Commit Graph

2902 Commits

Author SHA1 Message Date
Adam Langley
09feb0f3d9 Move C++ helpers into |bssl| namespace.
We currently have the situation where the |tool| and |bssl_shim| code
includes scoped_types.h from crypto/test and ssl/test. That's weird and
shouldn't happen. Also, our C++ consumers might quite like to have
access to the scoped types.

Thus this change moves some of the template code to base.h and puts it
all in a |bssl| namespace to prepare for scattering these types into
their respective headers. In order that all the existing test code be
able to access these types, it's all moved into the same namespace.

Change-Id: I3207e29474dc5fcc344ace43119df26dae04eabb
Reviewed-on: https://boringssl-review.googlesource.com/8730
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 23:04:52 +00:00
David Benjamin
09eb655e5c Simplify ssl_get_message somewhat.
It still places the current message all over the place, but remove the
bizarre init_num/error/ok split. Now callers get the message length out
of init_num, which mirrors init_msg. Also fix some signedness.

Change-Id: Ic2e97b6b99e234926504ff217b8aedae85ba6596
Reviewed-on: https://boringssl-review.googlesource.com/8690
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 23:01:32 +00:00
David Benjamin
528bd26dd9 Don't use init_buf in DTLS.
This machinery is so different between TLS and DTLS that there is no
sense in having them share structures. This switches us to maintaining
the full reassembled message in hm_fragment and get_message just lets
the caller read out of that when ready.

This removes the last direct handshake dependency on init_buf,
ssl3_hash_message.

Change-Id: I4eccfb6e6021116255daead5359a0aa3f4d5be7b
Reviewed-on: https://boringssl-review.googlesource.com/8667
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 23:01:11 +00:00
Adam Langley
df759b5a57 Allow CECPQ1 cipher suites to do False Start.
Since they include an ECDHE exchange in them, they are equally-well
suited to False Start.

Change-Id: I75d31493a614a78ccbf337574c359271831d654d
Reviewed-on: https://boringssl-review.googlesource.com/8732
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 22:55:31 +00:00
David Benjamin
4748944644 Reorder functions in bn_test.
We usually put main at the end. There's now nothing interesting in the
function, so avoid having to declare every test at the top.

Change-Id: Iac469f41f0fb7d1f58d12dfbf651bf0d39f073d0
Reviewed-on: https://boringssl-review.googlesource.com/8712
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 21:58:03 +00:00
David Benjamin
ffb7adccc7 Convert BN_mod_sqrt tests to bn_tests.txt.
That removes the last of the bc stuff.

BUG=31

Change-Id: If64c974b75c36daf14c46f07b0d9355b7cd0adcb
Reviewed-on: https://boringssl-review.googlesource.com/8711
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 21:57:04 +00:00
Adam Langley
61367eedfe Set variables to avoid false-positive compiler warnings.
../tool/transport_common.cc:429:14: error: ‘code_250’ may be used uninitialized in this function [-Werror=maybe-uninitialized]

(I don't believe it can actually happen though.)

Change-Id: I78d19ad42ed4c05404f1d8d3e8f254ede3244b8d
2016-07-11 12:24:55 -07:00
Adam Langley
403c52aa94 Support “-starttls smtp” in bssl client
This change adds support for doing an SMTP STARTTLS dance before a TLS
handshake when using the tool. This is useful for poking at SMTP
servers.

Change-Id: I04cd60d02d3377cce83e412d62e3257235a19116
Reviewed-on: https://boringssl-review.googlesource.com/8662
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 18:45:01 +00:00
Adam Langley
abe22b605f BUILD: drop -fvisibility=hidden.
Since Bazel doesn't have a shared vs static concept that's exposed to
the build rules (as far as I know) symbol visibility would mean that the
symbols might be exposed when building a larger library. That could be
fixed with a linker script, but this change appears to be slightly more
useful for our consumers.

(Also, if we're going to set -fvisibility=hidden, we should also have set
the defines needed to include the visibility annotations.)

Change-Id: Ic7d64a553da48cfb9cf5460d26254de7e105fd65
Reviewed-on: https://boringssl-review.googlesource.com/8664
Reviewed-by: Adam Langley <agl@google.com>
2016-07-11 18:32:05 +00:00
David Benjamin
7a4b404da5 Remove SSL_get_server_key_exchange_hash.
Chromium no longer uses it.

Change-Id: I50cc55bad4124305686d299032a2e8ed2cb9d0d7
Reviewed-on: https://boringssl-review.googlesource.com/8691
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 18:28:28 +00:00
David Benjamin
397c8e6fb6 Forbid renegotiation in TLS 1.3.
Change-Id: I1b34acbbb5528e7e31595ee0cbce7618890f3955
Reviewed-on: https://boringssl-review.googlesource.com/8669
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 18:26:27 +00:00
David Benjamin
71dd6660e8 Test that stray HelloRequests during the handshake are ignored.
Change-Id: I79e21ffce9c2d7f47b055b75bd00b80aafa8b8f0
Reviewed-on: https://boringssl-review.googlesource.com/8668
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 18:25:32 +00:00
David Benjamin
97718f1437 Move references to init_buf into SSL_PROTOCOL_METHOD.
Both DTLS and TLS still use it, but that will change in the following
commit. This also removes the handshake's knowledge of the
dtls_clear_incoming_messages function.

(It's possible we'll want to get rid of begin_handshake in favor of
allocating it lazily depending on how TLS 1.3 post-handshake messages
end up working out. But this should work for now.)

Change-Id: I0f512788bbc330ab2c947890939c73e0a1aca18b
Reviewed-on: https://boringssl-review.googlesource.com/8666
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 18:20:33 +00:00
David Benjamin
a2c42d7685 Rename (s3,d1)_meth.c.
These are where the DTLS- and TLS-specific transport layer hooks will be
defined. Later we can probably move much of the implementations of these
hooks into these files so those functions can be static.

While I'm here, fix up the naming of some constants.

Change-Id: I1009dd9fdc3cc4fd49fbff0802f6289931abec3d
Reviewed-on: https://boringssl-review.googlesource.com/8665
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-11 17:22:35 +00:00
Alessandro Ghedini
0d099f0f1b Define RAND_cleanup in one place only
Change-Id: I439e275394c2ad686924f4e7dfc99cfdc7bb14b9
Reviewed-on: https://boringssl-review.googlesource.com/8682
Reviewed-by: Adam Langley <agl@google.com>
2016-07-11 17:02:45 +00:00
Nick Harper
85f20c2263 Implement downgrade signaling in Go.
[Originally written by nharper, revised by davidben.]

When we add this in the real code, this will want ample tests and hooks
for bugs, but get the core logic in to start with.

Change-Id: I86cf0b6416c9077dbb6471a1802ae984b8fa6c72
Reviewed-on: https://boringssl-review.googlesource.com/8598
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 23:51:29 +00:00
David Benjamin
4dbdf94c67 Push V2ClientHello handling into ssl3_get_message.
V2ClientHello is going to be ugly wherever we do it, but this hides it
behind the transport method table. It removes a place where the
handshake state machine reaches into ssl3_get_message's internal state.
ssl3_get_message will now silently translate V2ClientHellos into true
ClientHellos and manage the handshake hash appropriately.

Now the only accesses of init_buf from the handshake state machines are
to create and destroy the buffer.

Change-Id: I81467a038f6ac472a465eec7486a443fe50a98e1
Reviewed-on: https://boringssl-review.googlesource.com/8641
Reviewed-by: Adam Langley <agl@google.com>
2016-07-07 23:51:25 +00:00
David Benjamin
f25dda98bd Split readClientHello in two.
TLS 1.3 will use a different function from processClientHello.

Change-Id: I8b26a601cf553834b508feab051927d5986091ca
Reviewed-on: https://boringssl-review.googlesource.com/8597
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 23:50:56 +00:00
David Benjamin
7d79f831c7 Pull Go TLS server extension logic into its own function.
As with the client, the logic around extensions in 1.3 will want to be
tweaked. readClientHello will probably shrink a bit. (We could probably
stuff 1.3 into the existing parameter negotiation logic, but I expect
it'll get a bit unwieldy once HelloRetryRequest, PSK resumption, and
0-RTT get in there, so I think it's best we leave them separate.)

Change-Id: Id8c323a06a1def6857a59accd9f87fb0b088385a
Reviewed-on: https://boringssl-review.googlesource.com/8596
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 23:50:25 +00:00
David Benjamin
44b33bc92d Implement OCSP stapling and SCT in Go TLS 1.3.
While the random connection property extensions like ALPN and SRTP
remain largely unchanged in TLS 1.3 (but for interaction with 0-RTT),
authentication-related extensions change significantly and need
dedicated logic.

Change-Id: I2588935c2563a22e9879fb81478b8df5168b43de
Reviewed-on: https://boringssl-review.googlesource.com/8602
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 23:49:46 +00:00
David Benjamin
82261be65c Improve CCS/Handshake synchronization tests.
Test with and without PackHandshakeFlight enabled to cover when the
early post-CCS fragment will get packed into one of the pre-CCS
handshake records. Also test the resumption cases too to cover more
state transitions.

The various CCS-related tests (since CCS is kind of a mess) are pulled
into their own group.

Change-Id: I6384f2fb28d9885cd2b06d59e765e080e3822d8a
Reviewed-on: https://boringssl-review.googlesource.com/8661
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 23:46:17 +00:00
Nick Harper
b41d2e41b1 Implement basic TLS 1.3 client handshake in Go.
[Originally written by nharper and then revised by davidben.]

Most features are missing, but it works for a start. To avoid breaking
the fake TLS 1.3 tests while the C code is still not landed, all the
logic is gated on a global boolean. When the C code gets in, we'll
set it to true and remove this boolean.

Change-Id: I6b3a369890864c26203fc9cda37c8250024ce91b
Reviewed-on: https://boringssl-review.googlesource.com/8601
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 23:28:27 +00:00
David Benjamin
582ba04dce Add tests for packed handshake records in TLS.
I'm surprised we'd never tested this. In addition to splitting handshake
records up, one may pack multiple handshakes into a single record, as
they fit. Generalize the DTLS handshake flush hook to do this in TLS as
well.

Change-Id: Ia546d18c7c56ba45e50f489c5b53e1fcd6404f51
Reviewed-on: https://boringssl-review.googlesource.com/8650
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 23:23:20 +00:00
David Benjamin
751014066c Move Go server extension logic to a separate function.
TLS 1.2 and 1.3 will process more-or-less the same server extensions,
but at slightly different points in the handshake. In preparation for
that, split this out into its own function.

Change-Id: I5494dee4724295794dfd13c5e9f9f83eade6b20a
Reviewed-on: https://boringssl-review.googlesource.com/8586
Reviewed-by: Adam Langley <agl@google.com>
2016-07-07 23:21:40 +00:00
Nick Harper
f8b0e70392 Add parsing logic for the three new TLS 1.3 extensions.
[Originally written by nharper, tweaked by davidben.]

For now, ignore them completely.

Change-Id: I28602f219d210a857aa80d6e735557b8d2d1c590
Reviewed-on: https://boringssl-review.googlesource.com/8585
Reviewed-by: Adam Langley <agl@google.com>
2016-07-07 23:17:53 +00:00
David Benjamin
34a3c49875 Simplify TLS reuse_message implementation.
Rather than have a separate codepath, just skip the message_complete
logic and parse what's in the buffer. This also cuts down on one input
to setting up a reuse_message; message_type is now only written to in
the get_message implementation.

Change-Id: I96689b5957a3f2548af9099ec4e53cabacdc395a
Reviewed-on: https://boringssl-review.googlesource.com/8640
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2016-07-07 23:01:07 +00:00
David Benjamin
c937edef3e Remove backslash.
It seems in this context, one doesn't escape _.

https://boringssl.googlesource.com/boringssl/+/HEAD/INCORPORATING.md#Bazel

Change-Id: I7ec587de8e9d033a3cb9f108ec645e4ce5e0c4fc
Reviewed-on: https://boringssl-review.googlesource.com/8660
Reviewed-by: Adam Langley <agl@google.com>
2016-07-07 21:39:44 +00:00
Adam Langley
affdee99e2 Update documentation to reference the “master-with-bazel” branch.
We now have a branch that contains the source code in a form suitable
for using with Bazel. This can be easier for projects that are already
using Bazel to deal with.

Change-Id: Iaaddb2ee50b367114ff2de88a526bf4bdb6ad7ab
Reviewed-on: https://boringssl-review.googlesource.com/8651
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-07 21:10:40 +00:00
Adam Langley
2304447a63 No-op change to trigger the new Bazel bot.
Change-Id: I3ca064545892b3e7be6083355fe1814bab320035
2016-07-07 12:07:04 -07:00
Adam Langley
5a09d02c7b No-op change to trigger the new Bazel bot.
Change-Id: Ifc785d76528f406860ecbed5cb1ea3f1251ad42a
2016-07-07 11:54:24 -07:00
Adam Langley
87010555cd No-op change to trigger the new Bazel bot.
Change-Id: If385f78b2d8103aac1a078cf9c5751d173878f8d
2016-07-07 11:23:21 -07:00
David Benjamin
ff26f09a05 Fix c.in.decrypt error handling in runner.
Part of this was we messed up the TLS 1.3 logic slightly, though the
root bug is https://go-review.googlesource.com/#/c/24709/.

Change-Id: I0a99b935f0e9a9c8edd5aa6cc56f3b2cb594703b
Reviewed-on: https://boringssl-review.googlesource.com/8583
Reviewed-by: Adam Langley <agl@google.com>
2016-07-07 17:28:36 +00:00
David Benjamin
95c69563dc Add version tolerance tests for DTLS.
Also move them with the other version negotiation tests.

Change-Id: I8ea5777c131f8ab618de3c6d02038e802bd34dd0
Reviewed-on: https://boringssl-review.googlesource.com/8550
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:18:46 +00:00
David Benjamin
ce9a2166d6 Document that BN_mod_sqrt assumes p is a prime.
Change-Id: I5be2337ce6c333b704894c64e7931919bc047995
Reviewed-on: https://boringssl-review.googlesource.com/8595
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:15:41 +00:00
David Benjamin
4cb00ba08c Convert test_exp to bn_tests.txt.
Amazingly, this function actually has (not crypto-related) callers, despite
being pretty much useless for cryptography.

BUG=31

Change-Id: I440827380995695c7a15bbf2220a05ffb28d9335
Reviewed-on: https://boringssl-review.googlesource.com/8594
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:15:28 +00:00
David Benjamin
ad6d33c70d Convert test_mod_exp_mont5 test vectors.
These were generated by running test_mod_exp_mont5 10 times. The values with
Montgomery representation 1 were generated separately so the test file could
preserve the comment. (Though, at 10,000 lines, no one's going to find it...)

BUG=31

Change-Id: I8e9d4d6d7b5f7d283bd259df10a1dbdc90b888cf
Reviewed-on: https://boringssl-review.googlesource.com/8611
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:15:17 +00:00
David Benjamin
45a8c8a3c4 Convert test_mod_exp and test_mod_exp_consttime.
Honestly, with this size of number, they're pretty bad test vectors.
test_mod_exp_mont5 will be imported in the next commit which should help.

This was done by taking test_mod_exp's generation, running it a few times
(since otherwise the modulus is always the same). I also ran it a few times
with the odd constraint removed since BN_mod_exp is supposed to support it,
even if it's not actually useful.

BUG=31

Change-Id: Id53953f0544123a5ea71efac534946055dd5aabc
Reviewed-on: https://boringssl-review.googlesource.com/8610
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:12:49 +00:00
David Benjamin
28a8c2fe25 Fold the rest of test_sqrt into TestSquare.
BUG=31

Change-Id: Ief7bda365c3d786f946caaba0ab2af03c50459c3
Reviewed-on: https://boringssl-review.googlesource.com/8609
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:12:37 +00:00
David Benjamin
5a13e40ab6 Convert test_mont and test_mod_mul to bn_tests.txt.
That one needs reduced inputs and the other ought to be also tested against
unreduced ones is a bit annoying. But the previous commit made sure BN_nnmod
has tests, and test_mont could stand to inherit test_mod_mul's test data (it
only had five tests originally!), so I merged them.

BUG=31

Change-Id: I1eb585b14f85f0ea01ee81537a01e07ced9f5d9a
Reviewed-on: https://boringssl-review.googlesource.com/8608
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:12:13 +00:00
David Benjamin
e8317a5530 Add tests for BN_nnmod.
Change-Id: Ic72e00bb01d254408671b3f8d036be3cd4c06086
Reviewed-on: https://boringssl-review.googlesource.com/8606
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:11:53 +00:00
David Benjamin
7819409e13 Generate more test data in test_mont.
In preparation for converting test_mont and test_mod_mul to test vectors, make
test_mont less silly. We can certainly get away with doing more than five
tests. Also generate |a| and |b| anew each time. Otherwise the first BN_nmod is
destructive.

Change-Id: I944007ed7b6013a16d972cb7290ab9992c9360ce
Reviewed-on: https://boringssl-review.googlesource.com/8605
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:11:33 +00:00
David Benjamin
56cbbe5b8d Use BN_set_bit in TestLShift1.
No need for the special case and such.

Change-Id: If8fbc73eda0ccbaf3fd422e97c96fee6dc10b1ab
Reviewed-on: https://boringssl-review.googlesource.com/8604
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:11:11 +00:00
David Benjamin
66a0e6e37d Add a Go tool to check bn_tests.txt.
Since the format no longer is readable by bc, compare it to Go's math/big
instead.

Change-Id: I34d37aa0c29c6f4178267858cb0d3941b4266b93
Reviewed-on: https://boringssl-review.googlesource.com/8603
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 23:09:49 +00:00
Adam Langley
0186787c49 Add top-level BUILD file (in util/).
When we have *-with-bazel branches this BUILD file will be copied to the
top-level for consumers that want to use Bazel.

From empirical testing, x86-64 on Linux is spelt “k8” and x86-64 on
macOS is spelt “darwin”. I've not tried to enable assembly for any other
cases yet.

Change-Id: Ic6cb739565f145db20756fb57c0d087227fd9e18
Reviewed-on: https://boringssl-review.googlesource.com/8571
Reviewed-by: Adam Langley <agl@google.com>
2016-07-06 23:03:01 +00:00
David Benjamin
7505144558 Extract certificate message processing in Go.
TLS 1.2 and 1.3 will both need to call it at different points.

Change-Id: Id62ec289213aa6c06ebe5fe65a57ca6c2b53d538
Reviewed-on: https://boringssl-review.googlesource.com/8600
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 22:30:43 +00:00
David Benjamin
a6f82637da Extract Go CertificateRequest logic into a helper.
TLS 1.3 will need to call it under different circumstances. We will also
wish to test TLS 1.3 post-handshake auth, so this function must work
without being passed handshake state.

In doing so, implement matching based on signature algorithms as 1.3
does away with the certificate type list.

Change-Id: Ibdee44bbbb589686fcbcd7412432100279bfac63
Reviewed-on: https://boringssl-review.googlesource.com/8589
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 22:29:52 +00:00
Nick Harper
7e0442a217 Rewrite Go Certificate and CertificateRequest serialization.
[Originally written by nharper and then tweaked by davidben.]

TLS 1.3 tweaks them slightly, so being able to write them in one pass
rather than two will be somewhat more convenient.

Change-Id: Ib7e2d63e28cbae025c840bbb34e9e9c295b44dc6
Reviewed-on: https://boringssl-review.googlesource.com/8588
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 22:27:18 +00:00
Nick Harper
e5d577d70e Add Go HKDF implementation with test.
[Originally written by nharper. Test added by davidben.]

Test vectors taken from hkdf_test.c.

Change-Id: I214bcae325e9c7c242632a169ab5cf80a3178989
Reviewed-on: https://boringssl-review.googlesource.com/8587
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 22:25:43 +00:00
Nick Harper
b3d51be52f Split ServerHello extensions into a separate struct.
[Originally written by nharper, tweaked by davidben.]

In TLS 1.3, every extension the server previously sent gets moved to a
separate EncryptedExtensions message. To be able to share code between
the two, parse those extensions separately. For now, the handshake reads
from serverHello.extensions.foo, though later much of the extensions
logic will probably handle serverExtensions independent of whether it
resides in ServerHello or EncryptedExtensions.

Change-Id: I07aaae6df3ef6fbac49e64661d14078d0dbeafb0
Reviewed-on: https://boringssl-review.googlesource.com/8584
Reviewed-by: David Benjamin <davidben@google.com>
2016-07-06 22:24:29 +00:00
David Benjamin
1701776908 Clarify how Quotient tests do rounding.
Change-Id: Ifea17a894065cce607845208c96e2092e4632d61
Reviewed-on: https://boringssl-review.googlesource.com/8607
Reviewed-by: Adam Langley <agl@google.com>
2016-07-06 22:17:26 +00:00