Commit Graph

1456 Commits

Author SHA1 Message Date
Joel Klinghed
1550a84784 Allow compilation for armv6
Use when giving -DANDROID_ABI="armeabi-v6 with VFP" to android-cmake

Change-Id: Ifb053bcf4788e34fb54e20c27d4e519416ca9a11
Reviewed-on: https://boringssl-review.googlesource.com/4945
Reviewed-by: Adam Langley <agl@google.com>
2015-06-02 18:16:13 +00:00
Joel Klinghed
9a4996e359 Fix compilation of sha256-armv4.S when using -march=armv6
sha256-armv4.S:1884: Error: invalid constant (ffffffffffffef90) after fixup

BUG=495695

Change-Id: I5b7423c2f7a10657c92c7b1ccae970f33c569455
Reviewed-on: https://boringssl-review.googlesource.com/4944
Reviewed-by: Adam Langley <agl@google.com>
2015-06-02 18:15:37 +00:00
Joel Klinghed
485a50ae15 Match the ifdef check in bsaes-armv7.S
bsaes-armv7.S implements bsaes_cbc_encrypt if #if __ARM_MAX_ARCH__ >= 7
but e_aes.c instead used #if __ARM_ARCH >= 7 causing duplicate symbols
for linkers that care about that

Change-Id: I10ad8e24be75fdc03b0670869a53078b0477950b
Reviewed-on: https://boringssl-review.googlesource.com/4943
Reviewed-by: Adam Langley <agl@google.com>
2015-06-02 18:14:41 +00:00
David Benjamin
e216288109 Unexport and prune EVP_MD_CTX flags.
The only flag is EVP_MD_CTX_FLAG_NO_INIT and no good can possibly come of
anyone outside EVP_PKEY_HMAC calling it. (And indeed no one calls it.
EVP_MD_CTX_set_flags has a caller in wpa_supplicant, but it uses
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW which we don't define. The call is guarded by a
pair of ifdefs for some FIPS mode wpa_supplicant.)

Change-Id: I70ab8ffa646f3f75dfa4d37c96b9e82448ff1e40
Reviewed-on: https://boringssl-review.googlesource.com/4971
Reviewed-by: Adam Langley <agl@google.com>
2015-06-02 01:08:10 +00:00
David Benjamin
af8731f7a5 Remove HMAC_CTX_set_flags.
It's never called externally and for good reason; the only flag to set is
EVP_MD_CTX_FLAG_NO_INIT which is an implementation detail of EVP_PKEY_HMAC
(hopefully to be removed eventually). Indeed, only EVP_PKEY_HMAC ever calls
this function. Except there's no need to because the HMAC_CTX has already been
initialized at that point. (And were it not initialized, that call would not
bode well for the poor HMAC_CTX.)

The legacy EVP_PKEY_HMAC API has test coverage and still works after this
change.

Change-Id: I2fb0bede3c24ad1519f9433f957606de15ba86c7
Reviewed-on: https://boringssl-review.googlesource.com/4970
Reviewed-by: Adam Langley <agl@google.com>
2015-06-02 01:07:07 +00:00
David Benjamin
bf3208b849 Add additional HMAC tests.
Not terribly important given that we already have NIST vectors, but may as
well. These tests come from upstream's
2cfbdd71dde0c3ddf4597eb20cc3e3fb8485fc15.

Change-Id: I4f8dadc7d5d1599d0b75ecdef06f2fc6a5cd8003
Reviewed-on: https://boringssl-review.googlesource.com/4962
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:51:00 +00:00
David Benjamin
a1c90a5ce1 Further tidy up cipher logic.
With SSL2 gone, there's no need for this split between the abstract
cipher framework and ciphers. Put the cipher suite table in ssl_cipher.c
and move other SSL_CIPHER logic there. With that gone, prune the
cipher-related hooks in SSL_PROTOCOL_METHOD.

BUG=468889

Change-Id: I48579de8bc4c0ea52781ba1b7b57bc5b4919d21c
Reviewed-on: https://boringssl-review.googlesource.com/4961
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:48:30 +00:00
David Benjamin
0fa4012331 Add a test that DTLS does not support RC4.
Make sure we don't break that on accident.

Change-Id: I22d58d35170d43375622fe61e4a588d1d626a054
Reviewed-on: https://boringssl-review.googlesource.com/4960
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:43:34 +00:00
David Benjamin
9a980abaee Fold TLS1_PRF_* into SSL_HANDSHAKE_MAC_*
They're redundant with each other.

Change-Id: I17e7ff8c4e0b1486986dd866fd99673fa2aaa494
Reviewed-on: https://boringssl-review.googlesource.com/4959
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:43:06 +00:00
David Benjamin
29864b5bb8 Remove SSL_CIPHER_ALGORITHM2_AEAD.
All ciphers are implemented by an EVP_AEAD.

Change-Id: Ifa754599a34e16bf97e1a4b84a271c6d45462c7c
Reviewed-on: https://boringssl-review.googlesource.com/4958
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:30:00 +00:00
David Benjamin
904dc72b32 Fold away SSL_PROTOCOL_METHOD hooks shared between TLS and DTLS.
The ctrl hooks are left alone since they should just go away.
Simplifying the cipher story will happen in the next CL.

BUG=468889

Change-Id: I979971c90f59c55cd5d17554f1253158b114f18b
Reviewed-on: https://boringssl-review.googlesource.com/4957
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:29:46 +00:00
David Benjamin
a6022771b3 Split ssl_read_bytes hook into app_data and close_notify hooks.
This still needs significant work, especially the close_notify half, but
clarify the interface and get *_read_bytes out of SSL_PROTOCOL_METHOD.
read_bytes is an implementation detail of those two and get_message
rather than both an implementation detail of get_message for handshake
and a (wholly inappropriate) exposed interface for the other two.

BUG=468889

Change-Id: I7dd23869e0b7c3532ceb2e9dd31ca25ea31128e7
Reviewed-on: https://boringssl-review.googlesource.com/4956
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:27:55 +00:00
David Benjamin
c933a47e6f Switch the ssl_write_bytes hook to ssl_write_app_data.
The SSL_PROTOCOL_METHOD table needs work, but this makes it clearer
exactly what the shared interface between the upper later and TLS/DTLS
is.

BUG=468889

Change-Id: I38931c484aa4ab3f77964d708d38bfd349fac293
Reviewed-on: https://boringssl-review.googlesource.com/4955
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:18:06 +00:00
David Benjamin
2c3679210e EVP_Digest*Update, EVP_DigestFinal, and HMAC_Update can never fail.
Enough code fails to check their return codes anyway. We ought to make
it official.

Change-Id: Ie646360fd7073ea943036f5e21bed13df7e1b77a
Reviewed-on: https://boringssl-review.googlesource.com/4954
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:17:10 +00:00
David Benjamin
e2375e139e Low-level hash 'final' functions cannot fail.
The SHA-2 family has some exceptions, but they're all programmer errors
and should be documented as such. (Are the failure cases even
necessary?)

Change-Id: I00bd0a9450cff78d8caac479817fbd8d3de872b8
Reviewed-on: https://boringssl-review.googlesource.com/4953
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:14:01 +00:00
David Benjamin
049756be46 Fix integer types in low-level hash functions.
Use sized integer types rather than unsigned char/int/long. The latter
two are especially a mess as they're both used in lieu of uint32_t.
Sometimes the code just blindly uses unsigned long and sometimes it uses
unsigned int when an LP64 architecture would notice.

Change-Id: I4c5c6aaf82cfe9fe523435588d286726a7c43056
Reviewed-on: https://boringssl-review.googlesource.com/4952
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 22:12:21 +00:00
David Benjamin
338e06771c Reject sessions with the wrong structure version.
The old upstream logic actually didn't do this, but 1.1.0's new code does.
Given that the version has never changed and even unknown fields were rejected
by the old code, this seems a safe and prudent thing to do.

Change-Id: I09071585e5183993b358c10ad36fc206f8bceeda
Reviewed-on: https://boringssl-review.googlesource.com/4942
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 20:30:02 +00:00
David Benjamin
f297e021f1 Reject unknown fields in d2i_SSL_SESSION.
The original OpenSSL implementation did the same. M_ASN1_D2I_Finish checks
this. Forwards compatibility with future sessions with unknown fields is
probably not desirable.

Change-Id: I116a8c482cbcc47c3fcc31515c4a3718f66cf268
Reviewed-on: https://boringssl-review.googlesource.com/4941
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 20:29:07 +00:00
David Benjamin
8a228f5bfe Disable the malloc interceptor without glibc.
At some point we might need to make this defined by the consumer.

BUG=495146

Change-Id: Iedac305f234cb383799a5afc14046cd10fb3256a
Reviewed-on: https://boringssl-review.googlesource.com/4963
Reviewed-by: Adam Langley <agl@google.com>
2015-06-01 17:45:27 +00:00
David Benjamin
bd15a8e748 Fix DTLS handling of multiple records in a packet.
9a41d1b946 broke handling of multiple records in
a single packet. If |extend| is true, not all of the previous packet should be
consumed, only up to the record length.

Add a test which stresses the DTLS stack's handling of multiple handshake
fragments in a handshake record and multiple handshake records in a packet.

Change-Id: I96571098ad9001e96440501c4730325227b155b8
Reviewed-on: https://boringssl-review.googlesource.com/4950
Reviewed-by: Adam Langley <agl@google.com>
2015-05-29 22:59:38 +00:00
David Benjamin
15eaafb18a Fix bn_test's bc output and shut it up a little.
bn_test's output is meant to be piped to bc, but this got broken somewhat:

- OpenSSL uses uppercase hex rather than BoringSSL's lowercase. bc only accepts
  uppercase. Document that this needs some shell pipeline until we replace
  them with better tests because this is all ridiculous.

- Some stderr outputs moved to stdout to avoid cluttering stdout. Just remove
  them. The operations are fast enough to not need progress.

- To cut down on noise, only write the bc transcript given a command-line flag.
  Also remove the -results flag since it's pointless. (It writes only the
  results and not the inputs.)

Change-Id: I08f87cac1e03fab461f0dc40b9d4285bd877807d
Reviewed-on: https://boringssl-review.googlesource.com/4896
Reviewed-by: Adam Langley <agl@google.com>
2015-05-28 17:25:41 +00:00
David Benjamin
efd8eb3226 Tidy up overflows in obj_cmp.
While this isn't really an issue, don't use the a - b comparator pattern since
it doesn't account for overflows. (They'll also break silently if that field
ever becomes unsigned as it should be.)

Change-Id: I613d19df6e4a785efd4cffd46e8b03dbc95b98e2
Reviewed-on: https://boringssl-review.googlesource.com/4890
Reviewed-by: Adam Langley <agl@google.com>
2015-05-28 17:22:19 +00:00
Adam Langley
05ead68a0f Readd CRYPTO_{LOCK|UNLOCK|READ|WRITE}.
These defines are part of the the locking callbacks which have been
removed. However, code that still tries to provide locking callbacks
will need these values to compile.

The locking callback that such code tries to install will be ignored,
but that's harmless since BoringSSL handles locking itself now.

Change-Id: Ic84da8b52020ccd3ecc8913b4e41d366690c7649
2015-05-27 15:48:29 -07:00
Adam Langley
71106adf89 Add |BIO_read_asn1| to read a single ASN.1 object.
Android needs to be able to read a PKCS#7 blob from a Java
InputStream. This change adds |BIO_read_asn1| which reads a single
ASN.1 object from the start of a BIO without overreading.

Change-Id: I74776e686529c8e58af1c26a4909f9bd4e87b707
2015-05-27 15:21:56 -07:00
David Benjamin
eb930b8703 Fix signed/unsigned warning in bn_test.cc.
BN_num_bits returns unsigned.

Change-Id: Ie346dbe0a12d3597d2b12e56b57dfc147e65dcc3
Reviewed-on: https://boringssl-review.googlesource.com/4895
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 22:04:16 +00:00
David Benjamin
b3a7b51f18 Fix off-by-one in BN_rand
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur.

See also upstream's efee575ad464bfb60bf72dcb73f9b51768f4b1a1. But rather than
making |BN_rand| fail, be consistent with the |bits| = 0 case and just don't
set the bits that don't exist. Add tests to ensure the degenerate cases behave.

Change-Id: I5e9fbe6fd8f7f7b2e011a680f2fbe6d7ed4dab65
Reviewed-on: https://boringssl-review.googlesource.com/4893
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 22:03:05 +00:00
David Benjamin
074cc04022 Reject negative shifts for BN_rshift and BN_lshift.
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

(Imported from upstream's 7cc18d8158b5fc2676393d99b51c30c135502107.)

Change-Id: Ib9f5e410a46df3d7f02a61374807fba209612bd3
Reviewed-on: https://boringssl-review.googlesource.com/4892
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:59:35 +00:00
David Benjamin
75fb74ae96 aes/asm/bsaes-armv7.pl: fix compilation with Xcode 6.3.
(Imported from upstream's c4cd8316068f1c3b5a0050e60b3ea21a20db276e.)

Change-Id: Ib2eab081fd3e20ac8bf2ac5c093a804763d877ce
Reviewed-on: https://boringssl-review.googlesource.com/4891
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:58:27 +00:00
David Benjamin
ff81e10313 Add OPENSSL_PUT_ERROR line to X509V3_parse_list.
See upstream's 344c271eb339fc2982e9a3584a94e51112d84584. We had the error check
already. But, for consistency with the rest of that function's error paths,
pushing an error on the error queue would be prudent.

Change-Id: I8b702abc679dc94dffa79c19a9b7c3d0adc0638b
Reviewed-on: https://boringssl-review.googlesource.com/4889
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:56:16 +00:00
David Benjamin
1590811111 Fix typo in valid_star.
(Imported from upstream's 9a3bf97315aa121441777bf1bc4bea3c5e00af29.)

Change-Id: I1ce28437333012347985c788c86671f5ec34b34f
Reviewed-on: https://boringssl-review.googlesource.com/4888
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:55:14 +00:00
David Benjamin
e76ccae68b Release handshake buffer when sending no certificate.
See also upstream's dab18ab596acb35eff2545643e25757e4f9cd777. This allows us to
add an assertion to the finished computation that the handshake buffer has
already been released.

BUG=492371

Change-Id: I8f15c618c8b2c70bfe583c81644d9dbea95519d4
Reviewed-on: https://boringssl-review.googlesource.com/4887
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:54:30 +00:00
David Benjamin
5f04b6521d Release the handshake buffer on the client for abbreviated handshakes.
Another missing case.

BUG=492371

Change-Id: Iaabe43517b8581969431a20f7ba7094787b954aa
Reviewed-on: https://boringssl-review.googlesource.com/4886
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:53:52 +00:00
David Benjamin
5c1ce2925d Decide whether or not to request client certificates early.
This allows us to merge two of the ssl3_digest_cached_records calls which were
almost, but not completely, redundant. Also catches a missing case: the buffer
may be discarded if doing session resumption but otherwise enabling client
authentication.

BUG=492371

Change-Id: I78e9a4a9cca665e89899ef97b815454c6f5c7e02
Reviewed-on: https://boringssl-review.googlesource.com/4885
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:53:16 +00:00
David Benjamin
4b30b28def Remove server-side renego session resumption check.
Servers can no longer renegotiate.

Change-Id: Id79d5753562e29d2872871f4f571552a019215fa
Reviewed-on: https://boringssl-review.googlesource.com/4884
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:51:19 +00:00
David Benjamin
5aea93e604 Deprecate and no-op SSL_VERIFY_CLIENT_ONCE.
This is documented as "Only request a client certificate on the initial TLS/SSL
handshake. Do not ask for a client certificate again in case of a
renegotiation." Server-side renegotiation is gone.

I'm not sure this flag has ever worked anyway, dating all the way back to
SSLeay 0.8.1b. ssl_get_new_session overwrites s->session, so the old
session->peer is lost.

Change-Id: Ie173243e189c63272c368a55167b8596494fd59c
Reviewed-on: https://boringssl-review.googlesource.com/4883
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:50:24 +00:00
David Benjamin
34a1635b3f Remove fake RLE compression OID.
(obj_dat.h and obj_mac.h are generated from the objects.txt change.)

See upstream's 3c161d081e2d30549e787437d05ffa08122a5114. Also see upstream's
12048657a91b12e499d03ec9ff406b42aba67366 to give zlib a better comment.

Change-Id: I86937f037f8e0f6179ba8072ccd972eca773c7ce
Reviewed-on: https://boringssl-review.googlesource.com/4882
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:49:39 +00:00
David Benjamin
9c0918fc3f Fix typo in objects.txt
See upstream's 8332f91cc0db4955259bca9f9138b5eff94d6e8c.

Change-Id: I293acba511e6f390204247787c951a9df08cae68
Reviewed-on: https://boringssl-review.googlesource.com/4881
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:49:08 +00:00
David Benjamin
91af02a9db Add some comments and tweak assertions for cbc.c.
See https://boringssl-review.googlesource.com/#/c/4832/.

Change-Id: Icf457a2b47bc2d5b84dddc454d5ca8ec328b5169
Reviewed-on: https://boringssl-review.googlesource.com/4860
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:48:36 +00:00
David Benjamin
74d8bc2503 Don't make SSL_MODE_*HELLO_TIME configurable.
Never send the time as a client. Always send it as a server.

Change-Id: I20c55078cfe199d53dc002f6ee5dd57060b086d5
Reviewed-on: https://boringssl-review.googlesource.com/4829
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 21:47:59 +00:00
David Benjamin
7b5aff4812 Have consumers supply OPENSSL_C11_ATOMIC.
Support is spotty enough with compiler/library mismatches, and this doesn't
leak to public headers. It's probably simplest to just have consumers supply
it as a build flag.

BUG=491808

Change-Id: I0576a0514a266ee90d644317ae0f49cdddbafd1d
Reviewed-on: https://boringssl-review.googlesource.com/4880
Reviewed-by: Yoshisato Yanagisawa <yyanagisawa@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 19:21:59 +00:00
David Benjamin
ac63748997 Revert "tool: we don't need -lrt."
This reverts commit e60e2a483b. Turns out we do
still use clock_gettime in speed.cc.

Change-Id: Idab42ef2863345c3d1409b5d33c3e36b41739e1f
Reviewed-on: https://boringssl-review.googlesource.com/4894
Reviewed-by: Adam Langley <agl@google.com>
2015-05-27 19:21:43 +00:00
Matt Braithwaite
444dce4934 Do-nothing fns |OpenSSL_add_all_ciphers| and |OpenSSL_add_all_digests|.
Change-Id: Ied2338f84e03ee1736152b82096335b78a256ca4
Reviewed-on: https://boringssl-review.googlesource.com/4850
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 21:07:48 +00:00
David Benjamin
ece089c3a3 Deprecate and no-op SSL_set_state.
Yes, OpenSSL lets you randomly change its internal state. This is used
as part of server-side renegotiation. Server-side renegotiation is gone.

BUG=429450

Change-Id: Ic1b013705734357acf64e8bf89a051b2b7521c64
Reviewed-on: https://boringssl-review.googlesource.com/4828
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 20:52:05 +00:00
David Benjamin
be05c63bf8 Remove compatibility s->version checks.
They were added to avoid accidentally enabling renego for a consumer which set
them to zero to break the handshake on renego. Now that renego is off by
default, we can get rid of them again.

Change-Id: I2cc3bf567c55c6562352446a36f2b5af37f519ba
Reviewed-on: https://boringssl-review.googlesource.com/4827
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 20:51:39 +00:00
David Benjamin
8ec88108d4 Remove SSL_in_before and SSL_ST_BEFORE.
It's never called and the state is meaningless now.

Change-Id: I5429ec3eb7dc2b789c0584ea88323f0ff18920ae
Reviewed-on: https://boringssl-review.googlesource.com/4826
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 20:51:06 +00:00
David Benjamin
cd90f3a241 Remove renegotiation deferral logic.
When the peer or caller requests a renegotiation, OpenSSL doesn't
renegotiate immediately. It sets a flag to begin a renegotiation as soon
as record-layer read and write buffers are clear. One reason is that
OpenSSL's record layer cannot write a handshake record while an
application data record is being written. The buffer consistency checks
around partial writes will break.

None of these cases are relevant for the client auth hack. We already
require that renego come in at a quiescent part of the application
protocol by forbidding handshake/app_data interleave.

The new behavior is now: when a HelloRequest comes in, if the record
layer is not idle, the renegotiation is rejected as if
SSL_set_reject_peer_renegotiations were set. Otherwise we immediately
begin the new handshake. The server may not send any application data
between HelloRequest and completing the handshake. The HelloRequest may
not be consumed if an SSL_write is pending.

Note this does require that Chromium's HTTP stack not attempt to read
the HTTP response until the request has been written, but the
renegotiation logic already assumes it. Were Chromium to drive the
SSL_read state machine early and the server, say, sent a HelloRequest
after reading the request headers but before we've sent the whole POST
body, the SSL state machine may racily enter renegotiate early, block
writing the POST body on the new handshake, which would break Chromium's
ERR_SSL_CLIENT_AUTH_CERT_NEEDED plumbing.

BUG=429450

Change-Id: I6278240c3bceb5d2e1a2195bdb62dd9e0f4df718
Reviewed-on: https://boringssl-review.googlesource.com/4825
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 20:50:43 +00:00
David Benjamin
44d3eed2bb Forbid caller-initiated renegotiations and all renego as a servers.
The only case where renego is supported is if we are a client and the
server sends a HelloRequest. That is still needed to support the renego
+ client auth hack in Chrome. Beyond that, no other forms of renego will
work.

The messy logic where the handshake loop is repurposed to send
HelloRequest and the extremely confusing tri-state s->renegotiate (which
makes SSL_renegotiate_pending a lie during the initial handshake as a
server) are now gone. The next change will further simplify things by
removing ssl->s3->renegotiate and the renego deferral logic. There's
also some server-only renegotiation checks that can go now.

Also clean up ssl3_read_bytes' HelloRequest handling. The old logic relied on
the handshake state machine to reject bad HelloRequests which... actually that
code probably lets you initiate renego by sending the first four bytes of a
ServerHello and expecting the peer to read it later.

BUG=429450

Change-Id: Ie0f87d0c2b94e13811fe8e22e810ab2ffc8efa6c
Reviewed-on: https://boringssl-review.googlesource.com/4824
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 20:43:56 +00:00
Adam Langley
3d59e04bce Fix test used for not-in-place CBC mode.
With NO_ASM defined, the recent AEAD changes broke the tests. The
problem is that the generic CBC mode code tests whether in != out and
omits to save the IV, assuming that it'll be able to read the old
ciphertext block.

However, consider the case where out = in - 16:

    1       2      3       4
|-------|-------|------|-------|
    ^       ^
    |       |
   out     in

First time around, 1 = decrypt(2) ^ iv and everything is fine, because
the IV was preconfigured. However, the next iteration of the loop sets
2 = decrypt(3) and tries to XOR it with the contents of the previous
ciphertext block… from 2.

Change-Id: Ibabff430704fad246de132b4d6d514f6a0362734
2015-05-21 13:27:37 -07:00
David Benjamin
5f387e38fc Remove s->renegotiate check in SSL_clear.
This dates back to upstream's a2a0158959e597188c10fbfeaf61888b2df2e587.
It seems to be a remnant of those SSL_clear calls in the handshake state
machine which... were also bizarre and since gone.

Since SSL_clear is to drop the current connection but retain the
configuration, it doesn't really make sense to forbid it while you're
mid-handshake.

This removes another consumer of s->renegotiate.

BUG=429450

Change-Id: Ifac6bf11644447fd5571262bed7421684739bc39
Reviewed-on: https://boringssl-review.googlesource.com/4823
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 18:32:26 +00:00
David Benjamin
20f6e97c7e Switch three more renegotiate checks to initial_handshake_complete.
ssl_cipher_list_to_bytes is client-only, so s->renegotiate worked, but
the only reason the other two worked is because s->renegotiate isn't a
lie on the server before ServerHello.

BUG=429450

Change-Id: If68a986c6ec4a0f16e57a6187238e05b50ecedfc
Reviewed-on: https://boringssl-review.googlesource.com/4822
Reviewed-by: Adam Langley <agl@google.com>
2015-05-21 18:31:55 +00:00