -0400
Fold the DTLS client handshake into the TLS one.
Change-Id: Ib8b1c646cf1652ee1481fe73589830be8263fc20
Reviewed-on: https://boringssl-review.googlesource.com/8182
Reviewed-by: David Benjamin <davidben@google.com>
commit 0d21dcd9bb2cf06341369cfad94054af3e2aacd1
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 16:17:06 2016 -0400
Remove unnecessary sectioning in ssl.h.
There's only one thing under "SNI Extension".
Change-Id: I8d8c54c286cb5775a20c4e2623896eb9be2f0009
Reviewed-on: https://boringssl-review.googlesource.com/8181
Reviewed-by: David Benjamin <davidben@google.com>
commit 24fe4489d32e073e5fde1441e2073e52c06548bb
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 16:07:42 2016 -0400
Consolidate dtls1_start_timer calls.
Rather than reset the timer on every message, start it up immediately after
flushing one of our flights.
Change-Id: I97f8b4f572ceff62c546c94933b2700975c50a02
Reviewed-on: https://boringssl-review.googlesource.com/8180
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 2a08c8d85d9c99d1548da67627e5320646eae44f
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 15:06:39 2016 -0400
Remove ssl3_do_write's 0 case.
It's unreachable and wouldn't work anyway. We'd never bubble up to the caller
to retry. As a consequence, the TLS side doesn't actually need to pay attention
to init_off.
(For now anyway. We'll probably need state of this sort once the write half is
all reworked. All the craziness with wpend_buf ought to be limited to the
SSL_write bits.)
Change-Id: I951534f6bbeb547ce0492d5647aaf76be42108a3
Reviewed-on: https://boringssl-review.googlesource.com/8179
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit af62d61df37b50a902efb17f4ed147f6853c8bbe
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 1 20:49:50 2016 -0400
Remove dtls1_read_bytes.
It can be folded into dtls1_read_app_data. This code, since it still takes an
output pointer, does not yet process records atomically. (Though, being DTLS,
it probably should...)
Change-Id: I57d60785c9c1dd13b5b2ed158a08a8f5a518db4f
Reviewed-on: https://boringssl-review.googlesource.com/8177
Reviewed-by: David Benjamin <davidben@google.com>
commit c660417bd7a7a438eddb0bc087931671b6a849e7
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 2 16:38:35 2016 -0400
Don't use dtls1_read_bytes to read messages.
This was probably the worst offender of them all as read_bytes is the wrong
abstraction to begin with. Note this is a slight change in how processing a
record works. Rather than reading one fragment at a time, we process all
fragments in a record and return. The intent here is so that all records are
processed atomically since the connection eventually will not be able to retain
a buffer holding the record.
This loses a ton of (though not quite all yet) those a2b macros.
Change-Id: Ibe4bbcc33c496328de08d272457d2282c411b38b
Reviewed-on: https://boringssl-review.googlesource.com/8176
Reviewed-by: David Benjamin <davidben@google.com>
commit 585320c9e9fc3396ffbc0d66d3c474cfdfa24607
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 20:46:16 2016 -0400
Don't call read_bytes in read_change_cipher_spec.
Change-Id: If7d50e43c8ea28c5eed38209f31d481fb57bf225
Reviewed-on: https://boringssl-review.googlesource.com/8175
Reviewed-by: David Benjamin <davidben@google.com>
commit 4aa4081e7f21916ad17e916f558a1c5dc8531830
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 1 19:40:23 2016 -0400
Don't use ssl3_read_bytes in ssl3_read_close_notify.
read_close_notify is a very straight-forward hook and doesn't need much.
Change-Id: I7407d842321ea1bcb47838424a0d8f7550ad71ca
Reviewed-on: https://boringssl-review.googlesource.com/8174
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit a7810c12e99ed8cf2e3b2a049e124b4a3b1b274b
Author: David Benjamin <davidben@google.com>
Date: Mon Jun 6 18:54:51 2016 -0400
Make tls_open_record always in-place.
The business with ssl_record_prefix_len is rather a hassle. Instead, have
tls_open_record always decrypt in-place and give back a CBS to where the body
is.
This way the caller doesn't need to do an extra check all to avoid creating an
invalid pointer and underflow in subtraction.
Change-Id: I4e12b25a760870d8f8a503673ab00a2d774fc9ee
Reviewed-on: https://boringssl-review.googlesource.com/8173
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 728f354a2ba5653d10ebededc5acaa5ab5c4becd
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 2 15:42:01 2016 -0400
Push alert handling down into the record functions.
Alert handling is more-or-less identical across all contexts. Push it down from
read_bytes into the low-level record functions. This also deduplicates the code
shared between TLS and DTLS.
Now the only type mismatch managed by read_bytes is if we get handshake data in
read_app_data.
Change-Id: Ia8331897b304566e66d901899cfbf31d2870194e
Reviewed-on: https://boringssl-review.googlesource.com/8124
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit ac2920200baec989553b145c26ed29b6807698c7
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 14:15:46 2016 -0400
Fix typo.
Change-Id: I70499c686b955152840987ffe65d2d3436bf6f6d
Reviewed-on: https://boringssl-review.googlesource.com/8194
Reviewed-by: David Benjamin <davidben@google.com>
commit 4e9cc71a27234d8506c5b5987122188e34ece951
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 1 20:16:03 2016 -0400
Add helper functions for info_callback and msg_callback.
This is getting a little repetitive.
Change-Id: Ib0fa8ab10149557c2d728b88648381b9368221d9
Reviewed-on: https://boringssl-review.googlesource.com/8126
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 15aa895a0b6bb6d8f409cff8f1d6f47a069cd4b9
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 20:51:34 2016 -0400
Tidy up the DTLS code's blocking-mode retransmits.
Move this logic out of dtls1_read_bytes and into dtls1_get_record. Only trigger
it when reading from the buffer fails. The other one shouldn't be necessary.
This exists to handle the blocking BIO case when the
BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT signal triggers, so we only need to do it when
timeouts actually trigger.
There also doesn't seem to be a need for most of the machinery. The
BIO_set_flags call seems to be working around a deficiency in the underlying
BIO. There also shouldn't be a need to check the handshake state as there
wouldn't be a timer to restart otherwise.
Change-Id: Ic901ccfb5b82aeb409d16a9d32c04741410ad6d7
Reviewed-on: https://boringssl-review.googlesource.com/8122
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 585d7a4987126192d90d5e6d33fc400da00a863b
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 2 14:58:00 2016 -0400
Test both synchronous and asynchronous DTLS retransmit.
The two modes are quite different. One of them requires the BIO honor an
extra BIO_ctrl. Also add an explanation at the top of
addDTLSRetransmitTests for how these tests work. The description is
scattered across many different places.
BUG=63
Change-Id: Iff4cdd1fbf4f4439ae0c293f565eb6780c7c84f9
Reviewed-on: https://boringssl-review.googlesource.com/8121
Reviewed-by: David Benjamin <davidben@google.com>
commit ed9c8fcb23877e647416768e741d50f36e1c170d
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 8 09:40:32 2016 -0400
Honor exit codes in run_android_tests.go.
adb kindly doesn't forward exit codes until N
(https://code.google.com/p/android/issues/detail?id=3254), so we need to work
around it. Otherwise all our test failures have been silently ignored (oops!).
Change-Id: I03440db7dd77e6b9af5445b309b67dc719cea054
Reviewed-on: https://boringssl-review.googlesource.com/8190
Reviewed-by: David Benjamin <davidben@google.com>
commit 0a45822afee4eb4a047c7b41ad1783f31a838820
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 14:34:21 2016 -0400
Fix some missing inits
(Imported from upstream's f792c663048f19347a1bb72125e535e4fb2ecf39.)
Change-Id: If9bbb10de3ea858076bd9587d21ec331e837dd53
Reviewed-on: https://boringssl-review.googlesource.com/8171
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 26b7c35d8c78065a57c93a01d95b31eb85de51b9
Author: David Benjamin <davidben@google.com>
Date: Tue Jun 7 14:38:01 2016 -0400
Fix DSA, preserve BN_FLG_CONSTTIME
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
CVE-2016-2178
(Imported from upstream's 621eaf49a289bfac26d4cbcdb7396e796784c534 and
b7d0f2834e139a20560d64c73e2565e93715ce2b.)
We should eventually not depend on BN_FLG_CONSTTIME since it's a mess (seeing
as the original fix was wrong until we reported b7d0f2834e to them), but, for
now, go with the simplest fix.
Change-Id: I9ea15c1d1cc3a7e21ef5b591e1879ec97a179718
Reviewed-on: https://boringssl-review.googlesource.com/8172
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 0d275bdb32e22e5e75e30981976dbbc28c8805bc
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 1 20:19:34 2016 -0400
Don't call ERR_clear_system_error in so many places.
We've got it in entry points. That should be sufficient. (Do we even need it
there?)
Change-Id: I39b245a08fcde7b57e61b0bfc595c6ff4ce2a07a
Reviewed-on: https://boringssl-review.googlesource.com/8127
Reviewed-by: David Benjamin <davidben@google.com>
commit 4bea8509dacd4d637c5c77964d315172bf35d825
Author: David Benjamin <davidben@google.com>
Date: Thu May 12 09:34:55 2016 -0400
Lift an impossible check to an assert.
This cannot happen.
Change-Id: Ib1b473aa91d6479eeff43f7eaf94906d0b2c2a8f
Reviewed-on: https://boringssl-review.googlesource.com/8123
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit e90d004e007272df4dcc65a35138fe639635e5ab
Author: David Benjamin <davidben@google.com>
Date: Wed Jun 1 20:05:59 2016 -0400
Remove impossible condition.
ssl->cert is never NULL. It gets created in SSL_new unconditionally.
Change-Id: I5c54c9c73e281e61a554820d61421226d763d33a
Reviewed-on: https://boringssl-review.googlesource.com/8125
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 83042a829260f53b0f0f49e06d33bc3a73401bf0
Author: David Benjamin <davidben@google.com>
Date: Mon Jun 6 11:29:58 2016 -0400
Add a no-op OpenSSL_add_all_algorithms_conf.
More spring-cleaning of unnecessary incompatibilities. Since
OpenSSL_add_all_algorithms_conf doesn't specify a configuration file, it's
perfectly sound to have such a function.
Dear BoringSSL, please add all algorithms.
Uh, sure. They were already all there, but I have added them!
PS: Could you also load all your configuration files while you're at it.
...I don't have any. Fine. I have loaded all configuration files which I
recognize. *mutters under breath* why does everyone ask all these strange
questions...
Change-Id: I57f956933d9e519445bf22f89853bd5f56904172
Reviewed-on: https://boringssl-review.googlesource.com/8160
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit adf27430efa4062ad4585d9cf788c9ab7a164e44
Author: Adam Langley <agl@google.com>
Date: Sun Jun 5 11:01:20 2016 -0700
Be consistent about 𝑥_tests.txt
Some files were named 𝑥_test.txt and some 𝑥_tests.txt. This change
unifies around the latter.
Change-Id: Id6f29bad8b998f3c3466655097ef593f7f18f82f
Reviewed-on: https://boringssl-review.googlesource.com/8150
Reviewed-by: David Benjamin <davidben@google.com>
commit bbc7859817e9e6d1fee989d7ded5d5836d7efded
Author: David Benjamin <davidben@google.com>
Date: Fri Jun 3 16:56:32 2016 -0400
Match OpenSSL's values for BIO_CTRL_*.
The fake numbers collide with other numbers defined below. Also PUSH and POP
are actually used. DUP legitimately isn't though.
Change-Id: Iaa15a065d846b89b9b7958b78068393cfee2bd6f
Reviewed-on: https://boringssl-review.googlesource.com/8143
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit f4978b78a0219c1846ad3d58a53250b827b4140a
Author: David Benjamin <davidben@google.com>
Date: Fri Jun 3 16:53:15 2016 -0400
Add some getters for the old lock callbacks.
Some OpenSSL consumers use them, so provide no-op versions to make porting code
easier.
Change-Id: I4348568c1cb08d2b2c0a9ec9a17e2c0449260965
Reviewed-on: https://boringssl-review.googlesource.com/8142
Reviewed-by: David Benjamin <davidben@google.com>
commit e7b3ce58ad100adbe738eae6b38e0fa72542663e
Author: David Benjamin <davidben@google.com>
Date: Fri Jun 3 16:45:30 2016 -0400
Add BIO_set_conn_int_port.
Make building against software that expects OpenSSL easier.
Change-Id: I1af090ae8208218d6e226ee0baf51053699d85cc
Reviewed-on: https://boringssl-review.googlesource.com/8141
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit dbec90b62328e483323394f93e89fe657f4568c2
Author: David Benjamin <davidben@google.com>
Date: Fri Jun 3 17:51:36 2016 -0400
Sort out signedness issues.
Windows is, not unreasonably, complaining that taking abs() of an unsigned is
ridiculous. But these values actually are signed and fit very easily in an int
anyway.
Change-Id: I34fecaaa3616732112e3eea105a7c84bd9cd0bae
Reviewed-on: https://boringssl-review.googlesource.com/8144
Reviewed-by: Adam Langley <agl@google.com>
commit d206dfa91fce51c8e454f2dd1e17da6afac76fb9
Author: David Benjamin <davidben@google.com>
Date: Fri Jun 3 18:00:34 2016 -0400
Add missing newline in newhope.h.
doc.go is still a little unhappy.
Change-Id: I5a8f3da91dabb45d29d0e08f13b7dabdcd521c38
Reviewed-on: https://boringssl-review.googlesource.com/8145
Reviewed-by: David Benjamin <davidben@google.com>
commit aa80ff50bf1467ed522a127ffb724864ac5d6d05
Author: Adam Langley <agl@google.com>
Date: Fri Jun 3 14:45:18 2016 -0700
crypto/newhope: add OPENSSL_EXPORT to functions used by tests.
Change-Id: Ie6701d6ea809f5c590f0773cb4b733a208553879
commit a34bd8e38cf3e6908b7a0c72ad9b78e119709ada
Author: Adam Langley <agl@google.com>
Date: Fri Jun 3 14:37:03 2016 -0700
crypto/newhope: fix comment typo.
Change-Id: Ic7dc57680e8cc8306fb1541249fb356eece30999
commit 77fe71101bde819ea5e93eb2e3a8e1335548e210
Author: Adam Langley <agl@google.com>
Date: Fri Jun 3 14:32:59 2016 -0700
crypto/newhope: print values as unsigneds.
Otherwise builds fail with:
crypto/newhope/newhope_statistical_test.cc:136:27: error: format specifies type 'long' but the argument has type 'uint64_t' (aka 'unsigned long long') [-Werror,-Wformat]
Change-Id: I85d5816c1d7ee71eef362bffe983b2781ce310a4
commit 6b7436b0d29ac3018e23cfc0dd734dfd8024a80f
Author: Matt Braithwaite <mab@google.com>
Date: Thu Jun 2 17:23:29 2016 -0700
newhope: restore statistical tests.
One of these tests the distribution of noise polynomials; the other
tests that agreed-upon keys (prior to whitening) have roughly equal
numbers of 0s and 1s.
Along the way, expose a few more API bits.
Change-Id: I6b04708d41590de45d82ea95bae1033cfccd5d67
Reviewed-on: https://boringssl-review.googlesource.com/8130
Reviewed-by: Adam Langley <agl@google.com>
commit 0fc7df55c04e439e765c32a4dd93e43387fe40be
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 2 18:36:33 2016 -0400
Add SSL_CIPHER_is_DHE.
Change-Id: I158d1fa1a6b70a278054862326562988c97911b5
Reviewed-on: https://boringssl-review.googlesource.com/8140
Reviewed-by: David Benjamin <davidben@google.com>
commit 66af3b0ebc1ed1b4e6dba6c8d399096e21e68299
Author: Steven Valdez <svaldez@google.com>
Date: Wed Jun 1 14:07:09 2016 -0400
Adding TLS 1.3 Record Layer.
In TLS 1.3, the actual record type is hidden within the encrypted data
and the record layer defaults to using a TLS 1.0 {3, 1} record version
for compatibility. Additionally the record layer no longer checks the
minor version of the record layer to maintain compatibility with the
TLS 1.3 spec.
Change-Id: If2c08e48baab170c1658e0715c33929d36c9be3a
Reviewed-on: https://boringssl-review.googlesource.com/8091
Reviewed-by: David Benjamin <davidben@google.com>
commit 1a88df13e51af83de8c1631327e942f3ca03fbe6
Author: David Benjamin <davidben@google.com>
Date: Thu Jun 2 17:14:33 2016 -0400
Update style guide note on files which match OpenSSL.
They match the new style not the old EAY style now. They're also not
likely to be reformatted. It's just the legacy ASN.1 stuff now and we're
intentionally not doing much with those. (The old text was written back
before the SSL stack had been reformatted.)
Change-Id: I4852761b013e8c2688ebc7eaf4970afbdc69e858
Reviewed-on: https://boringssl-review.googlesource.com/8129
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 3084e7b87ded165d3dab194f9b4666d02437cbb7
Author: Steven Valdez <svaldez@google.com>
Date: Thu Jun 2 12:07:20 2016 -0400
Adding ECDHE-PSK GCM Ciphersuites.
Change-Id: Iecf534ca0ebdcf34dbf4f922f5000c096a266862
Reviewed-on: https://boringssl-review.googlesource.com/8101
Reviewed-by: David Benjamin <davidben@google.com>
commit 8ca0b4127da11d766067ea6ec4122017ba0edb0e
Author: Piotr Sikora <piotrsikora@google.com>
Date: Thu Jun 2 11:59:21 2016 -0700
Fix X25519 on OS X when using build systems other than CMake.
Assembly code for X25519 wasn't included on OS X when built with
build systems other than CMake, which led to a SIGTRAP due to a
missing x25519_x86_64.
Reported by Gurgen Hrachyan.
Change-Id: Ib6026f31cce0405ec3e75d8a52bf0940e57c62c8
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/8111
Reviewed-by: David Benjamin <davidben@google.com>
commit 27e863e711408cb20daf1125be4519d465e48d4e
Author: Matt Braithwaite <mab@google.com>
Date: Wed Jun 1 16:28:48 2016 -0700
newhope: improve test vectors.
This commit adds coverage of the "offer" (first) step, as well as
testing all outputs of the "accept" (second) step, not just the shared
key.
Change-Id: Id11fe24029abc302442484a6c01fa496a1578b3a
Reviewed-on: https://boringssl-review.googlesource.com/8100
Reviewed-by: Adam Langley <agl@google.com>
commit 686bb19ba114b3b8c87264d9a5a7a4af32587756
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 15:15:41 2016 -0400
Add a unit test for one-sided shutdown.
OpenSSL was actually super-buggy here (though known bugs on our end have been
fixed), but pyOpenSSL was confused and incorrectly documented that callers call
SSL_read after SSL_shutdown to do bidi shutdown, so we should probably support
this. Add a test that it works.
Change-Id: I2b6d012161330aeb4cf894bae3a0b6a55d53c70d
Reviewed-on: https://boringssl-review.googlesource.com/8093
Reviewed-by: Adam Langley <agl@google.com>
commit bbd43b5e90c073a3c8b719d538a273fe683b9944
Author: Steven Valdez <svaldez@google.com>
Date: Wed Jun 1 11:46:58 2016 -0400
Renaming SSL3_MT_NEWSESSION_TICKET to SSL3_MT_NEW_SESSION_TICKET.
This keeps the naming convention in line with the actual spec.
Change-Id: I34673f78dbc29c1659b4da0e49677ebe9b79636b
Reviewed-on: https://boringssl-review.googlesource.com/8090
Reviewed-by: David Benjamin <davidben@google.com>
commit db207264ad69af640f6d1d60e6489ff2896e72b9
Author: Matt Braithwaite <mab@google.com>
Date: Fri May 27 16:49:29 2016 -0700
newhope: refactor and add test vectors.
The test vectors are taken from the reference implementation, modified
to output the results of its random-number generator, and the results of
key generation prior to SHA3. This allows the interoperability of the
two implementations to be tested somewhat.
To accomplish the testing, this commit creates a new, lower-level API
that leaves the generation of random numbers and all wire encoding and
decoding up to the caller.
Change-Id: Ifae3517696dde4be4a0b7c1998bdefb789bac599
Reviewed-on: https://boringssl-review.googlesource.com/8070
Reviewed-by: Adam Langley <agl@google.com>
commit 3995a38f3b8f8c944338e94bb63d04bc323b60b4
Author: David Benjamin <davidben@google.com>
Date: Tue May 31 16:15:04 2016 -0400
Print out whether EMS was supported.
Change-Id: I3c5aa418fe767bce883fcdd0a926f922f9f8bbd3
Reviewed-on: https://boringssl-review.googlesource.com/8082
Reviewed-by: Adam Langley <agl@google.com>
commit 156edfe5361ad635c091265eb8035f2c310371d3
Author: David Benjamin <davidben@google.com>
Date: Tue May 24 15:41:11 2016 +0000
Switch Windows CRYPTO_MUTEX implementation to SRWLOCK.
Now that we no longer support Windows XP, this is available.
Unfortunately, the public header version of CRYPTO_MUTEX means we
still can't easily merge CRYPTO_MUTEX and CRYPTO_STATIC_MUTEX.
BUG=37
Change-Id: If309de3f06e0854c505083b72fd64d1dbb3f4563
Reviewed-on: https://boringssl-review.googlesource.com/8081
Reviewed-by: Adam Langley <agl@google.com>
commit 29270dea85741f69bd080bea6b28a83476c2bc91
Author: David Benjamin <davidben@google.com>
Date: Tue May 24 15:28:36 2016 +0000
Split unlock functions into read/write variants.
Windows SRWLOCK requires you call different functions here. Split
them up in preparation for switching Windows from CRITICAL_SECTION.
BUG=37
Change-Id: I7b5c6a98eab9ae5bb0734b805cfa1ff334918f35
Reviewed-on: https://boringssl-review.googlesource.com/8080
Reviewed-by: Adam Langley <agl@google.com>
commit 053931e74e42bebd129d9b35d9aceb986e873a8f
Author: Matt Braithwaite <mab@google.com>
Date: Wed May 25 12:06:05 2016 -0700
CECPQ1: change from named curve to ciphersuite.
This is easier to deploy, and more obvious. This commit reverts a few
pieces of e25775bc, but keeps most of it.
Change-Id: If8d657a4221c665349c06041bb12fffca1527a2c
Reviewed-on: https://boringssl-review.googlesource.com/8061
Reviewed-by: Adam Langley <agl@google.com>
commit d09175ffe335d9be6846b4ac5e9e622d96213a00
Author: Adam Langley <alangley@gmail.com>
Date: Fri May 20 10:51:48 2016 -0700
Replace base64 decoding.
This code has caused a long history of problems. This change rewrites it
completely with something that is, hopefully, much simpler and more robust,
and adds more testing.
Change-Id: Ibeef51f9386afd95d5b73316e451eb3a2d7ec4e0
Reviewed-on: https://boringssl-review.googlesource.com/8033
Reviewed-by: Adam Langley <agl@google.com>
commit 1cb405d96b11db5767446766d76516534067bbd1
Author: Adam Langley <alangley@gmail.com>
Date: Wed May 25 16:05:11 2016 -0700
Revert "Forbid calling SSL_read, SSL_peek, and SSL_do_handshake post-shutdown."
This reverts commit c7eae5a3267dfc9557314a24cc8da77d287ae885. pyOpenSSL
expects to be able to call |SSL_read| after a shutdown and get EOF.
Change-Id: Icc5faa09d644ec29aac99b181dac0db197f283e3
Reviewed-on: https://boringssl-review.googlesource.com/8060
Reviewed-by: Adam Langley <agl@google.com>
commit 494650cfcff2330652922ebd078066c2eff202cb
Author: Steven Valdez <svaldez@google.com>
Date: Tue May 24 12:43:04 2016 -0400
Adding TLS 1.3 AEAD construction.
The TLS 1.3 spec has an explicit nonce construction for AEADs that
requires xoring the IV and sequence number.
Change-Id: I77145e12f7946ffb35ebeeb9b2947aa51058cbe9
Reviewed-on: https://boringssl-review.googlesource.com/8042
Reviewed-by: Adam Langley <agl@google.com>
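The per-record nonce construction described in the commit above, as an added Go example (not BoringSSL's own code): the 64-bit sequence number is big-endian encoded, left-padded with zeros to the IV length, and XORed into the traffic IV, so the IV must be at least 8 bytes. The example seals and opens an AES-128-GCM record this way and shows that opening under the wrong sequence number fails authentication; the key, IV, plaintext and the empty additional data are constructed values, and what belongs in the additional data is left to the caller.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// tls13Nonce derives the TLS 1.3 per-record nonce: seq is encoded in network
// byte order, left-padded with zeros to len(iv), and XORed into iv.
// An IV shorter than 8 bytes cannot hold the sequence number and is rejected.
func tls13Nonce(iv []byte, seq uint64) ([]byte, error) {
	if len(iv) < 8 {
		return nil, errors.New("tls13: iv_length must be at least 8 bytes")
	}
	nonce := make([]byte, len(iv))
	copy(nonce, iv)
	var seqBytes [8]byte
	binary.BigEndian.PutUint64(seqBytes[:], seq)
	// Only the rightmost 8 bytes change; the zero padding XORs to nothing.
	off := len(iv) - 8
	for i := 0; i < 8; i++ {
		nonce[off+i] ^= seqBytes[i]
	}
	return nonce, nil
}

// newGCM builds the AES-GCM AEAD for a traffic key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte nonces, matching a 12-byte IV
}

// sealRecord encrypts one record body under the nonce for sequence number seq.
func sealRecord(key, iv []byte, seq uint64, aad, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := tls13Nonce(iv, seq)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// openRecord decrypts and authenticates one record body. A record presented
// under a different sequence number than it was sealed with (reordered,
// replayed or dropped records) derives a different nonce and fails to open.
func openRecord(key, iv []byte, seq uint64, aad, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := tls13Nonce(iv, seq)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

func main() {
	// Constructed sample values, not a real key schedule output.
	key := bytes.Repeat([]byte{0x11}, 16)
	iv := bytes.Repeat([]byte{0x22}, 12)
	for seq := uint64(0); seq < 3; seq++ {
		nonce, _ := tls13Nonce(iv, seq)
		ct, _ := sealRecord(key, iv, seq, nil, []byte("same plaintext"))
		fmt.Printf("seq=%d nonce=%s ct=%s\n", seq, hex.EncodeToString(nonce), hex.EncodeToString(ct))
	}
	ct, _ := sealRecord(key, iv, 0, nil, []byte("record 0"))
	if _, err := openRecord(key, iv, 1, nil, ct); err != nil {
		fmt.Println("opening record 0 as sequence 1 fails:", err)
	}
}
```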
commit 4f94b1c19f8520273fa7751687b6daab82e02bc3
Author: Steven Valdez <svaldez@google.com>
Date: Tue May 24 12:31:07 2016 -0400
Adding TLS 1.3 constants.
Constants representing TLS 1.3 are added to allow for future work to be
flagged on TLS1_3_VERSION. To prevent BoringSSL from negotiating the
non-existent TLS 1.3 version, it is explicitly disabled using
SSL_OP_NO_TLSv1_3.
Change-Id: Ie5258a916f4c19ef21646c4073d5b4a7974d6f3f
Reviewed-on: https://boringssl-review.googlesource.com/8041
Reviewed-by: Adam Langley <agl@google.com>
commit 1eca1d3816df495e83e0d22edfbb2d380dda6984
Author: Steven Valdez <svaldez@google.com>
Date: Mon May 23 16:29:25 2016 -0400
Renaming Channel ID Encrypted Extensions.
This renames the Channel ID EncryptedExtensions message to allow for
compatibility with TLS 1.3 EncryptedExtensions.
Change-Id: I5b67d00d548518045554becb1b7213fba86731f2
Reviewed-on: https://boringssl-review.googlesource.com/8040
Reviewed-by: Adam Langley <agl@google.com>
commit 2f87112b963fe9dee6a75b23a8dae45000001063
Author: David Benjamin <davidben@google.com>
Date: Fri May 20 14:27:17 2016 -0400
Never expose ssl->bbio in the public API.
OpenSSL's bbio logic is kind of crazy. It would be good to eventually do the
buffering in a better way (notably, bbio is fragile, if not outright broken,
for DTLS). In the meantime, this fixes a number of bugs where the existence of
bbio was leaked in the public API and broke things.
- SSL_get_wbio returned the bbio during the handshake. It must always return
the BIO the consumer configured. In doing so, internal accesses of
SSL_get_wbio should be switched to ssl->wbio since those want to see bbio.
For consistency, do the same with rbio.
- The logic in SSL_set_rfd, etc. (which I doubt is quite right since
SSL_set_bio's lifetime is unclear) would get confused once wbio got wrapped.
Those want to compare to SSL_get_wbio.
- If SSL_set_bio was called mid-handshake, bbio would get disconnected and lose
state. It forgets to reattach the bbio afterwards. Unfortunately, Conscrypt
does this a lot. It just never ended up calling it at a point where the bbio
would cause problems.
- Make more explicit the invariant that any bbio's which exist are always
attached. Simplify a few things as part of that.
Change-Id: Ia02d6bdfb9aeb1e3021a8f82dcbd0629f5c7fb8d
Reviewed-on: https://boringssl-review.googlesource.com/8023
Reviewed-by: Kenny Root <kroot@google.com>
Reviewed-by: Adam Langley <agl@google.com>
commit 7e7a82d962d84b5dea95bb5dfe82616b3551e3bc
Author: David Benjamin <davidben@google.com>
Date: Fri May 20 20:12:42 2016 -0400
Rename GetConfigPtr to GetTestConfig.
GetConfigPtr was a silly name. GetTestConfig matches the type and GetTestState.
Change-Id: I9998437a7be35dbdaab6e460954acf1b95375de0
Reviewed-on: https://boringssl-review.googlesource.com/8024
Reviewed-by: Adam Langley <agl@google.com>
commit 7fcfd3b37a73ca3efde348b8bb41f37052cdd959
Author: Adam Langley <alangley@gmail.com>
Date: Fri May 20 11:02:50 2016 -0700
Add ISC license to Go files that were missing a license.
Change-Id: I1fe3bed7d5c577748c9f4c3ccd5c1b90fec3d7d7
Reviewed-on: https://boringssl-review.googlesource.com/8032
Reviewed-by: David Benjamin <davidben@google.com>
commit ce902a9bcd59c8a3ef33900d39eeb431365c34bc
Author: Steven Valdez <svaldez@google.com>
Date: Tue May 17 11:47:53 2016 -0400
Generalizing curves to groups in preparation for TLS 1.3.
The 'elliptic_curves' extension is being renamed to 'supported_groups'
in the TLS 1.3 draft, and most of the curve-specific methods are
generalized to groups/group IDs.
Change-Id: Icd1a1cf7365c8a4a64ae601993dc4273802610fb
Reviewed-on: https://boringssl-review.googlesource.com/7955
Reviewed-by: David Benjamin <davidben@google.com>
commit f1012b5c31c8dce14a0adf1566c14a87e1889ba8
Author: Steven Valdez <svaldez@google.com>
Date: Fri May 20 11:40:31 2016 -0400
Fix HKDF leak.
Change-Id: Ia83935420d38ededa699aa7f8011a2e358f6c4d3
Reviewed-on: https://boringssl-review.googlesource.com/8022
Reviewed-by: David Benjamin <davidben@google.com>
commit 2b1ca80e0908dac5f69aa12a2ec180c62004d6fa
Author: David Benjamin <davidben@google.com>
Date: Fri May 20 11:28:59 2016 -0400
Link back to the main page in documentation.
Also give the main page a title.
Change-Id: I6db588a9454d90a5974de5446d58d709f84d1906
Reviewed-on: https://boringssl-review.googlesource.com/8020
Reviewed-by: Adam Langley <agl@google.com>
commit 1aa03f07450da091b440b1f14937aa44bab4e428
Author: Adam Langley <agl@google.com>
Date: Fri May 20 08:22:33 2016 -0700
Add |EVP_dss1| as an alias for |EVP_sha1| in decrepit.
Change-Id: I51fa744c367d1f0c7044050f99c4992778e649bd
Reviewed-on: https://boringssl-review.googlesource.com/8030
Reviewed-by: David Benjamin <davidben@google.com>
commit 7cb920b6acbbddf281d9eb77ef785ec63fde3843
Author: Adam Langley <agl@google.com>
Date: Fri May 20 08:28:56 2016 -0700
Include crypto.h from pem.h.
open_iscsi assumes that it can get |OPENSSL_malloc| after including only
pem.h and err.h. Since pem.h already includes quite a lot, this change
adds crypto.h to that set so that open_iscsi is happy.
Change-Id: I6dc06c27088ce3ca46c1ab53bb29650033cba267
Reviewed-on: https://boringssl-review.googlesource.com/8031
Reviewed-by: David Benjamin <davidben@google.com>
commit 3686584d16dc5141dfab8510b116527c463d4b56
Author: Steven Valdez <svaldez@google.com>
Date: Thu May 19 12:26:42 2016 -0400
Separating HKDF into HKDFExtract and HKDFExpand.
The key schedule in TLS 1.3 requires a separate Extract and Expand phase
for the cryptographic computations.
Change-Id: Ifdac1237bda5212de5d4f7e8db54e202151d45ec
Reviewed-on: https://boringssl-review.googlesource.com/7983
Reviewed-by: David Benjamin <davidben@google.com>
commit e25775bcacb120f7f501a61d78a622ba429ba5d9
Author: Matt Braithwaite <mab@google.com>
Date: Mon May 16 16:31:05 2016 -0700
Elliptic curve + post-quantum key exchange
CECPQ1 is a new key exchange that concatenates the results of an X25519
key agreement and a NEWHOPE key agreement.
Change-Id: Ib919bdc2e1f30f28bf80c4c18f6558017ea386bb
Reviewed-on: https://boringssl-review.googlesource.com/7962
Reviewed-by: David Benjamin <davidben@google.com>
commit 61d4cdc03dd7e6920d74070a8d10a6db58c044db
Author: David Benjamin <davidben@google.com>
Date: Thu May 19 17:55:36 2016 -0400
No-op change to kick the bots.
Let's see if the Android bots work!
Change-Id: Ic4a52edcb441c26bc87d776984466e04cff93ae3
commit f0322b2abce91458f62db44dc6b777fc5e0323d9
Author: nmittler <nathanmittler@google.com>
Date: Thu May 19 08:49:59 2016 -0700
Use non-deprecated methods on windows.
Use of strdup, close, lseek, read, and write prevents linking
statically against libcmt.lib.
Change-Id: I04f7876ec0f03f29f000bbcc6b2ccdec844452d2
Reviewed-on: https://boringssl-review.googlesource.com/8010
Reviewed-by: David Benjamin <davidben@google.com>
commit e09e579603bf7d05b5160bb9bd53eacea6cff47d
Author: Matt Braithwaite <mab@google.com>
Date: Thu May 19 10:30:52 2016 -0700
Rename NEWHOPE functions to offer/accept/finish.
This is consistent with the new convention in ssl_ecdh.c.
Along the way, change newhope_test.c to not iterate 1000 times over each
test.
Change-Id: I7a500f45b838eba8f6df96957891aa8e880ba089
Reviewed-on: https://boringssl-review.googlesource.com/8012
Reviewed-by: David Benjamin <davidben@google.com>
commit 1147be052c4e8b8a9b9ed1057e786eba5d58ba56
Author: David Benjamin <davidben@google.com>
Date: Thu May 19 13:23:11 2016 -0400
Inherit the parent environment when shelling out to Go.
The recipes need to run with a funny GOROOT and we were clearing the
environment.
BUG=26
Change-Id: If233a16e060533ad3fa6f215ce596456c2d7afa5
Reviewed-on: https://boringssl-review.googlesource.com/7988
Reviewed-by: Adam Langley <agl@google.com>
commit 3ccf4d6d652fb26b9fb2f0db519d68050d7867d7
Author: David Benjamin <davidben@google.com>
Date: Thu May 19 00:33:41 2016 -0400
Pull Chromium's android_tools as an android-only dependency.
This will be used by the bots to get adb and the NDK.
BUG=26
Change-Id: Iae07a380c49b4990f0aa7d73c4f0b399924b9784
Reviewed-on: https://boringssl-review.googlesource.com/7986
Reviewed-by: Adam Langley <agl@google.com>
commit 75021b747f2d1547553ee4f9c14e4be350c198c6
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 28 14:51:36 2016 -0400
Update Android build instructions.
We now have a copy of android-cmake. Also remove the mention of running cmake
twice. It seems to work fine once?
The API level also got specified twice somehow.
BUG=26
Change-Id: I1331b079a4d8531cd53f7de3605ac318c14b3e26
Reviewed-on: https://boringssl-review.googlesource.com/7985
Reviewed-by: Adam Langley <agl@google.com>
commit f07ba17942eaffe52763ff75487acab5d2f2d5c1
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 28 14:38:20 2016 -0400
Check in a copy of android-cmake.
BUG=26
Change-Id: I2f95740afdbc3bdb0676626679a30f1e1cc307d6
Reviewed-on: https://boringssl-review.googlesource.com/7984
Reviewed-by: Adam Langley <agl@google.com>
commit 00b1069a6b22d8ea0dc6c682b5edb39297e62398
Author: David Benjamin <davidben@google.com>
Date: Thu May 19 00:13:22 2016 -0400
Add an option to pick a different adb binary.
This will let the recipes use the copy pulled from Chromium's android_tools.
BUG=26
Change-Id: Ica6519223b9fb6daef30f3e14c72ef6422de0f6c
Reviewed-on: https://boringssl-review.googlesource.com/7982
Reviewed-by: Adam Langley <agl@google.com>
commit 5693e42ae4f8e9beb712fd0c551cc4109639e85f
Author: Tamas Berghammer <tberghammer@google.com>
Date: Thu May 19 14:28:14 2016 +0100
Fix discovery rule for perl and go for Android
We don't use find_package/find_program on android to find go/perl
because the android toolchain reconfigures the $PATH. The previous
way of solving this was to let ninja look for go/perl on the $PATH
but this approach prevented us from specifying explicit go/perl
executables, which is needed for hermetic builds using prebuilts. This
CL changes the Android specific discovery rule to only set
GO_EXECUTABLE and PERL_EXECUTABLE if they are not specified on the
command line or inside the toolchain file.
Change-Id: Ib6ef69707749073f2b79244ebb301502b2a5a34a
Reviewed-on: https://boringssl-review.googlesource.com/8000
Reviewed-by: David Benjamin <davidben@google.com>
commit ea77107e9ad507708b592b64a1fb406115d9abcf
Author: David Benjamin <davidben@google.com>
Date: Wed May 18 17:40:04 2016 -0400
Remove references to non-existent BIO functions.
We don't have any of these.
Change-Id: I8d12284fbbab0ff35ac32d35a5f2eba326ab79f8
Reviewed-on: https://boringssl-review.googlesource.com/7981
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit c82b70155d9139e56190c004b257c4882ee7ea15
Author: Matt Braithwaite <mab@google.com>
Date: Tue May 17 13:06:03 2016 -0700
Go version of New Hope post-quantum key exchange.
(Code mostly due to agl.)
Change-Id: Iec77396141954e5f8e845cc261eadab77f551f08
Reviewed-on: https://boringssl-review.googlesource.com/7990
Reviewed-by: Adam Langley <agl@google.com>
commit 54092ffeaa80ed032a50b914f14e3aa41de763df
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 18:09:40 2016 -0400
Remove dead checks.
Those checks contradict an assert up in read_app_data. This is part of
shrinking read_bytes further into get_record and its callers until it goes
away. Here, this kind of policy should be controlled by the callers.
Change-Id: If8f9a45b8b95093beab1b3d4abcd31da55c65322
Reviewed-on: https://boringssl-review.googlesource.com/7954
Reviewed-by: Adam Langley <agl@google.com>
commit fce37b0debf158b5d09f8d6a2fc09c6f680d2f32
Author: David Benjamin <davidben@google.com>
Date: Sun May 15 13:51:35 2016 -0400
Add a TODO for why init_buf isn't released post-handshake.
There is no good reason why this needs to be this way. Later work should make
this all use a much more appropriate design. In the meantime, leave a note here
so this does not look accidental.
Change-Id: I7599dea7a474f54e26d9ab175b0e3cada99a974d
Reviewed-on: https://boringssl-review.googlesource.com/7951
Reviewed-by: Adam Langley <agl@google.com>
commit 1d64afda449ff63b8bd99172ed58549c8099ca81
Author: David Benjamin <davidben@google.com>
Date: Sun May 15 13:46:07 2016 -0400
Stop resetting init_num everywhere in the handshake loop.
This was needed because ssl3_get_message would get confused if init_num were
not set back to zero when reading the next message. However, ssl3_get_message
now treats init_num only as an output, not an input. (The message sending logic
and the individual handshake states still use it, so we can't get rid of it
altogether yet.)
I've kept the init_num reset at the start and end of the handshake loop alone
for now since that's more about initialization and cleanup. Though I believe
they too do not do anything.
Change-Id: I64bbdd82122498de32364e7edb3b00b166059ecd
Reviewed-on: https://boringssl-review.googlesource.com/7950
Reviewed-by: Adam Langley <agl@google.com>
commit 1e6d6df943a681eb8454cf40b9cd554519156e16
Author: David Benjamin <davidben@google.com>
Date: Fri May 13 18:28:17 2016 -0400
Remove state parameters to ssl3_get_message.
They're completely unused now. The handshake message reassembly logic should
not depend on the state machine. This should partially free it up (ugly as it
is) to be shared with a future TLS 1.3 implementation while, in parallel, it
and the layers below, get reworked. This also cuts down on the number of states
significantly.
Partially because I expect we'd want to get ssl_hash_message_t out of there
too. Having it in common code is fine, but it needs to be in the (supposed to
be) protocol-agnostic handshake state machine, not the protocol-specific
handshake message layer.
Change-Id: I12f9dc57bf433ceead0591106ab165d352ef6ee4
Reviewed-on: https://boringssl-review.googlesource.com/7949
Reviewed-by: Adam Langley <agl@google.com>
commit a6338be3fa1a08f53d6d5f80aa4f26629fd047ab
Author: David Benjamin <davidben@google.com>
Date: Fri May 13 18:12:19 2016 -0400
Simplify ssl3_get_message.
Rather than this confusing coordination with the handshake state machine and
init_num changing meaning partway through, use the length field already in
BUF_MEM. Like the new record layer parsing, there is no need to keep track of whether
we are reading the header or the body. Simply keep extending the handshake
message until it's far enough along.
ssl3_get_message still needs tons of work, but this allows us to disentangle it
from the handshake state.
Change-Id: Ic2b3e7cfe6152a7e28a04980317d3c7c396d9b08
Reviewed-on: https://boringssl-review.googlesource.com/7948
Reviewed-by: Adam Langley <agl@google.com>
commit 1f9329aaf55f9beb7c95550f5f1fffc395a5f859
Author: David Benjamin <davidben@google.com>
Date: Fri May 13 17:00:49 2016 -0400
Add BUF_MEM_reserve.
BUF_MEM is actually a rather silly API for the SSL stack. There's separate
length and max fields, but init_buf effectively treats length as max and max as
nothing.
We possibly don't want to be using it long-term anyway (if nothing else, the
char*/uint8_t* thing is irritating), but in the meantime, it'll be easier to
separately fix up get_message's book-keeping and state tracking from where the
handshake gets its messages from.
Change-Id: I9e56ea008173991edc8312ec707505ead410a9ee
Reviewed-on: https://boringssl-review.googlesource.com/7947
Reviewed-by: Adam Langley <agl@google.com>
commit 4d559617cd9c0fe5c047bad610be9f6ebbbb19c9
Author: David Benjamin <davidben@google.com>
Date: Wed May 18 14:31:51 2016 -0400
Unflake Unclean-Shutdown-Alert on Windows.
On Windows, if we write to our socket and then close it, the peer sometimes
doesn't get all the data. This was working for our shimShutsDown tests because
we send close_notify in parallel with the peer and sendAlert(alertCloseNotify)
did not internally return an error.
For convenience, sendAlert returns a local error for non-close_notify alerts.
Suppress that error to avoid the race condition. This makes it behave like the
other shimShutsDown tests.
Change-Id: Iad256e3ea5223285793991e2eba9c7d61f2e3ddf
Reviewed-on: https://boringssl-review.googlesource.com/7980
Reviewed-by: Adam Langley <agl@google.com>
commit f4ce8e532476a26ba18459cbd3622f50258969fe
Author: Matt Braithwaite <mab@google.com>
Date: Mon May 16 14:27:14 2016 -0700
Refactor ECDH key exchange to make it asymmetrical
Previously, SSL_ECDH_METHOD consisted of two methods: one to produce a
public key to be sent to the peer, and another to produce the shared key
upon receipt of the peer's message.
This API does not work for NEWHOPE, because the client-to-server message
cannot be produced until the server's message has been received by the
client.
Solve this by introducing a new method which consumes data from the
server key exchange message and produces data for the client key
exchange message.
Change-Id: I1ed5a2bf198ca2d2ddb6d577888c1fa2008ef99a
Reviewed-on: https://boringssl-review.googlesource.com/7961
Reviewed-by: David Benjamin <davidben@google.com>
commit 68a533c0ef70596032e724fa6762f816e20c17dd
Author: David Benjamin <davidben@google.com>
Date: Tue May 17 17:36:47 2016 -0400
Fix line-number counting in doc.go.
There's an off-by-one when skipping blank lines. The initial logic also has an
off-by-one but since it starts lineNo 0-based and then switches to 1-based, it
cancels out.
The decl error line number also was not of where the decl began.
Change-Id: I58fd157dad3276cb9de52ac48ff8c7c73e40f337
Reviewed-on: https://boringssl-review.googlesource.com/7959
Reviewed-by: Adam Langley <agl@google.com>
commit 7f6706ce64bff23d29cdf8e1fb48e8c56f464050
Author: David Benjamin <davidben@google.com>
Date: Tue May 17 17:49:49 2016 -0400
MSVC doesn't like C bitfields.
Change-Id: I88a415e3dd7ac9ea2fa83ca3e4d835efefa7fcc6
Reviewed-on: https://boringssl-review.googlesource.com/7970
Reviewed-by: David Benjamin <davidben@google.com>
commit 47f5a1feca50e3e524ff91528e629f8d16e19309
Author: David Benjamin <davidben@google.com>
Date: Tue May 17 17:31:53 2016 -0400
Allow documentation comments to begin with A/An.
This aligns with Go style.
Change-Id: I773c6a2e8ddd8d40a8480efae86736c4b338d203
Reviewed-on: https://boringssl-review.googlesource.com/7958
Reviewed-by: Adam Langley <agl@google.com>
commit c7eae5a3267dfc9557314a24cc8da77d287ae885
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 18:00:03 2016 -0400
Forbid calling SSL_read, SSL_peek, and SSL_do_handshake post-shutdown.
This explicitly forbids an API pattern which formerly kind of worked, but was
extremely buggy (see preceding commits). Depending on how one interprets
close_notify and our API, one might wish to call SSL_shutdown only once
(morally shutdown(SHUT_WR)) and then SSL_read until EOF.
However, this exposes additional confusing states where we might try to send an
alert post-SHUT_WR, etc. Early commits made us more robust here (whether one is
allowed to touch the SSL* after an operation failed because it read an alert
is... unclear), so we could support it if we wanted to, but this doesn't seem
worth the additional statespace. See if we can get away with not allowing it.
Change-Id: Ie7a7e5520b464360b1e6316c34ec9854b571782f
Reviewed-on: https://boringssl-review.googlesource.com/7433
Reviewed-by: David Benjamin <davidben@google.com>
commit ea65e100c7b5dc5cb44bd68fae64e67d19bde8f2
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 17:57:32 2016 -0400
Condition the read_close_notify check on type, not shutdown state.
The logic to drop records really should be in the caller. Unless
ssl3_read_bytes is broken apart, condition on the type field which is more
robust.
If we manage to call, say, SSL_read after SSL_shutdown completes at 0 (instead
of 1), this logic can incorrectly cause unknown record types to be dropped.
Change-Id: Iab90e5d9190fcccbf6ff55e17079a2704ed99901
Reviewed-on: https://boringssl-review.googlesource.com/7953
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit fa214e4a18785a4281375b56c00732b470e9cd5b
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 17:03:10 2016 -0400
Tidy up shutdown state.
The existing logic gets confused in a number of cases around close_notify vs.
fatal alert. SSL_shutdown, while still pushing to the error queue, will fail to
notice alerts. We also get confused if we try to send a fatal alert when we've
already sent something else.
Change-Id: I9b1d217fbf1ee8a9c59efbebba60165b7de9689e
Reviewed-on: https://boringssl-review.googlesource.com/7952
Reviewed-by: David Benjamin <davidben@google.com>
commit 8f73135485f376f0a08c8d54c0c0e12a5fb9a7d7
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 01:15:15 2016 -0500
Consolidate SSL_RECEIVED_SHUTDOWN checks.
SSL_RECEIVED_SHUTDOWN checks in the record layer happen in two different
places. Some operations (but not all) check it, and so does read_bytes. Move it
to get_record.
This check should be at a low-level since it is otherwise duplicated in every
operation. It is also a signal which originates from around the peer's record
layer, so it makes sense to check it near the same code. (This one's in
get_record which is technically lower-level than read_bytes, but we're trying
to get rid of read_bytes. They're very coupled functions.)
Also, if we've seen a fatal alert, replay an error, not an EOF.
Change-Id: Idec35c5068ddabe5b1a9145016d8f945da2421cf
Reviewed-on: https://boringssl-review.googlesource.com/7436
Reviewed-by: David Benjamin <davidben@google.com>
commit f448c609035d5afb83d5de4c2b3f619f793cd832
Author: Adam Langley <agl@google.com>
Date: Tue May 17 12:33:27 2016 -0700
Update INCORPORATING.md to clarify one point.
In practice it seems that it's not clear that consumers of BoringSSL
generally check in the generated files.
Change-Id: Iaa03aa62139bbcf3e7e7f68662073854954b835f
Reviewed-on: https://boringssl-review.googlesource.com/7956
Reviewed-by: David Benjamin <davidben@google.com>
commit 4fac8d0eae6eaddb45f2eef7fbe978894b96b8dd
Author: Adam Langley <agl@google.com>
Date: Mon May 16 13:44:40 2016 -0700
Add CRYPTO_has_asm.
This function will return whether BoringSSL was built with
OPENSSL_NO_ASM. This will allow us to write a test in our internal
codebase which asserts that normal builds should always have assembly
code included.
Change-Id: Ib226bf63199022f0039d590edd50c0cc823927b9
Reviewed-on: https://boringssl-review.googlesource.com/7960
Reviewed-by: David Benjamin <davidben@google.com>
commit c032dfa27ec8a9f286e3ae7e545932aac13b87d6
Author: David Benjamin <davidben@google.com>
Date: Thu May 12 14:54:57 2016 -0400
Client auth is only legal in certificate-based ciphers.
OpenSSL used to only forbid it on the server in plain PSK and allow it on the
client. Enforce it properly on both sides. My read of the rule in RFC 5246 ("A
non-anonymous server can optionally request a certificate") and in RFC 4279
("The Certificate and CertificateRequest payloads are omitted from the
response.") is that client auth happens iff we're certificate-based.
The line in RFC 4279 is under the plain PSK section, but that doesn't make a
whole lot of sense and there is only one diagram. PSK already authenticates
both sides. I think the most plausible interpretation is that this is for
certificate-based ciphers.
Change-Id: If195232c83f21e011e25318178bb45186de707e6
Reviewed-on: https://boringssl-review.googlesource.com/7942
Reviewed-by: David Benjamin <davidben@google.com>
commit 060cfb091194edf7341d91009764c64096a87157
Author: David Benjamin <davidben@google.com>
Date: Thu May 12 00:43:05 2016 -0400
Simplify handshake message size limits.
A handshake message can go up to 2^24 bytes = 16MB which is a little large for
the peer to force us to buffer. Accordingly, we bound the size of a
handshake message.
Rather than have a global limit, the existing logic uses a different limit at
each state in the handshake state machine and, for certificates, allows
configuring the maximum certificate size. This is nice in that we engage larger
limits iff the relevant state is reachable from the handshake. Servers without
client auth get a tighter limit "for free".
However, this doesn't work for DTLS due to out-of-order messages and we use a
simpler scheme for DTLS. This scheme also is tricky on optional messages and
makes the handshake <-> message layer communication complex.
Apart from an ignored 20,000 byte limit on ServerHello, the largest
non-certificate limit is the common 16k limit on ClientHello. So this
complexity wasn't buying us anything. Unify everything on the DTLS scheme
except, so as not to regress bounds on client-auth-less servers, also correctly
check for whether client auth is configured. The value of 16k was chosen based
on this value.
(The 20,000 byte ServerHello limit makes no sense. We can easily bound the
ServerHello because servers may not send extensions we don't implement. But it
gets overshadowed by the certificate anyway.)
Change-Id: I00309b16d809a3c2a1543f99fd29c4163e3add81
Reviewed-on: https://boringssl-review.googlesource.com/7941
Reviewed-by: David Benjamin <davidben@google.com>
commit 4e7a1ff055b987c9f900a2279380290cb8d9e939
Author: Brian Smith <brian@briansmith.org>
Date: Thu Apr 21 17:10:09 2016 -1000
Remove unuseful comments in |BN_mod_exp|.
The performance measurements seem to be very out-of-date. Also, the
idea for optimizing the case of an even modulus is interesting, but it
isn't useful because we never use an even modulus.
Change-Id: I012eb37638cda3c63db0e390c8c728f65b949e54
Reviewed-on: https://boringssl-review.googlesource.com/7733
Reviewed-by: David Benjamin <davidben@google.com>
commit 448fa427795c5e8a447b18a05600ad19961acf94
Author: Brian Smith <brian@briansmith.org>
Date: Thu Apr 21 17:08:29 2016 -1000
Deprecate |BN_mod_exp2_mont| and simplify its implementation.
This function is only really useful for DSA signature verification,
which is something that isn't performance-sensitive. Replace its
optimized implementation with a naïve implementation that's much
simpler.
Note that it would be simpler to use |BN_mod_mul| in the new
implementation; |BN_mod_mul_montgomery| is used instead only to be
consistent with other work being done to replace uses of non-Montgomery
modular reduction with Montgomery modular reduction.
Change-Id: If587d463b73dd997acfc5b7ada955398c99cc342
Reviewed-on: https://boringssl-review.googlesource.com/7732
Reviewed-by: David Benjamin <davidben@google.com>
commit ada97998f270ad45d46a986723852db0af54736f
Author: David Benjamin <davidben@google.com>
Date: Fri May 13 13:14:28 2016 -0400
Fix stack macro const-ness.
sk_FOO_num may be called on const stacks. Given that was wrong, I suspect no
one ever uses a const STACK_OF(T)...
Other macros were correctly const, but were casting the constness away (only
to have it come back again).
Also remove the extra newline after a group. It seems depending on which
version of clang-format was being used, we'd either lose or keep the extra
newline. The current file doesn't have them, so settle on that.
Change-Id: I19de6bc85b0a043d39c05ee3490321e9f0adec60
Reviewed-on: https://boringssl-review.googlesource.com/7946
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit c6cc6e76a6919769977046df6a72a5bd8a171cef
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 17:19:00 2016 -0400
Make kSRTPProfiles static.
It's only used in one file.
Change-Id: I5d60cbc02799b22317f5f7593faf25eb8eea0a24
Reviewed-on: https://boringssl-review.googlesource.com/7943
Reviewed-by: David Benjamin <davidben@google.com>
commit ef2dc61edd4f5bedcefd88703c4eb5786f01a0a1
Author: David Benjamin <davidben@google.com>
Date: Tue May 10 16:08:57 2016 -0400
Remove invalid comment for alert_dispatch.
The array is of size two for the level and description, not because we allow
two alerts outstanding; we don't.
Change-Id: I25e42c059ce977a947397a3dc83e9684bc8f0595
Reviewed-on: https://boringssl-review.googlesource.com/7940
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 8de8b3d23ced19c9e1fadfd31a9ada172909ca2a
Author: David Benjamin <davidben@google.com>
Date: Thu May 12 23:07:47 2016 -0400
Revise run_android_tests.go for use in recipes.
Allow running only one of the test suites. The recipe expects these happen in
two separate steps (it wants only one JSON results file per "step"). Also add
an option to extract the results file.
BUG=26
Change-Id: I0cda19bd9643b66f40a30bc8410a357da33baacc
Reviewed-on: https://boringssl-review.googlesource.com/7945
Reviewed-by: Adam Langley <agl@google.com>
commit 641f42b1a2c54f5eb2512a6d970b7b783eac7688
Author: David Benjamin <davidben@google.com>
Date: Thu May 12 23:05:57 2016 -0400
Make i2d_X509_AUX work if *pp = NULL.
When *pp is NULL, don't write garbage, return an unexpected pointer
or leak memory on error.
(Imported from upstream's 36c37944909496a123e2656ad1f651769a7cc72f.)
This calling convention...
Change-Id: Ic733092cfb942a3e1d3ceda6797222901ad55bef
Reviewed-on: https://boringssl-review.googlesource.com/7944
Reviewed-by: Adam Langley <agl@google.com>
commit 80d1b35520127a83cde953249c4533360c27a5df
Author: David Benjamin <davidben@google.com>
Date: Wed May 4 19:19:06 2016 -0400
Add a test for SCTs sent on resume.
The specification, sadly, did not say that servers MUST NOT send it, only that
they are "not expected to" do anything with the client extension. Accordingly,
we decided to tolerate this. Add a test for this so that we check this
behavior.
This test also ensures that the original session's value for it carries over.
Change-Id: I38c738f218a09367c9d8d1b0c4d68ab5cbec730e
Reviewed-on: https://boringssl-review.googlesource.com/7860
Reviewed-by: Adam Langley <agl@google.com>
commit e31d103a0ae334d0dc1de348e8177ae984d169f0
Author: Brian Smith <brian@briansmith.org>
Date: Thu Apr 21 17:08:13 2016 -1000
Deprecate |BN_mod_exp_mont_word| and simplify its implementation.
|BN_mod_exp_mont_word| is only useful when the base is a single word
in length and timing side channel protection of the exponent is not
needed. That's never the case in real life.
Keep the function in the API, but replace its single-word-base
optimized implementation with a call to |BN_mod_exp_mont|.
Change-Id: Ic25f6d4f187210b681c6ee6b87038b64a5744958
Reviewed-on: https://boringssl-review.googlesource.com/7731
Reviewed-by: David Benjamin <davidben@google.com>
commit 376a0fed24cad21752357add314f3c43e39c3bcc
Author: Taylor Brandstetter <deadbeef@google.com>
Date: Tue May 10 19:30:28 2016 -0700
Adding a method to change the initial DTLS retransmission timer value.
This allows an application to override the default of 1 second, which
is what's instructed in RFC 6347 but is not an absolute requirement.
Change-Id: I0bbb16e31990fbcab44a29325b6ec7757d5789e5
Reviewed-on: https://boringssl-review.googlesource.com/7930
Reviewed-by: David Benjamin <davidben@google.com>
commit 0e01eb534c25ccd5ce59917cd5ef37c059a94ebb
Author: Brian Smith <brian@briansmith.org>
Date: Thu Apr 21 16:30:37 2016 -1000
Call |BN_mod_exp_mont_consttime| in crypto/dh.
|BN_mod_exp_mont| will forward to |BN_mod_exp_mont_consttime|, so this
is a no-op semantically. However, this allows the linker to drop the
implementation of |BN_mod_exp_mont| even when the DH code is in use.
Change-Id: I0cb8b260224ed661ede74923bd134acb164459c1
Reviewed-on: https://boringssl-review.googlesource.com/7730
Reviewed-by: David Benjamin <davidben@google.com>
commit d229433d7537dae5723a168c64ed8c70719d3f24
Author: David Benjamin <davidben@google.com>
Date: Mon May 9 13:27:01 2016 -0400
Free any existing SRTP connection profile.
When setting a new SRTP connection profile using
SSL_CTX_set_tlsext_use_srtp() or SSL_set_tlsext_use_srtp() we should
free any existing profile first to avoid a memory leak.
(Imported from upstream's fbdf0299dc98bc611d854c0a62c6ab1810d856fc.)
Change-Id: I738e711f1c23ed4a8ac97486d94c08cc0db7aea7
Reviewed-on: https://boringssl-review.googlesource.com/7910
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 347331541536b616bf5147d6f8093a1541b77da7
Author: David Benjamin <davidben@google.com>
Date: Sat May 7 17:40:02 2016 -0400
Reimplement PKCS #3 DH parameter parsing with crypto/bytestring.
Also add a test.
This is the last of the openssl/asn1.h includes from the directories that are
to be kept in the core libcrypto library. (What remains is to finish sorting
out the crypto/obj stuff. We'll also want to retain a decoupled version of the
PKCS#12 stuff.)
Functions that need to be audited for reuse:
i2d_DHparams
BUG=54
Change-Id: Ibef030a98d3a93ae26e8e56869f14858ec75601b
Reviewed-on: https://boringssl-review.googlesource.com/7900
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit e72df93461c6d9d2b5698f10e16d3ab82f5adde3
Author: David Benjamin <davidben@google.com>
Date: Fri May 6 02:12:26 2016 -0400
Add a README.md for ssl/test.
The SSL tests are fairly different from most test suites. Add some high-level
documentation so people know where to start.
Change-Id: Ie5ea108883dca82675571a3025b3fbc4b9d66da9
Reviewed-on: https://boringssl-review.googlesource.com/7890
Reviewed-by: Adam Langley <agl@google.com>
commit e9a36421266fccc28506b1b0d2f8b0bd9b7f04f7
Author: David Benjamin <davidben@google.com>
Date: Thu May 5 21:53:00 2016 -0400
Don't reset ssl->shutdown in the state machine.
This is particularly questionable with ClientHello encompassing several states.
ssl->shutdown is already initialized to zero and further reset in
SSL_set_{connect,accept}_state. At any other state, if it manages to not be a
no-op, it will erase a close_notify we have sent or received, neither of which
is okay. (I don't think this is possible, but I'm not positive.)
This dates to the initial commit in OpenSSL, so git is not enlightening. The
state machine logic historically reset many fields it had no reason to reset,
so this is likely more of that.
Change-Id: Ie872316701720cb8ef2cfcb67b7f07a9fea3620f
Reviewed-on: https://boringssl-review.googlesource.com/7874
Reviewed-by: Adam Langley <agl@google.com>
commit b095f0f0ca4ef08de8c5b48045e20206d55173bf
Author: David Benjamin <davidben@google.com>
Date: Thu May 5 21:50:24 2016 -0400
Remove the push argument to ssl_init_wbio_buffer.
Having bbio be tri-state (not allocated, allocated but not active, and
allocated and active) is confusing.
The extra state is only used in the client handshake, where ClientHello is
special-cased to not go through the buffer while everything else is. This dates
to OpenSSL's initial commit and doesn't seem to do much. I do not believe it
can affect renego as the buffer only affects writes; although OpenSSL accepted
interleave on read (though this logic predates it slightly), it never sent
application data while it believed a handshake was active. The handshake would
always be driven to completion first.
My guess is this was to save a copy since the ClientHello is a one-message
flight so it wouldn't need to be buffered? This is probably not worth the extra
variation in the state. (Especially with the DTLS state machine going through
ClientHello twice and pushing the BIO in between the two. Though I suspect that
was a mistake in itself. If the optimization guess is correct, there was no
need to do that.)
Change-Id: I6726f866e16ee7213cab0c3e6abb133981444d47
Reviewed-on: https://boringssl-review.googlesource.com/7873
Reviewed-by: Adam Langley <agl@google.com>
commit 2730955e7449989bb982092d3301f89340dbc189
Author: David Benjamin <davidben@google.com>
Date: Thu May 5 21:17:53 2016 -0400
Check BIO_flush return value.
That we're ignoring the return value is clearly wrong when
dtls1_retransmit_message has other code that doesn't ignore it, by way of
dtls1_do_handshake_write.
Change-Id: Ie3f8c0defdf1f5e709d67af4ca6fa4f0d83c76c9
Reviewed-on: https://boringssl-review.googlesource.com/7872
Reviewed-by: Adam Langley <agl@google.com>
commit 30152fdfc116d9ef328661b59a306d6b591243af
Author: David Benjamin <davidben@google.com>
Date: Thu May 5 20:45:48 2016 -0400
Always buffer DTLS retransmits.
The DTLS bbio logic is rather problematic, but this shouldn't make things
worse. In the in-handshake case, the new code merges the per-message
(unchecked) BIO_flush calls into one call at the end but otherwise the BIO is
treated as is. Otherwise any behavior around non-blocking writes should be
preserved.
In the post-handshake case, we now install the buffer when we didn't
previously. On write error, the buffer will have garbage in it, but it will be
discarded, so that will preserve any existing retry behavior. (Arguably the
existing retry behavior is a bug, but that's another matter.)
Add a test for all this, otherwise it is sure to regress. Testing for
record-packing is a little fuzzy, but we can assert ChangeCipherSpec always
shares a record with something.
BUG=57
Change-Id: I8603f20811d502c71ded2943b0e72a8bdc4e46f2
Reviewed-on: https://boringssl-review.googlesource.com/7871
Reviewed-by: Adam Langley <agl@google.com>
commit 9d908ba519f2cfe5e21561bdee3e224b94d14a89
Author: David Benjamin <davidben@google.com>
Date: Thu May 5 18:54:33 2016 -0400
Add BORINGSSL_API_VERSION.
The BORINGSSL_YYYYMM #defines have served well to coordinate short-term skews
in BoringSSL's public API, but some consumers (notably wpa_supplicant in
Android) wish to build against multiple versions for an extended period of
time. Consumers should not do this unless there is no alternative, but to
accommodate this, start a BORINGSSL_API_VERSION counter. In future, instead of
BORINGSSL_YYYYMM #defines, we'll simply increment the number.
This is specifically called an "API version" rather than a plain "version" as
this number does not denote any particular point in development or stability.
It purely counts how many times we found it convenient to let the preprocessor
observe a public API change up to now.
Change-Id: I39f9740ae8e793cef4c2b5fb5707b9763b3e55ce
Reviewed-on: https://boringssl-review.googlesource.com/7870
Reviewed-by: Adam Langley <agl@google.com>
commit 598e55a795fa206571f94a7cb2e5834728b85c98
Author: Brian Smith <brian@briansmith.org>
Date: Sat Mar 26 20:17:37 2016 -1000
Do RSA blinding unless |e| is NULL and specifically requested not to.
Change-Id: I189db990df2a3cbf68f820a8f9f16142ccd7070f
Reviewed-on: https://boringssl-review.googlesource.com/7595
Reviewed-by: David Benjamin <davidben@google.com>
commit 86080c336fc9a71d600abc67ba3185390e005061
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 12:23:16 2016 -1000
Verify RSA private key operation regardless of whether CRT is used.
Previously, the verification was only done when using the CRT method,
as the CRT method has been shown to be extremely sensitive to fault
attacks. However, there's no reason to avoid doing the verification
when the non-CRT method is used (performance-sensitive applications
should always be using the CRT-capable keys).
Previously, when we detected a fault (attack) through this verification,
libcrypto would fall back to the non-CRT method and assume that the
non-CRT method would give a correct result, despite having just
detected corruption that is likely from an attack. Instead, just give
up, like NSS does.
Previously, the code tried to handle the case where the input was not
reduced mod rsa->n. This is (was) not possible, so avoid trying to
handle that. This simplifies the equality check and lets us use
|CRYPTO_memcmp|.
Change-Id: I78d1e55520a1c8c280cae2b7256e12ff6290507d
Reviewed-on: https://boringssl-review.googlesource.com/7582
Reviewed-by: David Benjamin <davidben@google.com>
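Added example, covering this commit and the preceding "Do RSA blinding unless |e| is NULL" one. This is editor-written C, not BoringSSL's code and not part of either change. It models the private key operation on the textbook 61*53 toy key with 64-bit arithmetic: sign by CRT, verify s^e mod n == m before returning, and fail closed (no non-CRT fallback) when a simulated glitch corrupts the mod-p half. It also shows blinding, which like the check needs |e| to compute r^e. It goes one step beyond the commit text by recovering a factor of n from the unchecked faulty signature, which is the fault attack the check defends against. The key, the glitch model (an XOR into one CRT half), and all function names are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key from the textbook primes 61 and 53 (constructed example, not a real key).
 * Field order: n, e, p, q, dp = d mod (p-1), dq = d mod (q-1), qinv = q^-1 mod p, d. */
typedef struct {
  uint64_t n, e, p, q, dp, dq, qinv, d;
} toy_rsa_key;

static const toy_rsa_key kToyKey = {3233, 17, 61, 53, 53, 49, 38, 2753};

/* a*b mod m; no 128-bit arithmetic needed because every modulus here is below 2^32. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
  return ((a % m) * (b % m)) % m;
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
  uint64_t r = 1 % m;
  base %= m;
  while (exp != 0) {
    if (exp & 1) r = mulmod(r, base, m);
    base = mulmod(base, base, m);
    exp >>= 1;
  }
  return r;
}

static uint64_t gcd_u64(uint64_t a, uint64_t b) {
  while (b != 0) { uint64_t t = a % b; a = b; b = t; }
  return a;
}

/* Extended Euclid: a^-1 mod m, or 0 if a is not invertible. */
static uint64_t invmod(uint64_t a, uint64_t m) {
  int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
  while (newr != 0) {
    int64_t q = r / newr, tmp;
    tmp = t - q * newt; t = newt; newt = tmp;
    tmp = r - q * newr; r = newr; newr = tmp;
  }
  if (r != 1) return 0;
  return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* CRT signing with Garner recombination. fault_mask is XORed into the mod-p half to stand in
 * for a hardware glitch; 0 means no fault. */
static uint64_t rsa_sign_crt_raw(const toy_rsa_key *k, uint64_t m, uint64_t fault_mask) {
  uint64_t m1 = (powmod(m, k->dp, k->p) ^ fault_mask) % k->p;
  uint64_t m2 = powmod(m, k->dq, k->q);
  uint64_t h = mulmod((m1 + k->p - (m2 % k->p)) % k->p, k->qinv, k->p);
  return m2 + k->q * h;                        /* s = m2 + q*h, already below n */
}

/* The check the commit makes unconditional: s^e mod n must give m back, else fail closed. */
static bool rsa_sign_checked(const toy_rsa_key *k, uint64_t m, uint64_t fault_mask, uint64_t *out) {
  uint64_t s = rsa_sign_crt_raw(k, m, fault_mask);
  if (powmod(s, k->e, k->n) != m % k->n) return false;
  *out = s;
  return true;
}

/* Blinded signing: sign m * r^e instead of m, then multiply by r^-1. Requires e. */
static bool rsa_sign_blinded(const toy_rsa_key *k, uint64_t m, uint64_t r, uint64_t fault_mask, uint64_t *out) {
  uint64_t r_inv = invmod(r, k->n);
  if (r_inv == 0) return false;
  uint64_t mb = mulmod(m % k->n, powmod(r, k->e, k->n), k->n);
  uint64_t sb = 0;
  if (!rsa_sign_checked(k, mb, fault_mask, &sb)) return false;
  *out = mulmod(sb, r_inv, k->n);
  return true;
}

/* Why an unchecked faulty CRT signature is fatal (Boneh/DeMillo/Lipton): s' is still correct
 * mod q but wrong mod p, so gcd(s'^e - m, n) is exactly q. */
static uint64_t bellcore_factor(const toy_rsa_key *k, uint64_t m, uint64_t s_faulty) {
  uint64_t v = powmod(s_faulty, k->e, k->n);
  return gcd_u64((v + k->n - (m % k->n)) % k->n, k->n);
}

/* Plain-value wrappers: the signature, or 0 when the check rejects it. */
static uint64_t sign_or_zero(uint64_t m, uint64_t fault_mask) {
  uint64_t s = 0;
  return rsa_sign_checked(&kToyKey, m, fault_mask, &s) ? s : 0;
}
static uint64_t sign_blinded_or_zero(uint64_t m, uint64_t r, uint64_t fault_mask) {
  uint64_t s = 0;
  return rsa_sign_blinded(&kToyKey, m, r, fault_mask, &s) ? s : 0;
}
static uint64_t factor_from_fault(uint64_t m, uint64_t fault_mask) {
  return bellcore_factor(&kToyKey, m, rsa_sign_crt_raw(&kToyKey, m, fault_mask));
}

int main(void) {
  printf("checked signature of 65: %llu\n", (unsigned long long)sign_or_zero(65, 0));
  printf("with a faulted CRT half: %llu (0 = rejected)\n", (unsigned long long)sign_or_zero(65, 1));
  printf("factor from faulty value: %llu\n", (unsigned long long)factor_from_fault(65, 1));
  return 0;
}
```

The blinded and unblinded paths must agree on the signature; the faulted path must be rejected rather than silently recomputed, because the raw faulty value hands an attacker q.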
commit 8107e92a1aa71cee717450c25dace2a32233a917
Author: Adam Langley <agl@google.com>
Date: Wed May 4 10:32:37 2016 -0700
Add a comment with an SMT verification of the Barrett reductions.
Change-Id: I32dc13b16733fc09e53e3891ca68f51df6c1624c
Reviewed-on: https://boringssl-review.googlesource.com/7850
Reviewed-by: David Benjamin <davidben@google.com>
commit f0bba6166356a4dac6c1cef7a693c96cb1e3f567
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 11:35:23 2016 -0400
Fix ASN1_INTEGER handling.
Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
for on the wire encoding.
(Imported from upstream's d4b25980020821d4685752ecb9105c0902109ab5.)
This is redundant with our fb2c6f8c8565e1e2d85c24408050c96521acbcdc which I
think is a much better fix (having two notions of "type" depending on whether
we're in an ASN1_TYPE or an ASN1_STRING is fragile), so I think we should keep
our restriction too. Still, this is also worth doing.
Change-Id: I6ea54aae7b517a59c6e563d8c993d0ee22e25bee
Reviewed-on: https://boringssl-review.googlesource.com/7848
Reviewed-by: Adam Langley <agl@google.com>
commit de2cf273d76e94ee47cb4ed7e9826f68175ec217
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 09:19:36 2016 -0400
Avoid theoretical overflows in EVP_EncodeUpdate.
See also upstream's 172c6e1e14defe7d49d62f5fc9ea6a79b225424f, but note our
values have different types. In particular, because we put in_len in a size_t
and C implicitly requires that all valid buffers' lengths fit in a ptrdiff_t
(signed), the overflow was impossible, assuming EVP_ENCODE_CTX::length is
untouched externally.
More importantly, this function is stuck taking an int output and has no return
value, so the only plausible contract is the caller is responsible for ensuring
the length fits anyway. Indeed, callers all call EVP_EncodeUpdate in bounded
chunks, so upstream's analysis is off.
Anyway, in theory that logic could locally overflow, so tweak it slightly. Tidy
up some of the variable names while I'm here.
Change-Id: Ifa78707cc26c11e0d67019918a028531b3d6738c
Reviewed-on: https://boringssl-review.googlesource.com/7847
Reviewed-by: Adam Langley <agl@google.com>
commit e31e0123ea331f640852dac55c072b4cec3e3ff8
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 07:55:29 2016 -0400
Add size limit to X509_NAME structure.
This adds an explicit limit to the size of an X509_NAME structure. Some
part of OpenSSL (e.g. TLS) already effectively limit the size due to
restrictions on certificate size.
See also upstream's 65cb92f4da37a3895437f0c9940ee0bcf9f28c8a, although this is
different from upstream's. Upstream's version bounds both the X509_NAME *and*
any data after it in the immediately containing structure. While adding a bound
on all of crypto/asn1 is almost certainly a good idea (will look into that for
a follow-up), it seems bizarre and unnecessary to have X509_NAME affect its
parent.
Change-Id: Ica2136bcd1455d7c501ccc6ef2a19bc5ed042501
Reviewed-on: https://boringssl-review.googlesource.com/7846
Reviewed-by: Adam Langley <agl@google.com>
commit 204dea8daeee9935b2b08da2c2dfe7b890ed36a7
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 07:42:19 2016 -0400
Fix encrypt overflow
An overflow can occur in the EVP_EncryptUpdate function. If an attacker is
able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate with a partial block then a length check can overflow
resulting in a heap corruption.
Following an analysis of all OpenSSL internal usage of the
EVP_EncryptUpdate function all usage is one of two forms.
The first form is like this:
EVP_EncryptInit()
EVP_EncryptUpdate()
i.e. where the EVP_EncryptUpdate() call is known to be the first called
function after an EVP_EncryptInit(), and therefore that specific call
must be safe.
The second form is where the length passed to EVP_EncryptUpdate() can be seen
from the code to be some small value and therefore there is no possibility of
an overflow. [BoringSSL: We also have code that calls EVP_CIPHER functions by
way of the TLS/SSL3 "AEADs". However, there we know the inputs are bounded by
2^16.]
Since all instances are one of these two forms, I believe that there can
be no overflows in internal code due to this problem.
It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate()
in certain code paths. Also EVP_CipherUpdate() is a synonym for
EVP_EncryptUpdate(). Therefore I have checked all instances of these
calls too, and came to the same conclusion, i.e. there are no instances
in internal usage where an overflow could occur.
This could still represent a security issue for end user code that calls
this function directly.
CVE-2016-2106
Issue reported by Guido Vranken.
(Imported from upstream's 3ab937bc440371fbbe74318ce494ba95021f850a.)
Change-Id: Iabde896555c39899c7f0f6baf7a163a7b3c2f3d6
Reviewed-on: https://boringssl-review.googlesource.com/7845
Reviewed-by: Adam Langley <agl@google.com>
commit a43fd90c5ddd85604f308d1664e8f2cedca28b92
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 07:40:09 2016 -0400
Sync with upstream on i2d_X509_AUX.
Upstream decided to reset *pp on error and to later fix up the other i2d
functions to behave similarly. See upstream's
c5e603ee182b40ede7713c6e229c15a8f3fdb58a.
Change-Id: I01f82b578464060d0f2be5460fe4c1b969124c8e
Reviewed-on: https://boringssl-review.googlesource.com/7844
Reviewed-by: Adam Langley <agl@google.com>
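Added example for this commit and the earlier "Make i2d_X509_AUX work if *pp = NULL" one. This is editor-written C, not BoringSSL's code. It demonstrates the three modes of the i2d calling convention, as this editor understands the standard OpenSSL contract, on a toy DER INTEGER encoder: a length query with pp == NULL, allocation when *pp == NULL with *pp left pointing at the start of the new buffer, and in-place encoding that advances *pp. The encoder, the function names, and the error contract on the allocating path (leave *pp NULL, leak nothing) are this example's assumptions, written to match what the two commit messages state.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Content length of the DER INTEGER encoding of an unsigned 32-bit value: shortest big-endian
 * magnitude, plus a leading 0x00 when the top bit would otherwise read as a sign bit. */
static int der_uint32_content_len(uint32_t v) {
  int n = 1;
  while (n < 4 && (v >> (8 * n)) != 0) n++;
  if (((v >> (8 * (n - 1))) & 0x80) != 0) n++;
  return n;
}

/* Toy i2d following the OpenSSL i2d calling convention:
 *   pp == NULL  -> return the encoded length, write nothing
 *   *pp == NULL -> allocate, encode, set *pp to the START of the new buffer (caller frees)
 *   otherwise   -> encode at *pp and advance *pp past the bytes written
 * Returns the length, or -1 on error. In the allocating case an error leaves *pp NULL;
 * in the caller-buffer case an error must not advance *pp. */
static int i2d_toy(uint32_t v, unsigned char **pp) {
  int clen = der_uint32_content_len(v);
  int total = 2 + clen;                     /* tag 0x02, one length byte, content */
  if (pp == NULL) return total;
  unsigned char *buf = NULL, *p;
  if (*pp == NULL) {
    buf = malloc((size_t)total);
    if (buf == NULL) return -1;             /* *pp untouched, nothing leaked */
    p = buf;
  } else {
    p = *pp;
  }
  *p++ = 0x02;
  *p++ = (unsigned char)clen;
  for (int i = clen - 1; i >= 0; i--) {
    *p++ = (i >= 4) ? 0x00 : (unsigned char)(v >> (8 * i));
  }
  *pp = (buf != NULL) ? buf : p;
  return total;
}

/* Encode into a caller-owned buffer, checking both halves of the convention. Returns the length,
 * -1 if the buffer is too small, -2 if the advanced pointer disagrees with the length query. */
static int encode_to(uint32_t v, unsigned char *out, size_t out_len) {
  int need = i2d_toy(v, NULL);
  if (need < 0 || (size_t)need > out_len) return -1;
  unsigned char *p = out;
  int n = i2d_toy(v, &p);
  if (n != need || p != out + need) return -2;
  return n;
}

/* Exercise the allocating path and compare it byte-for-byte with the caller-buffer path. */
static int alloc_path_matches(uint32_t v) {
  unsigned char *buf = NULL;
  int n = i2d_toy(v, &buf);
  if (n < 0 || buf == NULL) return 0;
  unsigned char tmp[8];
  int ok = encode_to(v, tmp, sizeof(tmp)) == n && memcmp(tmp, buf, (size_t)n) == 0;
  free(buf);
  return ok;
}

/* True if v encodes to exactly the expected bytes. */
static int encodes_as(uint32_t v, const unsigned char *expect, int expect_len) {
  unsigned char tmp[8];
  int n = encode_to(v, tmp, sizeof(tmp));
  return n == expect_len && memcmp(tmp, expect, (size_t)n) == 0;
}
```

The two bugs the commits describe map onto the last assignment and the malloc failure branch: returning the advanced pointer in the allocating case hands the caller garbage, and freeing or overwriting *pp on error either leaks or double-frees.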
commit eb3257211e3bd7dbdbe636144b6838dd20c37ef3
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 07:38:54 2016 -0400
Don't free ret->data if malloc fails.
Issue reported by Guido Vranken.
(Imported from upstream's 64eaf6c928f4066d62aa86f805796ef05bd0b1cc.)
Change-Id: I99793abb4e1b5da5b70468b207ec03013fff674a
Reviewed-on: https://boringssl-review.googlesource.com/7843
Reviewed-by: Adam Langley <agl@google.com>
commit 52a3bf2835200a7beabe349a85cb2355e42ab599
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 07:50:44 2016 -0400
Add checks to X509_NAME_oneline()
Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.
Issue reported by Guido Vranken.
(Imported from upstream's 9b08619cb45e75541809b1154c90e1a00450e537.)
Change-Id: Ib2e1e7cd086f9c3f0d689d61947f8ec3e9220049
Reviewed-on: https://boringssl-review.googlesource.com/7842
Reviewed-by: Adam Langley <agl@google.com>
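The following is an added example, not BoringSSL's code, showing the kind of length sanity checking the commit above describes in stand-alone form: each field length is checked for sign, and the running total is checked against an upper bound before it is accumulated. The limit MAX_ONELINE_LEN, the function names and the use of |int| field lengths are assumptions made for this illustration.

```c
#include <limits.h>
#include <stddef.h>

/* Added example, not BoringSSL's code. MAX_ONELINE_LEN is a constructed
 * upper bound on the total length of a one-line name rendering. */
#define MAX_ONELINE_LEN (1024 * 1024)

/* Adds |len| to |*total| only if every check passes:
 *   - |len| is not negative (ASN.1 string lengths are signed ints),
 *   - the new total stays within MAX_ONELINE_LEN, which also rules out
 *     size_t overflow because the bound is far below SIZE_MAX.
 * Returns 1 on success, 0 if the structure should be rejected. */
static int checked_add_len(size_t *total, int len) {
  if (len < 0) {
    return 0;
  }
  size_t add = (size_t)len;
  if (add > (size_t)MAX_ONELINE_LEN ||
      *total > (size_t)MAX_ONELINE_LEN - add) {
    return 0;
  }
  *total += add;
  return 1;
}

/* Sums the lengths of |n| name entries plus one separator byte per entry
 * (for example the '/' between components). Returns 1 and sets |*total|
 * on success, 0 if any entry or the sum fails the checks above. */
static int name_total_len(const int *lens, size_t n, size_t *total) {
  *total = 0;
  for (size_t i = 0; i < n; i++) {
    if (!checked_add_len(total, lens[i])) {
      return 0;
    }
    if (!checked_add_len(total, 1)) {
      return 0;
    }
  }
  return 1;
}
```

The point of checking before adding, rather than adding and then comparing, is that the comparison is done on values that cannot have wrapped; a rejected structure never reaches the buffer-filling code.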
commit ddc69230f30ed53bf81e2e6755cb74f02f537b1a
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 07:35:56 2016 -0400
Sanity check buffer length.
Reject zero length buffers passed to X509_NAME_oneline().
Issue reported by Guido Vranken.
(Imported from upstream's 66e731ab09f2c652d0e179df3df10d069b407604.)
Tweaked slightly to use <= 0 instead of == 0 since the length is signed.
Change-Id: I5ee54d77170845e4699fda7df5e94538c8e55ed9
Reviewed-on: https://boringssl-review.googlesource.com/7841
Reviewed-by: Adam Langley <agl@google.com>
commit d230a0c8904c4a67ee24ead8951345042bb73979
Author: David Benjamin <davidben@google.com>
Date: Tue May 3 07:33:29 2016 -0400
Reject inappropriate private key encryption ciphers.
The traditional private key encryption algorithm doesn't function
properly if the IV length of the cipher is zero. These ciphers
(e.g. ECB mode) are not suitable for private key encryption
anyway.
(Imported from upstream's 4436299296cc10c6d6611b066b4b73dc0bdae1a6.)
Change-Id: I218c9c1d11274ef11b7c0cfce380521efa415215
Reviewed-on: https://boringssl-review.googlesource.com/7840
Reviewed-by: Adam Langley <agl@google.com>
commit b83c680d03b302a88fefcddbdce1b753c4c54ca6
Author: Adam Langley <agl@google.com>
Date: Tue May 3 09:16:21 2016 -0700
Add |CRYPTO_is_confidential_build|.
In the past we have needed the ability to deploy security fixes to our
frontend systems without leaking them in source code or in published
binaries.
This change adds a function that provides some infrastructure for
supporting this in BoringSSL while meeting our internal build needs. We
do not currently have any specific patch that requires this—this is
purely preparation.
Change-Id: I5c64839e86db4e5ea7419a38106d8f88b8e5987e
Reviewed-on: https://boringssl-review.googlesource.com/7849
Reviewed-by: David Benjamin <davidben@google.com>
commit 8368050fa9371840d76ea53ed38c3e5a1cb5e3bc
Author: David Benjamin <davidben@google.com>
Date: Mon May 2 13:15:52 2016 -0400
Clean up ssl_get_compatible_server_ciphers.
The logic is a little hairy, partly because we used to support multiple
certificate slots.
Change-Id: Iee8503e61f5e0e91b7bcb15f526e9ef7cc7ad860
Reviewed-on: https://boringssl-review.googlesource.com/7823
Reviewed-by: David Benjamin <davidben@google.com>
commit 7acd6bc07a25e85d784106fcdfda52809c09699f
Author: David Benjamin <davidben@google.com>
Date: Mon May 2 12:57:01 2016 -0400
Start assuming MSVC 2015.
BUG=43
Change-Id: I46ad1ca62b8921a03fae51f5d7bbe1c68fc0b170
Reviewed-on: https://boringssl-review.googlesource.com/7821
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 8861daa5a9f3ed85500aebcde10278f604e673ac
Author: David Benjamin <davidben@google.com>
Date: Mon May 2 15:22:34 2016 -0400
Fix vs_toolchain.py, possibly.
Sync a few changes with the upstream one, notably get_toolchain_if_necessary.py
needs GYP_MSVS_VERSION set. Also pull the variables that change up to the top.
This diverges a bit more from the upstream one, but we're already heavily
diverged. If we ever need to support two concurrent toolchains, I'll bring us
closer to parity.
Change-Id: I6db7fbaccd5dddd92ad2deee15bd6dd3e28841f7
Reviewed-on: https://boringssl-review.googlesource.com/7830
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit bbe6af0e2ab5b80de6f9cb8ebe8571a5c4b48dbb
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 29 14:15:39 2016 -0400
Bump requirements to MSVC 2015.
Track the Chromium requirements. This makes our bots build with 2015 instead of
2013.
BUG=43
Change-Id: Id5329900a5d1d5fae4b5b22299ed47bc1b947dd8
Reviewed-on: https://boringssl-review.googlesource.com/7820
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9e7efdb008f98c0e311af37ee7193de4e54dcf75
Author: David Benjamin <davidben@google.com>
Date: Mon May 2 13:03:34 2016 -0400
Update the various pinned revisions in util/bot.
See util/bot/UPDATING for where they come from.
Change-Id: Ib2eae6efc737dd8c4e5fb001fd4b478102e0ad6a
Reviewed-on: https://boringssl-review.googlesource.com/7822
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit d18cb77864dcc4b5c7cb08c2331008c01165f34f
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 29 16:22:40 2016 -0400
Fix d2i_X509_AUX.
The logic to reset *pp doesn't actually work if pp is NULL. (It also doesn't
work if *pp is NULL, but that didn't work before either.) Don't bother
resetting it. This is consistent with the template-based i2d functions which do
not appear to leave *pp alone on error.
Will send this upstream.
Change-Id: I9fb5753e5d36fc1d490535720b8aa6116de69a70
Reviewed-on: https://boringssl-review.googlesource.com/7812
Reviewed-by: Adam Langley <agl@google.com>
commit 176dbf04b725b1ee53415fb84720935491c6b989
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 28 20:30:03 2016 -0400
Check for malloc failure in r2i_certpol.
See upstream's 34b9acbd3f81b46967f692c0af49020c8c405746.
Change-Id: I88d5b3cfbbe87e883323a9e6e1bf85227ed9576e
Reviewed-on: https://boringssl-review.googlesource.com/7811
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 3bb5a77205b1ea66fd7ad3d103ff15cb752fe0bd
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 28 20:28:11 2016 -0400
Fix memory leak on error in BN_mpi2bn.
See also upstream's 91fb42ddbef7a88640d1a0f853c941c20df07de7, though that has a
bug if |out| was non-NULL on entry. (I'll send them a patch.)
Change-Id: I807f23007b89063c23e02dac11c4ffb41f847fdf
Reviewed-on: https://boringssl-review.googlesource.com/7810
Reviewed-by: David Benjamin <davidben@google.com>
commit 6f621bd8f7a4fa348bc2dec62c3b5870d6708fa7
Author: Nick Harper <nharper@chromium.org>
Date: Thu Apr 28 12:13:42 2016 -0700
Merge documentation from chromium's net/der into cbs.c
Change-Id: Icfd959a168e3fce423b10dd0dcb1312ec03f0623
Reviewed-on: https://boringssl-review.googlesource.com/7800
Reviewed-by: David Benjamin <davidben@google.com>
commit 992c20aedc0e5206bfa2b6bc032fbff570c6deb3
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 28 12:56:35 2016 -0400
Another OPENSSL_NO_THREADS build fix.
GCC gets unhappy if we don't initialize the padding.
Change-Id: I084ffee1717d9025dcb10d8f32de0da2339c7f01
Reviewed-on: https://boringssl-review.googlesource.com/7797
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 0a63b96535dff86fc226e3a13e34252e702a45d0
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 28 12:17:55 2016 -0400
Make CRYPTO_is_NEON_capable aware of the buggy CPU.
If we're to allow the buggy CPU workaround to fire when __ARM_NEON__ is set,
CRYPTO_is_NEON_capable also needs to be aware of it. Also add an API to export
this value out of BoringSSL, so we can get some metrics on how prevalent this
chip is.
BUG=chromium:606629
Change-Id: I97d65a47a6130689098b32ce45a8c57c468aa405
Reviewed-on: https://boringssl-review.googlesource.com/7796
Reviewed-by: Adam Langley <agl@google.com>
commit b3be1cf97da6c0c796f0ab9aebe7232b030d32b0
Author: David Benjamin <davidben@google.com>
Date: Wed Apr 27 19:15:06 2016 -0400
Add a 'configs_exclude' option to the generated GN 'create_tests' template.
Chromium uses GN's default configs feature which makes all targets default to a
set of configs. It then expects third_party code to take one of them
(chromium_code) out and put in a different one (no_chromium_code).
Because of that, we need a way to tell the template to emit -= lines. Add a
separate option for that.
(It may be worth making us clean against the chromium_code config rather than
the no_chromium_code one, but I'll explore that separately in case making the C
code clean ends up being a rabbit hole.)
BUG=chromium:607294
Change-Id: I2aa179665ab17439cc123fc86a7af9690cd4bcd6
Reviewed-on: https://boringssl-review.googlesource.com/7795
Reviewed-by: Adam Langley <agl@google.com>
commit 2b4820bd523c7ee7406537bfad1bde9bb29673bb
Author: David Benjamin <davidben@google.com>
Date: Wed Apr 27 18:27:11 2016 -0400
Don't set a default armcap state in dynamic armcap modes.
The getauxval (and friends) code would be filling that in anyway. The default
only serves to enable NEON even if the OS is old enough to be missing getauxval
(and everything else).
Notably, this unbreaks the has_buggy_neon code when __ARM_NEON__ is set, as is
the case in Chrome for Android, as of M50. Before, the default
OPENSSL_armcap_P value was getting in the way.
Arguably, this doesn't make a whole lot of sense. We're saying we'll let the
CPU run compiler-generated NEON code, but not our hand-crafted stuff. But, so
far, we only have evidence of the hand-written NEON tickling the bug and not
the compiler-generated stuff, so avoid the unintentional regression. (Naively,
I would expect the hand-crafted NEON is better at making full use of the
pipeline and is thus more likely to tickle the CPU bug.)
This is not the fix for M50, as in the associated Chromium bug, but it will fix
master and M51. M50 will instead want to revert
https://codereview.chromium.org/1730823002.
BUG=chromium:606629
Change-Id: I394f97fea2f09891dd8fa30e0ec6fc6b1adfab7a
Reviewed-on: https://boringssl-review.googlesource.com/7794
Reviewed-by: Adam Langley <agl@google.com>
commit 9478f321753fcb9b1f495abab4e57aa8f6bfce15
Author: Matt Braithwaite <mab@google.com>
Date: Wed Apr 27 11:53:18 2016 -0700
newhope: use less stack to compute client key
Change-Id: Idf500545317242c8855e67b897975e54969fea10
Reviewed-on: https://boringssl-review.googlesource.com/7782
Reviewed-by: Adam Langley <agl@google.com>
commit 862c0aa8806b226286205a3ce2482840721173d6
Author: David Benjamin <davidben@google.com>
Date: Wed Apr 27 14:59:12 2016 -0400
Revert md_len removal from SHA256_CTX and SHA512_CTX.
This reverts commits:
- 91586371422dae70481c39752e55f01f50e9a93a
- a90aa643024459c1698dbec84f4c79a3238b3db8
- c0d8b83b4462a0eb1889f32dbd7f46e83f4dbc81
It turns out code outside of BoringSSL also mismatches Init and Update/Final
functions. Since this is largely cosmetic, it's probably not worth the cost to
do this.
Change-Id: I14e7b299172939f69ced2114be45ccba1dbbb704
Reviewed-on: https://boringssl-review.googlesource.com/7793
Reviewed-by: Adam Langley <agl@google.com>
commit 88e27bcbe08210666b1e05c3daa12ff9faed2564
Author: David Benjamin <davidben@google.com>
Date: Wed Apr 27 14:51:17 2016 -0400
Don't mismatch Init and Update/Final hash functions.
Fixes the ASan bot.
Change-Id: I29b9b98680b634c5e486a734afa38f9d4e458518
Reviewed-on: https://boringssl-review.googlesource.com/7792
Reviewed-by: Adam Langley <agl@google.com>
commit 91586371422dae70481c39752e55f01f50e9a93a
Author: David Benjamin <davidben@google.com>
Date: Tue Apr 19 23:56:41 2016 -0400
Make SHA256_Final actually only return one.
As with SHA512_Final, use the different APIs rather than store md_len.
Change-Id: Ie1150de6fefa96f283d47aa03de0f18de38c93eb
Reviewed-on: https://boringssl-review.googlesource.com/7722
Reviewed-by: Adam Langley <agl@google.com>
commit a90aa643024459c1698dbec84f4c79a3238b3db8
Author: David Benjamin <davidben@google.com>
Date: Tue Apr 19 23:51:11 2016 -0400
Pull HASH_MAKE_STRING out of md32_common.h.
This is in preparation for taking md_len out of SHA256_CTX by allowing us to do
something similar to SHA512_CTX. md32_common.h now emits a static "finish"
function which Final composes with the extraction step.
Change-Id: I314fb31e2482af642fd280500cc0e4716aef1ac6
Reviewed-on: https://boringssl-review.googlesource.com/7721
Reviewed-by: Adam Langley <agl@google.com>
commit e3118b8dc4c05abc8ed822a181e81a2a070ebe61
Author: David Benjamin <davidben@google.com>
Date: Wed Apr 27 14:44:22 2016 -0400
Fix Windows build.
Change-Id: Ie35b8d0e2da0f7d2588c4a436fc4b2b2596aaf18
Reviewed-on: https://boringssl-review.googlesource.com/7791
Reviewed-by: David Benjamin <davidben@google.com>
commit c0d8b83b4462a0eb1889f32dbd7f46e83f4dbc81
Author: David Benjamin <davidben@google.com>
Date: Tue Apr 19 17:39:28 2016 -0400
Make SHA512_Final actually only return one.
Rather than store md_len, factor out the common parts of SHA384_Final and
SHA512_Final and then extract the right state. Also add a missing
SHA384_Transform and be consistent about "1" vs "one" in comments.
This also removes the NULL output special-case which no other hash function
had.
Change-Id: If60008bae7d7d5b123046a46d8fd64139156a7c5
Reviewed-on: https://boringssl-review.googlesource.com/7720
Reviewed-by: Adam Langley <agl@google.com>
commit 3baee2a495df5aa212b13c5948da829332b75b24
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 1 18:37:07 2016 -0400
Banish SSL_add_dir_cert_subjects_to_stack and OPENSSL_DIR_CTX to decrepit.
There was only one function that required BoringSSL to know how to read
directories. Unfortunately, it does have some callers and it's not immediately
obvious whether the code is unreachable. Rather than worry about that, just
toss it all into decrepit.
In doing so, do away with the Windows and PNaCl codepaths. Only implement
OPENSSL_DIR_CTX on Linux.
Change-Id: Ie64d20254f2f632fadc3f248bbf5a8293ab2b451
Reviewed-on: https://boringssl-review.googlesource.com/7661
Reviewed-by: Adam Langley <agl@google.com>
commit 724dcbf5e209f118b9e6af82997d144b9c692b19
Author: Adam Langley <agl@google.com>
Date: Wed Apr 27 11:08:13 2016 -0700
Correct markdown misinterpretation.
The term “#define”, when the line breaking happens to put it at the
beginning of a line, confuses markdown. This change escapes the '#'.
Change-Id: I8300324f9e8c7561f32aba6fa29c0132a188a58b
commit a08142380981b366fb4f5eb61f9888f49342d388
Author: Adam Langley <agl@google.com>
Date: Wed Apr 27 10:24:11 2016 -0700
Add document about incorporating BoringSSL into a project.
Change-Id: Ia825300bae236e3133dd9a19313b7f5450f0c8e2
Reviewed-on: https://boringssl-review.googlesource.com/7781
Reviewed-by: David Benjamin <davidben@google.com>
commit a9959f2f5083ed72a80800d7c8f8287122473be6
Author: David Benjamin <davidben@google.com>
Date: Tue Apr 26 20:12:52 2016 -0400
Work around Android mingw issues.
The copy of mingw-w64 used by Android isn't new enough and is missing half of
the INIT_ONCE definitions. (But not the other half, strangely.) Work around
this for now.
Change-Id: I5c7e89db481f932e03477e50cfb3cbacaeb630e6
Reviewed-on: https://boringssl-review.googlesource.com/7790
Reviewed-by: Adam Langley <agl@google.com>
commit 7909aa7c23f04dc5dd471824ea04443d96189618
Author: Adam Langley <agl@google.com>
Date: Tue Apr 26 16:31:38 2016 -0700
Pass array by reference in newhope speed test.
This is another thing that MSVC can't cope with:
..\tool\speed.cc(537) : error C2536: 'SpeedNewHope::<⋯>::SpeedNewHope::<⋯>::clientmsg' : cannot specify explicit initializer for arrays
Change-Id: I6b4cb430895f7794e9cef1b1c12b57ba5d537c64
commit e75f0530a009efac5519053ff6c342ad0da50eea
Author: Adam Langley <agl@google.com>
Date: Tue Apr 26 16:25:31 2016 -0700
More fixes for MSVC.
Change-Id: I2cde4d99974a28126452bb66c6e176b92b7f0bc9
commit bc57d55c9fe88d3c4f41dd204ec25a8dcf606a5e
Author: Adam Langley <agl@google.com>
Date: Tue Apr 26 16:10:53 2016 -0700
Corrupt the newhope secret key directly.
Rather than use an internal function in a test (which would need an
OPENSSL_EXPORT to work in a shared-library build), this change corrupts
the secret key directly.
Change-Id: Iee501910b23a0affaa0639dcc773d6ea2d0c5a82
Reviewed-on: https://boringssl-review.googlesource.com/7780
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: Adam Langley <agl@google.com>
commit 945cf9a131d52069dfec6488f901cef475732584
Author: Matt Braithwaite <mab@google.com>
Date: Tue Apr 26 16:03:47 2016 -0700
newhope: MSVC can't size array using static size_t
Change-Id: I5060b1a3e800db21d2205f11951b4ad8a5986133
Reviewed-on: https://boringssl-review.googlesource.com/7770
Reviewed-by: Adam Langley <agl@google.com>
commit 045a0ffe358b81609e5b93e1f02e948b581304a3
Author: Matt Braithwaite <mab@google.com>
Date: Mon Apr 18 11:30:19 2016 -0700
Import `newhope' (post-quantum key exchange).
This derives from the reference implementation:
Source: https://github.com/tpoeppelmann/newhope/tree/master/ref at bc06c1ac
Paper: https://eprint.iacr.org/2015/1092
However, it does not interoperate, due to the replacement of SHAKE-128
with AES-CTR (for polynomial generation) and the replacement of SHA-3
with SHA-256 (for key whitening).
Change-Id: I6a55507aea85331245e2fbd41bae5cc049fdca3c
Reviewed-on: https://boringssl-review.googlesource.com/7690
Reviewed-by: Adam Langley <agl@google.com>
commit c25d2e63795f7af7db5b1ca120f3f158a357f014
Author: David Benjamin <davidben@google.com>
Date: Tue Apr 26 18:04:36 2016 -0400
Resolve -Wextern-c-compat warnings with OPENSSL_NO_THREADS.
C and C++ disagree on the sizes of empty structs, which can be rather bad for
structs embedded in public headers. Stick a char in them to avoid issues. (It
doesn't really matter for CRYPTO_STATIC_MUTEX, but it's easier to add a char in
there too.)
Thanks to Andrew Chi for reporting this issue.
Change-Id: Ic54fff710b688decaa94848e9c7e1e73f0c58fd3
Reviewed-on: https://boringssl-review.googlesource.com/7760
Reviewed-by: David Benjamin <davidben@google.com>
commit ede2e2c5cec6a4ac40a247f7588fd8ccf625d182
Author: Steven Valdez <svaldez@google.com>
Date: Tue Apr 26 12:51:18 2016 -0400
Fix buffer overrun in ASN1_parse() and signed/unsigned warning.
(Imported from upstream's 2442382e11c022aaab4fdc6975bd15d5a75c4db2 and
0ca67644ddedfd656d43a6639d89a6236ff64652)
Change-Id: I601ef07e39f936e8f3e30412fd90cd339d712dc4
Reviewed-on: https://boringssl-review.googlesource.com/7742
Reviewed-by: David Benjamin <davidben@google.com>
commit b32a9151da35c12136299a3bf4e21c8c77d13866
Author: Steven Valdez <svaldez@google.com>
Date: Tue Apr 26 12:57:22 2016 -0400
Ensure we check i2d_X509 return val
The i2d_X509() function can return a negative value on error. Therefore
we should make sure we check it.
Issue reported by Yuan Jochen Kang.
(Imported from upstream's 8f43c80bfac15544820739bf035df946eeb603e8)
Change-Id: If247d5bf1d792eb7c6dc179b606ed21ea0ccdbb8
Reviewed-on: https://boringssl-review.googlesource.com/7743
Reviewed-by: David Benjamin <davidben@google.com>
commit 14b07a02a6b16f24e6bd6cbb11f9904e9ee50442
Author: Steven Valdez <svaldez@google.com>
Date: Tue Apr 26 12:43:39 2016 -0400
Harden ASN.1 BIO handling of large amounts of data.
If the ASN.1 BIO is presented with a large length field read it in
chunks of increasing size checking for EOF on each read. This prevents
small files allocating excessive amounts of data.
CVE-2016-2109
Thanks to Brian Carpenter for reporting this issue.
(Imported from upstream's f32774087f7b3db1f789688368d16d917757421e)
Change-Id: Id1b0d4436c4879d0ba7d3b7482b937cafffa28f7
Reviewed-on: https://boringssl-review.googlesource.com/7741
Reviewed-by: David Benjamin <davidben@google.com>
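The following is an added example, not BoringSSL's code, that shows the hardening the commit above describes in stand-alone form: rather than trusting a large ASN.1 length field and allocating that much memory up front, the body is read in chunks that grow geometrically, stopping at EOF. A tiny input that claims a huge length then costs at most a couple of small chunks. The in-memory mem_source type standing in for a BIO, the INITIAL_CHUNK size and the function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not BoringSSL's code. mem_source is a constructed
 * in-memory stand-in for a BIO so that the example runs offline. */
typedef struct {
  const uint8_t *data;
  size_t len;
  size_t pos;
} mem_source;

/* Reads up to |n| bytes; returns 0 at EOF. */
static size_t source_read(mem_source *s, uint8_t *out, size_t n) {
  size_t avail = s->len - s->pos;
  if (n > avail) {
    n = avail;
  }
  memcpy(out, s->data + s->pos, n);
  s->pos += n;
  return n;
}

#define INITIAL_CHUNK 1024  /* constructed starting chunk size */

/* Reads exactly |declared| bytes into a freshly allocated buffer, growing
 * the chunk size only after real data has arrived. Returns 1 on success
 * and 0 if the source ends early or allocation fails (in which case
 * nothing is leaked). |*peak_alloc| reports the largest buffer that was
 * allocated, so the memory bound is visible to the caller. */
static int read_declared_length(mem_source *s, size_t declared,
                                uint8_t **out, size_t *out_len,
                                size_t *peak_alloc) {
  uint8_t *buf = NULL;
  size_t cap = 0, have = 0, chunk = INITIAL_CHUNK;
  *out = NULL;
  *out_len = 0;
  *peak_alloc = 0;
  while (have < declared) {
    size_t want = declared - have;
    if (want > chunk) {
      want = chunk;
    }
    if (have + want > cap) {
      size_t new_cap = have + want;
      uint8_t *tmp = realloc(buf, new_cap);
      if (tmp == NULL) {
        free(buf);
        return 0;
      }
      buf = tmp;
      cap = new_cap;
      if (cap > *peak_alloc) {
        *peak_alloc = cap;
      }
    }
    size_t n = source_read(s, buf + have, want);
    if (n == 0) {
      /* EOF before the declared length: the length field lied. */
      free(buf);
      return 0;
    }
    have += n;
    if (chunk < SIZE_MAX / 2) {
      chunk *= 2;
    }
  }
  *out = buf;
  *out_len = have;
  return 1;
}
```

With a 10-byte input claiming a 1 GiB body, the loop allocates the first chunk, reads the 10 bytes, grows to the next chunk, hits EOF and fails, having touched a few kilobytes rather than a gigabyte; a source that really does carry the declared number of bytes is read completely.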
commit f040d3c7e1a2da2cd1902ef90fd4b6daed061296
Author: David Benjamin <davidben@google.com>
Date: Tue Apr 26 11:52:29 2016 -0400
Fix build.
Forgot to mark something static.
Change-Id: I497075d0ad27e2062f84528fb568b333e72a7d3b
Reviewed-on: https://boringssl-review.googlesource.com/7753
Reviewed-by: David Benjamin <davidben@google.com>
commit dc9194f78b120fddb6a63daa2ce53d48381b545a
Author: David Benjamin <davidben@google.com>
Date: Sun Apr 24 12:17:46 2016 -0400
Fix a bug in obj_dat.pl and add basic crypto/obj tests.
It's not possible to encode an OID with only one component, so some of
the NIDs do not have encodings. The logic to actually encode OIDs checks
for this (before calling der_it), but not the logic to compute the
sorted OID list.
Without this, OBJ_obj2nid, when given an empty OID, returns something
arbitrary based on the binary search implementation instead of
NID_undef.
Change-Id: Ib68bae349f66eff3d193616eb26491b6668d4b0a
Reviewed-on: https://boringssl-review.googlesource.com/7752
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit f13444a5ad92974005df38c4344c922af2449ca3
Author: David Benjamin <davidben@google.com>
Date: Mon Apr 25 13:22:22 2016 -0400
Use different bit tricks to extend the LSB.
C gets grumpy when you shift into a sign bit. Replace it with a different bit
trick.
BUG=chromium:603502
Change-Id: Ia4cc2e2d68675528b7c0155882ff4d6230df482b
Reviewed-on: https://boringssl-review.googlesource.com/7740
Reviewed-by: Adam Langley <agl@google.com>
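The following is an added example, not BoringSSL's code. The commit above does not spell out which replacement trick it uses, so the one shown here, unsigned negation of the low bit, is an assumption: for an unsigned value, 0 - 1 wraps to all ones and 0 - 0 stays zero, with no shift into a sign bit and therefore no undefined behaviour. The function names are also assumptions.

```c
#include <stdint.h>

/* Added example, not BoringSSL's code. Shifting a bit into the sign bit
 * of a signed integer is undefined behaviour in C; unsigned subtraction
 * is fully defined and gives the same all-ones / all-zeros mask. */

/* Returns 0xFFFFFFFF if the low bit of |x| is set, 0 otherwise. */
static uint32_t mask_from_lsb(uint32_t x) {
  return 0u - (x & 1u);
}

/* Returns 0xFFFFFFFF if |x| is zero, 0 otherwise, without a branch.
 * x | -x has its top bit set exactly when x != 0. */
static uint32_t mask_is_zero(uint32_t x) {
  return ~mask_from_lsb((x | (0u - x)) >> 31);
}

/* Branch-free select: |a| when |mask| is all ones, |b| when it is zero. */
static uint32_t ct_select(uint32_t mask, uint32_t a, uint32_t b) {
  return (mask & a) | (~mask & b);
}

/* Picks one of two words based on a secret bit without data-dependent
 * control flow, the usual consumer of such a mask. */
static uint32_t select_by_bit(uint32_t bit, uint32_t a, uint32_t b) {
  return ct_select(mask_from_lsb(bit), a, b);
}
```

Both mask builders compile to a handful of arithmetic instructions with no branch, which is what constant-time code wants; the difference from the shift-based form is only that every operation is on unsigned values.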
commit 1fc7564ba7dd985f311d5fccd1de4b01ee368b43
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 22 00:43:20 2016 -0400
Add standalone PKCS#8 and SPKI fuzzers.
We already had coverage for our new EVP_PKEY parsers, but it's good to have
some that cover them directly. The initial corpus was generated manually with
der-ascii and should cover most of the insanity around EC key serialization.
BUG=15
Change-Id: I7aaf56876680bfd5a89f5e365c5052eee03ba862
Reviewed-on: https://boringssl-review.googlesource.com/7728
Reviewed-by: Adam Langley <agl@google.com>
commit af18cdd733a05a088518e5adb01704c1980fff3b
Author: David Benjamin <davidben@google.com>
Date: Sat Apr 23 01:40:03 2016 -0400
Add a copyright header to run_android_tests.go.
Change-Id: Ifd60964e4074fa7900e9ebfbb669864bae0821dd
Reviewed-on: https://boringssl-review.googlesource.com/7729
Reviewed-by: Adam Langley <agl@google.com>
commit 6e96d2be3d86f81abc230309821691c0cf48343c
Author: David Benjamin <davidben@google.com>
Date: Mon Apr 25 15:07:53 2016 -0400
Remove stale wpa_supplicant hacks.
aosp-master has been updated past the point that this is necessary. Sadly, all
the other hacks still are. I'll try to get things rolling so we can ditch the
others in time.
Change-Id: If7b3aad271141fb26108a53972d2d3273f956e8d
Reviewed-on: https://boringssl-review.googlesource.com/7751
Reviewed-by: Adam Langley <agl@google.com>
commit 1be6a7e4428181e750bf00955df52a8155578ef0
Author: David Benjamin <davidben@google.com>
Date: Mon Apr 25 14:41:19 2016 -0400
Add another temporary hack for wpa_supplicant.
Due to Android's complex branching scheme, we have to keep building against a
snapshotted version of wpa_supplicant. wpa_supplicant, in preparation for
OpenSSL 1.1.0, added compatibility versions of some accessors that we, in
working towards opaquification, have imported. This causes a conflict (C does
not like having static and non-static functions share a name).
Add a hack in the headers to suppress the conflicting accessors when
BORINGSSL_SUPPRESS_ACCESSORS is defined. Android releases which include an
updated BoringSSL will also locally carry this #define in wpa_supplicant build
files. Once we can be sure releases of BoringSSL will only see a new enough
wpa_supplicant (one which includes a to-be-submitted patch), we can ditch this.
Change-Id: I3e27fde86bac1e59077498ee5cbd916cd880821e
Reviewed-on: https://boringssl-review.googlesource.com/7750
Reviewed-by: Adam Langley <agl@google.com>
commit b70cd92c82b4626b8ea69e22e8044fc486fe17bd
Author: Adam Langley <agl@google.com>
Date: Mon Apr 25 10:48:19 2016 -0700
Add licenses to fuzz tests.
These source files previously didn't have the ISC license on them.
Change-Id: Ic0a2047d23b28d9d7f0a85b2fedb67574bdcab25
Reviewed-on: https://boringssl-review.googlesource.com/7735
Reviewed-by: David Benjamin <davidben@google.com>
commit 3d907ed964c721a395c82c5733e7d6dd7fcdd1fb
Author: Adam Langley <agl@google.com>
Date: Fri Apr 22 14:06:50 2016 -0700
Remove RC4_options from rc4-586.pl.
The x86-64 version of this assembly doesn't include this function. It's
in decrepit/rc4 as a compatibility backfill but that means that 32-bit
builds end up with two definitions of this symbol.
Change-Id: Ib6da6b91aded8efc679ebbae6d60c96a78f3dc4e
Reviewed-on: https://boringssl-review.googlesource.com/7734
Reviewed-by: David Benjamin <davidben@google.com>
commit 38d01c6b95df135875c2b2d50448c068e5b090e8
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 21 18:47:57 2016 -0400
Improve generate_build_files.py gn support.
Split gn and gyp generators apart. Since we're pre-generating files, there's no
need to make BoringSSL's build depend on the gypi_to_gn.py script. Also emit
the tests and a list of fuzzers so we don't need to manually update BUILD.gn
each time.
The new gn generator is based on the bazel one since they're fairly similar.
BUG=chromium:429246
Change-Id: I5a819a964d6ac6e56e9251bb3fd3de1db08214a4
Reviewed-on: https://boringssl-review.googlesource.com/7726
Reviewed-by: Adam Langley <agl@google.com>
commit 818aff01fb41b1e46aed9b9ec3bcfc76ae6cf0dd
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 21 16:58:49 2016 -0400
Add SSL_SESSION_get_master_key.
Opaquifying SSL_SESSION is less important than the other structs, but this will
cause less turbulence in wpa_supplicant if we add this API too. Semantics and
name taken from OpenSSL 1.1.0 to match.
BUG=6
Change-Id: Ic39f58d74640fa19a60aafb434dd2c4cb43cdea9
Reviewed-on: https://boringssl-review.googlesource.com/7725
Reviewed-by: Adam Langley <agl@google.com>
commit 7fadfc6135aecb4ae44543bf94950593979c3547
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 21 16:28:19 2016 -0400
Move TLS-specific "AEAD" functions to the bottom of aead.h.
Probably better to keep it out of the way for someone just trying to figure out
how to use the library. Notably, we don't really want people to think they need
to use the directioned init function.
Change-Id: Icacc2061071581abf46e38eb1d7a52e7b1f8361b
Reviewed-on: https://boringssl-review.googlesource.com/7724
Reviewed-by: Adam Langley <agl@google.com>
commit 325664eec4f33b8adecdeb6f151d10d2c57689c9
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 21 16:07:49 2016 -0400
Add hkdf.h to doc.config.
It has all of one function in there.
Change-Id: I86f0fbb76d267389c62b63ac01df685acb70535e
Reviewed-on: https://boringssl-review.googlesource.com/7723
Reviewed-by: Adam Langley <agl@google.com>
commit f01fb5dc0e9d2227a20fe33f7bf76c2160ecf9c9
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 14:34:03 2016 -1000
Avoid minor waste in |ec_GFp_nistp256_point_get_affine_coordinates|.
Avoid calculating the affine Y coordinate when the caller didn't ask
for it, as occurs, for example, in ECDH.
For symmetry and clarity, avoid calculating the affine X coordinate in
the hypothetical case where the caller only asked for the Y coordinate.
Change-Id: I69f5993fa0dfac8b010c38e695b136cefc277fed
Reviewed-on: https://boringssl-review.googlesource.com/7590
Reviewed-by: David Benjamin <davidben@google.com>
commit 3f3358ac150465fafffaf1c51c2928dd2b2018a9
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 14:29:52 2016 -1000
Save one call to |ecp_nistz256_from_mont| in |ecp_nistz256_get_affine|.
Change-Id: I38faa5c4e9101c100614ebadf421bde0a05af360
Reviewed-on: https://boringssl-review.googlesource.com/7589
Reviewed-by: David Benjamin <davidben@google.com>
commit a7aa2bb8f86f9891bba9d05544e2b9796b2da864
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 14:22:40 2016 -1000
Avoid a multiplication in |ecp_nistz256_get_affine| when |x| is NULL.
This is purely hypothetical, as in real life nobody cares about the
|y| component without also caring about the |x| component, but it
clarifies the code and makes a future change clearer.
Change-Id: Icaa4de83c87b82a8e68cd2942779a06e5db300c3
Reviewed-on: https://boringssl-review.googlesource.com/7588
Reviewed-by: David Benjamin <davidben@google.com>
commit d860b7b1cdefa22b2d42074aa5c8ce2a8ec1da5c
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 14:19:42 2016 -1000
Set output coordinates' |neg| field in |ecp_nistz256_get_affine|.
The result would not be correct if, on input, |x->neg != 0| or
|y->neg != 0|.
Change-Id: I645566a78c2e18e42492fbfca1df17baa05240f7
Reviewed-on: https://boringssl-review.googlesource.com/7587
Reviewed-by: David Benjamin <davidben@google.com>
commit 97770d17d8dad60295cf0090f498472907ffd738
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 11 14:04:14 2016 -1000
Use only Montgomery math in |ec_GFp_mont_point_get_affine_coordinates|.
Use only Montgomery math in |ec_GFp_mont_point_get_affine_coordinates|.
In particular, avoid |BN_mod_sqr| and |BN_mod_mul|.
Change-Id: I05c8f831d2865d1b105cda3871e9ae67083f8399
Reviewed-on: https://boringssl-review.googlesource.com/7586
Reviewed-by: David Benjamin <davidben@google.com>
commit f3835839b1f3f7a922748153ca5aa17132220407
Author: David Benjamin <davidben@google.com>
Date: Tue Apr 19 17:48:11 2016 -0400
Use nanosleep instead of usleep.
usleep is guarded by feature macro insanity. Use nanosleep which looks to be
less unfriendly.
Change-Id: I75cb2284f26cdedabb19871610761ec7440b6ad3
Reviewed-on: https://boringssl-review.googlesource.com/7710
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9dadc3b6e1c2d5e2e8a3b1188c905d5541a75df7
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 30 19:04:28 2016 -0400
Replace CRYPTO_once_t on Windows with INIT_ONCE.
Now that we no longer support Windows XP, this function is available. In doing
so, remove the odd run_once_arg_t union and pass in a pointer to a function
pointer which is cleaner and still avoids C's silly rule where function
pointers can't be placed in a void*.
BUG=37
Change-Id: I44888bb3779dacdb660706debd33888ca389ebd5
Reviewed-on: https://boringssl-review.googlesource.com/7613
Reviewed-by: David Benjamin <davidben@google.com>
commit 3ed24f0502ea3f38fa79306dfe263527f0491230
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 30 19:03:45 2016 -0400
Test CRYPTO_once_t collisions.
The existing tests never actually tested this case.
Change-Id: Idb9cf0cbbe32fdf5cd353656a95fbedbaac09376
Reviewed-on: https://boringssl-review.googlesource.com/7612
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 582d2847eda65671883649347f60f6916838a3d1
Author: David Benjamin <davidben@google.com>
Date: Sat Apr 16 17:10:01 2016 -0400
Reimplement PKCS#12 key derivation.
This avoids pulling in BIGNUM for doing a straight-forward addition on a
block-sized value, and avoids a ton of mallocs. It's also -Wconversion-clean,
unlike the old one.
In doing so, this replaces the HMAC_MAX_MD_CBLOCK with EVP_MAX_MD_BLOCK_SIZE.
By having the maximum block size available, most of the temporary values in the
key derivation don't need to be malloc'd.
BUG=22
Change-Id: I940a62bba4ea32bf82b1190098f3bf185d4cc7fe
Reviewed-on: https://boringssl-review.googlesource.com/7688
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
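The following is an added example, not BoringSSL's code, of the "straight-forward addition on a block-sized value" the commit above refers to. In the PKCS#12 key derivation (RFC 7292, Appendix B.2, step 6) each v-byte block I_j of the working buffer is updated as I_j = (I_j + B + 1) mod 2^v, where B is the previous hash output A repeated to fill v bytes. That is a big-endian add with carry, which needs no BIGNUM. The function names and the 128-byte ceiling on v are assumptions made for this illustration; the hash step that produces A is not shown.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not BoringSSL's code. */

/* Fills |out| (|out_len| bytes) by repeating |src| (|src_len| bytes),
 * which is how the spec builds the v-byte block B from the hash output A. */
static void fill_repeat(uint8_t *out, size_t out_len,
                        const uint8_t *src, size_t src_len) {
  for (size_t i = 0; i < out_len; i++) {
    out[i] = src[i % src_len];
  }
}

/* Computes |block| = (|block| + |b| + 1) mod 2^(8*v), treating both as
 * big-endian unsigned integers of |v| bytes. The carry out of the top
 * byte is discarded, which is exactly the "mod 2^v" in the spec. */
static void add_block_plus_one(uint8_t *block, const uint8_t *b, size_t v) {
  unsigned carry = 1;  /* the "+ 1" */
  for (size_t k = v; k > 0; k--) {
    unsigned sum = (unsigned)block[k - 1] + b[k - 1] + carry;
    block[k - 1] = (uint8_t)(sum & 0xff);
    carry = sum >> 8;
  }
}

/* Applies step 6 to every v-byte block of |i| (|i_len| bytes, a multiple
 * of v), where |a| is the |a_len|-byte hash output of the last iteration.
 * Returns 1 on success, 0 on invalid parameters. */
static int pkcs12_update_i(uint8_t *i, size_t i_len, const uint8_t *a,
                           size_t a_len, size_t v) {
  uint8_t b[128];  /* assumed ceiling: block sizes up to 1024 bits */
  if (v == 0 || v > sizeof(b) || a_len == 0 || i_len % v != 0) {
    return 0;
  }
  fill_repeat(b, v, a, a_len);
  for (size_t off = 0; off < i_len; off += v) {
    add_block_plus_one(i + off, b, v);
  }
  return 1;
}
```

Because the addition is confined to fixed-size stack buffers, there is nothing to malloc and nothing to free on an error path, which is the memory-handling benefit the commit describes.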
commit 0e21f41fe884bedf708d3d4d6ab2ce9f53712bb8
Author: David Benjamin <davidben@google.com>
Date: Sat Apr 16 15:20:07 2016 -0400
Switch all 'num' parameters in crypto/modes to unsigned.
Also switch the EVP_CIPHER copy to cut down on how frequently we need to cast
back and forth.
BUG=22
Change-Id: I9af1e586ca27793a4ee6193bbb348cf2b28a126e
Reviewed-on: https://boringssl-review.googlesource.com/7689
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 1a0a8b6760a9bc21c1c14a07c88fe63d637464ea
Author: David Benjamin <davidben@google.com>
Date: Sat Apr 16 15:23:54 2016 -0400
Make EVP_MD_CTX size functions return size_t.
The EVP_MD versions do, so the types should bubble up.
BUG=22
Change-Id: Ibccbc9ff35bbfd3d164fc28bcdd53ed97c0ab338
Reviewed-on: https://boringssl-review.googlesource.com/7687
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 86361a391062e02012c92d1eefa20df3deb897f3
Author: Brian Smith <brian@briansmith.org>
Date: Sat Mar 26 19:42:31 2016 -1000
Require the public exponent to be available in RSA blinding.
Require the public exponent to be available unless
|RSA_FLAG_NO_BLINDING| is set on the key. Also, document this.
If the public exponent |e| is not available, then we could compute it
from |p|, |q|, and |d|. However, there's no reasonable situation in
which we'd have |p| or |q| but not |e|; either we have all the CRT
parameters, or we have (e, d, n), or we have only (d, n). The
calculation to compute |e| exposes the private key to risk of side
channel attacks.
Also, it was particularly wasteful to compute |e| for each
|BN_BLINDING| created, instead of just once before the first
|BN_BLINDING| was created.
|BN_BLINDING| now no longer needs to contain a duplicate copy of |e|,
so it is now more space-efficient.
Note that the condition |b->e != NULL| in |bn_blinding_update| was
always true since commit cbf56a5683ddda831ff91c46ea48d1fba545db66.
Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4
Reviewed-on: https://boringssl-review.googlesource.com/7594
Reviewed-by: David Benjamin <davidben@google.com>
commit d035730ac7ebb82fbf1895fea50c29048bb6edb2
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 10:11:04 2016 -1000
Make return value of |BN_MONT_CTX_set_locked| int.
This reduces the chance of double-frees.
BUG=10
Change-Id: I11a240e2ea5572effeddc05acb94db08c54a2e0b
Reviewed-on: https://boringssl-review.googlesource.com/7583
Reviewed-by: David Benjamin <davidben@google.com>
commit 51b0d5b1e86590c6e828b11ede90db04916e9ff1
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 13:15:39 2016 -1000
Do not use the CRT when |rsa->e == NULL|.
When |rsa->e == NULL| we cannot verify the result, so using the CRT
would leave the key too vulnerable to fault attacks.
Change-Id: I154622cf6205ba4d5fb219143db6072a787c2d1f
Reviewed-on: https://boringssl-review.googlesource.com/7581
Reviewed-by: David Benjamin <davidben@google.com>
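The two rules from the commits above (blinding needs |e|, and the CRT path is only safe when its output can be checked against |e|) as an added Python illustration; this is not BoringSSL's code. `RSAKey`, `rsa_private`, `private_op_error` and the toy 61 x 53 textbook key are all constructed here for the example and carry no security.

```python
# Added illustration, not BoringSSL code: the policy from "Require the public
# exponent to be available in RSA blinding" and "Do not use the CRT when
# |rsa->e == NULL|", on a constructed toy key.
from math import gcd
import secrets

RSA_FLAG_NO_BLINDING = 1  # flag name taken from the commit message


class RSAKey:
    """Minimal stand-in for the RSA struct: e and the CRT primes are optional."""

    def __init__(self, n, d, e=None, p=None, q=None, flags=0):
        self.n, self.d, self.e = n, d, e
        self.p, self.q, self.flags = p, q, flags


def _crt_private(key, c):
    """c^d mod n via the CRT: two half-size exponentiations, recombined with Garner's formula."""
    p, q = key.p, key.q
    dp, dq = key.d % (p - 1), key.d % (q - 1)
    qinv = pow(q, -1, p)
    m1, m2 = pow(c, dp, p), pow(c, dq, q)
    h = (qinv * (m1 - m2)) % p
    return (m2 + h * q) % key.n


def rsa_private(key, c, fault=None):
    """RSA private operation following the commits' rules:
    - e is required unless RSA_FLAG_NO_BLINDING is set;
    - the CRT path is used only when e is present, because its result is
      verified with e before release (the check is what defeats fault attacks);
    - without e, fall back to a plain modular exponentiation.
    `fault` is a test hook that corrupts the CRT output so the check can be seen firing."""
    n, e = key.n, key.e
    if e is None and not (key.flags & RSA_FLAG_NO_BLINDING):
        raise ValueError("public exponent required for blinding")

    r = None
    blinded = c
    if e is not None:
        # Blinding: multiply by r^e so the exponentiation sees a random input.
        while True:
            r = secrets.randbelow(n - 2) + 2
            if gcd(r, n) == 1:
                break
        blinded = (pow(r, e, n) * c) % n

    if e is not None and key.p is not None and key.q is not None:
        m = _crt_private(key, blinded)
        if fault is not None:
            m = fault(m) % n  # simulated computational fault (test hook only)
        if pow(m, e, n) != blinded:
            raise ValueError("CRT result failed verification; refusing to release it")
    else:
        m = pow(blinded, key.d, n)

    if r is not None:
        m = (m * pow(r, -1, n)) % n  # unblind: (r * c^d) * r^-1
    return m


def private_op_error(key, c, fault=None):
    """Return the error message rsa_private raises, or None when it succeeds."""
    try:
        rsa_private(key, c, fault=fault)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed toy key: p=61, q=53, n=3233, e=17, d=2753 (textbook values, no security).
TOY_FULL = RSAKey(n=3233, d=2753, e=17, p=61, q=53)
TOY_NO_E_BLIND = RSAKey(n=3233, d=2753, flags=RSA_FLAG_NO_BLINDING)
TOY_NO_E = RSAKey(n=3233, d=2753)

if __name__ == "__main__":
    print(rsa_private(TOY_FULL, 2790))        # 65, since 65^17 mod 3233 == 2790
    print(rsa_private(TOY_NO_E_BLIND, 2790))  # 65 via the non-CRT fallback
    print(private_op_error(TOY_NO_E, 2790))   # blinding refused without e
```

The `fault` hook exists only so the verification step can be exercised; a real implementation has no such parameter, and the point of the check is that a corrupted CRT value is never returned to the caller.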
commit 69f0532c8530ef3b26a63f6fbf819bb006c13222
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 15 12:44:36 2016 -1000
Use |memcmp| instead of |CRYPTO_memcmp| in |RSA_verify|.
|CRYPTO_memcmp| isn't necessary because there is no secret data being
acted on here.
Change-Id: Ib678d5d4fc16958aca409a93df139bdff8cb73fb
Reviewed-on: https://boringssl-review.googlesource.com/7465
Reviewed-by: David Benjamin <davidben@google.com>
commit 2a92031bb4dceef47b8ee49a9184d7e572fb841b
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 4 13:42:47 2016 -1000
Clarify |RSA_verify_raw| error handling & cleanup.
Use the common pattern of returning early instead of |goto err;| when
there's no cleanup to do yet. Also, move the error checking of
|BN_CTX_get| failure closer to the calls to |BN_CTX_get|. Avoid
calling |OPENSSL_cleanse| on public data. Clarify when/why |buf| is not
freed.
Change-Id: I9df833db7eb7041c5af9349c461297372b988f98
Reviewed-on: https://boringssl-review.googlesource.com/7464
Reviewed-by: David Benjamin <davidben@google.com>
commit 9902262af6fa38acd9bf4e55f2a6d3389faba7e8
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 4 09:20:07 2016 -1000
Remove redundant check of |sig_len| in |RSA_verify|.
The same check is already done in |RSA_verify_raw|, so |RSA_verify|
doesn't need to do it.
Also, move the |RSA_verify_raw| check earlier.
Change-Id: I15f7db0aad386c0f764bba53e77dfc46574f7635
Reviewed-on: https://boringssl-review.googlesource.com/7463
Reviewed-by: David Benjamin <davidben@google.com>
commit c0b196d4ebc75c9f9cb61411b8fe291e70059d58
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 4 08:54:07 2016 -1000
Drop support for engines-provided signature verification.
We do not need to support engine-provided verification methods.
Change-Id: Iaad8369d403082b728c831167cc386fdcabfb067
Reviewed-on: https://boringssl-review.googlesource.com/7311
Reviewed-by: David Benjamin <davidben@google.com>
commit 9b611e28e42761527c700506194a33b1dd1b90db
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 3 08:48:30 2016 -0500
Simplify server_name extension parsing.
Although the server_name extension was intended to be extensible to new name
types, OpenSSL 1.0.x had a bug which meant different name types would cause an
error. Further, RFC 4366 originally defined syntax inextensibly. RFC 6066
corrected this mistake, but adding new name types is no longer feasible.
Act as if the extensibility does not exist to simplify parsing. This also
aligns with OpenSSL 1.1.x's behavior. See upstream's
062178678f5374b09f00d70796f6e692e8775aca and
https://www.ietf.org/mail-archive/web/tls/current/msg19425.html
Change-Id: I5af26516e8f777ddc1dab5581ff552daf2ea59b5
Reviewed-on: https://boringssl-review.googlesource.com/7294
Reviewed-by: David Benjamin <davidben@google.com>
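The non-extensible parse described in the commit above, as an added Python example that is not BoringSSL's code: the extension body is accepted only if it is exactly one host_name entry that fills the whole ServerNameList. `build_server_name_ext`, `parse_server_name_ext`, `server_name_error` and the sample encodings are constructed here.

```python
# Added example, not BoringSSL code: strict server_name (SNI) extension parsing
# with the extensibility treated as if it did not exist.
import struct

NAME_TYPE_HOST_NAME = 0  # the only NameType RFC 6066 defines


def build_server_name_ext(hosts):
    """Encode a ServerNameList of host_name entries (test helper; a compliant
    client only ever sends one entry)."""
    entries = b"".join(
        struct.pack("!BH", NAME_TYPE_HOST_NAME, len(h)) + h for h in hosts
    )
    return struct.pack("!H", len(entries)) + entries


def parse_server_name_ext(ext):
    """Return the host name, or raise ValueError for anything that is not a
    single, well-formed host_name entry occupying the entire list."""
    if len(ext) < 2:
        raise ValueError("truncated ServerNameList length")
    (list_len,) = struct.unpack_from("!H", ext, 0)
    body = ext[2:]
    if list_len != len(body):
        raise ValueError("ServerNameList length does not match extension body")
    if len(body) < 3:
        raise ValueError("truncated ServerName entry")
    name_type, name_len = struct.unpack_from("!BH", body, 0)
    if name_type != NAME_TYPE_HOST_NAME:
        raise ValueError("unsupported NameType %d" % name_type)
    name = body[3:]
    if len(name) != name_len:
        # Either truncated, or a second entry follows the first: both rejected.
        raise ValueError("host_name length does not fill the list")
    if name_len == 0:
        raise ValueError("empty host_name")
    if b"\x00" in name:
        raise ValueError("embedded NUL in host_name")
    return name.decode("ascii")


def server_name_error(ext):
    """Parse error message, or None when the extension is accepted."""
    try:
        parse_server_name_ext(ext)
    except (ValueError, UnicodeDecodeError) as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_server_name_ext(build_server_name_ext([b"example.com"])))
    print(server_name_error(build_server_name_ext([b"a.example", b"b.example"])))
```

Because the name length must account for every remaining byte, a second entry of any type is rejected by the same check that catches truncation, which is what makes the single-entry parse so much shorter than a list walk.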
commit 4c5ddb80477738d8063d3b65038b5879b20f8e84
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 11 22:56:19 2016 -0500
Set rwstate consistently.
We reset it to SSL_NOTHING at the start of every SSL_get_error-using operation.
Then we only set it to a non-NOTHING value in the rest of the stack on error
paths.
Currently, ssl->rwstate is set all over the place. Sometimes the pattern is:
    ssl->rwstate = SSL_WRITING;
    if (BIO_write(...) <= 0) {
      goto err;
    }
    ssl->rwstate = SSL_NOTHING;
Sometimes we only set it to the non-NOTHING value on error.
    if (BIO_write(...) <= 0) {
      ssl->rwstate = SSL_WRITING;
    }
    ssl->rwstate = SSL_NOTHING;
Sometimes we just set it to SSL_NOTHING far from any callback in random places.
The third case is arbitrary and clearly should be removed.
But, in the second case, we sometimes forget to undo it afterwards. This is
largely harmless since an error in the error queue overrides rwstate, but we
don't always put something in the error queue (falling back to
SSL_ERROR_SYSCALL for "I'm not sure why it failed. Perhaps it was one of your
callbacks? Check your errno equivalent."), but in that case a stray rwstate
value will cause it to be wrong.
We could fix the cases where we fail to set SSL_NOTHING on success cases, but
this doesn't account for there being multiple SSL_get_error operations. The
consumer may have an SSL_read and an SSL_write running concurrently. Instead,
it seems the best option is to lift the SSL_NOTHING reset to the operations and
set SSL_WRITING and friends as in the second case.
(Someday hopefully we can fix this to just be an enum that is internally
returned. It can convert to something stateful at the API layer.)
Change-Id: I54665ec066a64eb0e48a06e2fcd0d2681a42df7f
Reviewed-on: https://boringssl-review.googlesource.com/7453
Reviewed-by: David Benjamin <davidben@google.com>
commit c6972eb1f090adc26046859ce3424221de8e210e
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 11 22:43:53 2016 -0500
Remove the no_renegotiation special case.
The concern is if the peer denies our renegotiation attempt, but we will never
initiate renegotiation. We only support server-initiated renegotiation when we
are acting as the client.
(Strictly speaking, only the client ever initiates renegotiation. The server
sends a HelloRequest to ask the client to initiate it. But we forbid
application data interleave as soon as we see the HelloRequest, so we treat it
as part of the handshake.)
Change-Id: I1a625130de32a7227e4471f2f889255aba962ce4
Reviewed-on: https://boringssl-review.googlesource.com/7452
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 0d3a8c6ac0f83bd38221bfbb4d83c3c315b5c4ce
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 11 22:25:18 2016 -0500
Don't allow alert records with multiple alerts.
This is just kind of a silly thing to do. NSS doesn't allow them either. Fatal
alerts would kill the connection regardless and warning alerts are useless. We
previously stopped accepting fragmented alerts but still allowed them doubled
up.
This is in preparation for pulling the shared alert processing code between TLS
and DTLS out of read_bytes into some common place.
Change-Id: Idbef04e39ad135f9601f5686d41f54531981e0cf
Reviewed-on: https://boringssl-review.googlesource.com/7451
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
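The record-layer rule from the commit above (an alert record carries exactly one two-byte alert; fragmented and doubled-up alerts are both rejected) as an added Python example that is not BoringSSL's code. `parse_alert_record`, `alert_record_error` and the sample record bytes are constructed here.

```python
# Added example, not BoringSSL code: accept a TLS alert record only when its
# body is exactly one alert (level, description).
import struct

CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}


def parse_alert_record(record):
    """Parse one TLS record of content type alert and return (level, description).
    Raises ValueError for a fragmented alert (body < 2 bytes) or several alerts
    packed into one record (body > 2 bytes)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _version, length = struct.unpack_from("!BHH", record, 0)
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record")
    body = record[5:]
    if len(body) != length:
        raise ValueError("record length does not match body")
    if length != 2:
        # Neither a partial alert nor two alerts in one record is accepted.
        raise ValueError("alert record must contain exactly one alert, got %d bytes" % length)
    level, description = body[0], body[1]
    if level not in ALERT_LEVELS:
        raise ValueError("unknown alert level %d" % level)
    return level, description


def alert_record_error(record):
    """Error message from parse_alert_record, or None when the record is accepted."""
    try:
        parse_alert_record(record)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample records (TLS 1.2 version bytes 0x0303).
SINGLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"          # fatal(2), handshake_failure(40)
DOUBLE_ALERT = b"\x15\x03\x03\x00\x04\x01\x00\x02\x28"  # close_notify then handshake_failure
FRAGMENT_ALERT = b"\x15\x03\x03\x00\x01\x02"            # only the level byte

if __name__ == "__main__":
    print(parse_alert_record(SINGLE_ALERT))    # (2, 40)
    print(alert_record_error(DOUBLE_ALERT))    # rejected: 4 bytes
    print(alert_record_error(FRAGMENT_ALERT))  # rejected: 1 byte
```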
commit 56703d91bf18f66867ed7f3fc8ed06fbf13fb18a
Author: David Benjamin <davidben@google.com>
Date: Mon Apr 18 15:39:33 2016 -0400
Make err_data_generator.go silent by default.
I don't think I ever look at that output. This way our builds are nice and
silent.
Change-Id: Idb215e3702f530a8b8661622c726093530885c91
Reviewed-on: https://boringssl-review.googlesource.com/7700
Reviewed-by: Adam Langley <agl@google.com>
commit 26993ad55eda0763990fdd11db929043761b56e1
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 15 16:12:19 2016 -0400
Only use recv/send for socket BIOs on Windows.
In OpenSSL, socket BIOs only used recv/send on Windows and read/write on POSIX.
Align our socket BIOs with that behavior. This should be a no-op, but avoids
frustrating consumers overly sensitive to the syscalls used now that SSL_set_fd
has switched to socket BIOs to align with OpenSSL. b/28138582.
Change-Id: Id4870ef8e668e587d6ef51c5b5f21e03af66a288
Reviewed-on: https://boringssl-review.googlesource.com/7686
Reviewed-by: Adam Langley <agl@google.com>
commit 919610b4c43ab394977eba70ceec66aaa0070472
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 15 15:34:30 2016 -0400
Fix memory leak on invalid ecPublicKey parameters.
One of the codepaths didn't free the group. Found by libFuzzer.
BUG=chromium:603893
Change-Id: Icb81f2f89a8c1a52e29069321498986b193a0e56
Reviewed-on: https://boringssl-review.googlesource.com/7685
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: Adam Langley <agl@google.com>
commit 4365c3f522f2fc57fa0c87bde5f25ea98dd9a59c
Author: Daniel Bathgate <dbathgate@google.com>
Date: Thu Apr 14 17:18:02 2016 -0400
Send an error rather than assert when decrypt_len != rsa_size.
With SSL_PRIVATE_KEY_METHOD, decryption can happen outside of BoringSSL. Rather than crash the process, it would be nicer if BoringSSL handled the error gracefully.
Change-Id: I3f24d066f7a329d41420b208a7e13c82ec966710
Reviewed-on: https://boringssl-review.googlesource.com/7683
Reviewed-by: David Benjamin <davidben@google.com>
commit 0fe4d8bef5918f84a7f260c34c26dd13c0d70ade
Author: David Benjamin <davidben@google.com>
Date: Wed Apr 13 17:28:35 2016 -0400
chacha/asm/chacha-armv8.pl: fix intermittent build failures.
(Imported from b9077d85b0042d3d5d877d5cf7f06a8a8c035673.)
Change-Id: I6df3b3d0913b001712a78671c69b9468e059047f
Reviewed-on: https://boringssl-review.googlesource.com/7682
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9980ce1dcd1a90990e7e922979ef4445032aa383
Author: Steven Valdez <svaldez@google.com>
Date: Thu Apr 14 16:35:26 2016 -0400
Add BORINGSSL_PREFIX for prefixing symbols
This currently doesn't prefix assembly symbols since they don't pull in
openssl/base.h
BUG=5
Change-Id: Ie0fdc79ae73099f84ecbf3f17604a1e615569b3b
Reviewed-on: https://boringssl-review.googlesource.com/7681
Reviewed-by: David Benjamin <davidben@google.com>
commit a82e8dd9d28705eef77e47762f06626c9134dd6a
Author: David Benjamin <davidben@google.com>
Date: Thu Apr 14 09:48:39 2016 -0400
Tweak X25519 documentation.
Both the header-level and section-level documentation define curve25519 which
is a little odd.
Change-Id: I81aa2b74e8028d3cfd5635e1d3cfda402ba1ae38
Reviewed-on: https://boringssl-review.googlesource.com/7680
Reviewed-by: Adam Langley <agl@google.com>
commit aaccbfec04a09d6711e0ead04e5bef612b8fa65e
Author: Adam Langley <agl@google.com>
Date: Wed Apr 13 08:19:03 2016 -0700
Export RSA_padding_add_PKCS1_OAEP[_mgf1]
This is needed by trousers. As with the PSS function, the version that
assumes SHA-1 is put into decrepit.
Change-Id: I153e8ea0150e48061b978384b600a7b990d21d03
Reviewed-on: https://boringssl-review.googlesource.com/7670
Reviewed-by: David Benjamin <davidben@google.com>
commit 188487faadcda73e80ce84a3e113d2c9de9bbb3b
Author: Max Moroz <mmoroz@google.com>
Date: Mon Apr 11 15:36:49 2016 +0200
Remove .options files for libFuzzers and update FUZZING.md documentation.
Due to https://codereview.chromium.org/1867833002/ replacing .options files.
Change-Id: I17f0d5b8b1784fdcf163791e72f6b58b29657e95
Reviewed-on: https://boringssl-review.googlesource.com/7640
Reviewed-by: David Benjamin <davidben@google.com>
commit e4c678adda26367e1195cf1aca2af66cb7c3d650
Author: David Benjamin <davidben@google.com>
Date: Mon Apr 11 18:04:18 2016 -0400
Revert "Banish SSL_add_dir_cert_subjects_to_stack and OPENSSL_DIR_CTX to decrepit."
This reverts commit 112c4dd1ff895bf5af0d64488234b0fc40b616bc. Accidentally used
the wrong push line.
commit 112c4dd1ff895bf5af0d64488234b0fc40b616bc
Author: David Benjamin <davidben@google.com>
Date: Fri Apr 1 18:37:07 2016 -0400
Banish SSL_add_dir_cert_subjects_to_stack and OPENSSL_DIR_CTX to decrepit.
There was only one function that required BoringSSL to know how to read
directories. Unfortunately, it does have some callers and it's not immediately
obvious whether the code is unreachable. Rather than worry about that, just
toss it all into decrepit.
In doing so, do away with the Windows and PNaCl codepaths. Only implement
OPENSSL_DIR_CTX on Linux.
Change-Id: I3eb55b098e3aa042b422bb7da115c0812685553e
commit 2a187a43169ec4855f549972e01b7b34d704be41
Author: David Benjamin <davidben@google.com>
Date: Mon Apr 11 17:26:50 2016 -0400
No-op change to test bugdroid.
Making sure the BUG= line works correctly.
BUG=41
Change-Id: Icedf5f1ec8211696c74d9e9f9d322483c43444fc
commit 14420e91e0d6b5e2b5d2c39b2315151ae5837fb1
Author: David Benjamin <davidben@google.com>
Date: Mon Apr 11 13:25:37 2016 -0400
Remove EVP_aead_chacha20_poly1305_rfc7539 alias.
This slipped through, but all the callers are now using
EVP_aead_chacha20_poly1305, so we can remove this version.
Change-Id: I76eb3a4481aae4d18487ca96ebe3776e60d6abe8
Reviewed-on: https://boringssl-review.googlesource.com/7650
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit a13ad73cee6e7c490e91daba6971e45ea42ac8dd
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Apr 8 17:23:10 2016 -0700
Use UINT64_C instead of unsigned long long integer constant.
Change-Id: Id181957956ccaacc6c29b641a1f1144886d442c0
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7630
Reviewed-by: David Benjamin <davidben@google.com>
commit dcb3383463fa2c70bbafefff53004f6896dbc504
Author: Gabriel Redner <gredner@google.com>
Date: Wed Apr 6 15:47:28 2016 -0400
Modify 'bssl client' to print the cert subject and issuer
This is the one piece of functionality I miss from the openssl tool -
the ability to see some basic information about the server cert.
Sample output:
==========
$ bssl client -connect www.google.com
Connecting to [2607:f8b0:4006:80d::1010]:443
Connected.
Version: TLSv1.2
Resumed session: no
Cipher: ECDHE-RSA-AES128-GCM-SHA256
ECDHE curve: P-256
Secure renegotiation: yes
Next protocol negotiated:
ALPN protocol:
Cert subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
Cert issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
==========
Change-Id: I758682784752a616628138e420f52586d5a1bb31
Reviewed-on: https://boringssl-review.googlesource.com/7620
Reviewed-by: David Benjamin <davidben@google.com>
commit d44a9431112d37430b3a686bbf4fb6211be69848
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 31 18:15:27 2016 -0400
Fix docs typo.
Change-Id: Idb786ee2ca6354dcf2f665e9229aef4a43e05dd4
Reviewed-on: https://boringssl-review.googlesource.com/7614
Reviewed-by: David Benjamin <davidben@google.com>
commit 046b27815ec4804695f8eed093d4fe5b4589aabc
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 18:07:16 2016 -0400
Decouple crypto/evp from the OID table.
BUG=chromium:499653
Change-Id: I4e8d4af3129dbf61d4a8846ec9db685e83999d5e
Reviewed-on: https://boringssl-review.googlesource.com/7565
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 0d76c402b81507e13ac628ee04990b1c5ce892e8
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 18:07:15 2016 -0400
Decouple crypto/ec from the OID table.
Instead, embed the (very short) encoding of the OID into built_in_curve.
BUG=chromium:499653
Change-Id: I0db36f83c71fbd3321831f54fa5022f8304b30cd
Reviewed-on: https://boringssl-review.googlesource.com/7564
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 981936791eb76c52daedb18310fced187252ed30
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 18:07:11 2016 -0400
Remove some easy obj.h dependencies.
A lot of consumers of obj.h only want the NID values. Others didn't need
it at all. This also removes some OBJ_nid2sn and OBJ_nid2ln calls in EVP
error paths which aren't worth pulling a large table in for.
BUG=chromium:499653
Change-Id: Id6dff578f993012e35b740a13b8e4f9c2edc0744
Reviewed-on: https://boringssl-review.googlesource.com/7563
Reviewed-by: David Benjamin <davidben@google.com>
commit 5d38f78e2987be876e3023808b4eed57c84ce23c
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 18:07:08 2016 -0400
Rename obj_mac.h to nid.h and make it a multiply-includable header.
obj_mac.h is missing #include guards, so one cannot use NIDs without
pulling in the OBJ_* functions which depend on the giant OID table. Give
it #include guards, tidy up the style slightly, and also rename it to
nid.h which is a much more reasonable name.
obj_mac.h is kept as a forwarding header as, despite it being a little
screwy, some code #includes it anyway.
BUG=chromium:499653
Change-Id: Iec0b3f186c02e208ff1f7437bf27ee3a5ad004b7
Reviewed-on: https://boringssl-review.googlesource.com/7562
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 66ec5c90667a32030d64af6d3da426924fbc732a
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 30 14:26:46 2016 -0400
Also re-serialize X509 objects in fuzz/cert.cc.
This is a fairly common operation on an X509.
Change-Id: I1820f20b555f75c98ab7e3283b5530bc1c200e2a
Reviewed-on: https://boringssl-review.googlesource.com/7611
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 20568e7a4f028782fb76df5407ca9ceaf16de59e
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 30 14:23:31 2016 -0400
Remove inaccurate comments in fuzz/{client,server}.cc.
They now fuzz a lot more than just the initial flow.
Change-Id: Ib0b7eb66969442e539a937d7d87f5ba031fcbef3
Reviewed-on: https://boringssl-review.googlesource.com/7610
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9e5eb63d011cbc6730b4fbc05c4dd3ae6021e97f
Author: David Benjamin <davidben@google.com>
Date: Sat Mar 26 00:58:38 2016 -0400
Document that CRYPTO_library_init may be called concurrently.
This was fixed in 93a5b442964d9770b5faa0fb381a8c4f43e65abe, but it wasn't
documented. Now that there are no pre-init functions to call like
CRYPTO_set_neon_capable, one instance of BoringSSL may be safely shared between
multiple consumers. As part of that, multiple consumers need to be able to call
CRYPTO_library_init possibly redundantly and possibly on different threads
without synchronization.
(Though there is still that static initializer nuisance. It would be nice to
replace this with internal CRYPTO_once_t's and then CRYPTO_library_init need
only be called to prime armcap for a sandbox. But one thing at a time.)
Change-Id: I48430182d3649c8cf19082e34da24dee48e6119e
Reviewed-on: https://boringssl-review.googlesource.com/7571
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit d879e299366895d7d80d83cfbbe05bc6a09e2a27
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 22 17:30:42 2016 -1000
Further optimize Montgomery math in RSA blinding.
Change-Id: I830c6115ce2515a7b9d1dcb153c4cd8928fb978f
Reviewed-on: https://boringssl-review.googlesource.com/7591
Reviewed-by: David Benjamin <davidben@google.com>
commit bfefc27c2bb4af62e09569e36b018d60da98a680
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 29 19:00:33 2016 -0400
Avoid doing arithmetic on void pointers.
Whatever compiler settings AOSP is using warns that this is a GNU extension.
Change-Id: Ife395d2b206b607b14c713cbb5a94d479816dad0
Reviewed-on: https://boringssl-review.googlesource.com/7604
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 4b7b048417d8ff92c993da9dbb3d9df20455fc1d
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 30 00:42:17 2016 -0400
Spell __attribute__((format(printf, ...))) with more underscores.
They may be spelled with or without underscores. Alas, a lot of C code (adb,
cURL) seems to find it a popular pastime to #define printf *before* including
external headers. This is complete nonsense and invalid, but working around
it is easy and is what we (and OpenSSL) were doing before
061332f21643a910941c32cbfc40e577c380e342.
I'll be sending a patch to cURL tomorrow to make them at least do their macro
trickery after external #includes for sanity. adb's sysdeps.h is a lot longer
and consistently #included first so I'll probably leave that be for lack of
time.
Change-Id: I03a0a253f2c902eb45f45faace1e5c5df4335ebf
Reviewed-on: https://boringssl-review.googlesource.com/7605
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit aa0bea7bc1927b737f46c41ceb1f1508c9a3ff11
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 13:27:30 2016 -0400
Add additional poly1305 tests.
Thanks to Hanno Boeck for reporting them in
https://rt.openssl.org/Ticket/Display.html?id=4483
Change-Id: Ic902c0ceea32c76cad924a1ffc462d39ae6ca3de
Reviewed-on: https://boringssl-review.googlesource.com/7603
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 3c4a5cbb71453c5d61314a3f76a5ca6f123dbf94
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 29 17:43:31 2016 -0400
Revert "Enable upstream's Poly1305 code."
This reverts commit 6f0c4db90e47437ed87a2d385c7797e692a2cf65 except for the
imported assembly files, which are left as-is but unused. Until upstream fixes
https://rt.openssl.org/Ticket/Display.html?id=4483, we shouldn't ship this
code. Once that bug has been fixed, we'll restore it.
Change-Id: I74aea18ce31a4b79657d04f8589c18d6b17f1578
Reviewed-on: https://boringssl-review.googlesource.com/7602
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit f08c1c68957024ced93d35d757daeb373de8f073
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 13:24:46 2016 -1000
Drop support for custom |mod_exp| hooks in |RSA_METHOD|.
The documentation in |RSA_METHOD| says that the |ctx| parameter to
|mod_exp| can be NULL, however the default implementation doesn't
handle that case. That wouldn't matter since internally it is always
called with a non-NULL |ctx| and it is static, but an external
application could get a pointer to |mod_exp| by extracting it from
the default |RSA_METHOD|. That's unlikely, but making that impossible
reduces the chances that future refactorings will cause unexpected
trouble.
Change-Id: Ie0e35e9f107551a16b49c1eb91d0d3386604e594
Reviewed-on: https://boringssl-review.googlesource.com/7580
Reviewed-by: David Benjamin <davidben@google.com>
commit 3426d1011946b26ff1bb2fd98a081ba4753c9cc8
Author: Brian Smith <brian@briansmith.org>
Date: Thu Mar 17 16:10:04 2016 -1000
Convert RSA blinding to use Montgomery multiplication.
|BN_mod_mul_montgomery| has better constant-time behavior (usually)
than |BN_mod_mul| and |BN_mod_sqr| and on platforms where we have
assembly language optimizations (when |OPENSSL_BN_ASM_MONT| is set in
crypto/bn/montgomery.c) it is faster. While doing so, reorder and
rename the |BN_MONT_CTX| parameters of the blinding functions to match
the order normally used in Montgomery math functions.
As a bonus, remove a redundant copy of the RSA public modulus from the
|BN_BLINDING| structure, which reduces memory usage.
Change-Id: I70597e40246429c7964947a1dc46d0d81c7530ef
Reviewed-on: https://boringssl-review.googlesource.com/7524
Reviewed-by: David Benjamin <davidben@google.com>
commit feaa57d13daa0b5bf3c068ce18d24870d50bfae9
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 29 14:17:27 2016 -0400
Only call thread-local destructors on DLL_THREAD_DETACH.
In VS2015's debug runtime, the C runtime has been unloaded by the time
DLL_PROCESS_DETACH is called and things crash. Instead, don't run destructors
at that point.
This means we do *not* free memory associated with any remaining thread-locals
on application shutdown, only shutdown of individual threads. This is actually
desirable since it's consistent with pthreads. If an individual thread calls
pthread_exit, destructors are run. If the entire process exits, they are not.
(It's also consistent with thread_none.c which never bothers to free
anything.)
BUG=chromium:595795
Change-Id: I3e64d46ea03158fefff583c1e3e12dfa0c0e172d
Reviewed-on: https://boringssl-review.googlesource.com/7601
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 1e4ae00ac2beb893aa59b9a98eb70908332904ba
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 18:56:10 2016 -0400
Add a comment about final empty extension intolerance.
We reordered extensions some time ago to ensure a non-empty extension was last,
but the comment was since lost (or I forgot to put one in in the first place).
Add one now so we don't regress.
Change-Id: I2f6e2c3777912eb2c522a54bbbee579ee37ee58a
Reviewed-on: https://boringssl-review.googlesource.com/7570
Reviewed-by: David Benjamin <davidben@google.com>
commit 44477c03b96d2ca8f25111ef25e71e6405ee4f22
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 18:12:13 2016 -1000
Fix |BN_CTX_get| error checking in |BN_from_montgomery|.
In the case |BN_CTX_get| failed, the function returned without calling
|BN_CTX_end|. Fix that.
Change-Id: Ia24cba3256e2cec106b539324e9679d690048780
Reviewed-on: https://boringssl-review.googlesource.com/7592
Reviewed-by: David Benjamin <davidben@google.com>
commit 9d354693ff3365f2fb0a7848dc19c6a06db0cb4f
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 23:09:26 2016 -1000
Small tweak to P-256-x86-64 inversion.
Change-Id: I2a55db93e6140a0adc741b4ee5ee090d524605e0
Reviewed-on: https://boringssl-review.googlesource.com/7593
Reviewed-by: David Benjamin <davidben@google.com>
commit 040ff622dcf2e7cea2bc1f8d16f6e7a22500f758
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 28 13:54:48 2016 -0400
Remove duplicate BN_from_montgomery_word implementation.
It looks like we started reformatting that function and adding curly braces,
etc., but forgot to finish it. This is corroborated by the diff. Although git
thinks I removed the EAY-style one and tweaked the #if-0'd one, I actually
clang-formatted the EAY-style one anew and deleted the #if-0'd one after
tweaking the style to match. Only difference is the alignment stuff is
uintptr_t rather than intptr_t since the old logic was using unsigned
arithmetic.
Change-Id: Ia244e4082a6b6aed3ef587d392d171382c32db33
Reviewed-on: https://boringssl-review.googlesource.com/7574
Reviewed-by: David Benjamin <davidben@google.com>
commit 95cc3bea3b4817698ab0f62a29c906e7c85b8796
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 11 13:19:14 2016 -1000
Remove dead code from |ec_GFp_mont_point_get_affine_coordinates|.
This code is only used in ec_montgomery.c, so |field_encode| and
|field_decode| are never NULL.
Change-Id: I42a3ad5744d4ed6f0be1707494411e7efcf930ff
Reviewed-on: https://boringssl-review.googlesource.com/7585
Reviewed-by: David Benjamin <davidben@google.com>
commit a00f8454341f9d089da96e8cd3960d926e8c6599
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 11 13:12:11 2016 -1000
Move & rename |ec_GFp_simple_point_get_affine_coordinates|.
It is only used in ec_montgomery.c, so move it there.
Change-Id: Ib189d5579d6363bdc1da89b775ad3df824129758
Reviewed-on: https://boringssl-review.googlesource.com/7584
Reviewed-by: David Benjamin <davidben@google.com>
commit b7c5e84847f6b92aee8d5825cd46d316db318a00
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 28 09:59:10 2016 -0400
Fix some malloc test failures.
These only affect the tests.
Change-Id: If22d047dc98023501c771787b485276ece92d4a2
Reviewed-on: https://boringssl-review.googlesource.com/7573
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit e29ea166a6ec44bbfce81d1c93f064b9aca0f443
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 23 16:10:44 2016 -0400
Use ssl3_is_version_enabled to skip offering sessions.
We do an ad-hoc upper-bound check, but if the version is too low, we also
shouldn't offer the session. This isn't fatal to the connection and doesn't
have issues (we'll check the version later regardless), but offering a session
we're never going to accept is pointless. The check should match what we do in
ServerHello.
Credit to Matt Caswell for noticing the equivalent issue in an OpenSSL pull
request.
Change-Id: I17a4efd37afa63b34fca53f4c9b7ac3ae2fa3336
Reviewed-on: https://boringssl-review.googlesource.com/7543
Reviewed-by: David Benjamin <davidben@google.com>
commit 762e1d039c1d85e4651700eed82801878a9a86bc
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 24 20:40:22 2016 -0400
Import chacha-x86.pl fix.
Patch from https://mta.openssl.org/pipermail/openssl-dev/2016-March/005625.html.
Upstream has yet to make a decision on aliasing requirements for their
assembly. If they choose to go with the stricter aliasing requirement rather
than land this patch, we'll probably want to tweak EVP_AEAD's API guarantees
accordingly and then undiverge.
In the meantime, import this to avoid a regression on x86 from when we had
compiler-vectorized code on GCC platforms. Per our assembly coverage tools and
pending multi-CPU-variant tests, we have good coverage here. Unlike Poly1305
(which is currently waiting on yet another upstream bugfix), where there is
risk of missed carries everywhere, it is much more difficult to accidentally
make a ChaCha20 implementation that fails based on the data passed into it.
This restores a sizeable speed improvement on x86.
Before:
Did 1131000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000205us (1130768.2 ops/sec): 18.1 MB/s
Did 161000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1006136us (160018.1 ops/sec): 216.0 MB/s
Did 28000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1023264us (27363.4 ops/sec): 224.2 MB/s
Did 1166000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000447us (1165479.0 ops/sec): 18.6 MB/s
Did 160000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1004818us (159232.8 ops/sec): 215.0 MB/s
Did 30000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1016977us (29499.2 ops/sec): 241.7 MB/s
After:
Did 2208000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000031us (2207931.6 ops/sec): 35.3 MB/s
Did 402000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1001717us (401310.9 ops/sec): 541.8 MB/s
Did 97000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1005394us (96479.6 ops/sec): 790.4 MB/s
Did 2444000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000089us (2443782.5 ops/sec): 39.1 MB/s
Did 459000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1000563us (458741.7 ops/sec): 619.3 MB/s
Did 97000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1007942us (96235.7 ops/sec): 788.4 MB/s
Change-Id: I976da606dae062a776e0cc01229ec03a074035d1
Reviewed-on: https://boringssl-review.googlesource.com/7561
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 17d729e61b9193c16f45c344d96b8c3537a5aada
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 18:07:18 2016 -0400
Remove unnecessary include.
Change-Id: I24d0179ca5019e82ca1494c8773f373f8c09ce82
Reviewed-on: https://boringssl-review.googlesource.com/7566
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 2aca226412fd3b5f1bd0bb3daddfe6c89f0d05f0
Author: David Benjamin <davidben@google.com>
Date: Sun Mar 27 10:34:01 2016 -0400
Fix typo in comment.
Change-Id: I0effe99d244c4ccdbb0e34db6e01a59c9463cb15
Reviewed-on: https://boringssl-review.googlesource.com/7572
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit baca950e8e1de1399849d54a827b89fc24c1da14
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 01:29:44 2016 -0500
Remove in_handshake.
This removes the last of OpenSSL's variables that count occurrences of a
function on the stack.
Change-Id: I1722c6d47bedb47b1613c4a5da01375b5c4cc220
Reviewed-on: https://boringssl-review.googlesource.com/7450
Reviewed-by: David Benjamin <davidben@google.com>
commit c79845c2a8c52c31ccf6ba2fa2a48f1814568fff
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 01:28:00 2016 -0500
Move implicit handshake driving out of read_bytes.
This removes the final use of in_handshake. Note that there is still a
reentrant call of read_bytes -> handshake_func when we see a
HelloRequest. That will need to be signaled up to ssl_read_impl
separately out of read_app_data.
Change-Id: I823de243f75e6b73eb40c6cf44157b4fc21eb8fb
Reviewed-on: https://boringssl-review.googlesource.com/7439
Reviewed-by: David Benjamin <davidben@google.com>
commit b2a73188584b6555656c539137052420257c054f
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 01:25:26 2016 -0500
Switch some 0s to NULLs.
Change-Id: Id89c982f8f524720f189b528c987c9e58ca06ddf
Reviewed-on: https://boringssl-review.googlesource.com/7438
Reviewed-by: David Benjamin <davidben@google.com>
commit d7ac1438140d3bb05376d57b0b5d73e53fa11cdc
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 00:41:25 2016 -0500
Lift the handshake driving in write_bytes up to SSL_write.
This removes one use of in_handshake and consolidates some DTLS and TLS
code.
Change-Id: Ibbdd38360a983dabfb7b18c7bd59cb5e316b2adb
Reviewed-on: https://boringssl-review.googlesource.com/7435
Reviewed-by: David Benjamin <davidben@google.com>
commit 282511d7eb7ef506c68d21be483f888cac913bb9
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 00:23:55 2016 -0500
Consolidate shutdown state.
fatal_alert isn't read at all right now, and warn_alert is only checked
for close_notify. We only need three states:
- Not shutdown.
- Got a fatal alert (don't care which).
- Got a warning close_notify.
Leave ssl->shutdown alone for now as it's tied up with SSL_set_shutdown
and friends. To distinguish the remaining two, we only need a boolean.
Change-Id: I5877723af82b76965c75cefd67ec1f981242281b
Reviewed-on: https://boringssl-review.googlesource.com/7434
Reviewed-by: David Benjamin <davidben@google.com>
commit a2d4c0c426caf2b212dea39d7bc05868d780eb34
Author: David Benjamin <davidben@google.com>
Date: Sun Mar 20 17:53:34 2016 -0400
Work around Android devices without AT_HWCAP2.
Some ARMv8 Android devices don't have AT_HWCAP2. This means, when running in
32-bit mode (ARM capability APIs on Linux are different between AArch32 and
AArch64), we can't discover the various nice instructions.
On a Nexus 6P, this gives a, uh, minor performance win when running in 32-bit
mode.
Before:
Did 1085000 AES-128-GCM (16 bytes) seal operations in 1000003us (1084996.7 ops/sec): 17.4 MB/s
Did 60000 AES-128-GCM (1350 bytes) seal operations in 1013416us (59205.7 ops/sec): 79.9 MB/s
Did 11000 AES-128-GCM (8192 bytes) seal operations in 1019778us (10786.7 ops/sec): 88.4 MB/s
Did 1009000 AES-256-GCM (16 bytes) seal operations in 1000650us (1008344.6 ops/sec): 16.1 MB/s
Did 49000 AES-256-GCM (1350 bytes) seal operations in 1015698us (48242.7 ops/sec): 65.1 MB/s
Did 9394 AES-256-GCM (8192 bytes) seal operations in 1071104us (8770.4 ops/sec): 71.8 MB/s
Did 1557000 SHA-1 (16 bytes) operations in 1000317us (1556506.6 ops/sec): 24.9 MB/s
Did 762000 SHA-1 (256 bytes) operations in 1000527us (761598.6 ops/sec): 195.0 MB/s
Did 45000 SHA-1 (8192 bytes) operations in 1013773us (44388.6 ops/sec): 363.6 MB/s
Did 1459000 SHA-256 (16 bytes) operations in 1000271us (1458604.7 ops/sec): 23.3 MB/s
Did 538000 SHA-256 (256 bytes) operations in 1000990us (537467.9 ops/sec): 137.6 MB/s
Did 26000 SHA-256 (8192 bytes) operations in 1008403us (25783.3 ops/sec): 211.2 MB/s
After:
Did 1890000 AES-128-GCM (16 bytes) seal operations in 1000068us (1889871.5 ops/sec): 30.2 MB/s
Did 509000 AES-128-GCM (1350 bytes) seal operations in 1000112us (508943.0 ops/sec): 687.1 MB/s
Did 110000 AES-128-GCM (8192 bytes) seal operations in 1007966us (109130.7 ops/sec): 894.0 MB/s
Did 1960000 AES-256-GCM (16 bytes) seal operations in 1000303us (1959406.3 ops/sec): 31.4 MB/s
Did 460000 AES-256-GCM (1350 bytes) seal operations in 1001873us (459140.0 ops/sec): 619.8 MB/s
Did 97000 AES-256-GCM (8192 bytes) seal operations in 1005337us (96485.1 ops/sec): 790.4 MB/s
Did 1927000 SHA-1 (16 bytes) operations in 1000429us (1926173.7 ops/sec): 30.8 MB/s
Did 1151000 SHA-1 (256 bytes) operations in 1000425us (1150511.0 ops/sec): 294.5 MB/s
Did 87000 SHA-1 (8192 bytes) operations in 1003089us (86732.1 ops/sec): 710.5 MB/s
Did 2357390 SHA-256 (16 bytes) operations in 1000116us (2357116.6 ops/sec): 37.7 MB/s
Did 1410000 SHA-256 (256 bytes) operations in 1000176us (1409751.9 ops/sec): 360.9 MB/s
Did 101000 SHA-256 (8192 bytes) operations in 1007007us (100297.2 ops/sec): 821.6 MB/s
BUG=chromium:596156
Change-Id: Iacc1f8d8a07e991d4615f2e12c5c54923fb31aa2
Reviewed-on: https://boringssl-review.googlesource.com/7507
Reviewed-by: David Benjamin <davidben@google.com>
commit 054e151b16be6ada891ee8fd71915088dda30886
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 1 17:35:47 2016 -0500
Rewrite ARM feature detection.
This removes the thread-unsafe SIGILL-based detection and the
multi-consumer-hostile CRYPTO_set_NEON_capable API. (Changing
OPENSSL_armcap_P after initialization is likely to cause problems.)
The right way to detect ARM features on Linux is getauxval. On aarch64,
we should be able to rely on this, so use it straight. Split this out
into its own file. The #ifdefs in the old cpu-arm.c meant it shared all
but no code with its arm counterpart anyway.
Unfortunately, various versions of Android have different missing APIs, so, on
arm, we need a series of workarounds. Previously, we used a SIGILL fallback
based on OpenSSL's logic, but this is inherently not thread-safe. (SIGILL also
does not tell us if the OS knows how to save and restore NEON state.) Instead,
base the behavior on Android NDK's cpu-features library, what Chromium
currently uses with CRYPTO_set_NEON_capable:
- Android before API level 20 does not provide getauxval. Where missing,
we can read from /proc/self/auxv.
- On some versions of Android, /proc/self/auxv is also not readable, so
use /proc/cpuinfo's Features line.
- Linux only advertises optional features in /proc/cpuinfo. ARMv8 makes NEON
mandatory, so /proc/cpuinfo can't be used without additional effort.
Finally, we must blacklist a particular chip because the NEON unit is broken
(https://crbug.com/341598).
Unfortunately, this means CRYPTO_library_init now depends on /proc being
available, which will require some care with Chromium's sandbox. The
simplest solution is to just call CRYPTO_library_init before entering
the sandbox.
It's worth noting that Chromium's current EnsureOpenSSLInit function already
depends on /proc/cpuinfo to detect the broken CPU, by way of base::CPU.
android_getCpuFeatures also internally depends on it. We were already relying on
both of those being stateful and primed prior to entering the sandbox.
BUG=chromium:589200
Change-Id: Ic5d1c341aab5a614eb129d8aa5ada2809edd6af8
Reviewed-on: https://boringssl-review.googlesource.com/7506
Reviewed-by: David Benjamin <davidben@google.com>
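The detection chain laid out in the two commit messages above (a device that exposes AT_HWCAP but no AT_HWCAP2, and the getauxval -> /proc/self/auxv -> /proc/cpuinfo fallbacks with the ARMv8 NEON caveat), as an added example that is not BoringSSL's own cpu-arm-linux.c. It parses an auxv image and a cpuinfo excerpt instead of reading the live files, so it runs on any host; the function names, the sample data and the "CPU architecture" check are this example's assumptions, while the AT_* and HWCAP* values are the real Linux AArch32 constants.

```c
/* Added illustration, not BoringSSL's cpu-arm-linux.c: the auxv-then-cpuinfo
 * fallback from the commit message, over constructed inputs. The AT_* and
 * HWCAP* constants are the real Linux AArch32 values; samples are made up. */
#include <string.h>

#define AT_NULL   0UL   /* linux/auxvec.h */
#define AT_HWCAP  16UL
#define AT_HWCAP2 26UL
#define HWCAP_NEON   (1UL << 12)  /* asm/hwcap.h, 32-bit ARM */
#define HWCAP2_AES   (1UL << 0)
#define HWCAP2_PMULL (1UL << 1)
#define HWCAP2_SHA1  (1UL << 2)
#define HWCAP2_SHA2  (1UL << 3)

enum { NEON, AES, PMULL, SHA1, SHA2, NCAPS };
struct arm_caps { int has[NCAPS]; };
static const struct { const char *name; unsigned long bit; } kHwcap2Bits[] = {
    {"aes", HWCAP2_AES}, {"pmull", HWCAP2_PMULL}, {"sha1", HWCAP2_SHA1}, {"sha2", HWCAP2_SHA2}};

/* Tiers 1 and 2: getauxval() and /proc/self/auxv both expose (type, value)
 * word pairs terminated by AT_NULL. Returns 1 and sets *out if found. */
static int auxv_lookup(const unsigned long *auxv, size_t n_words,
                       unsigned long type, unsigned long *out) {
  for (size_t i = 0; i + 1 < n_words && auxv[i] != AT_NULL; i += 2) {
    if (auxv[i] == type) { *out = auxv[i + 1]; return 1; }
  }
  return 0;
}

static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\r'; }

/* Text after ':' on the first cpuinfo line starting with |key|, or NULL. */
static const char *cpuinfo_field(const char *cpuinfo, const char *key,
                                 size_t *len_out) {
  size_t klen = strlen(key);
  for (const char *line = cpuinfo; line != NULL && *line != '\0';) {
    const char *eol = strchr(line, '\n');
    size_t len = eol ? (size_t)(eol - line) : strlen(line);
    if (len >= klen && memcmp(line, key, klen) == 0) {
      const char *colon = memchr(line, ':', len);
      if (colon == NULL) return NULL;
      *len_out = (size_t)(line + len - (colon + 1));
      return colon + 1;
    }
    line = eol ? eol + 1 : NULL;
  }
  return NULL;
}

/* Tier 3: whole-word match in the Features line, so "sha1" != "sha12". */
static int cpuinfo_has_feature(const char *cpuinfo, const char *feature) {
  size_t len = 0, flen = strlen(feature);
  const char *p = cpuinfo_field(cpuinfo, "Features", &len);
  if (p == NULL) return 0;
  for (const char *end = p + len; p < end;) {
    while (p < end && is_ws(*p)) p++;
    const char *tok = p;
    while (p < end && !is_ws(*p)) p++;
    if ((size_t)(p - tok) == flen && memcmp(tok, feature, flen) == 0) return 1;
  }
  return 0;
}

/* The ARMv8 caveat: NEON is mandatory there, so Linux does not list it under
 * Features; the "CPU architecture" line has to be consulted instead. */
static int cpuinfo_is_armv8(const char *cpuinfo) {
  size_t len = 0;
  const char *p = cpuinfo_field(cpuinfo, "CPU architecture", &len);
  if (p == NULL) return 0;
  while (len > 0 && is_ws(*p)) { p++; len--; }
  return len > 0 && *p == '8';
}

/* auxv first; cpuinfo only for what auxv cannot answer, e.g. a device that
 * ships AT_HWCAP but no AT_HWCAP2 (the crbug.com/596156 case). */
static struct arm_caps detect_arm_caps(const unsigned long *auxv,
                                       size_t n_words, const char *cpuinfo) {
  struct arm_caps c = {{0}};
  unsigned long hwcap = 0, hwcap2 = 0;
  int have1 = auxv != NULL && auxv_lookup(auxv, n_words, AT_HWCAP, &hwcap);
  int have2 = auxv != NULL && auxv_lookup(auxv, n_words, AT_HWCAP2, &hwcap2);
  if (have1) c.has[NEON] = (hwcap & HWCAP_NEON) != 0;
  else if (cpuinfo != NULL)
    c.has[NEON] = cpuinfo_is_armv8(cpuinfo) || cpuinfo_has_feature(cpuinfo, "neon");
  for (int i = 0; i < 4; i++) {
    if (have2) c.has[AES + i] = (hwcap2 & kHwcap2Bits[i].bit) != 0;
    else if (cpuinfo != NULL)
      c.has[AES + i] = cpuinfo_has_feature(cpuinfo, kHwcap2Bits[i].name);
  }
  return c;
}

/* Constructed samples, not captured from any real device. */
static const unsigned long kAuxvNoHwcap2[] = {AT_HWCAP, HWCAP_NEON, AT_NULL, 0};
static const unsigned long kAuxvFull[] = {AT_HWCAP, HWCAP_NEON, AT_HWCAP2,
                                          HWCAP2_AES | HWCAP2_SHA2, AT_NULL, 0};
static const char kCpuinfoV8[] =
    "processor\t: 0\n"
    "Features\t: half thumb fastmult vfp edsp aes pmull sha1 sha2 crc32\n"
    "CPU architecture: 8\n";

static struct arm_caps sample_no_hwcap2(void) { return detect_arm_caps(kAuxvNoHwcap2, 4, kCpuinfoV8); }
static struct arm_caps sample_cpuinfo_only(void) { return detect_arm_caps(NULL, 0, kCpuinfoV8); }
static struct arm_caps sample_full_auxv(void) { return detect_arm_caps(kAuxvFull, 6, NULL); }
```

In a real consumer the auxv image comes from getauxval or a read of /proc/self/auxv and the text from /proc/cpuinfo, which is exactly why the commit message warns that the lookup has to run before a sandbox closes off /proc; the chip blacklist the message mentions is deliberately not reproduced here.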
commit dc6c1b83819cb3788c60dd669241adc6752a4604
Author: Brian Smith <brian@briansmith.org>
Date: Sun Jan 17 22:21:42 2016 -1000
Fix build when using Visual Studio 2015 Update 1.
Many of the compatibility issues are described at
https://msdn.microsoft.com/en-us/library/mt612856.aspx. The macros
that suppressed warnings on a per-function basis no longer work in
Update 1, so replace them with #pragmas. Update 1 warns when |size_t|
arguments to |printf| are casted, so stop doing that casting.
Unfortunately, this requires an ugly hack to continue working in
MSVC 2013 as MSVC 2013 doesn't support "%zu". Finally, Update 1 has new
warnings, some of which need to be suppressed.
---
Updated by davidben to give up on suppressing warnings in crypto/x509 and
crypto/x509v3 as those directories aren't changed much from upstream. In each
of these cases, upstream opted to just blindly initialize the variable, so do the
same. Also switch C4265 to level 4, per Microsoft's recommendation and work
around a bug in limits.h that happens to get fixed by Google include order
style.
(limits.h is sensitive to whether corecrt.h, pulled in by stddef.h and some
other headers, is included before it. The reason it affected just one file is
we often put the file's header first, which means base.h is pulling in
stddef.h. Relying on this is ugly, but it's no worse than what everything else
is doing and this doesn't seem worth making something as tame as limits.h so
messy to use.)
Change-Id: I02d1f935356899f424d3525d03eca401bfa3e6cd
Reviewed-on: https://boringssl-review.googlesource.com/7480
Reviewed-by: David Benjamin <davidben@google.com>
commit db50299b247bb7eab4df8c8fdd82fc727e8f67c8
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 25 16:18:19 2016 -0400
Add tests for RSA objects with only n and d.
Conscrypt, thanks to Java's RSAPrivateKeySpec API, must be able to use RSA keys
with only modulus and exponent. This is kind of silly and breaks the blinding
code so they, both in OpenSSL and BoringSSL, had to explicitly turn blinding
off.
Add a test for this as we're otherwise sure to break it on accident.
We may wish to avoid the silly rsa->flags modification, I'm not sure. For now,
keep the requirement in so other consumers do not accidentally rely on this.
(Also add a few missing ERR_clear_error calls. Functions which are expected to
fail should be followed by an ERR_clear_error so later unexpected failures
don't get confused.)
BUG=boringssl:12
Change-Id: I674349821f1f59292b8edd085f21dc37e8bcaa75
Reviewed-on: https://boringssl-review.googlesource.com/7560
Reviewed-by: David Benjamin <davidben@google.com>
commit cbf56a5683ddda831ff91c46ea48d1fba545db66
Author: Brian Smith <brian@briansmith.org>
Date: Mon Mar 21 11:25:39 2016 -1000
Clarify lifecycle of |BN_BLINDING|.
In |bn_blinding_update| the condition |b->e != NULL| would never be
true (probably), but the test made reasoning about the correctness of
the code confusing. That confusion was amplified by the circuitous and
unusual way in which |BN_BLINDING|s are constructed. Clarify all this
by simplifying the construction of |BN_BLINDING|s, making it more like
the construction of other structures.
Also, make counter unsigned as it is no longer ever negative.
Change-Id: I6161dcfeae19a80c780ccc6762314079fca1088b
Reviewed-on: https://boringssl-review.googlesource.com/7530
Reviewed-by: David Benjamin <davidben@google.com>
commit 24493a4ff4909616b6d95ad1e968ff485af0d4c4
Author: Brian Smith <brian@briansmith.org>
Date: Fri Mar 25 09:12:48 2016 -1000
Always cache Montgomery contexts in RSA.
Simplify the code by always caching Montgomery contexts in the RSA
structure, regardless of the |RSA_FLAG_CACHE_PUBLIC| and
|RSA_FLAG_CACHE_PRIVATE| flags. Deprecate those flags.
Now that we do this no more than once per key per RSA exponent, the
private key exponents better because the initialization of the
Montgomery contexts isn't perfectly side-channel protected.
Change-Id: I4fbcfec0f2f628930bfeb811285b0ae3d103ac5e
Reviewed-on: https://boringssl-review.googlesource.com/7521
Reviewed-by: David Benjamin <davidben@google.com>
commit 4339552fbb2257156ce5c5bf49da2614d7c5a9a9
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 17 16:10:58 2016 -0400
Flip the arguments to ExpectBytesEqual in poly1305_test.
The function wants the expected value first.
Change-Id: I6d3e21ebfa55d6dd99a34fe8380913641b4f5ff6
Reviewed-on: https://boringssl-review.googlesource.com/7501
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 270f0a77617ef2a00eb3e3a50a00f2fe58827e38
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 17 14:41:36 2016 -0400
Print an error if no tests match in runner.
Otherwise it's confusing if you mistype the test name.
Change-Id: Idf32081958f85f3b5aeb8993a07f6975c27644f8
Reviewed-on: https://boringssl-review.googlesource.com/7500
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 4c34026d12eb92406d07ef15f9a151f3913098e9
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 17 16:27:41 2016 -0400
Fix poly1305-x86.pl.
Imported from patch attached to
https://rt.openssl.org/Ticket/Display.html?id=4439.
But with the extra vs $extra typo fixed.
The root problem appears to be that lazy_reduction tries to use paddd instead
of paddq when they believe the sum will not overflow a u32. In the final call
to lazy_reduction, this is not true. svaldez and I attempted to work through
the bounds, but the bounds derived from the cited paper imply paddd is always
fine. Empirically in a debugger, the bounds are exceeded in the test case.
I requested more comments from upstream on the bug. When upstream lands their
final fix (hopefully with comments), I will update this code. In the meantime,
let's stop carrying known-broken stuff.
(vlazy_reduction is probably something similar, but since we don't enable that
code, we haven't bothered analyzing it.)
Also add the smaller of the two test cases that catch the bug. (The other uses
an update pattern which isn't quite what poly1305_test does.)
Change-Id: I446ed47c21f10b41a0745de96ab119a3f6fd7801
Reviewed-on: https://boringssl-review.googlesource.com/7544
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit fdb88ba2e9ae9e4ebc8c2053ae53160e048efa57
Author: Piotr Sikora <piotrsikora@google.com>
Date: Wed Mar 23 18:34:10 2016 -0700
Fix build with -Wwrite-strings.
Change-Id: If76154c8d255600e925a408acdc674fc7dad0359
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7526
Reviewed-by: David Benjamin <davidben@google.com>
commit 897be6afe34d1c5839e5bba8f2c67d56485d6a5d
Author: Matt Mueller <mattm@google.com>
Date: Wed Mar 23 12:06:12 2016 -0700
Add CBS_ASN1_UTF8STRING define.
Change-Id: I34384feb46c15c4f443f506d724ad500a4cf0f36
Reviewed-on: https://boringssl-review.googlesource.com/7525
Reviewed-by: David Benjamin <davidben@google.com>
commit 0a0f83d308f30f71af115960af7dda064ad734a4
Author: Steven Valdez <svaldez@google.com>
Date: Tue Mar 22 17:32:45 2016 -0400
Fixing assembly coverage
We failed to correctly parse files that executed from the very start of
the file due to a missing '- line XXX'. We now use the 'Ir' indicator to
recognize the beginning of a file.
Change-Id: I529fae9458ac634bf7bf8af61ef18f080e808535
Reviewed-on: https://boringssl-review.googlesource.com/7542
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit afd6d9d61aa27cdba0506f9525e32823e543ba6e
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 15 13:32:46 2016 -1000
Use |size_t| and |int| consistently in p{224,256}-64.c.
Use |size_t| for array indexes. Use |int| for boolean flags. Declare
the variables that had their types changed closer to where they are
used.
Previously, some `for` loops depended on `i` being signed, so their
structure had to be changed to work with the unsigned type.
Change-Id: I247e4f04468419466733b6818d81d28666da0ad3
Reviewed-on: https://boringssl-review.googlesource.com/7468
Reviewed-by: David Benjamin <davidben@google.com>
commit 9539ebbf7042f8eaf8c6ddac25ad01aa4017634e
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 21 18:24:53 2016 -0400
Update FUZZING documentation about max_len.
Maintain the max_len values in foo.options files which ClusterFuzz can process.
Also recompute the recommended client and server lengths as they've since
gotten much more extensive.
Change-Id: Ie87a80d8a4a0c41e215f0537c8ccf82b38c4de09
Reviewed-on: https://boringssl-review.googlesource.com/7509
Reviewed-by: Mike Aizatsky <aizatsky@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
commit 78f8aabe44da43d03ecf82d8d81f4251cd4bfe4a
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 16:33:58 2016 -0500
ssl->ctx cannot be NULL.
Most code already dereferences it directly.
Change-Id: I227fa91ecbf25a19077f7cfba21b0abd2bc2bd1d
Reviewed-on: https://boringssl-review.googlesource.com/7422
Reviewed-by: David Benjamin <davidben@google.com>
commit c087c332f89b86b7fc6768e461c97a5ef24b1670
Author: Steven Valdez <svaldez@google.com>
Date: Tue Mar 22 11:14:22 2016 -0400
Fix potential double free in EVP_DigestInit_ex
There is a potential double free in EVP_DigestInit_ex. This is believed
to be reached only as a result of programmer error - but we should fix it
anyway.
(Imported from upstream's e78dc7e279ed98e1ab9845a70d14dafdfdc88f58)
Change-Id: I1da7be7db7afcbe9f30f168df000d64ed73d7edd
Reviewed-on: https://boringssl-review.googlesource.com/7541
Reviewed-by: David Benjamin <davidben@google.com>
commit be1224882962b63b716ef717377db75f0a805de5
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 21 18:32:16 2016 -0400
Fix aarch64 build.
We recently gained -Werror=missing-prototypes. (See also, we really need to get
those Android bots...)
Change-Id: I3962d3050bccf5f5a057d029b5cbff1695ca1a03
Reviewed-on: https://boringssl-review.googlesource.com/7540
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 95b97693403d5c8f09b2870ad9a6d7d198246da4
Author: Brian Smith <brian@briansmith.org>
Date: Sun Mar 20 00:33:11 2016 -1000
Fix error handling in |bn_blinding_update|.
The fields of the |bn_blinding_st| are not updated atomically.
Consequently, one field (|A| or |Ai|) might get updated while the
other field (|Ai| or |A|) doesn't get updated, if an error occurs in
the middle of updating. Deal with this by resetting the counter so that
|A| and |Ai| will both get recreated the next time the blinding is
used.
Fix a separate but related issue by resetting the counter to zero after
calling |bn_blinding_create_param| only if |bn_blinding_create_param|
succeeded. Previously, regardless of whether an error occurred in
|bn_blinding_create_param|, |b->counter| would get reset to zero. The
consequence of this was that potentially-bad blinding values would get
used 32 times instead of (32 - |b->counter|) times.
Change-Id: I236cdb6120870ef06cba129ed86619f593cbcf3d
Reviewed-on: https://boringssl-review.googlesource.com/7520
Reviewed-by: David Benjamin <davidben@google.com>
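Two of the commits above (the test for RSA objects with only n and d, and this fix to the error handling in bn_blinding_update) concern the same piece of state, the RSA blinding pair (A, Ai). The following added example, not BoringSSL's crypto/bn or crypto/rsa code, models both over a toy 12-bit RSA key: blinding needs e to form A = r^e mod n, so a key holding only n and d cannot blind; and a failure between updating A and Ai must prime the counter so that both are regenerated on the next use instead of a half-updated pair being used. All names (toy_rsa, blinding_update, fail_next_update, BLINDING_COUNTER), the key and the LCG-drawn r are this example's assumptions; the reuse limit of 32 is the figure the commit message quotes.

```c
/* Added illustration, not BoringSSL's crypto/bn or crypto/rsa code: RSA blinding
 * over a toy modulus, showing why a key holding only n and d cannot blind and
 * how a failure between updating A and Ai is recovered. Names, the key and the
 * LCG-drawn r are made up; the LCG is a deterministic stand-in, not a CSPRNG. */
#include <stdint.h>
#define BLINDING_COUNTER 32  /* reuse limit, as OpenSSL's BN_BLINDING_COUNTER */

struct toy_rsa { uint64_t n, e, d; };  /* e == 0 models "only n and d known" */
struct blinding {
  uint64_t A, Ai;        /* A = r^e mod n, Ai = r^-1 mod n */
  unsigned counter;
  int fail_next_update;  /* test hook: fail between the A and Ai updates */
};

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return a * b % n; }
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t n) {
  uint64_t r = 1 % n;
  for (b %= n; e != 0; e >>= 1, b = mulmod(b, b, n)) if (e & 1) r = mulmod(r, b, n);
  return r;
}
static uint64_t invmod(uint64_t a, uint64_t n) {  /* extended Euclid; 0 if none */
  int64_t t = 0, nt = 1, r = (int64_t)n, nr = (int64_t)(a % n), q, tmp;
  while (nr != 0) {
    q = r / nr;
    tmp = nt; nt = t - q * nt; t = tmp;
    tmp = nr; nr = r - q * nr; r = tmp;
  }
  return r == 1 ? (uint64_t)(t < 0 ? t + (int64_t)n : t) : 0;
}
static uint64_t lcg_state = 12345;
static uint64_t lcg_next(void) {
  lcg_state = lcg_state * 6364136223846793005ULL + 1442695040888963407ULL;
  return lcg_state >> 33;
}

/* Fresh (A, Ai), like bn_blinding_create_param. Needs e: with only n and d
 * there is no way to form r^e, which is why such keys must run unblinded. */
static int blinding_create_param(struct blinding *b, const struct toy_rsa *k) {
  if (k->e == 0) return 0;
  for (;;) {
    uint64_t r = lcg_next() % k->n, ri = r > 1 ? invmod(r, k->n) : 0;
    if (ri == 0) continue;
    b->A = powmod(r, k->e, k->n); b->Ai = ri;
    return 1;
  }
}
/* Like the fixed bn_blinding_update: square both values between uses, regenerate
 * every BLINDING_COUNTER uses. On any failure set the counter so the next call
 * regenerates both A and Ai; zero it only after a regeneration that succeeded. */
static int blinding_update(struct blinding *b, const struct toy_rsa *k) {
  if (++b->counter == BLINDING_COUNTER) {
    if (!blinding_create_param(b, k)) goto err;
    b->counter = 0;
  } else {
    b->A = mulmod(b->A, b->A, k->n);
    if (b->fail_next_update) { b->fail_next_update = 0; goto err; }  /* Ai stale */
    b->Ai = mulmod(b->Ai, b->Ai, k->n);
  }
  return 1;
err:
  b->counter = BLINDING_COUNTER - 1;
  return 0;
}
/* A consistent pair satisfies A * Ai^e == r^e * r^-e == 1 (mod n). */
static int blinding_consistent(const struct blinding *b, const struct toy_rsa *k) {
  return mulmod(b->A, powmod(b->Ai, k->e, k->n), k->n) == 1;
}
/* Update first, as BN_BLINDING_convert does, then (m*A)^d * Ai = m^d mod n. */
static int blind_sign(struct blinding *b, const struct toy_rsa *k, uint64_t m,
                      uint64_t *sig) {
  if (!blinding_update(b, k)) return 0;
  *sig = mulmod(powmod(mulmod(m, b->A, k->n), k->d, k->n), b->Ai, k->n);
  return 1;
}

static const struct toy_rsa kKey = {3233, 17, 2753};  /* p = 61, q = 53 */
static const uint64_t kMsg = 65;

static int scenario_round_trip(void) {  /* 1 iff sig^e == m (mod n) */
  struct blinding b = {0, 0, 0, 0}; uint64_t sig;
  return blinding_create_param(&b, &kKey) && blind_sign(&b, &kKey, kMsg, &sig) &&
         powmod(sig, kKey.e, kKey.n) == kMsg;
}
/* The failing call reports an error and primes the counter; the next call must
 * regenerate a consistent pair rather than reuse the half-updated one. */
static int scenario_failed_update_recovers(void) {
  struct blinding b = {0, 0, 0, 1}; uint64_t sig;
  if (!blinding_create_param(&b, &kKey)) return 0;
  if (blind_sign(&b, &kKey, kMsg, &sig) || blinding_consistent(&b, &kKey) ||
      b.counter != BLINDING_COUNTER - 1) return 0;
  return blind_sign(&b, &kKey, kMsg, &sig) && blinding_consistent(&b, &kKey) &&
         b.counter == 0 && powmod(sig, kKey.e, kKey.n) == kMsg;
}
static int scenario_n_d_only_rejected(void) {  /* no e, so no blinding */
  struct toy_rsa nd = {3233, 0, 2753};
  struct blinding b = {0, 0, 0, 0};
  return blinding_create_param(&b, &nd) == 0;
}
```

The consistency check is the invariant a reviewer can reason about: once A has been squared but Ai has not, A * Ai^e is r^e rather than 1, and a signature unblinded with that pair would be wrong, which is why the fix parks the counter at BLINDING_COUNTER - 1 instead of leaving the stale pair in service.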
commit e11988f5116831969af56d1ffeaa8b82ad19ef2e
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 21 15:55:19 2016 -0400
Tweak FUZZING.md and minimise_corpuses.sh.
Change-Id: If312ce3783bcc39ebd2047470251334aa0897d3d
Reviewed-on: https://boringssl-review.googlesource.com/7508
Reviewed-by: David Benjamin <davidben@google.com>
commit fdc955cf14c79fb5399652f3a166e7fc4dec0767
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 15 13:10:11 2016 -1000
Fix parameter type of p256-64.c's |select_point|.
Make it match how it is done in p224-64.c. Note in particular that
|size| may be 17, so presumably |pre_comp[16]| is accessed, which one
would not expect when it was declared |precomp[16][3]|.
Change-Id: I54c1555f9e20ccaacbd4cd75a7154b483b4197b7
Reviewed-on: https://boringssl-review.googlesource.com/7467
Reviewed-by: David Benjamin <davidben@google.com>
commit df1201e6eefc920fd70d693db4bfb5f76f177b95
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 15 15:35:53 2016 -1000
Remove unnecessary |BN_CTX_start|/|BN_CTX_end| in |BN_mod_exp_mont_consttime|.
Since the function doesn't call |BN_CTX_get|, it doesn't need to call
|BN_CTX_start|/|BN_CTX_end|.
Change-Id: I6cb954d3fee2959bdbc81b9b97abc52bb6f7704c
Reviewed-on: https://boringssl-review.googlesource.com/7469
Reviewed-by: David Benjamin <davidben@google.com>
commit 7cf6085b00e194877b88b72d710d1aea6cb03e20
Author: Brian Smith <brian@briansmith.org>
Date: Sat Mar 19 22:39:37 2016 -1000
Check for |BN_CTX_new| failure in |mod_exp|.
As far as I can tell, this is the last place within libcrypto where
this type of check is missing.
Change-Id: I3d09676abab8c9f6c4e87214019a382ec2ba90ee
Reviewed-on: https://boringssl-review.googlesource.com/7519
Reviewed-by: David Benjamin <davidben@google.com>
commit 35673b945dcbf240093f1f0b286e889d31c4d8f9
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Mar 18 18:25:28 2016 -0700
Build with -Wmissing-prototypes -Wmissing-declarations.
Change-Id: Ieba81f114483095f3657e87f669c7562ff75b58c
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7516
Reviewed-by: David Benjamin <davidben@google.com>
commit f932894c7f379a74327afca6bd283d842f2ebee2
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Mar 18 18:24:50 2016 -0700
Move function declarations to internal header.
Partially fixes build with -Wmissing-declarations.
Change-Id: Ia563063fb077cda79244c21f02fd1c0f550353c2
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7515
Reviewed-by: David Benjamin <davidben@google.com>
commit f188f9dce8878bd4ac7f1d792b34a15c1496ff3e
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Mar 18 18:23:50 2016 -0700
Fix typo in function name.
Partially fixes build with -Wmissing-prototypes.
Change-Id: I828bcfb49b23c5a9ea403038bc3fb76750556ef8
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7514
Reviewed-by: David Benjamin <davidben@google.com>
commit cd4cf9a12eceaeb22460c3d45d53fd067508fc39
Author: David Benjamin <davidben@google.com>
Date: Sun Mar 20 12:45:54 2016 -0400
Fix Windows build
Change-Id: I66ecb9f89ec13e432e888e3825d01a015b117568
Reviewed-on: https://boringssl-review.googlesource.com/7505
Reviewed-by: David Benjamin <davidben@google.com>
commit 8b0fe8c0ac629ed7b87755f2aebb4d07b78c24df
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Mar 18 18:22:54 2016 -0700
Add missing prototypes.
Partially fixes build with -Wmissing-prototypes.
Change-Id: If04d8fe7cbf068883485e95bd5ea6cdab6743e46
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7513
Reviewed-by: David Benjamin <davidben@google.com>
commit c6d3029edaeeb6bab86fcba6ab31bdce77e2ec9c
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Mar 18 17:28:36 2016 -0700
Add missing internal includes.
Partially fixes build with -Wmissing-prototypes -Wmissing-declarations.
Change-Id: I51209c30f532899f57cfdd9a50cff0a8ee3da5b5
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7512
Reviewed-by: David Benjamin <davidben@google.com>
commit 9bb8ba6ba1a865bd7e55ccf494d082b1bc027734
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Mar 18 18:19:04 2016 -0700
Make local functions static.
Partially fixes build with -Wmissing-prototypes -Wmissing-declarations.
Change-Id: I6048f5b7ef31560399b25ed9880156bc7d8abac2
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7511
Reviewed-by: David Benjamin <davidben@google.com>
commit 537cfc37b82f91f1006596317ba544e4be1a5c8e
Author: Piotr Sikora <piotrsikora@google.com>
Date: Fri Mar 18 15:53:29 2016 -0700
Use UINT64_C instead of unsigned long long integer constant.
Change-Id: I44aa9be26ad9aea6771cb46a886a721b4bc28fde
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/7510
Reviewed-by: David Benjamin <davidben@google.com>
commit 594e7d2b7703a6c231264edf6b03460b018d2200
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 17 17:49:56 2016 -0400
Add a test that declining ALPN works.
Inspired by https://mta.openssl.org/pipermail/openssl-dev/2016-March/006150.html
Change-Id: I973b3baf054ed1051002f7bb9941cb1deeb36d78
Reviewed-on: https://boringssl-review.googlesource.com/7504
Reviewed-by: David Benjamin <davidben@google.com>
commit f277add6c2de55286f0d13edebf41929e4970d5a
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 9 14:38:24 2016 -0500
Run ripemd_test as part of all_tests.go.
Change-Id: I9c5e66c34d0f1b735c69d033daee5d312e3c2fe7
Reviewed-on: https://boringssl-review.googlesource.com/7410
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 110fcc960757d7aeb7760359800b8f5646dc70ca
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 16 15:43:15 2016 -0400
poly1305/asm/poly1305-x86_64.pl: make it work with linux-x32.
(Imported from upstream's 2460c7f13389d766dd65fa4e14b69b6fbe3e4e3b.)
This is a no-op for us, but avoid a diff with upstream.
Change-Id: I6e875704a38dcd9339371393a4dd523647aeef44
Reviewed-on: https://boringssl-review.googlesource.com/7491
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit eebfd896fe178b4ca78bbd8064944a5b31a27667
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 14 19:23:58 2016 -0400
Don't shift serial number into sign bit
(Imported from upstream's 01c32b5e448f6d42a23ff16bdc6bb0605287fa6f.)
Change-Id: Ib52278dbbac1ed1ad5c80f0ad69e34584d411cec
Reviewed-on: https://boringssl-review.googlesource.com/7461
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 8d5717b019b5540a72dceefd747d02a72d539dda
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 14 19:18:14 2016 -0400
perlasm/x86_64-xlate.pl: handle binary constants early.
Not all assemblers of "gas" flavour handle binary constants, e.g.
seasoned MacOS Xcode doesn't, so give them a hand.
(Imported from upstream's ba26fa14556ba49466d51e4d9e6be32afee9c465.)
Change-Id: I35096dc8035e06d2fbef2363b869128da206ff9d
Reviewed-on: https://boringssl-review.googlesource.com/7459
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 51545ceac659fe30e245c6e992e7fd45b00e8f16
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 16 19:53:34 2016 -0400
Remove a number of unnecessary stdio.h includes.
Change-Id: I6267c9bfb66940d0b6fe5368514210a058ebd3cc
Reviewed-on: https://boringssl-review.googlesource.com/7494
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit b371f1b9ddd8ed519b4ab74b8860aea317e943fa
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 15 18:06:13 2016 -0400
Include time.h in time_support.h.
For time_t and struct tm.
BUG=595118
Change-Id: I6c7f05998887ed2bd3fb56c83ac543894ef27fe6
Reviewed-on: https://boringssl-review.googlesource.com/7462
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: Nico Weber <thakis@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9aa1562843fbe63bc520c513222d0100a2085780
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 15 13:00:49 2016 -1000
Remove unnecessary type casts in crypto/rsa.
Change-Id: I0b5c661674fbcaf6b4d5b0ce7944459cd45606b1
Reviewed-on: https://boringssl-review.googlesource.com/7466
Reviewed-by: David Benjamin <davidben@google.com>
commit 6f7374b0edf3960eeb292b4af2a4003db395e22d
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 11 16:08:39 2016 -0500
Restore EC_GROUP_new_by_curve_name and EC_GROUP_set_generator.
Having a different API for this case than upstream is more trouble than is
worth it. This is sad since the new API avoids incomplete EC_GROUPs at least,
but I don't believe supporting this pair of functions will be significantly
more complex than supporting EC_GROUP_new_arbitrary even when we have static
EC_GROUPs.
For now, keep both sets of APIs around, but we'll be able to remove the scar
tissue once Conscrypt's complex dependencies are resolved.
Make the restored EC_GROUP_set_generator somewhat simpler than before by
removing the ability to call it multiple times and with some parameters set to
NULL. Keep the test.
Change-Id: I64e3f6a742678411904cb15c0ad15d56cdae4a73
Reviewed-on: https://boringssl-review.googlesource.com/7432
Reviewed-by: David Benjamin <davidben@google.com>
commit 5c05648b8d048c33105c96a41c48c855c44291f5
Author: Emily Stark <estark@google.com>
Date: Tue Mar 15 11:40:10 2016 -0700
Tiny documentation fix for EC_POINT_set_affine_coordinates_GFp
Change-Id: Icfd9986272f6e1adba54aa7521c28901fa02dfb7
Reviewed-on: https://boringssl-review.googlesource.com/7470
Reviewed-by: David Benjamin <davidben@google.com>
commit a2f2bc3a4062d755644adf0f6dca79903638a283
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 14 17:13:54 2016 -0400
Align with upstream's error strings, take two.
I messed up a few of these.
ASN1_R_UNSUPPORTED_ALGORITHM doesn't exist. X509_R_UNSUPPORTED_ALGORITHM does
exist as part of X509_PUBKEY_set, but the SPKI parser doesn't emit this. (I
don't mind the legacy code having really weird errors, but since EVP is now
limited to things we like, let's try to keep that clean.) To avoid churn in
Conscrypt, we'll keep defining X509_R_UNSUPPORTED_ALGORITHM, but not actually
do anything with it anymore. Conscrypt was already aware of
EVP_R_UNSUPPORTED_ALGORITHM, so this should be fine. (I don't expect
EVP_R_UNSUPPORTED_ALGORITHM to go away. The SPKI parsers we like live in EVP
now.)
A few other ASN1_R_* values didn't quite match upstream, so make those match
again. Finally, I got some of the rsa_pss.c values wrong. Each of those
corresponds to an (overly specific) RSA_R_* value in upstream. However, those
were gone in BoringSSL since even the initial commit. We placed the RSA <-> EVP
glue in crypto/evp (so crypto/rsa wouldn't depend on crypto/evp) while upstream
placed them in crypto/rsa.
Since no one seemed to notice the loss of RSA_R_INVALID_SALT_LENGTH, let's undo
all the cross-module errors inserted in crypto/rsa. Instead, since that kind of
specificity is not useful, funnel it all into X509_R_INVALID_PSS_PARAMETERS
(formerly EVP_R_INVALID_PSS_PARAMETERS, formerly RSA_R_INVALID_PSS_PARAMETERS).
Reset the error codes for all affected modules.
(That our error code story means error codes are not stable across this kind of
refactoring is kind of a problem. Hopefully this will be the last of it.)
Change-Id: Ibfb3a0ac340bfc777bc7de6980ef3ddf0a8c84bc
Reviewed-on: https://boringssl-review.googlesource.com/7458
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit a5177cb319f5ed5cb28f72bd564b4d6d6d355975
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 11 19:38:17 2016 -0500
Use a less tedious pattern for X509_NAME.
Also fix a long/unsigned-long cast. (ssl_get_message returns long. It really
shouldn't, but ssl_get_message needs much more work than just a long -> size_t
change, so leave it as long for now.)
Change-Id: Ice8741f62a138c0f35ca735eedb541440f57e114
Reviewed-on: https://boringssl-review.googlesource.com/7457
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 6b6e0b20893e2be0e68af605a60ffa2cbb0ffa64
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 11 19:30:29 2016 -0500
Fix a memory leak in ssl3_get_certificate_request.
Found by libFuzzer.
Change-Id: Ifa343a184cc65f71fb6591d290b2d47d24a2be80
Reviewed-on: https://boringssl-review.googlesource.com/7456
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 15c1488b6177b269a311814b63e670df534549e3
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 14 14:25:46 2016 -0400
Clear the error queue on entry to core SSL operations.
OpenSSL historically made some poor API decisions. Rather than returning a
status enum in SSL_read, etc., these functions must be paired with
SSL_get_error which determines the cause of the last error's failure. This
requires SSL_read communicate with SSL_get_error with some stateful flag,
rwstate.
Further, probably as workarounds for bugs elsewhere, SSL_get_error does not
trust rwstate. Among other quirks, if the error queue is non-empty,
SSL_get_error overrides rwstate and returns a value based on that. This
requires that SSL_read, etc., be called with an empty error queue. (Or we hit
one of the spurious ERR_clear_error calls in the handshake state machine,
likely added as further self-workarounds.)
Since requiring callers consistently clear the error queue everywhere is
unreasonable (crbug.com/567501), clear ERR_clear_error *once* at the entry
point. Until/unless[*] we make SSL_get_error sane, this is the most reasonable
way to get to the point that clearing the error queue on error is optional.
With those in place, the calls in the handshake state machine are no longer
needed. (I suspect all the ERR_clear_system_error calls can also go, but I'll
investigate and think about that separately.)
[*] I'm not even sure it's possible anymore, thanks to the possibility of
BIO_write pushing to the error queue.
BUG=567501,593963
Change-Id: I564ace199e5a4a74b2554ad3335e99cd17120741
Reviewed-on: https://boringssl-review.googlesource.com/7455
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit cfa9de85a3f1b5c09fe0087fb94b3b5f7210ba69
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 14 14:19:41 2016 -0400
Revert "Revert "Reduce maximum RSA public exponent size to 33 bits.""
This reverts commit ba70118d8ea7bb0232554bbd70606703bde5bde3. Reverting this
did not resolve the regression and the cause is now known.
BUG=593963
Change-Id: Ic5e24b74e8f16b01d9fdd80f267a07ef026c82cf
Reviewed-on: https://boringssl-review.googlesource.com/7454
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit fb8e67889792e2a5914bcfdc590c250141645a74
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 11 14:39:46 2016 -0500
Match upstream's error codes for the old sigalg code.
People seem to condition on these a lot. Since this code has now been moved
twice, just make them all cross-module errors rather than leave a trail of
renamed error codes in our wake.
Change-Id: Iea18ab3d320f03cf29a64a27acca119768c4115c
Reviewed-on: https://boringssl-review.googlesource.com/7431
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 3f1904bee1f1a119e48b4827579955cc11733e39
Author: Brian Smith <brian@briansmith.org>
Date: Thu Mar 10 17:16:02 2016 -1000
Set |bn->neg| to zero in |bn_set_words|.
If the values of any of the coordinates in the output point |r| were
negative during nistz256 multiplication, then the calls to
|bn_set_word| would result in the wrong coordinates being returned
(the negatives of the correct coordinates would be returned instead).
Fix that.
Change-Id: I6048e62f76dca18f625650d11ef5a051c9e672a4
Reviewed-on: https://boringssl-review.googlesource.com/7442
Reviewed-by: David Benjamin <davidben@google.com>
commit 6603b76f7616fe781ec6dcf3d66c82f29d776697
Author: Brian Smith <brian@briansmith.org>
Date: Thu Mar 10 16:50:25 2016 -1000
Remove reduction in |ec_GFp_simple_set_Jprojective_coordinates_GFp|.
The (internal) constant-time callers of this function already do a
constant-time reduction before calling. And, nobody should be calling
this function with out-of-range coordinates anyway. So, just require
valid coordinates as input.
Further, this function is rarely called, so don't bother with the
optimization to avoid encoding Montgomery encoding of 1 for the Z
coordinate.
Change-Id: I637ffaf4d39135ca17214915b9a8582ea052eea8
Reviewed-on: https://boringssl-review.googlesource.com/7441
Reviewed-by: David Benjamin <davidben@google.com>
commit 8542daa22d2cade301dfada99748d872a1f577af
Author: Brian Smith <brian@briansmith.org>
Date: Thu Mar 10 16:46:15 2016 -1000
Require compressed x EC coordinate to be a field element.
Don't try to fix a bad |x| coordinate by reducing it. Instead, just
fail. This also makes the code clearer; in particular, it was confusing
why |x_| was used for some calculations when it seems like |x| was just
as good or better.
Change-Id: I9a6911f0d2bd72852a26b46f3828eb5ba3ef924f
Reviewed-on: https://boringssl-review.googlesource.com/7440
Reviewed-by: David Benjamin <davidben@google.com>
commit df28c3acf120361f260c8a91b902e089ff213bb8
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 16:11:51 2016 -0500
Tidy up the client Certificate message skipping slightly.
Align all unexpected messages on SSL_R_UNEXPECTED_MESSAGE. Make the SSL 3.0
case the exceptional case. In doing so, make sure the SSL 3.0
SSL_VERIFY_FAIL_IF_NO_PEER_CERT case has its own test as that's a different
handshake shape.
Change-Id: I1a539165093fbdf33e2c1b25142f058aa1a71d83
Reviewed-on: https://boringssl-review.googlesource.com/7421
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 11d50f94d8742010520ecfc315534e9a39f71375
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 15:55:45 2016 -0500
Include colons in expectedError matches.
If we're doing substring matching, we should at least include the delimiter.
Change-Id: I98bee568140d0304bbb6a2788333dbfca044114c
Reviewed-on: https://boringssl-review.googlesource.com/7420
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 454aa4c25e0cc0a0e95781d715038a16be3c190d
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 08:43:27 2016 -0500
Rewrite ssl3_send_client_certificate.
The old logic was quite messy and grew a number of no-ops over the
years. It was also unreasonably fond of the variable name |i|.
The current logic wasn't even correct. It's overly fond of sending no
certificate, even when it pushes errors on the error queue for a fatal
error.
Change-Id: Ie5b2b38dd309f535af1d17fa261da7dc23185866
Reviewed-on: https://boringssl-review.googlesource.com/7418
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 0b7ca7dc0098f329d6348a45e372bd884f92bc97
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 15:44:22 2016 -0500
Add tests for doing client auth with no certificates.
In TLS, you never skip the Certificate message. It may be empty, but its
presence is determined by CertificateRequest. (This is sensible.)
In SSL 3.0, the client omits the Certificate message. This means you need to
probe and may receive either Certificate or ClientKeyExchange (thankfully,
ClientKeyExchange is not optional, or we'd have to probe at ChangeCipherSpec).
We didn't have test coverage for this, despite some of this logic being a
little subtle asynchronously. Fix this.
Change-Id: I149490ae5506f02fa0136cb41f8fea381637bf45
Reviewed-on: https://boringssl-review.googlesource.com/7419
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit f41bb59703b5fed45209a608daac1d523072e4de
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 20:10:38 2016 -0500
Remove unused functions.
We never heap-allocate a GCM128_CONTEXT.
Change-Id: I7e89419ce4d81c1598a4b3a214c44dbbcd709651
Reviewed-on: https://boringssl-review.googlesource.com/7430
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit acb6dccf12f17545c219605d70e12c995018bdcd
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 09:15:01 2016 -0500
Add tests for the old client cert callback.
Also add no-certificate cases to the state machine coverage tests.
Change-Id: I88a80df6f3ea69aabc978dd356abcb9e309e156f
Reviewed-on: https://boringssl-review.googlesource.com/7417
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit a857159dd61204bfe93bd8e2f00448434e8b0b99
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 01:41:55 2016 -0500
Clean up some silly variable names.
Change-Id: I5b38e2938811520f52ece6055245248c80308b4d
Reviewed-on: https://boringssl-review.googlesource.com/7416
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 08791e6756c3fbee0ef1bdc104a74ab212501bb6
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 10 12:41:19 2016 -0500
Appease sanitizers in x25519_ge_scalarmult.
Although exactly one iteration of cmov_cached will always initialize selected,
it ends up messing with uninitialized memory. Initialize |selected| before the
loop.
BUG=593540
Change-Id: I5921843f68c6dd1dc7f752538825bc43ba75df4a
Reviewed-on: https://boringssl-review.googlesource.com/7415
Reviewed-by: Arnar Birgisson <arnarb@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 97c80512afc7ff8d0afcc806ef6dd936cca752a2
Author: Adam Langley <agl@google.com>
Date: Thu Mar 10 09:23:03 2016 -0800
Add |DH_generate_parameters| to decrepit.
This makes building OpenLDAP easier.
Change-Id: Id64699f95477fb8fb98957027c97070ebf41f4b1
Reviewed-on: https://boringssl-review.googlesource.com/7407
Reviewed-by: David Benjamin <davidben@google.com>
commit b8b28a64ff45fd88fd51b7af78452da5b10288f3
Author: Adam Langley <agl@google.com>
Date: Thu Mar 10 09:20:47 2016 -0800
Add CRYPTO_[malloc|free|realloc] as aliases for the OPENSSL_𝑥 names.
This makes building OpenLDAP easier.
Change-Id: Ic1c5bcb2ec35c61c048e780ebc56db033d8382d8
Reviewed-on: https://boringssl-review.googlesource.com/7406
Reviewed-by: David Benjamin <davidben@google.com>
commit 8f307d3805db102a5f2afffed821acff6b30c98e
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 9 18:40:04 2016 -0500
Update cmake-linux64.tar.gz and cmake-mac.tar.gz.
Built from:
92c83ad8a4fd6224cf6319a60b399854f55b38ebe9d297c942408b792b1a9efa cmake-3.5.0.tar.gz
Update instructions in the UPDATING file.
Change-Id: I49d3f5ef353347c446a04797719227e9793e3e0d
Reviewed-on: https://boringssl-review.googlesource.com/7414
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 8169df23ddff0169560583052492715590b5c9df
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 9 18:05:12 2016 -0500
Update Windows tools for the bots.
See 0d5e080ab948da74be68e5f9f6c002fedc99a3ec for the previous version. Include
instructions on where to get the tools used.
807f96230c889b10f2957a47585426af4cdb116a8a77f1caecca83b7d7ab862b cmake-3.5.0-win32-x86.zip
e6bb5c3e4d936bb1067560a58a21260693a0fbe34e55afb0111fe14f7eebc92c strawberry-perl-5.22.1.2-32bit-portable.zip
Change-Id: I504cf779abce26087d09c0c974fb481886c9c459
Reviewed-on: https://boringssl-review.googlesource.com/7413
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 659b24d96108bbb45e6c41caef08ce5bfaa05f20
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 9 17:46:47 2016 -0500
Update versions of tools in util/bot.
Update the easy ones here. Also include instructions on how to do this. The
.sha1 files will be updated separately with instructions.
Change-Id: I2a3aba43b8ffbdf930b8a2602dc1460077f6d0e7
Reviewed-on: https://boringssl-review.googlesource.com/7412
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 23afa689379b1b5a6a7a98327b847d323141930a
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 9 15:11:12 2016 -0500
Fix the shared library build.
libdecrepit wants some symbols visible. Also a build file typo.
Change-Id: I670d2324ab9048f84e7f80afdefc98cbab80335d
Reviewed-on: https://boringssl-review.googlesource.com/7411
Reviewed-by: Adam Langley <agl@google.com>
commit f284a7dab6fe4fcc3b96a520f93cd79ec4cff2fd
Author: Adam Langley <agl@google.com>
Date: Wed Mar 9 12:09:00 2016 -0800
Fix Windows build.
Windows doesn't like returning void values from void functions.
Change-Id: I9fbcb26098a5434ff4e8980f3ed0cd7b2567d658
commit f202d96875d5d66eb8e64a8ed9fd7b0232c7797a
Author: Adam Langley <agl@google.com>
Date: Wed Mar 9 12:04:55 2016 -0800
Fix bug in obj_decrepit.c
Interestingly, Windows caught this with:
..\decrepit\obj\obj_decrepit.c(33) : warning C4090: 'function' : different 'const' qualifiers
However, the value of |name| isn't const, only the thing that it points
to. So this seems like a bug in MSVC, but I'm ok with it this time.
Change-Id: I076f98339cb0b669a4f592fba89aafc0a580efc4
Reviewed-on: https://boringssl-review.googlesource.com/7404
Reviewed-by: David Benjamin <davidben@google.com>
commit ef18746ad4421273d051aa32953fe422d7713563
Author: Brian Smith <brian@briansmith.org>
Date: Fri Feb 5 14:41:39 2016 -1000
Remove unused code for multiple-point ECC multiplication.
The points are only converted to affine form when there are at least
three points being multiplied (in addition to the generator), but there
never is more than one point, so this is all dead code.
Also, I doubt that the comments "...point at infinity (which normally
shouldn't happen)" in the deleted code are accurate. And, the
projective->affine conversions that were removed from p224-64.c and
p256-64.c didn't seem to properly account for the possibility that any of
those points were at infinity.
Change-Id: I611d42d36dcb7515eabf3abf1857e52ff3b45c92
Reviewed-on: https://boringssl-review.googlesource.com/7100
Reviewed-by: David Benjamin <davidben@google.com>
commit a7a226add9a3fb9efc2540d12635683150820f83
Author: Adam Langley <agl@google.com>
Date: Tue Mar 8 15:00:18 2016 -0800
Add |OBJ_NAME_do_all_sorted|.
This is another of those functions that tries to turn C into Python. In
this case, implement it in terms of the similar functions in EVP so that
at least we only have one list of things.
This makes life with nmap easier.
Change-Id: I6d01c43f062748d4ba7d7020587c286322e610bb
Reviewed-on: https://boringssl-review.googlesource.com/7403
Reviewed-by: David Benjamin <davidben@google.com>
commit ff452c1d0e5bf389a112e35dba09a61b424a7d00
Author: Adam Langley <agl@google.com>
Date: Tue Mar 8 14:17:02 2016 -0800
Add RIPEMD160 support in decrepit.
This version is taken from OpenSSL 1.0.2 with tweaks to support the
changes that we have made to md32_common.h. None of the assembly
implementations have been imported.
This makes supporting nmap easier.
Change-Id: Iae9241abdbc9021cc6bc35a65b40c3d739011ccc
Reviewed-on: https://boringssl-review.googlesource.com/7402
Reviewed-by: David Benjamin <davidben@google.com>
commit d279a21d8c7c39e603dd3d7922afa219fbbc713b
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 8 17:09:40 2016 -1000
Avoid potential uninitialized memory read in crypto/ec/p256-x86_64.c.
If the function returns early due to an error, then the coordinates of the
result will have their |top| value set to a value beyond what has actually
been been written. Fix that, and make it easier to avoid such issues in the
future by refactoring the code.
As a bonus, avoid a false positive MSVC 64-bit opt build "potentially
uninitialized value used" warning.
Change-Id: I8c48deb63163a27f739c8797962414f8ca2588cd
Reviewed-on: https://boringssl-review.googlesource.com/6579
Reviewed-by: David Benjamin <davidben@google.com>
commit 081e3f34a2b324edce50b7a5df9b2e283781af7b
Author: Brian Smith <brian@briansmith.org>
Date: Wed Nov 25 14:19:21 2015 -1000
Remove |EC_POINT::Z_is_one|.
Having |Z_is_one| be out of sync with |Z| could potentially be a very
bad thing, and in the past there have been multiple bugs of this sort,
including one currently in p256-x86_64.c (type confusion: Montgomery-
encoded vs unencoded). Avoid the issue entirely by getting rid of
|Z_is_one|.
Change-Id: Icb5aa0342df41d6bc443f15f952734295d0ee4ba
Reviewed-on: https://boringssl-review.googlesource.com/6576
Reviewed-by: David Benjamin <davidben@google.com>
commit bfb38b1a3c5e37d43188bbd02365a87bebc8d122
Author: Adam Langley <agl@google.com>
Date: Tue Mar 8 14:15:35 2016 -0800
Add |RC4_options| to decrepit.
I've no idea who thought that this function was a good idea in the first
place, but including it in decrepit makes supporting nmap easier.
Change-Id: I7433cda6a6ddf1cc545126edf779625e9fc70ada
Reviewed-on: https://boringssl-review.googlesource.com/7401
Reviewed-by: David Benjamin <davidben@google.com>
commit a34a5aacffa98941fed0abe19dc1bb29e9c1c4ef
Author: Adam Langley <agl@google.com>
Date: Tue Mar 8 14:11:48 2016 -0800
Add one-shot |MD4| function.
This could live in decrepit, but it's tiny and having it makes the
interface more uniform than what we have for MD5 so I put it in the main
code. This is to more easily support nmap.
Change-Id: Ia098cc7ef6e00a90d2f3f56ee7deba8329c9a82e
Reviewed-on: https://boringssl-review.googlesource.com/7400
Reviewed-by: David Benjamin <davidben@google.com>
commit ba70118d8ea7bb0232554bbd70606703bde5bde3
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 8 18:03:31 2016 -0500
Revert "Reduce maximum RSA public exponent size to 33 bits."
This reverts commit b944882f26d64881161622b6c708568ff67483dd.
Recent Chrome canaries show a visible jump in ERR_SSL_PROTOCOL_ERROR which
coincided with a DEPS roll that included this change. Speculatively revert it
to see if they go back down afterwards.
Change-Id: I067798db144c348d666985986dfb9720d1153b7a
Reviewed-on: https://boringssl-review.googlesource.com/7391
Reviewed-by: David Benjamin <davidben@google.com>
commit 617804adc5cd6760a3febcd9d4408fbfc6ebcd0c
Author: Brian Smith <brian@briansmith.org>
Date: Mon Feb 8 20:36:51 2016 -1000
Always use |BN_mod_exp_mont|/|BN_mod_exp_mont_consttime| in RSA.
This removes a hard dependency on |BN_mod_exp|, which will allow the
linker to drop it in programs that don't use other features that
require it.
Also, remove the |mont| member of |bn_blinding_st| in favor of having
callers pass it when necessary. The |mont| member was a weak reference,
and weak references tend to be error-prone.
Finally, reduce the scope of some parts of the blinding code to
|static|.
Change-Id: I16d8ccc2d6d950c1bb40377988daf1a377a21fe6
Reviewed-on: https://boringssl-review.googlesource.com/7111
Reviewed-by: David Benjamin <davidben@google.com>
commit 3ed5977cbb14d82bc2c2e9b3cd717ba1235cdefd
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 8 12:50:21 2016 -0500
Add an idle timeout to runner.go.
If a Read or Write blocks for too long, time out the operation. Otherwise, some
kinds of test failures result in hangs, which prevent the test harness from
progressing. (Notably, OpenSSL currently has a lot of those failure modes and
upstream expressed interest in being able to run the tests to completion.)
Go's APIs want you to send an absolute timeout, to avoid problems when a Read
is split into lots of little Reads. But we actively want the timer to reset in
that case, so this needs a trivial adapter.
The default timeout is set at 15 seconds for now. If this becomes a problem, we
can extend it or build a more robust deadlock detector given an out-of-band
channel (shim tells runner when it's waiting on data, abort if we're also
waiting on data at the same time). But I don't think we'll need that
complexity. 15 seconds appears fine for both valgrind and running tests on a
Nexus 4.
BUG=460189
Change-Id: I6463fd36058427d883b526044da1bbefba851785
Reviewed-on: https://boringssl-review.googlesource.com/7380
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 3d38c03a8e2011e1d2801c389fc481c8ba9841d6
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 8 16:04:50 2016 -0500
Fix a few more missing CBB_cleanups.
See also 1b0c438e1a0e570de18ecc7aabda3be8dea4cfa0.
Change-Id: Ifcfe15caa4d0db8ef725f8dacd0e8c5c94b00a09
Reviewed-on: https://boringssl-review.googlesource.com/7390
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit f945952d5779bf7e2b38297cad29d1efb61f5911
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 7 15:30:26 2016 -0500
Add a script to run tests on Android.
The bots will likely use different infrastructure (I expect I'll need to write
an isolate file and such). In the meantime, make it easier to run tests
manually.
BUG=487432
Change-Id: I0e10b23e5f3eb1c5cd60fb88f21ba4a8385b979e
Reviewed-on: https://boringssl-review.googlesource.com/7334
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit dfd6fe4f9545a8fd55b65c99e5a04eb06f9f3600
Author: David Benjamin <davidben@google.com>
Date: Mon Mar 7 21:41:13 2016 -0500
Add a PULL_REQUEST_TEMPLATE.
Now that we have a GitHub mirror, set up a PULL_REQUEST_TEMPLATE so people know
not to file pull requests against us. Text borrowed from Go's version of this
file.
Change-Id: I7da127fbf36eb3a7cb68e3a91cc9dfbb7fc92155
Reviewed-on: https://boringssl-review.googlesource.com/7370
Reviewed-by: Adam Langley <agl@google.com>
commit cdd7048358b524567734eb5fc283cc9f42005686
Author: Adam Langley <agl@google.com>
Date: Mon Mar 7 17:53:10 2016 -0800
Fix windows build.
Windows doesn't like struct literals:
..\decrepit\dsa\dsa_decrepit.c(85) : warning C4204: nonstandard extension used : non-constant aggregate initializer
Change-Id: I12541f2883ecbb10c85cddfae8d2adbbb1365ae3
Reviewed-on: https://boringssl-review.googlesource.com/7364
Reviewed-by: Adam Langley <agl@google.com>
commit 6e96eaebe016804a96aa99c8a06a2654103f8de6
Author: Adam Langley <agl@google.com>
Date: Mon Mar 7 17:07:54 2016 -0800
Add |X509_EXT_conf_nid| to decrepit.
This function is a deprecated version of |X509_EXT_nconf_nid| that takes
a hash of |CONF_VALUE|s directly rather than a |CONF|.
Change-Id: I5fd1025b31d73b988d9298b2624453017dd34ff4
Reviewed-on: https://boringssl-review.googlesource.com/7363
Reviewed-by: David Benjamin <davidben@google.com>
commit 8ba4b2d5bf812eae838796266b1d01aa363a8dcf
Author: Adam Langley <agl@google.com>
Date: Mon Mar 7 16:35:18 2016 -0800
Add |RSA_[padding_add|verify]_PKCS1_PSS| to decrepit.
These functions are just like the _mgf1 versions but omit one of the
parameters. It's easier to add them than to patch the callers in some
cases.
Change-Id: Idee5b81374bf15f2ea89b7e0c06400c2badbb275
Reviewed-on: https://boringssl-review.googlesource.com/7362
Reviewed-by: David Benjamin <davidben@google.com>
commit 4435e96b08c3cacdde5bb12a2f1aa82aa87a9516
Author: Adam Langley <agl@google.com>
Date: Mon Mar 7 16:16:13 2016 -0800
Include buffer.h from bio.h.
We shouldn't really have to do this, but there's a lot of code that
doesn't always include what it uses. In this case, since bio.h
references |BUF_MEM| in function signatures, it seems a little less
distasteful.
Change-Id: Ifb50f8bce40639f977b4447404597168a68c8388
Reviewed-on: https://boringssl-review.googlesource.com/7361
Reviewed-by: David Benjamin <davidben@google.com>
commit 99a24ba0f14c1eb87b6ebc4c4de4dde5335534be
Author: Adam Langley <agl@google.com>
Date: Mon Mar 7 16:11:01 2016 -0800
Add DSA_generate_parameters to decrepit.
This function was deprecated by OpenSSL in 0.9.8 but code that uses it
still exists. This change adds an implementation of this function to
decrepit/ to support these programs.
Change-Id: Ie99cd00ff8b0ab2675f2b1c821c3d664b9811f16
Reviewed-on: https://boringssl-review.googlesource.com/7360
Reviewed-by: David Benjamin <davidben@google.com>
commit 22ce9b2d08a52e399bf2ab86851952d727be034d
Author: David Benjamin <davidben@google.com>
Date: Sun Mar 6 19:26:52 2016 -0500
SSL_set_fd should create socket BIOs, not fd BIOs.
In OpenSSL, they create socket BIOs. The distinction isn't important on UNIX.
On Windows, file descriptors are provided by the C runtime, while sockets must
use separate recv and send APIs. Document how these APIs are intended to work.
Also add a TODO to resolve the SOCKET vs int thing. This code assumes that
Windows HANDLEs only use the bottom 32 bits of precision. (Which is currently
true and probably will continue to be true for the foreseeable future[*], but
it'd be nice to do this right.)
Thanks to Gisle Vanem and Daniel Stenberg for reporting the bug.
[*] Both so Windows can continue to run 32-bit programs and because of all the
random UNIX software, like OpenSSL and ourselves, out there which happily
assumes sockets are ints.
Change-Id: I67408c218572228cb1a7d269892513cda4261c82
Reviewed-on: https://boringssl-review.googlesource.com/7333
Reviewed-by: David Benjamin <davidben@google.com>
commit 66b2fe8e0273d1f6cca5db95d4ac3979621dc4ce
Author: Tom Thorogood <me+google@tomthorogood.co.uk>
Date: Sun Mar 6 20:08:38 2016 +1030
Add |SSL_CTX_set_private_key_method| to parallel |SSL_set_private_key_method|
This change adds a |SSL_CTX_set_private_key_method| method that sets key_method on a SSL_CTX's cert.
It allows the private key method to be set once and inherited.
A copy of key_method (from SSL_CTX's cert to SSL's cert) is added in |ssl_cert_dup|.
Change-Id: Icb62e9055e689cfe2d5caa3a638797120634b63f
Reviewed-on: https://boringssl-review.googlesource.com/7340
Reviewed-by: David Benjamin <davidben@google.com>
commit 62e0219679f5a120445a95def01c7679f5eb1790
Author: Emily Stark <estark@google.com>
Date: Sun Mar 6 23:41:16 2016 -0800
Handle empty keys in EVP_marshal_public_key()
Instead of crashing when an empty key is passed to
EVP_marshal_public_key(), return with an
EVP_R_UNSUPPORTED_ALGORITHM_ERROR. This brings e.g. X509_PUBKEY_set()
closer to how it behaved before 68772b31 (previously, it returned an
error on an empty public key rather than dereferencing pkey->ameth).
Change-Id: Ieac368725adb7f22329c035d9d0685b44b885888
Reviewed-on: https://boringssl-review.googlesource.com/7351
Reviewed-by: David Benjamin <davidben@google.com>
commit ad004af661759cdc4bf486e81f70a350a3a0a5a9
Author: David Benjamin <davidben@google.com>
Date: Sat Mar 5 14:35:35 2016 -0500
Rename NID_x25519 to NID_X25519.
I went with NID_x25519 to match NID_sha1 and friends in being lowercase.
However, upstream seems to have since chosen NID_X25519. Match their
name.
Change-Id: Icc7b183a2e2dfbe42c88e08e538fcbd242478ac3
Reviewed-on: https://boringssl-review.googlesource.com/7331
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 154c2f2b37b1acff8f033787072fe7f7bed82fa5
Author: David Benjamin <davidben@google.com>
Date: Sat Mar 5 11:57:44 2016 -0500
Add some missing return false lines to test_config.cc.
Change-Id: I9540c931b6cdd4d65fa9ebfc52e1770d2174abd2
Reviewed-on: https://boringssl-review.googlesource.com/7330
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit 1b0c438e1a0e570de18ecc7aabda3be8dea4cfa0
Author: Emily Stark <estark@google.com>
Date: Sun Mar 6 23:11:31 2016 -0800
Fix i2d_RSAPrivateKey, i2d_RSAPublicKey memory leaks
Change-Id: Id2678c20270f2f45efe56efd65caf23e0bb8c09e
Reviewed-on: https://boringssl-review.googlesource.com/7350
Reviewed-by: David Benjamin <davidben@google.com>
commit 05c7bb4565b1f099e3aceea3623c073003cf5ccd
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 4 17:07:23 2016 -0500
Avoid shifting negative numbers in curve25519.
C is still kind of unsure about the whole two's complement thing and leaves
left-shifting of negative numbers undefined. Sadly, some sanitizers believe in
teaching the controversy and complain when code relies on the theory of two's
complement.
Shushing these sanitizers in this case is easier than fighting with build
configuration, so replace the shifts with masks. (This is equivalent as the
left-shift was of a value right-shifted by the same amount. Instead, we store
the unshifted value in carry0, etc., and mask off the bottom bits.) A few other
places get casts to unsigned types which, by some miracle, C compilers are
forbidden from miscompiling.
This is imported from upstream's b95779846dc876cf959ccf96c49d4c0a48ea3082 and
5b7af0dd6c9315ca76fba16813b66f5792c7fe6e.
Change-Id: I6bf8156ba692165940c0c4ea1edd5b3e88ca263e
Reviewed-on: https://boringssl-review.googlesource.com/7320
Reviewed-by: Adam Langley <agl@google.com>
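The shift-to-mask rewrite described in the commit above, as an added example (constructed here, not BoringSSL's curve25519 code): one carry step of a signed radix-2^26 limb chain in the masked form, with the pre-change form kept only in a comment. The two-limb layout and the names carry0 and kTop38Bits are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not BoringSSL code): one carry step between two signed
 * limbs of a radix-2^26 representation of the kind used in curve25519.
 *
 * The pre-change pattern was
 *     carry0 = (h0 + (1 << 25)) >> 26;
 *     h1 += carry0;
 *     h0 -= carry0 << 26;          // left shift of a negative value: UB in C
 * The post-change pattern keeps the unshifted value in carry0 and masks
 * off its low 26 bits instead. In two's complement
 *     carry0 & kTop38Bits == (carry0 >> 26) << 26
 * so the result is identical, but no negative value is ever left-shifted. */

typedef struct {
  int64_t h0;  /* reduced limb, ends up in [-2^25, 2^25) */
  int64_t h1;  /* limb that receives the carry */
} carry_result;

carry_result carry_step_masked(int64_t h0, int64_t h1) {
  /* Keeps the top 38 bits of a 64-bit word and clears the low 26. */
  const uint64_t kTop38Bits = ~(uint64_t)0 << 26;
  carry_result r;

  /* Unshifted rounding value: adding 2^25 rounds to nearest, which is what
   * makes the remainder signed rather than in [0, 2^26). */
  int64_t carry0 = h0 + ((int64_t)1 << 25);

  /* Right-shifting a negative int64 is implementation-defined (arithmetic
   * on every compiler that matters), not undefined, so this part stays. */
  r.h1 = h1 + (carry0 >> 26);

  /* Subtract carry0 with its low 26 bits cleared, i.e. (carry0 >> 26) << 26,
   * computed with a mask on the unsigned view instead of a left shift. */
  r.h0 = h0 - (int64_t)((uint64_t)carry0 & kTop38Bits);
  return r;
}

/* Check used by the test: the reduced limb must lie in [-2^25, 2^25) and the
 * pair must still represent the same integer h0 + h1 * 2^26. Multiplication
 * is used here for the same reason: h1 may be negative. */
int carry_step_is_consistent(int64_t h0, int64_t h1) {
  const int64_t kRadix = (int64_t)1 << 26;
  const int64_t kHalf = (int64_t)1 << 25;
  carry_result r = carry_step_masked(h0, h1);
  if (r.h0 < -kHalf || r.h0 >= kHalf) {
    return 0;
  }
  return r.h0 + r.h1 * kRadix == h0 + h1 * kRadix;
}

int main(void) {
  /* Constructed input: -(2^26) - 7, which produces a negative carry. */
  carry_result r = carry_step_masked(-67108871, 0);
  printf("h0=%lld h1=%lld consistent=%d\n", (long long)r.h0, (long long)r.h1,
         carry_step_is_consistent(-67108871, 0));
  return 0;
}
```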
commit 58218b63bc033782162168e1462c9c8890606885
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 4 12:44:35 2016 -0500
Regenerate server_corpus and client_corpus.
Now that client.cc and server.cc run through application data, regenerate the
corpus.
Change-Id: I8278ebfe47fd2ba74f67db6f9b545aabf9fd1f84
Reviewed-on: https://boringssl-review.googlesource.com/7301
Reviewed-by: Adam Langley <agl@google.com>
commit d86c8a400be34bd77d14448008e3985714654283
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 2 14:53:11 2016 -0500
Enable renegotiation in the client fuzzer and read app data.
As long as the HTTP/1.1 client auth hack forces us to support renego, having
it on seems much more useful than having it off for fuzzing purposes. Also read
app data to exercise that code and, on the client, trigger renegotiations as
needed.
Change-Id: I1941ded6ec9bd764abd199d1518420a1075ed1b2
Reviewed-on: https://boringssl-review.googlesource.com/7291
Reviewed-by: Adam Langley <agl@google.com>
commit 1d34e3c644cdafea4187002a8409895bbda31289
Author: David Benjamin <davidben@google.com>
Date: Fri Mar 4 12:30:51 2016 -0500
Add an option to pick a different build directory in minimise_corpuses.sh.
Also pass set -e instead of chaining things with &&. (One line was missing the
&&.)
Change-Id: Ia04e7f40f46688c9664101efefef1d1ea069de71
Reviewed-on: https://boringssl-review.googlesource.com/7300
Reviewed-by: Adam Langley <agl@google.com>
commit d7166d07ade008390ac5d526ecc25e1ebd140ab1
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 3 20:03:55 2016 -0500
Add a standalone ChaCha test.
The coverage tool revealed that we weren't testing all codepaths of the ChaCha
assembly. Add a standalone test as it's much easier to iterate over all lengths
when there isn't the entire AEAD in the way.
I wasn't able to find a really long test vector, so I generated a random one
with the Go implementation we have in runner.
This test gives us full coverage on the ChaCha20_ssse3 variant. (We'll see how
it fares on the other codepaths when the multi-variant test harnesses get in. I
certainly hope there isn't a more novel way to call ChaCha20 than this...)
Change-Id: I087e421c7351f46ea65dacdc7127e4fbf5f4c0aa
Reviewed-on: https://boringssl-review.googlesource.com/7299
Reviewed-by: Adam Langley <agl@google.com>
commit 433366587d6156c9660cc87a843e9dcef1a58917
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 3 15:32:29 2016 -0500
Move AES128 above AES256 by default.
This is in preparation for adding AES_256_GCM in Chromium below AES_128_GCM.
For now, AES_128_GCM is preferable over AES_256_GCM for performance reasons.
While I'm here, swap the order of 3DES and RC4. Chromium has already disabled
RC4, but the default order should probably reflect that until we can delete it
altogether.
BUG=591516
Change-Id: I1b4df0c0b7897930be726fb8321cee59b5d93a6d
Reviewed-on: https://boringssl-review.googlesource.com/7296
Reviewed-by: Adam Langley <agl@google.com>
commit bd30f480c5bf62444d350abd9a81958b0bb81ae8
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 3 15:36:33 2016 -0500
poly1305/asm/poly1305-*.pl: flip horizontal add and reduction.
Only the 32-bit AVX2 code path needs this, but upstream chose to harmonize all
vector code paths.
RT#4346
(Imported from 1ea8ae5090f557fea2e5b4d5758b10566825d74b.)
Tested the new code manually on arm and aarch64, NEON and non-NEON. Steven
reports that all variants pass on x86 and x86-64 too.
I've left the 32-bit x86 AVX2 code disabled since valgrind can't measure the
code coverage, but this avoids diff with upstream. We can enable it if we ever
end up caring.
Change-Id: Id9becc2adfbe44b84764f8e9c1fb5e8349c4d5a8
Reviewed-on: https://boringssl-review.googlesource.com/7295
Reviewed-by: Adam Langley <agl@google.com>
commit ab14a4a44042cc1623d287a4e8e3b88df752c344
Author: Steven Valdez <svaldez@google.com>
Date: Mon Feb 29 16:58:26 2016 -0500
Adding scripts to generate line coverage.
Uses LCOV for C(++) line coverage and Valgrind's Callgrind tool to
generate assembly-level line coverage for the generated assembly
code.
BUG=590332
Change-Id: Ic70300a272c38f4fa6dd615747db568aa0853584
Reviewed-on: https://boringssl-review.googlesource.com/7251
Reviewed-by: David Benjamin <davidben@google.com>
commit 80c0fd6746b601f274cd8815d1a9f4536ecc9423
Author: Adam Langley <agl@google.com>
Date: Thu Mar 3 09:49:09 2016 -0800
Update fuzzing corpuses.
This results from running the fuzzers for a little while with both the
8bit-counters change and after taking the transcripts from the runner
tests as seeds for the `client` and `server` fuzzers.
Change-Id: I545a89d8dccd7ef69dd97546ed61610eea4a27a3
Reviewed-on: https://boringssl-review.googlesource.com/7276
Reviewed-by: David Benjamin <davidben@google.com>
commit fde5afcd887f682eccf3dc7fd6b6f7a31ecb5143
Author: David Benjamin <davidben@google.com>
Date: Thu Mar 3 08:47:53 2016 -0500
Remove dead comment.
EC point format negotiation is dead and gone.
Change-Id: If13ed7c5f31b64df2bbe90c018b2683b6371a980
Reviewed-on: https://boringssl-review.googlesource.com/7293
Reviewed-by: Adam Langley <agl@google.com>
commit ddcc186ef15a7739d370768327007d3259b77328
Author: Adam Langley <agl@google.com>
Date: Thu Mar 3 09:50:25 2016 -0800
Document how to minimise corpuses.
Change-Id: Ie487163787d78d867e34709fb34b4c6a836f668d
Reviewed-on: https://boringssl-review.googlesource.com/7275
Reviewed-by: David Benjamin <davidben@google.com>
commit de29f36cf4b538ac2027c36fc9d0ccf75a745320
Author: Adam Langley <agl@google.com>
Date: Thu Mar 3 09:50:10 2016 -0800
Add `8bit-counters` option for fuzzing.
This enables coverage counters[1] when fuzzing.
[1] http://clang.llvm.org/docs/SanitizerCoverage.html#coverage-counters
Change-Id: I33fca02d0406b75ac1f7598f41fe4c2ce43538d1
Reviewed-on: https://boringssl-review.googlesource.com/7274
Reviewed-by: David Benjamin <davidben@google.com>
commit cf81b540ce938f43308eb37ab2ab6ee726c8f122
Author: Brian Smith <brian@briansmith.org>
Date: Tue Dec 29 12:02:59 2015 -1000
Remove call to |fprintf| in |CRYPTO_once|.
The |fprintf| dependency is quite heavyweight for small targets. Also,
using |fprintf| on a closed file descriptor is undefined behavior, and
there's no way that this code can know whether |stderr| has already
been closed. So, just don't do it.
Change-Id: I1277733afe0649ae1324d11cac84826a1056e308
Reviewed-on: https://boringssl-review.googlesource.com/6812
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
commit 9867b7dca287c8e74a5c48f20eec1cc6bc14d670
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 1 23:25:48 2016 -0500
Add an option to record transcripts from runner tests.
This can be used to get some initial corpus for fuzzing.
Change-Id: Ifcd365995b54d202c4a2674f49e7b28515f36025
Reviewed-on: https://boringssl-review.googlesource.com/7289
Reviewed-by: Adam Langley <agl@google.com>
commit f2b8363578b289aee1fb1a2a6e6190b70801c600
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 1 22:57:46 2016 -0500
Fix the tests for the fuzzer mode.
It's useful to make sure our fuzzer mode works. Not all tests pass, but most
do. (Notably the negative tests for everything we've disabled don't work.) We
can also then use runner to record fuzzer-mode transcripts with the ciphers
correctly nulled.
Change-Id: Ie41230d654970ce6cf612c0a9d3adf01005522c6
Reviewed-on: https://boringssl-review.googlesource.com/7288
Reviewed-by: Adam Langley <agl@google.com>
commit bc5b2a2e22b63f0f6f57cf067c3cdd23af785225
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 1 22:57:32 2016 -0500
Add a deterministic PRNG for fuzzing.
If running the stack through a fuzzer, we would like execution to be
completely deterministic. This is gated on a
BORINGSSL_UNSAFE_FUZZER_MODE #ifdef.
For now, this just uses the zero ChaCha20 key and a global counter. As
needed, we can extend this to a thread-local counter and a separate
ChaCha20 stream and counter per input length.
Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395
Reviewed-on: https://boringssl-review.googlesource.com/7286
Reviewed-by: Adam Langley <agl@google.com>
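The deterministic fuzzer-mode RNG that commit message sketches, as an added illustration rather than BoringSSL's own code: a plain C ChaCha20 (RFC 7539 state layout) keyed with the all-zero key, with a global call counter placed in the nonce. The nonce layout, the helper names and the constructed checks are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QUARTERROUND(a, b, c, d)     \
  a += b; d ^= a; d = ROTL32(d, 16); \
  c += d; b ^= c; b = ROTL32(b, 12); \
  a += b; d ^= a; d = ROTL32(d, 8);  \
  c += d; b ^= c; b = ROTL32(b, 7);

static uint32_t load32le(const uint8_t *p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) |
         ((uint32_t)p[3] << 24);
}

static void store32le(uint8_t *p, uint32_t v) {
  p[0] = (uint8_t)v;          p[1] = (uint8_t)(v >> 8);
  p[2] = (uint8_t)(v >> 16);  p[3] = (uint8_t)(v >> 24);
}

/* One 64-byte ChaCha20 keystream block (32-bit counter, 96-bit nonce). */
void chacha20_block(uint8_t out[64], const uint8_t key[32],
                    const uint8_t nonce[12], uint32_t counter) {
  uint32_t s[16], x[16];
  int i;
  s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
  for (i = 0; i < 8; i++) s[4 + i] = load32le(key + 4 * i);
  s[12] = counter;
  for (i = 0; i < 3; i++) s[13 + i] = load32le(nonce + 4 * i);
  memcpy(x, s, sizeof(x));
  for (i = 0; i < 10; i++) { /* 20 rounds as 10 double rounds */
    QUARTERROUND(x[0], x[4], x[8], x[12])
    QUARTERROUND(x[1], x[5], x[9], x[13])
    QUARTERROUND(x[2], x[6], x[10], x[14])
    QUARTERROUND(x[3], x[7], x[11], x[15])
    QUARTERROUND(x[0], x[5], x[10], x[15])
    QUARTERROUND(x[1], x[6], x[11], x[12])
    QUARTERROUND(x[2], x[7], x[8], x[13])
    QUARTERROUND(x[3], x[4], x[9], x[14])
  }
  for (i = 0; i < 16; i++) store32le(out + 4 * i, x[i] + s[i]);
}

static const uint8_t kZeroKey[32] = {0}; /* the "zero ChaCha20 key" */
static uint64_t g_fuzzer_rand_calls = 0;  /* the global counter */

void fuzzer_rand_reset(void) { g_fuzzer_rand_calls = 0; }

/* Deterministic RAND_bytes stand-in: the call number selects the nonce, so
 * the n-th call always yields the same bytes and distinct calls yield
 * distinct streams. Only meaningful in an unsafe fuzzer-mode build. */
void fuzzer_rand_bytes(uint8_t *out, size_t len) {
  uint8_t nonce[12] = {0};
  uint8_t block[64];
  uint32_t counter = 0;
  store32le(nonce + 4, (uint32_t)g_fuzzer_rand_calls);        /* assumed layout */
  store32le(nonce + 8, (uint32_t)(g_fuzzer_rand_calls >> 32));
  g_fuzzer_rand_calls++;
  while (len > 0) {
    size_t n = len < 64 ? len : 64;
    chacha20_block(block, kZeroKey, nonce, counter++);
    memcpy(out, block, n);
    out += n;
    len -= n;
  }
}

/* Known answer: RFC 7539 A.1 vector #1 (zero key, zero nonce, counter 0),
 * which is exactly what the first call after a reset produces. */
int chacha20_known_answer_ok(void) {
  static const uint8_t kExpected[32] = {
      0x76, 0xb8, 0xe0, 0xad, 0xa0, 0xf1, 0x3d, 0x90, 0x40, 0x5d, 0x6a,
      0xe5, 0x53, 0x86, 0xbd, 0x28, 0xbd, 0xd2, 0x19, 0xb8, 0xa0, 0x8d,
      0xed, 0x1a, 0xa8, 0x36, 0xef, 0xcc, 0x8b, 0x77, 0x0d, 0xc7};
  uint8_t out[100];
  fuzzer_rand_reset();
  fuzzer_rand_bytes(out, sizeof(out));
  return memcmp(out, kExpected, sizeof(kExpected)) == 0;
}

/* Reproducibility: the same call sequence gives the same bytes, and a
 * later call in the sequence gives different bytes. */
int fuzzer_rand_reproducible(void) {
  uint8_t a[80], b[80], c[80];
  fuzzer_rand_reset();
  fuzzer_rand_bytes(a, sizeof(a));
  fuzzer_rand_bytes(c, sizeof(c));
  fuzzer_rand_reset();
  fuzzer_rand_bytes(b, sizeof(b));
  return memcmp(a, b, sizeof(a)) == 0 && memcmp(a, c, sizeof(a)) != 0;
}

int main(void) {
  printf("known answer: %s\n", chacha20_known_answer_ok() ? "ok" : "FAIL");
  printf("reproducible: %s\n", fuzzer_rand_reproducible() ? "ok" : "FAIL");
  return 0;
}
```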
commit 8b9e7802acde5e7d811ede05360b03fb4720e104
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 2 18:23:21 2016 -0500
Fix up all_tests.go parallelism support.
A len(tests) should have been len(testCases), the code never added to the
sync.WaitGroup, and feeding tests to the tests channel blocks on the tests
completing, so with one worker the results didn't stream. (And if the results
channel wasn't large enough, we'd deadlock.)
Change-Id: Iee37507b9706b14cffddd9c1b55fc311ee9b666d
Reviewed-on: https://boringssl-review.googlesource.com/7292
Reviewed-by: Adam Langley <agl@google.com>
commit bf82aede675e343087ca9d31b53547d01c269be0
Author: David Benjamin <davidben@google.com>
Date: Tue Mar 1 22:57:40 2016 -0500
Disable all TLS crypto in fuzzer mode.
Both sides' signature and Finished checks still occur, but the results
are ignored. Also, all ciphers behave like the NULL cipher.
Conveniently, this isn't that much code since all ciphers and their size
computations funnel into SSL_AEAD_CTX.
This does carry some risk that we'll mess up this code. Up until now, we've
tried to avoid test-only changes to the SSL stack.
There is little risk that anyone will ship a BORINGSSL_UNSAFE_FUZZER_MODE build
for anything since it doesn't interop anyway. There is some risk that we'll end
up messing up the disableable checks. However, both skipped checks have
negative tests in runner (see tests that set InvalidSKXSignature and
BadFinished). For good measure, I've added a server variant of the existing
BadFinished test to this CL, although they hit the same code.
Change-Id: I37f6b4d62b43bc08fab7411965589b423d86f4b8
Reviewed-on: https://boringssl-review.googlesource.com/7287
Reviewed-by: Adam Langley <agl@google.com>
commit 2477adcf6236c3040a291ad1bfd53f525e1af96d
Author: Brian Smith <brian@briansmith.org>
Date: Tue Mar 1 20:16:26 2016 -1000
Clarify use of |$end0| in stitched x86-64 AES-GCM code.
There was some uncertainty about what the code is doing with |$end0|
and whether it was necessary for |$len| to be a multiple of 16 or 96.
Hopefully these added comments make it clear that the code is correct
except for the caveat regarding low memory addresses.
Change-Id: Iea546a59dc7aeb400f50ac5d2d7b9cb88ace9027
Reviewed-on: https://boringssl-review.googlesource.com/7194
Reviewed-by: Adam Langley <agl@google.com>
commit 32223940f28dc55e2d875961bcd2b51b1685358f
Author: Steven Valdez <svaldez@google.com>
Date: Wed Mar 2 11:53:07 2016 -0500
Making all_tests.go parallelizable
Use -num-workers to run multiple workers in parallel when running tests.
Change-Id: Iee5554ee78ec8d77700a0df5a297bd2515d34dca
Reviewed-on: https://boringssl-review.googlesource.com/7285
Reviewed-by: David Benjamin <davidben@google.com>
commit 9bea349660c8230fe33f62a5c03e647854125afc
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 2 10:59:16 2016 -0500
Account for Windows line endings in runner.
Otherwise the split on "--- DONE ---\n" gets confused.
Change-Id: I74561a99e52b98e85f67efd85523213ad443d325
Reviewed-on: https://boringssl-review.googlesource.com/7283
Reviewed-by: Adam Langley <agl@google.com>
commit 29ec5d1fdab3286946a217878b0326af19f533f2
Author: Adam Langley <alangley@gmail.com>
Date: Tue Mar 1 16:12:28 2016 -0800
Add dummy |SSL_get_server_tmp_key|.
Node.js calls it but handles it failing. Since we have abstracted this
in the state machine, we mightn't even be using a cipher suite where the
server's key can be expressed as an EVP_PKEY.
Change-Id: Ic3f013dc9bcd7170a9eb2c7535378d478b985849
Reviewed-on: https://boringssl-review.googlesource.com/7272
Reviewed-by: David Benjamin <davidben@google.com>
commit d323f4b1e185b43f8d5e5a3b191d4bf0d5b65609
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 15:58:14 2016 -0800
Bring back |verify_store|.
This was dropped in d27441a9cb55b02149d7f1236de94f3a40dd1692 due to lack
of use, but node.js now needs it.
Change-Id: I1e207d4b46fc746cfae309a0ea7bbbc04ea785e8
Reviewed-on: https://boringssl-review.googlesource.com/7270
Reviewed-by: David Benjamin <davidben@google.com>
commit 2b07fa4b22198ac02e0cee8f37f3337c3dba91bc
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 2 00:23:57 2016 -0500
Fix a memory leak in an error path.
Found by libFuzzer combined with some experimental unsafe-fuzzer-mode patches
(to be uploaded once I've cleaned them up a bit) to disable all those pesky
cryptographic checks in the protocol.
Change-Id: I9153164fa56a0c2262c4740a3236c2b49a596b1b
Reviewed-on: https://boringssl-review.googlesource.com/7282
Reviewed-by: Adam Langley <agl@google.com>
commit ff3a1498dae79e7fa1cf8d93f735f6fdae49e286
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 2 10:12:06 2016 -0500
Ensure runner notices post-main stderr output.
If LeakSanitizer fires something on a test that's expected to fail, runner will
swallow it. Have stderr output always end in a "--- DONE ---" marker and treat
all output following that as a test failure.
Change-Id: Ia8fd9dfcaf48dd23972ab8f906d240bcb6badfe2
Reviewed-on: https://boringssl-review.googlesource.com/7281
Reviewed-by: Adam Langley <agl@google.com>
commit 3cd8196f14d8fd762f06ce2e20a23cd912eb06f2
Author: David Benjamin <davidben@google.com>
Date: Wed Mar 2 09:40:08 2016 -0500
Mark all curve25519 tables const.
See also upstream's dc22d6b37e8058a4334e6f98932c2623cd3d8d0d. (Though I'm not
sure why they didn't need to fix cmov.)
Change-Id: I2a194a8aea1734d4c1e7f6a0536a636379381627
Reviewed-on: https://boringssl-review.googlesource.com/7280
Reviewed-by: Adam Langley <agl@google.com>
commit 7a17ba2e3ab1cc30812193660138cb9f09b27c7e
Author: Adam Langley <alangley@gmail.com>
Date: Tue Mar 1 16:00:36 2016 -0800
Add |FIPS_mode|, which returns zero.
(node.js calls it.)
Change-Id: I7401f4cb4dfc61d500331821784ae717ad9f7adf
Reviewed-on: https://boringssl-review.googlesource.com/7271
Reviewed-by: David Benjamin <davidben@google.com>
commit 708db16463a21b922aed6d393ef74c3c5a366668
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 11:48:00 2016 -0800
Pass |alice_msg| by reference in the SPAKE2 speed test.
This is an attempt to make MSVC happy. Currently it's saying:
..\tool\speed.cc(508) : error C2536: 'SpeedSPAKE2::<lambda_…>::SpeedSPAKE2::<lambda_…>::alice_msg' : cannot specify explicit initializer for arrays
Change-Id: Ifba1df26b5d734f142668a41834645c1549f9f52
Reviewed-on: https://boringssl-review.googlesource.com/7248
Reviewed-by: David Benjamin <davidben@google.com>
commit f27459e41259bd66179febbd3b89cc183791172c
Author: Arnar Birgisson <arnarb@google.com>
Date: Tue Feb 9 18:09:00 2016 -0800
Add SPAKE2 over Ed25519.
SPAKE2 is a password-authenticated key exchange. This implementation is
over the twisted Edwards curve Ed25519, and uses SHA-512 as the hash
primitive.
See https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03
Change-Id: I2cd3c3ebdc3d55ac3aea3a9eb0d06275509597ac
Reviewed-on: https://boringssl-review.googlesource.com/7114
Reviewed-by: Adam Langley <agl@google.com>
commit e4f3f4df6e521e9f98f6b2e340b98b59cba2c237
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 09:07:14 2016 -0800
Add test that A+A = 2×A on elliptic curves.
Change-Id: I914efab9a15c903f79a1b83388b577b14c534269
Reviewed-on: https://boringssl-review.googlesource.com/7247
Reviewed-by: David Benjamin <davidben@google.com>
commit 060bd590cec36c11008a513a0f1f239e0c84c774
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 08:23:53 2016 -0800
ec/asm/p256-x86_64-asm.pl: get corner case logic right.
(Imported from upstream's 64333004a41a9f4aa587b8e5401420fb70d00687.)
RT#4284.
This case should be impossible to hit because |EC_POINT_add| doesn't use
this function and trying to add equal inputs should never occur during a
multiplication. Support for this exists because the pattern has been
copied from the first 64-bit P-224 and P-256 work that Emilia, Bodo and
I did. There it seemed like a reasonable defense-in-depth in case the
code changed in the future.
Change-Id: I7ff138669c5468b7d7a5153429bec728cb67e338
Reviewed-on: https://boringssl-review.googlesource.com/7246
Reviewed-by: David Benjamin <davidben@google.com>
commit 7aea80f5761e839543b4c9b3952eec123d611f3c
Author: Steven Valdez <svaldez@google.com>
Date: Tue Mar 1 10:09:04 2016 -0500
Adding missing BN_CTX_start/BN_CTX_end in ec_key
Change-Id: Icfa6a0bc36b808e2e6ea8b36a0fc49b3c4943b07
Reviewed-on: https://boringssl-review.googlesource.com/7254
Reviewed-by: David Benjamin <davidben@google.com>
commit df2a5562f3cbbf4438cf215cca1d4c3f77fad292
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 08:17:29 2016 -0800
bn/asm/x86_64-mont5.pl: unify gather procedure in hardly used path and reorganize/harmonize post-conditions.
(Imported from upstream's 515f3be47a0b58eec808cf365bc5e8ef6917266b)
Additional hardening following on from CVE-2016-0702.
Change-Id: I19a6739b401887a42eb335fe5838379dc8d04100
Reviewed-on: https://boringssl-review.googlesource.com/7245
Reviewed-by: Adam Langley <agl@google.com>
commit b360eaf0018a0ed82b3713adc993ffff8270631e
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 08:16:30 2016 -0800
crypto/bn/x86_64-mont5.pl: constant-time gather procedure.
(Imported from upstream's 25d14c6c29b53907bf614b9964d43cd98401a7fc.)
At the same time remove minuscule bias in final subtraction. Performance
penalty varies from platform to platform, and even with key length. For
rsa2048 sign it was observed to be 4% for Sandy Bridge and 7% on
Broadwell.
(This is part of the fix for CVE-2016-0702.)
Change-Id: I43a13d592c4a589d04c17c33c0ca40c2d7375522
Reviewed-on: https://boringssl-review.googlesource.com/7244
Reviewed-by: Adam Langley <agl@google.com>
commit 1168fc72fc7f3d5b2954ff0cd41365f2a973ba1b
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 07:58:38 2016 -0800
bn/asm/rsaz-avx2.pl: constant-time gather procedure.
(Imported from upstream's 08ea966c01a39e38ef89e8920d53085e4807a43a)
Performance penalty is 2%.
(This is part of the fix for CVE-2016-0702.)
Change-Id: Id3b6262c5d3201dd64b93bdd34601a51794a9275
Reviewed-on: https://boringssl-review.googlesource.com/7243
Reviewed-by: Adam Langley <agl@google.com>
commit 842a06c2b9f7797d19f7f3ba862abe0f208d2391
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 07:57:08 2016 -0800
bn/asm/rsax-x86_64.pl: constant-time gather procedure.
(Imported from upstream's ef98503eeef5c108018081ace902d28e609f7772.)
Performance penalty is 2% on Linux and 5% on Windows.
(This is part of the fix for CVE-2016-0702.)
Change-Id: If82f95131c93168282a46ac5a35e2b007cc2bd67
Reviewed-on: https://boringssl-review.googlesource.com/7242
Reviewed-by: Adam Langley <agl@google.com>
commit 82bdaa89f07c944265fa899aff9dbefdfd5d0f92
Author: Adam Langley <agl@google.com>
Date: Tue Mar 1 07:54:10 2016 -0800
Make copy_from_prebuf constant time.
(Imported from upstream's 708dc2f1291e104fe4eef810bb8ffc1fae5b19c1.)
Performance penalty varies from platform to platform, and even key
length. For rsa2048 sign it was observed to reach almost 10%.
This is part of the fix for CVE-2016-0702.
Change-Id: Ie0860bf3e531196f03102db1bc48eeaf30ab1d58
Reviewed-on: https://boringssl-review.googlesource.com/7241
Reviewed-by: Adam Langley <agl@google.com>
commit aeb69a02b833994766f0af1f4d84929f7496d7f6
Author: Steven Valdez <svaldez@google.com>
Date: Fri Feb 26 10:48:59 2016 -0500
Pass pure constants verbatim in perlasm/x86_64-xlate.pl
(Imported from upstream's 10c639a8a56c90bec9e332c7ca76ef552b3952ac)
Change-Id: Ia8203eeae9d274249595a6e352ec2f77a97ca5d5
Reviewed-on: https://boringssl-review.googlesource.com/7227
Reviewed-by: David Benjamin <davidben@google.com>
commit 2c198fae28c13f7cdeadd33dc7f68036310edbe5
Author: David Benjamin <davidben@google.com>
Date: Wed Feb 17 14:52:08 2016 -0500
Enforce that d2i_PrivateKey returns a key of the specified type.
If d2i_PrivateKey hit the PKCS#8 codepath, it didn't enforce that the key was
of the specified type.
Note that this requires tweaking d2i_AutoPrivateKey slightly. A PKCS #8
PrivateKeyInfo may have 3 or 4 elements (optional attributes), so we were
relying on this bug for d2i_AutoPrivateKey to work.
Change-Id: If50b7a742f535d208e944ba37c3a585689d1da43
Reviewed-on: https://boringssl-review.googlesource.com/7253
Reviewed-by: Adam Langley <agl@google.com>
commit 886119b9f73b4fe0159c2ab793cccb3fa96ace99
Author: David Benjamin <davidben@google.com>
Date: Mon Feb 29 17:21:02 2016 -0500
Disable ChaCha20 assembly for OPENSSL_X86.
They fail the newly-added in-place tests. Since we don't have bots for them
yet, verified manually that the arm and aarch64 code is fine.
Change-Id: Ic6f4060f63e713e09707af05e6b7736b7b65c5df
Reviewed-on: https://boringssl-review.googlesource.com/7252
Reviewed-by: Adam Langley <agl@google.com>
commit f132d4e8f84602182e521fbe688a264dbc3d19f8
Author: Adam Langley <agl@google.com>
Date: Thu Feb 25 17:07:19 2016 -0800
Test AEAD interface with aliased buffers.
Cases where the input and output buffers overlap are always a little
odd. This change adds a test to ensures that the (generic) AEADs
function in these situations.
Change-Id: I6f1987a5e10ddef6b2b8f037a6d50737a120bc99
Reviewed-on: https://boringssl-review.googlesource.com/7195
Reviewed-by: David Benjamin <davidben@google.com>
commit 42c8c63fcbb53642674da648924e61d4aa65b67c
Author: David Benjamin <davidben@google.com>
Date: Mon Feb 29 16:59:19 2016 -0500
Fix build.
Forgot to delete a line.
Change-Id: Ia1fb2904398816d495045dc237337f0be5b09272
Reviewed-on: https://boringssl-review.googlesource.com/7250
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
commit d7305d50e4dbc16edc2f22133b7daae2cd1724f2
Author: Steven Valdez <svaldez@google.com>
Date: Mon Feb 29 10:38:26 2016 -0500
Add missing initialization in bn/exponentiation
(Imported from upstream's 04f2a0b50d219aafcef2fa718d91462b587aa23d)
Change-Id: Ie840edeb1fc9d5a4273f137467e3ef16528c9668
Reviewed-on: https://boringssl-review.googlesource.com/7234
Reviewed-by: David Benjamin <davidben@google.com>
commit 318c076b69d1487cae300abbec7025583f198a2e
Author: Steven Valdez <svaldez@google.com>
Date: Mon Feb 29 10:14:11 2016 -0500
modes/ctr.c: Ensure ecount_buf alignment in CRYPTO_ctr128_encrypt.
This isn't a problem when called from EVP, since the buffer is
aligned in the EVP_CIPHER_CTX. The increment counter code is also
fixed to deal with overflow.
(Imported from upstream's 6533a0b8d1ed12aa5f7dfd7a429eec67c5486bb5)
Change-Id: I8d7191c3d3873db254a551085d2358d90bc8397a
Reviewed-on: https://boringssl-review.googlesource.com/7233
Reviewed-by: David Benjamin <davidben@google.com>
commit df1dc9840946c91426a55c242fe3dc50ed781152
Author: David Benjamin <davidben@google.com>
Date: Mon Feb 29 16:27:37 2016 -0500
Add a few more large tag tests to asn1_test.
While we're here, may as well test others.
Change-Id: I711528641a3f7dd035c696c3c1d6b035437c91cc
Reviewed-on: https://boringssl-review.googlesource.com/7239
Reviewed-by: Adam Langley <agl@google.com>
commit fb2c6f8c8565e1e2d85c24408050c96521acbcdc
Author: David Benjamin <davidben@google.com>
Date: Mon Feb 29 15:42:59 2016 -0500
ASN1_get_object should not accept large universal tags.
The high bits of the type get used for the V_ASN1_NEG bit, so when used with
ASN1_ANY/ASN1_TYPE, universal tags become ambiguous. This allows one to create
a negative zero, which should be impossible. Impose an upper bound on universal
tags accepted by crypto/asn1 and add a test.
BUG=590615
Change-Id: I363e01ebfde621c8865101f5bcbd5f323fb59e79
Reviewed-on: https://boringssl-review.googlesource.com/7238
Reviewed-by: Adam Langley <agl@google.com>
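An added illustration (not BoringSSL's code) of the ambiguity that commit describes: a small identifier-octet parser that decodes high-tag-number form, shows a universal tag of 0x102 landing exactly on V_ASN1_NEG_INTEGER, and rejects such tags once an upper bound is enforced. The bound MAX_UNIVERSAL_TAG, the function names and the sample bytes are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Identifier-octet constants with the values used by the legacy OpenSSL/
 * BoringSSL ASN.1 API. V_ASN1_NEG is OR'd into an ASN1_TYPE's type field to
 * mark a negative INTEGER or ENUMERATED, so it shares bit space with tags. */
#define V_ASN1_UNIVERSAL 0x00
#define V_ASN1_CONSTRUCTED 0x20
#define V_ASN1_PRIMITIVE_TAG 0x1f
#define V_ASN1_INTEGER 2
#define V_ASN1_NEG 0x100
#define V_ASN1_NEG_INTEGER (V_ASN1_INTEGER | V_ASN1_NEG)
/* Assumed upper bound on accepted universal tags; any bound below
 * V_ASN1_NEG keeps tag numbers and the negative marker disjoint. */
#define MAX_UNIVERSAL_TAG 0xff

struct asn1_id {
  int tag_class;   /* top two bits of the first identifier octet */
  int constructed; /* 1 for constructed, 0 for primitive */
  long tag;        /* decoded tag number */
};

/* Decode identifier octets (low-tag and high-tag-number form) from |in|.
 * Returns the number of bytes consumed, or 0 on error. With |enforce_bound|
 * set, universal tags above MAX_UNIVERSAL_TAG are rejected. */
size_t parse_identifier(const uint8_t *in, size_t len, int enforce_bound,
                        struct asn1_id *out) {
  if (len == 0) {
    return 0;
  }
  size_t i = 0;
  uint8_t b = in[i++];
  out->tag_class = b & 0xc0;
  out->constructed = (b & V_ASN1_CONSTRUCTED) ? 1 : 0;
  long tag = b & V_ASN1_PRIMITIVE_TAG;
  if (tag == V_ASN1_PRIMITIVE_TAG) {
    /* High-tag-number form: base-128 digits, MSB set on all but the last. */
    tag = 0;
    for (;;) {
      if (i >= len) {
        return 0; /* truncated */
      }
      b = in[i++];
      if (tag > (LONG_MAX >> 7)) {
        return 0; /* tag number would overflow */
      }
      tag = (tag << 7) | (b & 0x7f);
      if ((b & 0x80) == 0) {
        break;
      }
    }
  }
  if (enforce_bound && out->tag_class == V_ASN1_UNIVERSAL &&
      tag > MAX_UNIVERSAL_TAG) {
    return 0; /* the fix: no universal tag may reach into V_ASN1_NEG */
  }
  out->tag = tag;
  return i;
}

/* Convenience wrapper: the decoded tag, or -1 if the identifier is rejected. */
long parse_tag(const uint8_t *in, size_t len, int enforce_bound) {
  struct asn1_id id;
  return parse_identifier(in, len, enforce_bound, &id) ? id.tag : -1;
}

/* Constructed sample: universal, primitive, tag number 0x102 in high-tag
 * form (0x102 = 2 * 128 + 2, so digits 0x82 then 0x02). */
const uint8_t kUniversalTag0x102[] = {0x1f, 0x82, 0x02};
/* Constructed sample: the same tag number, but context-specific and
 * constructed; the bound applies only to the universal class. */
const uint8_t kContextTag0x102[] = {0xbf, 0x82, 0x02};
/* Constructed sample: a plain INTEGER identifier octet. */
const uint8_t kIntegerTag[] = {0x02};

int main(void) {
  long unchecked = parse_tag(kUniversalTag0x102, sizeof(kUniversalTag0x102), 0);
  long checked = parse_tag(kUniversalTag0x102, sizeof(kUniversalTag0x102), 1);
  printf("unchecked universal tag 0x%lx %s V_ASN1_NEG_INTEGER\n", unchecked,
         unchecked == V_ASN1_NEG_INTEGER ? "collides with" : "differs from");
  printf("with bound enforced: %s\n", checked < 0 ? "rejected" : "accepted");
  return 0;
}
```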
commit 7e8ed440135c166d0a29e28548b485b66d1645b8
Author: Adam Langley <agl@google.com>
Date: Mon Feb 29 08:08:11 2016 -0800
Fix possible memory leak on BUF_MEM_grow_clean failure
(Imported from upstream's e9cf5f03666bb82f0184e4f013702d0b164afdca and
29305f4edc886db349f2beedb345f9dd93311c09)
Change-Id: I0fa019e9d337676a84a7a6c103d2c4e14e18aede
Reviewed-on: https://boringssl-review.googlesource.com/7240
Reviewed-by: David Benjamin <davidben@google.com>
commit a14934ff2de02c6a12cc34272a26816940e93a60
Author: Steven Valdez <svaldez@google.com>
Date: Mon Feb 29 10:05:08 2016 -0500
Handle shutdown during init/handshake earlier
Sending close_notify during init causes some problems for some
applications so we instead revert to the previous behavior returning an
error instead of silently passing.
(Imported from upstream's 64193c8218540499984cd63cda41f3cd491f3f59)
Change-Id: I5efed1ce152197d291e6c7ece6e5dbb8f3ad867d
Reviewed-on: https://boringssl-review.googlesource.com/7232
Reviewed-by: David Benjamin <davidben@google.com>
commit c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa
Author: Adam Langley <agl@google.com>
Date: Mon Feb 29 08:01:05 2016 -0800
Fix encoding bug in i2c_ASN1_INTEGER
(Imported from upstream's 3661bb4e7934668bd99ca777ea8b30eedfafa871.)
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.
Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and Hanno Böck
<hanno@hboeck.de> for reporting this issue.
BUG=590615
Change-Id: I8959e8ae01510a5924862a3f353be23130eee554
Reviewed-on: https://boringssl-review.googlesource.com/7199
Reviewed-by: David Benjamin <davidben@google.com>
commit b944882f26d64881161622b6c708568ff67483dd
Author: Brian Smith <brian@briansmith.org>
Date: Wed Jan 13 10:50:00 2016 -1000
Reduce maximum RSA public exponent size to 33 bits.
Reduce the maximum RSA exponent size to 33 bits, regardless of modulus
size, for public key operations.
Change-Id: I88502b1033d8854696841531031298e8ad96a467
Reviewed-on: https://boringssl-review.googlesource.com/6901
Reviewed-by: Adam Langley <agl@google.com>
commit f4e447c16d24aa2f6a9336aa6dbba015380beb29
Author: David Benjamin <davidben@chromium.org>
Date: Sun Feb 7 12:31:53 2016 -0500
Move ASN1_bn_print to a static function in evp/print.c.
It's not used anywhere else, in the library or consumers (Google ones or
ones I could find on Debian codesearch). This is a sufficiently
specialized function that the risk of a third-party library newly
depending on it is low. This removes the last include of asn1.h or
x509.h in crypto/evp.
(This is almost entirely cosmetic because it wasn't keeping the static linker
from doing the right thing anyway. But if we want to separate the legacy
ASN.1 stack into its own decrepit-like target, we'll need to be pickier about
separation.)
Change-Id: I9be97c9321572e3a2ed093e1d50036b7654cff41
Reviewed-on: https://boringssl-review.googlesource.com/7080
Reviewed-by: Adam Langley <agl@google.com>
commit 63d9246812e4ee0055ca8be425d61b12b89a5876
Author: David Benjamin <davidben@chromium.org>
Date: Mon Feb 1 15:48:51 2016 -0500
Reset crypto/evp error codes.
A number of values have fallen off now that code's been shuffled
around.
Change-Id: I5eac1d3fa4a9335c6aa72b9876d37bb9a9a029ac
Reviewed-on: https://boringssl-review.googlesource.com/7029
Reviewed-by: Adam Langley <agl@google.com>
commit 921d906bb640e105b852c849edb8f0a115cc1a6c
Author: David Benjamin <davidben@chromium.org>
Date: Sat Jan 30 19:33:52 2016 -0500
Reimplement d2i_PrivateKey.
Functions which lose object reuse and need auditing:
- d2i_PrivateKey
This removes evp_asn1.c's dependency on the old stack. (Aside from
obj/.) It also takes old_priv_decode out of EVP_ASN1_METHOD in favor of
calling out to the new-style function. EVP_ASN1_METHOD no longer has any
old-style type-specific serialization hooks, only the PKCS#8 and SPKI
ones.
BUG=499653
Change-Id: Ic142dc05a5505b50e4717c260d3893b20e680194
Reviewed-on: https://boringssl-review.googlesource.com/7027
Reviewed-by: Adam Langley <agl@google.com>
commit 6d3387d9c1cc184c7d9ca29d726ab478cdfc1023
Author: David Benjamin <davidben@chromium.org>
Date: Thu Dec 31 15:11:31 2015 -0500
Reimplement d2i_AutoPrivateKey with the new ASN.1 stack.
This is kind of a ridiculous function. It would be nice to lose it, but
SSL_use_PrivateKey_file actually calls into it (by way of
d2i_PrivateKey_bio).
BUG=499653
Change-Id: I83634f6982b15f4b877e29f6793b7e00a1c10450
Reviewed-on: https://boringssl-review.googlesource.com/7026
Reviewed-by: Adam Langley <agl@google.com>
commit 8ebc0f55a01539a9eef39e162c25d09303f4013b
Author: David Benjamin <davidben@chromium.org>
Date: Sun Jan 3 03:02:50 2016 -0800
Decouple the EVP and PEM code.
EVP_PKEY_asn1_find can already be private. EVP_PKEY_asn1_find_str is used
only so the PEM code can get at legacy encoders. Since this is all
legacy non-PKCS8 stuff, we can just explicitly list out the three cases
in the two places that need it. If this changes, we can later add a
table in crypto/pem mapping string to EVP_PKEY type.
With this, EVP_PKEY_ASN1_METHOD is no longer exposed in the public API
and nothing outside of EVP_PKEY reaches into it. Unexport all of that.
Change-Id: Iab661014247dbdbc31e5e9887364176ec5ad2a6d
Reviewed-on: https://boringssl-review.googlesource.com/6871
Reviewed-by: Adam Langley <agl@google.com>
commit 3f4f7ee08fe0e36c87519befcaff073dc5a90e95
Author: David Benjamin <davidben@chromium.org>
Date: Sun Jan 3 02:52:40 2016 -0800
PEM_write_bio_PrivateKey is always PKCS#8.
Every key type which has a legacy PEM encoding also has a PKCS#8
encoding. The fallback codepath is never reached.
This removes the only consumer of pem_str, so that may be removed from
EVP_PKEY_ASN1_METHOD.
Change-Id: Ic680bfc162e1dc76db8b8016f6c10f669b24f5aa
Reviewed-on: https://boringssl-review.googlesource.com/6870
Reviewed-by: Adam Langley <agl@google.com>
commit 8c07ad3e3be810663d2fe5f94de8cfb256285851
Author: David Benjamin <davidben@chromium.org>
Date: Fri Aug 7 12:34:57 2015 -0400
Pull EVP_PKEY print hooks out of the main method table.
This allows the static linker to drop it in consumers which don't need this
stuff (i.e. all sane ones), once crypto/x509 falls off. This cuts down
on a number of dependencies from the core crypto bits on crypto/asn1 and
crypto/x509.
BUG=499653
Change-Id: I76a10a04dcc444c1ded31683df9f87725a95a4e6
Reviewed-on: https://boringssl-review.googlesource.com/5660
Reviewed-by: Adam Langley <agl@google.com>
commit 17727c6843e3b3d4ec93132a454732dd5176ff85
Author: David Benjamin <davidben@chromium.org>
Date: Sat Jan 30 14:58:52 2016 -0500
Move all signature algorithm code to crypto/x509.
All the signature algorithm logic depends on X509_ALGOR. This also
removes the X509_ALGOR-based EVP functions which are no longer used
externally. I think those APIs were a mistake on my part. The use in
Chromium was unnecessary (and has since been removed anyway). The new
X.509 stack will want to process the signatureAlgorithm itself to be
able to enforce policies on it.
This also moves the RSA_PSS_PARAMS bits to crypto/x509 from crypto/rsa.
That struct is also tied to crypto/x509. Any new RSA-PSS code would
have to use something else anyway.
BUG=499653
Change-Id: I6c4b4573b2800a2e0f863d35df94d048864b7c41
Reviewed-on: https://boringssl-review.googlesource.com/7025
Reviewed-by: Adam Langley <agl@google.com>
commit 93a69b4f8f33d70a3350512ec744b5b948fe2f6b
Author: David Benjamin <davidben@chromium.org>
Date: Sat Jan 30 12:57:05 2016 -0500
Move X.509 signature algorithm tests to the crypto/x509 layer.
This is in preparation for moving the logic itself to crypto/x509, so
the lower-level functions will not be as readily available.
Change-Id: I6507b895317df831ab11d0588c5b09bbb2aa2c24
Reviewed-on: https://boringssl-review.googlesource.com/7023
Reviewed-by: Adam Langley <agl@google.com>
commit da295d35f2ccd179635229d719345dd056a56cfb
Author: David Benjamin <davidben@chromium.org>
Date: Sat Jan 30 14:09:08 2016 -0500
Drop the DSA signature printing hook.
It's only used by crypto/x509, and we don't even support DSA in
crypto/x509 anymore since the EVP_PKEY_CTX hooks aren't wired up.
Change-Id: I1b8538353eb51df353cf9171b1cbb0bb47a879a3
Reviewed-on: https://boringssl-review.googlesource.com/7024
Reviewed-by: Adam Langley <agl@google.com>
commit 136df6bd999aa72d4a3817f719bcb87f86014490
Author: Aaron Green <aarongreen@google.com>
Date: Fri Feb 12 08:15:35 2016 -0800
Fix implementation-specific behavior in gcm_test.c
gcm_test.c includes a test case that does a 'malloc(0)'. This test case
currently fails if malloc(0) returns NULL. According to the standard,
malloc's behavior with a size of 0 is implementation specific and may
either be NULL or another pointer suitable to be passed to free(). This
change modifies gcm_test.c to handle a return value of NULL. It has
been tested with a custom allocator on an experimental branch.
Change-Id: I35514ec9735cedffc621f7dfae42b4c6664a1766
Reviewed-on: https://boringssl-review.googlesource.com/7122
Reviewed-by: Adam Langley <agl@google.com>
commit 95a79eec40703fcd9f108ff7dac0ec4d34856ecb
Author: Emily Stark <estark@google.com>
Date: Thu Feb 25 21:12:28 2016 -0800
Add a stub for SSL_get_shared_ciphers().
This stub returns an empty string rather than NULL (since some callers
might assume that NULL means there are no shared ciphers).
Change-Id: I9537fa0a80c76559b293d8518599b68fd9977dd8
Reviewed-on: https://boringssl-review.googlesource.com/7196
Reviewed-by: David Benjamin <davidben@google.com>
commit 6f0c4db90e47437ed87a2d385c7797e692a2cf65
Author: David Benjamin <davidben@google.com>
Date: Tue Feb 23 17:43:36 2016 -0500
Enable upstream's Poly1305 code.
The C implementation is still our existing C implementation, but slightly
tweaked to fit with upstream's init/block/emits convention.
I've tested this by looking at code coverage in kcachegrind and
valgrind --tool=callgrind --dump-instr=yes --collect-jumps=yes
(NB: valgrind 3.11.0 is needed for AVX2. And even that only does 64-bit AVX2,
so we can't get coverage for the 32-bit code yet. But I had to disable that
anyway.)
This was paired with a hacked up version of poly1305_test that would repeat
tests with different ia32cap and armcap values. This isn't checked in, but we
badly need a story for testing all the different variants.
I'm not happy with upstream's code in either the C/asm boundary or how it
dispatches between different versions, but just debugging the code has been a
significant time investment. I'd hoped to extract the SIMD parts and do the
rest in C, but I think we need to focus on testing first (and use that to
guide what modifications would help). For now, this version seems to work at
least.
The x86 (not x86_64) AVX2 code needs to be disabled because it's broken. It
also seems pretty unnecessary.
https://rt.openssl.org/Ticket/Display.html?id=4346
Otherwise it seems to work and buys us a decent performance improvement.
Notably, my Nexus 6P is finally faster at ChaCha20-Poly1305 than my Nexus 4!
bssl speed numbers follow:
x86
---
Old:
Did 1554000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000536us (1553167.5 ops/sec): 24.9 MB/s
Did 136000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1003947us (135465.3 ops/sec): 182.9 MB/s
Did 30000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1022990us (29325.8 ops/sec): 240.2 MB/s
Did 1888000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000206us (1887611.2 ops/sec): 30.2 MB/s
Did 173000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1003036us (172476.4 ops/sec): 232.8 MB/s
Did 30000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1027759us (29189.7 ops/sec): 239.1 MB/s
New:
Did 2030000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000507us (2028971.3 ops/sec): 32.5 MB/s
Did 404000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1000287us (403884.1 ops/sec): 545.2 MB/s
Did 83000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1001258us (82895.7 ops/sec): 679.1 MB/s
Did 2018000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000006us (2017987.9 ops/sec): 32.3 MB/s
Did 360000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1001962us (359295.1 ops/sec): 485.0 MB/s
Did 85000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1002479us (84789.8 ops/sec): 694.6 MB/s
x86_64, no AVX2
---
Old:
Did 2023000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000258us (2022478.2 ops/sec): 32.4 MB/s
Did 466000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1002619us (464782.7 ops/sec): 627.5 MB/s
Did 90000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1001133us (89898.1 ops/sec): 736.4 MB/s
Did 2238000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000175us (2237608.4 ops/sec): 35.8 MB/s
Did 483000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1001348us (482349.8 ops/sec): 651.2 MB/s
Did 90000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1003141us (89718.2 ops/sec): 735.0 MB/s
New:
Did 2558000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000275us (2557296.7 ops/sec): 40.9 MB/s
Did 510000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1001810us (509078.6 ops/sec): 687.3 MB/s
Did 115000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1006457us (114262.2 ops/sec): 936.0 MB/s
Did 2818000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000187us (2817473.1 ops/sec): 45.1 MB/s
Did 418000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1001140us (417524.0 ops/sec): 563.7 MB/s
Did 91000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1002539us (90769.5 ops/sec): 743.6 MB/s
x86_64, AVX2
---
Old:
Did 2516000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000115us (2515710.7 ops/sec): 40.3 MB/s
Did 774000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1000300us (773767.9 ops/sec): 1044.6 MB/s
Did 171000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1004373us (170255.5 ops/sec): 1394.7 MB/s
Did 2580000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000144us (2579628.5 ops/sec): 41.3 MB/s
Did 769000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1000472us (768637.2 ops/sec): 1037.7 MB/s
Did 169000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1000320us (168945.9 ops/sec): 1384.0 MB/s
New:
Did 3240000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000114us (3239630.7 ops/sec): 51.8 MB/s
Did 932000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1000059us (931945.0 ops/sec): 1258.1 MB/s
Did 217000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1003282us (216290.1 ops/sec): 1771.8 MB/s
Did 3187000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000100us (3186681.3 ops/sec): 51.0 MB/s
Did 926000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1000071us (925934.3 ops/sec): 1250.0 MB/s
Did 215000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1000479us (214897.1 ops/sec): 1760.4 MB/s
arm, Nexus 4
---
Old:
Did 430248 ChaCha20-Poly1305 (16 bytes) seal operations in 1000153us (430182.2 ops/sec): 6.9 MB/s
Did 115250 ChaCha20-Poly1305 (1350 bytes) seal operations in 1000549us (115186.8 ops/sec): 155.5 MB/s
Did 27000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1030124us (26210.4 ops/sec): 214.7 MB/s
Did 451750 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000549us (451502.1 ops/sec): 7.2 MB/s
Did 118000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1001557us (117816.6 ops/sec): 159.1 MB/s
Did 27000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1024263us (26360.4 ops/sec): 215.9 MB/s
New:
Did 553644 ChaCha20-Poly1305 (16 bytes) seal operations in 1000183us (553542.7 ops/sec): 8.9 MB/s
Did 126000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1000396us (125950.1 ops/sec): 170.0 MB/s
Did 27000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1000336us (26990.9 ops/sec): 221.1 MB/s
Did 559000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1001465us (558182.3 ops/sec): 8.9 MB/s
Did 124000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1000824us (123897.9 ops/sec): 167.3 MB/s
Did 28000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1034854us (27057.0 ops/sec): 221.7 MB/s
aarch64, Nexus 6P
---
Old:
Did 358000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000358us (357871.9 ops/sec): 5.7 MB/s
Did 45000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1022386us (44014.7 ops/sec): 59.4 MB/s
Did 8657 ChaCha20-Poly1305 (8192 bytes) seal operations in 1063722us (8138.4 ops/sec): 66.7 MB/s
Did 350000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000074us (349974.1 ops/sec): 5.6 MB/s
Did 44000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1007907us (43654.8 ops/sec): 58.9 MB/s
Did 8525 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1042644us (8176.3 ops/sec): 67.0 MB/s
New:
Did 713000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000190us (712864.6 ops/sec): 11.4 MB/s
Did 180000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1004249us (179238.4 ops/sec): 242.0 MB/s
Did 41000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1005811us (40763.1 ops/sec): 333.9 MB/s
Did 775000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000719us (774443.2 ops/sec): 12.4 MB/s
Did 182000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1003529us (181360.0 ops/sec): 244.8 MB/s
Did 41000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1010576us (40570.9 ops/sec): 332.4 MB/s
Change-Id: Iaa4ab86ac1174b79833077963cc3616cfb08e686
Reviewed-on: https://boringssl-review.googlesource.com/7226
Reviewed-by: Adam Langley <agl@google.com>
commit a211aee545cb665b5099803e106656e4c3b788bf
Author: David Benjamin <davidben@google.com>
Date: Wed Feb 24 17:18:44 2016 -0500
Add SSL_CIPHER_has_SHA256_HMAC.
Change-Id: I05a8f5d1778aba1813fe4d34b4baa21849158218
Reviewed-on: https://boringssl-review.googlesource.com/7215
Reviewed-by: Adam Langley <agl@google.com>
commit e593fed3786e9e5dcfe5a1e43181dc91c8e3ff27
Author: David Benjamin <davidben@google.com>
Date: Thu Feb 25 11:39:59 2016 -0500
Rename opensslfeatures.h to opensslconf.h.
Some software #includes opensslconf.h which typically contains settings that we
put in opensslfeatures.h (a header name not in OpenSSL). Rename it to
opensslconf.h.
Change-Id: Icd21dde172e5e489ce90dd5c16ae4d2696909fb6
Reviewed-on: https://boringssl-review.googlesource.com/7216
Reviewed-by: Adam Langley <agl@google.com>
commit a473e554b412abf8415cc83487d146909ecb1e45
Author: David Benjamin <davidben@google.com>
Date: Thu Feb 25 12:04:37 2016 -0500
Add BIO_do_connect.
Some consumers of connect BIOs connect them explicitly, and we already have the
BIO_ctrl hooked up.
Change-Id: Ie6b14f8ceb272b560e2b534e0b6c32fae050475b
Reviewed-on: https://boringssl-review.googlesource.com/7217
Reviewed-by: Adam Langley <agl@google.com>
commit b4e3e694e80bf59bbdc202c9a626e6ecb272c9b1
Author: Brian Smith <brian@briansmith.org>
Date: Wed Feb 24 09:58:18 2016 -1000
Use correct counter after invoking stitched AES-NI GCM code.
Commit a3d9528e9e212e0dcda30dcb561092c3b3a69010 has a bug that could
cause counters to be reused if |$avx=2| were set in the AES-NI AES-GCM
assembly code, if the EVP interface were used with certain coding
patterns, as demonstrated by the test cases added in
a5ee83f67e83d4065d1aa40137e8dd8b1c83b3e5.
This changes the encryption code in the same way the decryption code
was changed in a3d9528e9e212e0dcda30dcb561092c3b3a69010.
This doesn't have any effect currently since the AES-NI AES-GCM code
has |$avx=0| now, so |aesni_gcm_encrypt| doesn't change the counter.
Change-Id: Iba69cb4d2043d1ea57c6538b398246af28cba006
Reviewed-on: https://boringssl-review.googlesource.com/7193
Reviewed-by: Adam Langley <agl@google.com>
commit 6234a7f3a706d2f863e949b4d360ff07faba9dbd
Author: David Benjamin <davidben@google.com>
Date: Tue Feb 23 18:39:10 2016 -0500
Switch poly1305-armv4.pl to named constants.
See https://rt.openssl.org/Ticket/Display.html?id=4341.
Change-Id: Ied39744dcf557e4267c7a84d6f95d78a691084e1
Reviewed-on: https://boringssl-review.googlesource.com/7225
Reviewed-by: Adam Langley <agl@google.com>
commit f28caea521aab668abf83629dc8116a518f53459
Author: David Benjamin <davidben@google.com>
Date: Tue Feb 23 16:25:40 2016 -0500
Check in pristine copies of upstream's poly1305 assembly.
Taken from 6b2ebe4332e22b4eb7dd6fadf418e3da7b926ca4. These don't do anything
right now but are checked in unmodified to make diffs easier to see.
Change-Id: I4f5bdb7b16f4ac27e7ef175f475540c481b8d593
Reviewed-on: https://boringssl-review.googlesource.com/7224
Reviewed-by: Adam Langley <agl@google.com>
commit 8ccc3c383a3dc9f3fee1974c08f4f93b3e38404e
Author: David Benjamin <davidben@google.com>
Date: Thu Feb 25 11:37:12 2016 -0500
Test poly1305 more aggressively.
OpenSSL upstream's SIMD assembly is rather complex. This pattern of update
calls should be sufficient to stress all the codepaths.
Change-Id: I50dea8351e4203b6b2cd9b23456eb4a592d31b5e
Reviewed-on: https://boringssl-review.googlesource.com/7223
Reviewed-by: Adam Langley <agl@google.com>
commit 3f81b607fee408fe8142442c6e654b0762d8f844
Author: Steven Valdez <svaldez@google.com>
Date: Thu Feb 25 13:43:49 2016 -0500
Fix missing ok=0 with cert verification.
Also avoid using "i" in X509_cert_verify as a loop counter, trust
outcome and as an error ordinal.
(Imported from upstream's a3baa171053547488475709c7197592c66e427cf)
Change-Id: I4b0b542ffacf7fa861c93c8124b334c0aacc3c17
Reviewed-on: https://boringssl-review.googlesource.com/7222
Reviewed-by: David Benjamin <davidben@google.com>
commit 06c5fb4512ecd9aeb74e7d438c257b9f606f67af
Author: David Benjamin <davidben@google.com>
Date: Thu Feb 25 20:23:24 2016 +0000
Revert "Fix missing ok=0 with cert verification."
This reverts commit b0576889fa4c86a8e9cb7e978e7160904fa2c5b4.
This broke x509_test.
Change-Id: Idbb60df9ca0a8ce727931f8e35e99bbd0f08c3c1
Reviewed-on: https://boringssl-review.googlesource.com/7221
Reviewed-by: David Benjamin <davidben@google.com>
commit fd26b7a015b4a5f372eff88c4cd981d34217cc45
Author: Steven Valdez <svaldez@google.com>
Date: Thu Feb 25 13:49:45 2016 -0500
If no comparison function is set, sk_sort is a NOP
(Imported from upstream's 402fb1896b2aab5cf887127bbce964554b9c8113)
Change-Id: I80c1f952085c8fc9062d3395f211a525151c404d
Reviewed-on: https://boringssl-review.googlesource.com/7219
Reviewed-by: David Benjamin <davidben@google.com>
commit b0576889fa4c86a8e9cb7e978e7160904fa2c5b4
Author: Steven Valdez <svaldez@google.com>
Date: Thu Feb 25 13:43:49 2016 -0500
Fix missing ok=0 with cert verification.
Also avoid using "i" in X509_cert_verify as a loop counter, trust
outcome and as an error ordinal.
(Imported from upstream's a3baa171053547488475709c7197592c66e427cf)
Change-Id: I492afdbaa5017bcf00a0412033cf99fca3fe9401
Reviewed-on: https://boringssl-review.googlesource.com/7218
Reviewed-by: David Benjamin <davidben@google.com>
commit e42da0e4b4a587f30ee5fbb65ce7bb5791a7a5be
Author: David Benjamin <davidben@google.com>
Date: Thu Feb 25 13:53:25 2016 -0500
Fix bssl rand -hex.
It emits NULs instead of c.
Change-Id: Id7f103eac049129dbf9a3e852454b22134ce3270
Reviewed-on: https://boringssl-review.googlesource.com/7220
Reviewed-by: Adam Langley <agl@google.com>
commit cd8d1761df85b460562237e50af3ee60a1b9856f
Author: Brian Smith <brian@briansmith.org>
Date: Sun Feb 14 10:12:05 2016 -1000
Move |bn_div_words| to crypto/bn/div.c and make it static.
It is only used by |bn_div_rem_words|.
Change-Id: I57627091d8db5890d7fea34d8560897717008646
Reviewed-on: https://boringssl-review.googlesource.com/7128
Reviewed-by: David Benjamin <davidben@google.com>
commit d1425f69df16310bdca46a3d66144dcb4e3ad4fc
Author: Brian Smith <brian@briansmith.org>
Date: Thu Feb 11 12:10:16 2016 -1000
Simplify division-with-remainder calculations in crypto/bn/div.c.
Create a |bn_div_rem_words| that is used for double-word/single-word
divisions and division-with-remainder. Remove all implementations of
|bn_div_words| except for the implementation needed for 64-bit MSVC.
This allows more code to be shared across platforms and also removes
an instance of the dangerous pattern wherein the |div_asm| macro
modified a variable that wasn't passed as a parameter.
Also, document the limitations of the compiler-generated code for the
non-asm code paths more fully. Compilers indeed have not improved in
this respect.
Change-Id: I5a36a2edd7465de406d47d72dcd6bf3e63e5c232
Reviewed-on: https://boringssl-review.googlesource.com/7127
Reviewed-by: David Benjamin <davidben@google.com>
commit 76c6381c21ef07b13371120dc0b938da64f51ca7
Author: Brian Smith <brian@briansmith.org>
Date: Sat Feb 13 16:46:11 2016 -1000
Return 0 on error in |EC_POINT_is_on_curve| instead of -1.
Callers of this function are not checking for the -1 result. Change
the semantics to match their expectations and to match the common
semantics of most other parts of BoringSSL.
Change-Id: I4ec537d7619e20e8ddfee80c72125e4c02cfaac1
Reviewed-on: https://boringssl-review.googlesource.com/7125
Reviewed-by: David Benjamin <davidben@google.com>
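The caller pitfall this commit describes, shown as an added C illustration that is not BoringSSL's EC code: a tri-state on-curve check over a toy curve (y^2 = x^3 + 7 over GF(17), chosen only for this example) whose callers test the result with `!`, beside the fixed convention in which both "off curve" and error return 0, so the same caller fails closed instead of treating -1 as success.

```c
#include <stdio.h>

/* Added illustration, not BoringSSL's EC code: a toy curve y^2 = x^3 + 7
 * over GF(17), with coordinates outside [0, 17) treated as a caller error. */
#define TOY_P 17

/* Legacy convention the commit moves away from: 1 = on curve, 0 = off
 * curve, -1 = error. */
int toy_is_on_curve_tristate(int x, int y) {
  if (x < 0 || x >= TOY_P || y < 0 || y >= TOY_P) {
    return -1;
  }
  int lhs = (y * y) % TOY_P;
  int rhs = (x * x * x + 7) % TOY_P;
  return lhs == rhs ? 1 : 0;
}

/* The caller pattern the commit describes: only zero counts as rejection,
 * so the -1 error path is accepted as if the point were valid. */
int tristate_caller_accepts(int x, int y) {
  if (!toy_is_on_curve_tristate(x, y)) {
    return 0;
  }
  return 1;  /* reached for 1 and also for -1 */
}

/* The commit's fix: collapse error into 0 so that the same `!` check
 * fails closed. */
int toy_is_on_curve(int x, int y) {
  return toy_is_on_curve_tristate(x, y) == 1;
}

int fixed_caller_accepts(int x, int y) {
  if (!toy_is_on_curve(x, y)) {
    return 0;
  }
  return 1;
}

int main(void) {
  printf("(1,5)  on curve : tristate caller %d, fixed caller %d\n",
         tristate_caller_accepts(1, 5), fixed_caller_accepts(1, 5));
  printf("(1,1)  off curve: tristate caller %d, fixed caller %d\n",
         tristate_caller_accepts(1, 1), fixed_caller_accepts(1, 1));
  printf("(20,5) error    : tristate caller %d, fixed caller %d\n",
         tristate_caller_accepts(20, 5), fixed_caller_accepts(20, 5));
  return 0;
}
```

The out-of-range point (20, 5) is the interesting row: the tri-state caller accepts it because `!(-1)` is false, while the 0/1 convention rejects it without any change to the caller.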
commit 0bc2349375212f79cc4a5996f86389d6250fde4f
Author: Brian Smith <brian@briansmith.org>
Date: Fri Feb 12 10:06:36 2016 -1000
Remove unused |ccm128_context| in crypto/modes/internal.h.
Note that this structure has a weak pointer to the key, which was a
problem corrected in the AES-GCM code in
0f8bfdeb3383749eecfefb17a36416e6b35fa10c. Also, it uses |void *|
instead of |const AES_KEY *| to refer to that key.
Change-Id: I70e632e3370ab27eb800bc1c0c64d2bd36b7cafb
Reviewed-on: https://boringssl-review.googlesource.com/7123
Reviewed-by: David Benjamin <davidben@google.com>
commit d8eea14443ab890b0a6d00a40d2dbf6d3bf79484
Author: Steven Valdez <svaldez@google.com>
Date: Wed Feb 24 14:00:22 2016 -0500
BIO_new_mem_buf should take const void *
BIO_FLAGS_MEM_RDONLY keeps the invariant.
(Imported from upstream's a38a159bfcbc94214dda00e0e6b1fc6454a23b78)
Change-Id: I4cb35615d76b77929915e370dbb7fec1455da069
Reviewed-on: https://boringssl-review.googlesource.com/7214
Reviewed-by: David Benjamin <davidben@google.com>
commit a5ee83f67e83d4065d1aa40137e8dd8b1c83b3e5
Author: Adam Langley <agl@google.com>
Date: Wed Feb 24 10:04:31 2016 -0800
Test different chunk sizes in cipher_test.
This change causes cipher_test to test the EVP cipher interfaces with
various chunk sizes and adds a couple of large tests of GCM. This is
sufficient to uncover the issue that would have been caused by a3d9528e,
had the AVX code been enabled.
Change-Id: I58d4924c0bcd11a0999c24a0fb77fc5eee71130f
Reviewed-on: https://boringssl-review.googlesource.com/7192
Reviewed-by: David Benjamin <davidben@google.com>
commit 5ec72de203ff52ff73648b0a3018e79dca830208
Author: Steven Valdez <svaldez@google.com>
Date: Wed Feb 24 12:16:32 2016 -0500
Add missing EC NULL Check
(imported from upstream's 2b80d00e3ac652377ace84c51b53f51a1b7e1ba2)
Change-Id: Iee5a8d85d276033b6ac8bc9ac87e157916a1a29a
Reviewed-on: https://boringssl-review.googlesource.com/7212
Reviewed-by: David Benjamin <davidben@google.com>
commit b9824e241746d70d985d1004078b5bad0ad9a75b
Author: Steven Valdez <svaldez@chromium.org>
Date: Wed Feb 24 10:47:52 2016 -0500
Handle SSL_shutdown while in init more appropriately
Calling SSL_shutdown while in init previously gave a "1" response,
meaning everything was successfully closed down (even though it
wasn't). Better is to send our close_notify, but fail when trying to
receive one.
The problem with doing a shutdown while in the middle of a handshake
is that once our close_notify is sent we shouldn't really do anything
else (including process handshake/CCS messages) until we've received a
close_notify back from the peer. However the peer might send a CCS
before acting on our close_notify - so we won't be able to read it
because we're not acting on CCS messages!
(Imported from upstream's f73c737c7ac908c5d6407c419769123392a3b0a9)
Change-Id: Iaad5c5e38983456d3697c955522a89919628024b
Reviewed-on: https://boringssl-review.googlesource.com/7207
Reviewed-by: David Benjamin <davidben@google.com>
commit e52d22d5f9dc439658746d25cb69702749ec3f67
Author: Steven Valdez <svaldez@chromium.org>
Date: Wed Feb 24 10:44:54 2016 -0500
Empty SNI names are not valid
(Imported from upstream's 4d6fe78f65be650c84e14777c90e7a088f7a44ce)
Change-Id: Id28e0d49da2490e454dcb8603ccb93a506dfafaf
Reviewed-on: https://boringssl-review.googlesource.com/7206
Reviewed-by: David Benjamin <davidben@google.com>
commit e412bbd9a15d812666291e38e194b71da6a2a062
Author: Steven Valdez <svaldez@chromium.org>
Date: Tue Feb 23 15:37:41 2016 -0500
Fix wildcard match on punycode/IDNA DNS names
- bugfix: should not treat '--' as invalid domain substring.
- '-' should not be the first letter of a domain
(Imported from upstream's 15debc128ac13420a4eec9b4a66d72f1dfd69126)
Change-Id: Ifd8ff7cef1aab69da5cade8ff8c76c3a723f3838
Reviewed-on: https://boringssl-review.googlesource.com/7205
Reviewed-by: David Benjamin <davidben@google.com>
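The hyphen rules this commit states, as an added C illustration (not OpenSSL's or BoringSSL's code): a DNS label validator that rejects a hyphen as the first character but accepts "--" inside a label, so IDNA A-labels such as xn--bcher-kva pass, wrapped in a label-by-label hostname-pattern check. The trailing-hyphen rule comes from RFC 1123, and the requirement that a wildcard be followed by at least two labels is an assumption of this example, not something the commit states.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not BoringSSL/OpenSSL code. Validate one DNS label as
 * used in hostname matching: 1..63 LDH characters (letters, digits, hyphen),
 * no leading hyphen (the commit's rule), no trailing hyphen (RFC 1123), and
 * "--" anywhere inside is fine because IDNA A-labels are spelled "xn--...". */
bool dns_label_valid(const char *label, size_t len) {
  if (len == 0 || len > 63) {
    return false;
  }
  if (label[0] == '-' || label[len - 1] == '-') {
    return false;
  }
  for (size_t i = 0; i < len; i++) {
    unsigned char c = (unsigned char)label[i];
    if (!isalnum(c) && c != '-') {
      return false;
    }
  }
  return true;
}

/* Validate a hostname or wildcard pattern label by label. A lone '*' is
 * accepted only as the leftmost label and must be followed by at least two
 * further labels (assumption of this example, not stated by the commit).
 * A trailing dot (absolute name) is tolerated. */
bool hostname_pattern_valid(const char *name) {
  size_t len = strlen(name);
  if (len > 0 && name[len - 1] == '.') {
    len--;
  }
  if (len == 0 || len > 253) {
    return false;
  }
  size_t start = 0;
  int labels = 0;
  for (size_t i = 0; i <= len; i++) {
    if (i == len || name[i] == '.') {
      size_t label_len = i - start;
      bool wildcard = (labels == 0 && label_len == 1 && name[start] == '*');
      if (!wildcard && !dns_label_valid(name + start, label_len)) {
        return false;
      }
      start = i + 1;
      labels++;
    }
  }
  if (name[0] == '*' && labels < 3) {
    return false;
  }
  return true;
}

int main(void) {
  /* Constructed sample names covering the cases the commit mentions. */
  const char *samples[] = {
      "xn--bcher-kva.example",    /* IDNA A-label: "--" is legal */
      "-leading.example.com",     /* hyphen as first letter: rejected */
      "*.xn--bcher-kva.example",  /* wildcard over an IDNA label */
      "*.example",                /* wildcard with only one label after it */
      "www.example.com.",         /* absolute name */
  };
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    printf("%-28s %s\n", samples[i],
           hostname_pattern_valid(samples[i]) ? "valid" : "invalid");
  }
  return 0;
}
```

A matcher built on this check would compare the pattern against the presented name only after both pass validation, so a malformed label is rejected before any wildcard comparison runs.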
commit 85003903fc58d8825e02162fd33a9b9c28fdec35
Author: David Benjamin <davidben@google.com>
Date: Tue Feb 23 18:04:15 2016 -0500
Remove CRYPTO_set_NEON_functional.
This depends on https://codereview.chromium.org/1730823002/. The bit was only
ever targeted to one (rather old) CPU. Disable NEON on it uniformly, so we
don't have to worry about whether any new NEON code breaks it.
BUG=589200
Change-Id: Icc7d17d634735aca5425fe0a765ec2fba3329326
Reviewed-on: https://boringssl-review.googlesource.com/7211
Reviewed-by: Adam Langley <agl@google.com>
commit 030d08513e7127a0fe8608fed9d75308e1df98b6
Author: David Benjamin <davidben@google.com>
Date: Tue Feb 23 16:43:54 2016 -0500
ymm registers are not suffixed with w.
This imports a fix to x86gas.pl from upstream's
a98c648e40ea5158c8ba29b5a70ccc239d426a20. It's needed to get poly1305-x86.pl
working.
Confirmed that this is a no-op for our current assembly files.
Change-Id: I28de1dbf421b29a06147d1aea3ff3659372a78b3
Reviewed-on: https://boringssl-review.googlesource.com/7210
Reviewed-by: Adam Langley <agl@google.com>
commit a3d9528e9e212e0dcda30dcb561092c3b3a69010
Author: Brian Smith <brian@briansmith.org>
Date: Wed Feb 17 18:59:19 2016 -1000
Unify AEAD and EVP code paths for AES-GCM.
This change makes the AEAD and EVP code paths use the same code for
AES-GCM. When AVX instructions are enabled in the assembly this will
allow them to use the stitched AES-GCM implementation.
Note that the stitched implementations are no-ops for small inputs
(smaller than 288 bytes for encryption; smaller than 96 bytes for
decryption). This means that only a handful of test cases with longish
inputs actually test the stitched code.
Change-Id: Iece8003d90448dcac9e0bde1f42ff102ebe1a1c9
Reviewed-on: https://boringssl-review.googlesource.com/7173
Reviewed-by: Adam Langley <agl@google.com>
commit 3dbecdf6f422fe6112533bef95be41caedb80583
Author: David Benjamin <davidben@google.com>
Date: Tue Feb 23 17:44:12 2016 -0500
Append to CMAKE_ASM_FLAGS rather than replace it.
Otherwise we clobber things like -m32.
Change-Id: I9457e4b50dc3063643c31d19c7935276b8a312a1
Reviewed-on: https://boringssl-review.googlesource.com/7209
Reviewed-by: Adam Langley <agl@google.com>
commit 65f83b64d92a17b999d7db711628ee0a9a74e9d6
Author: David Benjamin <davidben@google.com>
Date: Thu Feb 18 13:44:25 2016 -0500
Set --noexecstack for assembly files in the standalone build.
See also upstream's 2966c2ec31e81187da3fbbe1499a6aa3acfd355f.
Change-Id: Iad0a0f11accb4fa2bd93667239dd7462f9fdbd7f
Reviewed-on: https://boringssl-review.googlesource.com/7180
Reviewed-by: Adam Langley <agl@google.com>
commit 35be6880788d90bc2a93de5295391b001a8a6a46
Author: David Benjamin <davidben@google.com>
Date: Fri Feb 19 18:47:22 2016 -0500
Enable upstream's ChaCha20 assembly for x86 and ARM (32- and 64-bit).
This removes chacha_vec_arm.S and chacha_vec.c in favor of unifying on
upstream's code. Upstream's is faster and this cuts down on the number of
distinct codepaths. Our old scheme also didn't give vectorized code on
Windows or aarch64.
BoringSSL-specific modifications made to the assembly:
- As usual, the shelling out to $CC is replaced with hardcoding $avx. I've
tested up to the AVX2 codepath, so enable it all.
- I've removed the AMD XOP code as I have not tested it.
- As usual, the ARM file needs the arm_arch.h include tweaked.
Speed numbers follow. We can hope for further wins on these benchmarks after
importing the Poly1305 assembly.
x86
---
Old:
Did 1422000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000433us (1421384.5 ops/sec): 22.7 MB/s
Did 123000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1003803us (122534.0 ops/sec): 165.4 MB/s
Did 22000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1000282us (21993.8 ops/sec): 180.2 MB/s
Did 1428000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000214us (1427694.5 ops/sec): 22.8 MB/s
Did 124000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1006332us (123219.8 ops/sec): 166.3 MB/s
Did 22000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1020771us (21552.3 ops/sec): 176.6 MB/s
New:
Did 1520000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000567us (1519138.6 ops/sec): 24.3 MB/s
Did 152000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1004216us (151361.9 ops/sec): 204.3 MB/s
Did 31000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1009085us (30720.9 ops/sec): 251.7 MB/s
Did 1797000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000141us (1796746.7 ops/sec): 28.7 MB/s
Did 171000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1003204us (170453.9 ops/sec): 230.1 MB/s
Did 31000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1005349us (30835.1 ops/sec): 252.6 MB/s
x86_64, no AVX2
---
Old:
Did 1782000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000204us (1781636.5 ops/sec): 28.5 MB/s
Did 317000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1001579us (316500.2 ops/sec): 427.3 MB/s
Did 62000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1012146us (61256.0 ops/sec): 501.8 MB/s
Did 1778000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000220us (1777608.9 ops/sec): 28.4 MB/s
Did 315000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1002886us (314093.5 ops/sec): 424.0 MB/s
Did 71000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1014606us (69977.9 ops/sec): 573.3 MB/s
New:
Did 1866000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000019us (1865964.5 ops/sec): 29.9 MB/s
Did 399000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1001017us (398594.6 ops/sec): 538.1 MB/s
Did 84000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1005645us (83528.5 ops/sec): 684.3 MB/s
Did 1881000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000325us (1880388.9 ops/sec): 30.1 MB/s
Did 404000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1000004us (403998.4 ops/sec): 545.4 MB/s
Did 85000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1010048us (84154.4 ops/sec): 689.4 MB/s
x86_64, AVX2
---
Old:
Did 2375000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000282us (2374330.4 ops/sec): 38.0 MB/s
Did 448000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1001865us (447166.0 ops/sec): 603.7 MB/s
Did 88000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1005217us (87543.3 ops/sec): 717.2 MB/s
Did 2409000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000188us (2408547.2 ops/sec): 38.5 MB/s
Did 446000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1001003us (445553.1 ops/sec): 601.5 MB/s
Did 90000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1006722us (89399.1 ops/sec): 732.4 MB/s
New:
Did 2622000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000266us (2621302.7 ops/sec): 41.9 MB/s
Did 794000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1000783us (793378.8 ops/sec): 1071.1 MB/s
Did 173000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1000176us (172969.6 ops/sec): 1417.0 MB/s
Did 2623000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000330us (2622134.7 ops/sec): 42.0 MB/s
Did 783000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1000531us (782584.4 ops/sec): 1056.5 MB/s
Did 174000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1000840us (173854.0 ops/sec): 1424.2 MB/s
arm, Nexus 4
---
Old:
Did 388550 ChaCha20-Poly1305 (16 bytes) seal operations in 1000580us (388324.8 ops/sec): 6.2 MB/s
Did 90000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1003816us (89657.9 ops/sec): 121.0 MB/s
Did 19000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1045750us (18168.8 ops/sec): 148.8 MB/s
Did 398500 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000305us (398378.5 ops/sec): 6.4 MB/s
Did 90500 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1000305us (90472.4 ops/sec): 122.1 MB/s
Did 19000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1043278us (18211.8 ops/sec): 149.2 MB/s
New:
Did 424788 ChaCha20-Poly1305 (16 bytes) seal operations in 1000641us (424515.9 ops/sec): 6.8 MB/s
Did 115000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1001526us (114824.8 ops/sec): 155.0 MB/s
Did 27000 ChaCha20-Poly1305 (8192 bytes) seal operations in 1033023us (26136.9 ops/sec): 214.1 MB/s
Did 447750 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000549us (447504.3 ops/sec): 7.2 MB/s
Did 117500 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1001923us (117274.5 ops/sec): 158.3 MB/s
Did 27000 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1025118us (26338.4 ops/sec): 215.8 MB/s
aarch64, Nexus 6p
(Note we didn't have aarch64 assembly before at all, and still don't have it
for Poly1305. Hopefully once that's added this will be faster than the arm
numbers...)
---
Old:
Did 145040 ChaCha20-Poly1305 (16 bytes) seal operations in 1003065us (144596.8 ops/sec): 2.3 MB/s
Did 14000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1042605us (13427.9 ops/sec): 18.1 MB/s
Did 2618 ChaCha20-Poly1305 (8192 bytes) seal operations in 1093241us (2394.7 ops/sec): 19.6 MB/s
Did 148000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000709us (147895.1 ops/sec): 2.4 MB/s
Did 14000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1047294us (13367.8 ops/sec): 18.0 MB/s
Did 2607 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1090745us (2390.1 ops/sec): 19.6 MB/s
New:
Did 358000 ChaCha20-Poly1305 (16 bytes) seal operations in 1000769us (357724.9 ops/sec): 5.7 MB/s
Did 45000 ChaCha20-Poly1305 (1350 bytes) seal operations in 1021267us (44062.9 ops/sec): 59.5 MB/s
Did 8591 ChaCha20-Poly1305 (8192 bytes) seal operations in 1047136us (8204.3 ops/sec): 67.2 MB/s
Did 343000 ChaCha20-Poly1305-Old (16 bytes) seal operations in 1000489us (342832.4 ops/sec): 5.5 MB/s
Did 44000 ChaCha20-Poly1305-Old (1350 bytes) seal operations in 1008326us (43636.7 ops/sec): 58.9 MB/s
Did 8866 ChaCha20-Poly1305-Old (8192 bytes) seal operations in 1083341us (8183.9 ops/sec): 67.0 MB/s
Change-Id: I629fe195d072f2c99e8f947578fad6d70823c4c8
Reviewed-on: https://boringssl-review.googlesource.com/7202
Reviewed-by: Adam Langley <agl@google.com>
commit 0182ecd346add6019e6559ea6f6e515b54c1d78f
Author: David Benjamin <davidben@google.com>
Date: Tue Feb 23 11:20:09 2016 -0500
Consistently use named constants in ARM assembly files.
Most of the OPENSSL_armcap_P accesses in assembly use named constants from
arm_arch.h, but some don't. Consistently use the constants. The dispatch really
should be in C, but in the meantime, make it easier to tell what's going on.
I'll send this patch upstream so we won't be carrying a diff here.
Change-Id: I63c68d2351ea5ce11005813314988e32b6459526
Reviewed-on: https://boringssl-review.googlesource.com/7203
Reviewed-by: Adam Langley <agl@google.com>
commit 295960044bc34fa8aeb01cbed64269330fd0cef6
Author: David Benjamin <davidben@google.com>
Date: Mon Feb 22 17:32:18 2016 -0500
Fix chacha-armv4.pl.
Patch taken from https://rt.openssl.org/Ticket/Display.html?id=4323.
Change-Id: Icbaf8f9a0f92da48f213b251b0afa4b0d5aa627d
Reviewed-on: https://boringssl-review.googlesource.com/7201
Reviewed-by: Adam Langley <agl@google.com>
commit ea4d6863c7d54c96bdd3a7c1a84062c501ea1494
Author: David Benjamin <davidben@google.com>
Date: Fri Feb 19 18:32:47 2016 -0500
Check in pristine copies of OpenSSL's chacha-{arm*,x86}.pl.
They won't be used as-is. This is just to make the diffs easier to see. Taken
from upstream's 4f16039efe3589aa4d63a6f1fab799d0cd9338ca.
Change-Id: I34d8be409f9c8f15b8a6da4b2d98ba3e60aa2210
Reviewed-on: https://boringssl-review.googlesource.com/7200
Reviewed-by: Adam Langley <agl@google.com>
commit b104517f1dd54e7b269ff12fac8842340bf6614b
Author: Adam Langley <agl@google.com>
Date: Mon Feb 22 11:48:18 2016 -0800
Add some bug references to the LICENSE file.
Add references for some cases where we have explicit permission from
authors to use their work. This is just to make things easy for us to
find.
Change-Id: I47dacc6a80f9d0c960c5b6713a8dc25e1a4e6f0b
Reviewed-on: https://boringssl-review.googlesource.com/7191
Reviewed-by: David Benjamin <davidben@google.com>
commit 65dcfc7f9b2ae147cf817ecad22dfcab89230d5e
Author: Adam Langley <agl@google.com>
Date: Mon Feb 22 09:16:57 2016 -0800
Remove CP_UTF8 code for Windows filenames.
Thanks to Gisle Vanem for pointing out that this code was broken and
could never have compiled. Since it has never worked, and thus has never
been used, remove it.
Change-Id: Ic274eaf187928765a809690eda8d790b79f939a5
Reviewed-on: https://boringssl-review.googlesource.com/7190
Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'crypto/cipher/aead_test.cc')
-rw-r--r-- crypto/cipher/aead_test.cc | 172
1 file changed, 140 insertions, 32 deletions
diff --git a/crypto/cipher/aead_test.cc b/crypto/cipher/aead_test.cc index 79d7110d..8bad93f5 100644 --- a/crypto/cipher/aead_test.cc +++ b/crypto/cipher/aead_test.cc 
@@ -192,37 +192,139 @@ static int TestCleanupAfterInitFailure(const EVP_AEAD *aead) { return 1; } -struct AEADName { +static bool TestWithAliasedBuffers(const EVP_AEAD *aead) { + const size_t key_len = EVP_AEAD_key_length(aead); + const size_t nonce_len = EVP_AEAD_nonce_length(aead); + const size_t max_overhead = EVP_AEAD_max_overhead(aead); + + std::vector<uint8_t> key(key_len, 'a'); + ScopedEVP_AEAD_CTX ctx; + if (!EVP_AEAD_CTX_init(ctx.get(), aead, key.data(), key_len, + EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr)) { + return false; + } + + static const uint8_t kPlaintext[260] = + "testing123456testing123456testing123456testing123456testing123456testing" + "123456testing123456testing123456testing123456testing123456testing123456t" + "esting123456testing123456testing123456testing123456testing123456testing1" + "23456testing123456testing123456testing12345"; + const std::vector<size_t> offsets = { + 0, 1, 2, 8, 15, 16, 17, 31, 32, 33, 63, + 64, 65, 95, 96, 97, 127, 128, 129, 255, 256, 257, + }; + + std::vector<uint8_t> nonce(nonce_len, 'b'); + std::vector<uint8_t> valid_encryption(sizeof(kPlaintext) + max_overhead); + size_t valid_encryption_len; + if (!EVP_AEAD_CTX_seal( + ctx.get(), valid_encryption.data(), &valid_encryption_len, + sizeof(kPlaintext) + max_overhead, nonce.data(), nonce_len, + kPlaintext, sizeof(kPlaintext), nullptr, 0)) { + fprintf(stderr, "EVP_AEAD_CTX_seal failed with disjoint buffers.\n"); + return false; + } + + // Test with out != in which we expect to fail. 
+ std::vector<uint8_t> buffer(2 + valid_encryption_len); + uint8_t *in = buffer.data() + 1; + uint8_t *out1 = buffer.data(); + uint8_t *out2 = buffer.data() + 2; + + memcpy(in, kPlaintext, sizeof(kPlaintext)); + size_t out_len; + if (EVP_AEAD_CTX_seal(ctx.get(), out1, &out_len, + sizeof(kPlaintext) + max_overhead, nonce.data(), + nonce_len, in, sizeof(kPlaintext), nullptr, 0) || + EVP_AEAD_CTX_seal(ctx.get(), out2, &out_len, + sizeof(kPlaintext) + max_overhead, nonce.data(), + nonce_len, in, sizeof(kPlaintext), nullptr, 0)) { + fprintf(stderr, "EVP_AEAD_CTX_seal unexpectedly succeeded.\n"); + return false; + } + ERR_clear_error(); + + memcpy(in, valid_encryption.data(), valid_encryption_len); + if (EVP_AEAD_CTX_open(ctx.get(), out1, &out_len, valid_encryption_len, + nonce.data(), nonce_len, in, valid_encryption_len, + nullptr, 0) || + EVP_AEAD_CTX_open(ctx.get(), out2, &out_len, valid_encryption_len, + nonce.data(), nonce_len, in, valid_encryption_len, + nullptr, 0)) { + fprintf(stderr, "EVP_AEAD_CTX_open unexpectedly succeeded.\n"); + return false; + } + ERR_clear_error(); + + // Test with out == in, which we expect to work. 
+ memcpy(in, kPlaintext, sizeof(kPlaintext)); + + if (!EVP_AEAD_CTX_seal(ctx.get(), in, &out_len, + sizeof(kPlaintext) + max_overhead, nonce.data(), + nonce_len, in, sizeof(kPlaintext), nullptr, 0)) { + fprintf(stderr, "EVP_AEAD_CTX_seal failed in-place.\n"); + return false; + } + + if (out_len != valid_encryption_len || + memcmp(in, valid_encryption.data(), out_len) != 0) { + fprintf(stderr, "EVP_AEAD_CTX_seal produced bad output in-place.\n"); + return false; + } + + memcpy(in, valid_encryption.data(), valid_encryption_len); + if (!EVP_AEAD_CTX_open(ctx.get(), in, &out_len, valid_encryption_len, + nonce.data(), nonce_len, in, valid_encryption_len, + nullptr, 0)) { + fprintf(stderr, "EVP_AEAD_CTX_open failed in-place.\n"); + return false; + } + + if (out_len != sizeof(kPlaintext) || + memcmp(in, kPlaintext, out_len) != 0) { + fprintf(stderr, "EVP_AEAD_CTX_open produced bad output in-place.\n"); + return false; + } + + return true; +} + +struct KnownAEAD { const char name[40]; const EVP_AEAD *(*func)(void); + // limited_implementation indicates that tests that assume a generic AEAD + // interface should not be performed. For example, the key-wrap AEADs only + // handle inputs that are a multiple of eight bytes in length and the + // SSLv3/TLS AEADs have the concept of “direction”. 
+ bool limited_implementation; }; -static const struct AEADName kAEADs[] = { - { "aes-128-gcm", EVP_aead_aes_128_gcm }, - { "aes-256-gcm", EVP_aead_aes_256_gcm }, - { "chacha20-poly1305", EVP_aead_chacha20_poly1305 }, - { "chacha20-poly1305-old", EVP_aead_chacha20_poly1305_old }, - { "rc4-md5-tls", EVP_aead_rc4_md5_tls }, - { "rc4-sha1-tls", EVP_aead_rc4_sha1_tls }, - { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls }, - { "aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv }, - { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls }, - { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls }, - { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv }, - { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls }, - { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls }, - { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls }, - { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv }, - { "rc4-md5-ssl3", EVP_aead_rc4_md5_ssl3 }, - { "rc4-sha1-ssl3", EVP_aead_rc4_sha1_ssl3 }, - { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3 }, - { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3 }, - { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3 }, - { "aes-128-key-wrap", EVP_aead_aes_128_key_wrap }, - { "aes-256-key-wrap", EVP_aead_aes_256_key_wrap }, - { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256 }, - { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256 }, - { "", NULL }, +static const struct KnownAEAD kAEADs[] = { + { "aes-128-gcm", EVP_aead_aes_128_gcm, false }, + { "aes-256-gcm", EVP_aead_aes_256_gcm, false }, + { "chacha20-poly1305", EVP_aead_chacha20_poly1305, false }, + { "chacha20-poly1305-old", EVP_aead_chacha20_poly1305_old, false }, + { "rc4-md5-tls", EVP_aead_rc4_md5_tls, true }, + { "rc4-sha1-tls", EVP_aead_rc4_sha1_tls, true }, + { "aes-128-cbc-sha1-tls", EVP_aead_aes_128_cbc_sha1_tls, true }, + { 
"aes-128-cbc-sha1-tls-implicit-iv", EVP_aead_aes_128_cbc_sha1_tls_implicit_iv, true }, + { "aes-128-cbc-sha256-tls", EVP_aead_aes_128_cbc_sha256_tls, true }, + { "aes-256-cbc-sha1-tls", EVP_aead_aes_256_cbc_sha1_tls, true }, + { "aes-256-cbc-sha1-tls-implicit-iv", EVP_aead_aes_256_cbc_sha1_tls_implicit_iv, true }, + { "aes-256-cbc-sha256-tls", EVP_aead_aes_256_cbc_sha256_tls, true }, + { "aes-256-cbc-sha384-tls", EVP_aead_aes_256_cbc_sha384_tls, true }, + { "des-ede3-cbc-sha1-tls", EVP_aead_des_ede3_cbc_sha1_tls, true }, + { "des-ede3-cbc-sha1-tls-implicit-iv", EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv, true }, + { "rc4-md5-ssl3", EVP_aead_rc4_md5_ssl3, true }, + { "rc4-sha1-ssl3", EVP_aead_rc4_sha1_ssl3, true }, + { "aes-128-cbc-sha1-ssl3", EVP_aead_aes_128_cbc_sha1_ssl3, true }, + { "aes-256-cbc-sha1-ssl3", EVP_aead_aes_256_cbc_sha1_ssl3, true }, + { "des-ede3-cbc-sha1-ssl3", EVP_aead_des_ede3_cbc_sha1_ssl3, true }, + { "aes-128-key-wrap", EVP_aead_aes_128_key_wrap, true }, + { "aes-256-key-wrap", EVP_aead_aes_256_key_wrap, true }, + { "aes-128-ctr-hmac-sha256", EVP_aead_aes_128_ctr_hmac_sha256, false }, + { "aes-256-ctr-hmac-sha256", EVP_aead_aes_256_ctr_hmac_sha256, false }, + { "", NULL, false }, }; int main(int argc, char **argv) { 
@@ -233,22 +335,28 @@ int main(int argc, char **argv) { return 1; } - const EVP_AEAD *aead; + const struct KnownAEAD *known_aead; for (unsigned i = 0;; i++) { - const struct AEADName &aead_name = kAEADs[i]; - if (aead_name.func == NULL) { + known_aead = &kAEADs[i]; + if (known_aead->func == NULL) { fprintf(stderr, "Unknown AEAD: %s\n", argv[1]); return 2; } - if (strcmp(aead_name.name, argv[1]) == 0) { - aead = aead_name.func(); + if (strcmp(known_aead->name, argv[1]) == 0) { break; } } + const EVP_AEAD *const aead = known_aead->func(); + if (!TestCleanupAfterInitFailure(aead)) { return 1; } + if (!known_aead->limited_implementation && !TestWithAliasedBuffers(aead)) { + fprintf(stderr, "Aliased buffers test failed for %s.\n", known_aead->name); + return 1; + } + return FileTestMain(TestAEAD, const_cast<EVP_AEAD*>(aead), argv[2]); } |
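Review bot: In the first hunk (TestWithAliasedBuffers, `@@ -192,37 +192,139 @@`), the `offsets` vector (`0, 1, 2, 8, 15, 16, 17, 31, ... 255, 256, 257`) is declared but never read; the overlap checks only exercise the three fixed pointers `in = buffer.data() + 1`, `out1 = buffer.data()` and `out2 = buffer.data() + 2`. Either loop over `offsets` (sizing `buffer` from the largest offset plus `valid_encryption_len`, and passing a `max_out_len` equal to the bytes actually left after each `out` pointer rather than the fixed `sizeof(kPlaintext) + max_overhead`, which only matches the buffer when the tag uses the full `max_overhead`) or drop the vector so it does not read as coverage that is not there. The comment `// Test with out != in which we expect to fail.` also undersells the case: the disjoint seal into `valid_encryption` has `out != in` too and is expected to succeed; say "partially overlapping" so the next reader knows the one-byte offsets are the point.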
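Review bot: In the main() hunk (`@@ -233,22 +335,28 @@`), the `!known_aead->limited_implementation && !TestWithAliasedBuffers(aead)` condition skips the aliased-buffers test silently for every TLS/SSLv3 legacy and key-wrap entry; consider an `else` branch that prints a one-line "skipping aliased buffers test for %s" notice, so a run against e.g. `aes-128-key-wrap` is not mistaken for aliasing coverage (the 260-byte `kPlaintext` is not a multiple of eight, which is the reason the struct comment gives for the key-wrap AEADs not taking the generic tests). Minor style point: `known_aead` is declared uninitialized and only assigned inside the lookup loop; initializing it to `nullptr` at the declaration makes the intent clearer and keeps the sentinel check as the only path that can leave it pointing at the `{ "", NULL, false }` entry.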