Commit Graph

838 Commits

Author SHA1 Message Date
David Benjamin
2a0e72f08a Fix segfault with empty fields as last in the config.
(Imported from upstream's 2747d73c1466c487daf64a1234b6fe2e8a62ac75.)

Also fix up some stylistic issues in conf.c and clarify empty case in
documentation.

Change-Id: Ibacabfab2339d7566d51db4b3ac4579aec0d1fbf
Reviewed-on: https://boringssl-review.googlesource.com/3023
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:37:47 +00:00
David Benjamin
df1cda345f Use inner algorithm when printing certificate.
(Imported from upstream's 004efdbb41f731d36bf12d251909aaa08704a756.)

The outer algorithm is already printed at the bottom of the function. This
allows any tools which print the X509 this way to determine if there is a
mismatch. This is also the point where the TBSCertificate is printed, not the
Certificate. See upstream's RT #3665.

Change-Id: I89baa4e4b626abf8813545a90eaa4409489ad893
Reviewed-on: https://boringssl-review.googlesource.com/3022
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:37:23 +00:00
David Benjamin
e3b24674ef sha256-armv4.pl: fix typo.
(Imported from upstream's 52cab5635603c1a7a00bc6f92401c84ec8920298.)

Change-Id: I97b89c03e1a05063100f94b87e06afb2028371ff
Reviewed-on: https://boringssl-review.googlesource.com/3021
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:37:01 +00:00
David Benjamin
8604eda634 Add Broadwell performance results.
(Imported from upstream's b3d7294976c58e0e05d0ee44a0e7c9c3b8515e05.)

May as well avoid diverging.

Change-Id: I3edec4fe15b492dd3bfb3146a8944acc6575f861
Reviewed-on: https://boringssl-review.googlesource.com/3020
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:35:35 +00:00
Adam Langley
c5cc15b4f5 Don't expect bsaes functions on ARMv6.
The bsaes-armv7.S asm has an #if __ARM_ARCH__>=7 around its contents,
i.e. it's not just switched at runtime – it only compiles for >= ARMv7.

I mistakenly regressed e_aes.c in 3e652657 to always expected bsaes
functions to exist on ARM. This change fixes that.

Change-Id: Ifd9111438508909a0627b25aee3e2f11e62e3ee8
2015-01-23 11:04:46 -08:00
David Benjamin
5fa3eba03d Clear the error queue when dropping a bad DTLS packet.
This regressed in e95d20dcb8. EVP_AEAD will push
errors on the error queue (unlike the EVP_CIPHER codepath which checked
everything internally to ssl/ and didn't bother pushing anything). This meant
that a dropped packet would leave junk in the error queue.

Later, when SSL_read returns <= 0 (EOF or EWOULDBLOCK), the non-empty error
queue check in SSL_get_error kicks in and SSL_read looks to have failed.

BUG=https://code.google.com/p/webrtc/issues/detail?id=4214

Change-Id: I1e5e41c77a3e5b71e9eb0c72294abf0da677f840
Reviewed-on: https://boringssl-review.googlesource.com/2982
Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 22:06:40 +00:00
David Benjamin
9a38e924aa Return SSL_ERROR_SYSCALL on unclean EOF.
This regressed in fcf25833bc. 0 return code on
unclean shutdown means the underlying BIO returned EOF, didn't push any error
code, but we haven't seen close_notify yet. The intent seems to be that you go
check errno or some BIO-specific equivalent if you care about close_notify.

Make sure test code routes all SSL_read return codes through SSL_get_error
since that's supposed to work in all cases.

(Note that rv == 0 can still give SSL_ERROR_SSL if the error queue is not
empty.)

Change-Id: I45bf9614573f876d93419ce169a4e0d9ceea9052
Reviewed-on: https://boringssl-review.googlesource.com/2981
Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 22:01:35 +00:00
David Benjamin
1e52ecac4d Normalize tls1_enc return values.
The distinction between publicly and non-publicly invalid is barely acted upon
and slightly silly now that the CBC padding check has been folded into
EVP_AEAD.

Change-Id: Idce4b9b8d29d624e3c95243a147265d071612127
Reviewed-on: https://boringssl-review.googlesource.com/2980
Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 22:00:01 +00:00
Adam Langley
66850ddec1 Add dummy variables to keep wpa_supplicant happy.
Since we can't update wpa_supplicant nearly as fast as we would like, we
need to try and keep it happy. Unfortunately, the recent switch to
EVP_AEAD breaks it so this dismal change adds some dummy variables that
will allow it to compile.

Change-Id: I03d6b81c30bbebc07af3af0d6cda85a26b461edf
Reviewed-on: https://boringssl-review.googlesource.com/2960
Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 19:27:30 +00:00
David Benjamin
384673ceb7 Fix tool build on Windows.
C++ doesn't allow implicit void* casts.

Change-Id: I50a2ab3fce6a38470b4e8216bd461ba2cd2c2215
Reviewed-on: https://boringssl-review.googlesource.com/2971
Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 19:22:39 +00:00
David Benjamin
cb878e20f3 More documentation fixes.
Missing newlines. I think they got lost in some patch reordering.

Change-Id: Ib1e5833623f4ef613965d32b4e82ba18b6a551e6
Reviewed-on: https://boringssl-review.googlesource.com/2970
Reviewed-by: Adam Langley <agl@google.com>
2015-01-22 19:22:33 +00:00
Adam Langley
07100c6e69 Only use -Wshadow with GCC > 4.6.0.
Prior to 4.6.0, -Wshadow would cause GCC to warn when variables shadowed
global functions. Since libc defines a number of functions with common
names, this is a problem. Also, without this change, we'll keep breaking
on older versions of GCC because we won't be testing with them.

OpenBSD, specifically is reported to have a problem:
https://boringssl-review.googlesource.com/#/c/2900/

(Note the test should really be >= 4.6.0, but CMake doesn't have a
VERSION_GREATEROREQUAL.)

Change-Id: I1aedda01ab629e138c8781e4319bfaaed0b236b0
Reviewed-on: https://boringssl-review.googlesource.com/2952
Reviewed-by: Adam Langley <agl@google.com>
2015-01-21 00:27:26 +00:00
Eric Roman
4dcb05729f Remove support for passing a C-String to PKCS5_PBKDF2_HMAC*().
Before it was possible to pass a NULL-terminated C-string to the PBKDF2
functions, and indicate the parameter was a C-string by passing a length
of -1.

This is not relied on anywhere in the BoringSSL code, and the API contract is
possible to misuse as it is not the common way of doing things.

(A problem would arise when passing in a large unsigned length that
subsequently gets interpreted as -1).

Change-Id: Ifbd31ff76e183fa74e9fa346908daf4bfb8fc3da
Reviewed-on: https://boringssl-review.googlesource.com/2953
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-20 23:44:05 +00:00
Emanuele Pucciarelli
25bde4c1f9 Recognize common DH parameter sets.
Recognize the four most commonly offered safe DH parameter sets when
negotiating multiplicative, ephemeral Diffie-Hellman. These values were
found from a scan of the Alexa common sites.

When a known safe prime is used, reduce the private key size
correspondingly.

Change-Id: I655eb7a5c743c0b389698c0471d16db5a0966652
2015-01-16 14:46:59 -08:00
Adam Langley
e49da742cb Include arm_arch.h in e_aes.c.
Not sure why this is working in CMake build, but the Chromium trybots
aren't happy without it.

Change-Id: I810740786c4f3cb9ba786891fdcd6053eea3afcb
2015-01-16 14:06:22 -08:00
Adam Langley
e7624340ee Also test AES-CBC modes in the speed tool.
This change adds the AES-128-CBC-SHA and AES-256-CBC-SHA AEADs to the
speed test. These AEADs need an 11 byte additional data so the test is
extended to be able to provide that.

Change-Id: I9a57c2321a979a68ab0df9faf1bb26b44a3009c4
Reviewed-on: https://boringssl-review.googlesource.com/2922
Reviewed-by: Adam Langley <agl@google.com>
2015-01-16 19:04:44 +00:00
Adam Langley
6a3c288cdf Update SHA-1/256/512 asm for ARM from upstream.
This change syncs these asm files with upstream's 1.0.2 branch. The
important change is that they contain ARMv8 code that allows 32-bit ARM
code to use the hardware support in ARMv8 when running on such a chip.

Change-Id: Id37cb1ff0cbc98a8e328612df7cf60340ca96064
Reviewed-on: https://boringssl-review.googlesource.com/2921
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-16 19:00:26 +00:00
Adam Langley
543d00692a Benchmark AEADs with aligned buffers.
This eliminates a source of variability from the benchmarks.

Change-Id: I8ce07bd68e7591f8c5545040b02b96d21609a0e5
Reviewed-on: https://boringssl-review.googlesource.com/2920
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-16 19:00:17 +00:00
David Benjamin
7f1d5d5932 Follow-ups from recent patch train.
Comment fixups and a mismerge in aead_test. Also some buffer was larger than
needed.

Change-Id: I0e158089f42801575833684912f9edb206f61007
Reviewed-on: https://boringssl-review.googlesource.com/2870
Reviewed-by: Adam Langley <agl@google.com>
2015-01-16 02:05:45 +00:00
Adam Langley
f0eb169829 Free all error queues on shutdown.
As feared, 2bca0988 did cause some leak checkers to get upset about the
state_hash pointer getting cleared.

This change makes err_shutdown free all the error queues to try and
avoid this. Hopefully this doesn't upset TSAN in turn.

BUG=448296

Change-Id: I827da63c793dcabc73168ece052cdcd3d3cc64e3
Reviewed-on: https://boringssl-review.googlesource.com/2890
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-15 22:10:02 +00:00
Adam Langley
d749af7ab1 Use a weak pointer for getauxval.
The Android SDK version against which Chromium builds is too old to
include sys/auxv.h. This change switches the ARM code to use a weak
pointer for getauxval and to hard code the aux value numbers.

It also switches the license on cpu-arm.c because there's no OpenSSL
left in there now.

Change-Id: I440cb9d533a06d8b245b189d8e5148fa33e29412
Reviewed-on: https://boringssl-review.googlesource.com/2880
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-15 22:09:53 +00:00
Adam Langley
b1116a4a3b Always write the Poly1305 tag to an aligned buffer.
With GCC 4.9 and -O2 (and only -O2, -O1 and -O3 didn't trigger it), the
Poly1305 code can end up writing to an unaligned address otherwise and
that triggers a bus error on ARM.

Change-Id: Ifbeb7e2066a893d91d6f63c6565bac7d5542ef81
Reviewed-on: https://boringssl-review.googlesource.com/2850
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 23:38:25 +00:00
Adam Langley
3e6526575a aarch64 support.
This is an initial cut at aarch64 support. I have only qemu to test it
however—hopefully hardware will be coming soon.

This also affects 32-bit ARM in that aarch64 chips can run 32-bit code
and we would like to be able to take advantage of the crypto operations
even in 32-bit mode. AES and GHASH should Just Work in this case: the
-armx.pl files can be built for either 32- or 64-bit mode based on the
flavour argument given to the Perl script.

SHA-1 and SHA-256 don't work like this however because they've never
support for multiple implementations, thus BoringSSL built for 32-bit
won't use the SHA instructions on an aarch64 chip.

No dedicated ChaCha20 or Poly1305 support yet.

Change-Id: Ib275bc4894a365c8ec7c42f4e91af6dba3bd686c
Reviewed-on: https://boringssl-review.googlesource.com/2801
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 23:38:11 +00:00
David Benjamin
bc44c089fb Store SRTP_PROTECTION_PROFILES as const.
They're small, but they should be read-only. This slightly changes public API
and affects downstream WebRTC code.

Hold on landing this until https://webrtc-codereview.appspot.com/34649004/
rolls into Chromium.

Change-Id: I93cbae20f69d55411d6b1cb62ed7d9a81c83b701
Reviewed-on: https://boringssl-review.googlesource.com/2720
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 22:10:08 +00:00
David Benjamin
7ce1c0ca75 Make SSL_load_error_strings a no-op.
SSL_library_init already loads the error strings (unlike upstream). Code which
calls both will end up loading error strings twice. Instead make the second
call a no-op.

Change-Id: Ifd34ab20ed46aabeba14661e58f8dac2bbb29f69
Reviewed-on: https://boringssl-review.googlesource.com/2790
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 22:09:58 +00:00
David Benjamin
e9fc3e547e Remove P-521 from the default supported curves list.
Per review comment on https://boringssl-review.googlesource.com/#/c/2843/.

Change-Id: I84c9320ff908c9f8912e83c6ece89d9b06c32bbf
Reviewed-on: https://boringssl-review.googlesource.com/2860
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:53:23 +00:00
David Benjamin
4de5f54e54 RT3662: Allow leading . in nameConstraints
Change by SteveH from original by John Denker (in the RT)

(Imported from upstream's 77ff1f3b8bfaa348956c5096a2b829f2e767b4f1)

Confirmed by inspection of source that this matches mozilla::pkix behavior. See
https://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixnames.cpp#939

Change-Id: Ic4e7d011f7c10cbc83e5267550063b0ebe9648fb
Reviewed-on: https://boringssl-review.googlesource.com/2848
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:53:12 +00:00
David Benjamin
aa3f6daa86 Tag a number of globals as const.
Change-Id: I6f334911f153395a2e5e26adfd08912a1d8c558b
Reviewed-on: https://boringssl-review.googlesource.com/2847
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:53:00 +00:00
David Benjamin
1681d79ddf Remove ECDH_KDF_X9_62 and associated EVP glue.
Removes a bit of unused code. This effectively reverts upstream's
25af7a5dbc05c7359d1d7f472d50d65a9d876b7e. It's new with OpenSSL 1.0.2 so
nothing can be using it yet. We can restore it with tests if we end up wanting
it later.

(Also I think it might be misnamed. The KDF seems to be defined in X9.63, not
X9.62.)

Change-Id: I482daf681e0cf5c3bbdc72c57793f91448deaee8
Reviewed-on: https://boringssl-review.googlesource.com/2846
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:52:52 +00:00
David Benjamin
c61517cb5a Define the error case's output in RSA_message_index_PKCS1_type_2.
The use in s3_srvr.c doesn't care (it doesn't even have to be in bounds), but
it's good to have the value be initialized and not a function of the input.
(The old uninitialized case wasn't hit in s3_srvr.c because of the earlier
bounds check.)

Change-Id: Ib6b418b3c140aa564f8a46da3d34bb2b69f06195
Reviewed-on: https://boringssl-review.googlesource.com/2845
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:52:36 +00:00
David Benjamin
70bd80a236 Remove constraints on curve ID values.
The under 32 constraint is silly; it's to check for duplicate curves in
library-supplied configuration. That API is new as of 1.0.2. It doesn't seem
worth bothering; if the caller supplies a repeated value, may as well emit a
repeated one and so be it. (Probably no one will ever call that function
outside of maybe test code anyway.)

While I'm here, remove the 0 constraint too. It's not likely to change, but
removing the return value overload seems easier than keeping comments about it
comments about it.

Change-Id: I01d36dba1855873875bb5a0ec84b040199e0e9bc
Reviewed-on: https://boringssl-review.googlesource.com/2844
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:52:28 +00:00
David Benjamin
52e5bacf7c Prune away unimplemented curve IDs.
We only implement four curves (P-224, P-256, P-384, and P-521) and only
advertise the latter three by default. Don't maintain entries corresponding to
all the unimplemented curves.

Change-Id: I1816a10c6f849ca1d9d896bc6f4b64cd6b329481
Reviewed-on: https://boringssl-review.googlesource.com/2843
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:51:44 +00:00
David Benjamin
0cb3f5bc27 Switch OBJ_undef uses to NID_undef.
They both happen to be zero, but OBJ_undef is a type error; OBJ_foo expands to
a comma-separated list of integers.

Change-Id: Ia5907dd3bc83240b7cc98af6456115d2efb48687
Reviewed-on: https://boringssl-review.googlesource.com/2842
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:51:25 +00:00
David Benjamin
6095de8da2 Add tests for certificate mismatch.
Cover another mildly interesting error case.

Change-Id: Ice773af79f5e03f39f0cd2a9e158bae03e065392
Reviewed-on: https://boringssl-review.googlesource.com/2841
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:51:17 +00:00
David Benjamin
5b082e880d Various documentation fixes.
Add some missing headers and ensure each header has a short description. doc.go
gets confused at declarations that break before the first (, so avoid doing
that. Also skip a/an/deprecated: in markupFirstWord and process pipe words in
the table of contents.

Change-Id: Ia08ec5ae8e496dd617e377e154eeea74f4abf435
Reviewed-on: https://boringssl-review.googlesource.com/2839
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:50:50 +00:00
David Benjamin
d1d7d3d26a Clear existing extension state.
When parsing ClientHello clear any existing extension state from
SRP login and SRTP profile.

(Imported from upstream's 4f605ccb779e32a770093d687e0554e0bbb137d3)

More state that should be systematically reset across handshakes. Add a reset
on the ServerHello end too since that was missed.

Change-Id: Ibb4549acddfd87caf7b6ff853e2adbfa4b7e7856
Reviewed-on: https://boringssl-review.googlesource.com/2838
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:50:40 +00:00
David Benjamin
39507745e3 remove duplicate defines
(Imported from upstream's b17dcb0d63cc41aa58bf356fda203670085fc83d)

Change-Id: I0ba0ba8013f9d6b2bcce6e1c10e9b11652fccff9
Reviewed-on: https://boringssl-review.googlesource.com/2837
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:50:30 +00:00
David Benjamin
d83c1884fd Return error when a bit string indicates an invalid amount of bits left
(Imported from upstream's 5a1e8c67a90aead86ccc2dda324e8f897d1a044d)

Change-Id: Idfba7eb8244c1926e7921119767cb32605a74202
Reviewed-on: https://boringssl-review.googlesource.com/2836
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:50:20 +00:00
David Benjamin
1716b3d172 Reject invalid constructed encodings.
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.

(Imported from upstream's 89f40f369f414b52e00f7230b0e3ce99e430a508.)

Change-Id: Ia5d15eef72e379119f50fdbac4e92c4761bf5eaf
Reviewed-on: https://boringssl-review.googlesource.com/2835
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:49:23 +00:00
David Benjamin
e3b2eebd04 The dtls1_output_cert_chain function no longer exists so remove it from ssl_locl.h
(Imported from upstream's 789da2c73d875af59b14156b6295aa4bdfc4f424)

Change-Id: Id94877d8d22578e23c63d1f133820a89ceae29ae
Reviewed-on: https://boringssl-review.googlesource.com/2834
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:49:16 +00:00
David Benjamin
710d227daa Fix memory leak in SSL_new if errors occur.
(Imported from upstream's 76e6509085ea96df0ca542568ee2596343711307)

Change-Id: I6319271a1f46b3d36a4eba950cbab60420126175
Reviewed-on: https://boringssl-review.googlesource.com/2833
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:49:04 +00:00
David Benjamin
2adb7ec286 ssl_create_cipher_list: check whether push onto cipherstack succeeds
(Imported from upstream's f5905ba341ad0fa3731469f10f7fba6f92ecd787.)

Change-Id: I92f2f53a127a4f59ce71cf00a9a4aedd0560e586
Reviewed-on: https://boringssl-review.googlesource.com/2832
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:48:55 +00:00
David Benjamin
af19de3101 Fix the test async_bio in datagram mode.
write_quota should only be decremented by 1 in datagram mode, otherwise we'll
underflow and always allow writes through. This does not cause any existing
tests to fail.

(It will be useful once the bug in dtls1_do_write is fixed.)

Change-Id: I42aa001d7264790a3726269890635f679497fb1c
Reviewed-on: https://boringssl-review.googlesource.com/2831
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:48:40 +00:00
David Benjamin
17a5f85cbb Clarify dtls1_do_write's interaction with the buffering BIO.
The existing comments are not very helpful. This code is also quite buggy.
Document two of them as TODOs.

Change-Id: Idfaf93d9c3b8b1ee92f2fb0d292ef513b5f6d824
Reviewed-on: https://boringssl-review.googlesource.com/2830
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:48:31 +00:00
David Benjamin
80cee912de Account for the MTU BIO_ctrls returning negative or overly large numbers.
BIO_ctrls do not have terribly well-defined return values on error. (Though the
existing ones seem to all return 0, not -1, on nonexistant operation.)

Change-Id: I08497f023ce3257c253aa71517a98b2fe73c3f74
Reviewed-on: https://boringssl-review.googlesource.com/2829
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:46:50 +00:00
David Benjamin
a18b671c94 Simplify minimum and default MTUs.
g_probably_mtu and dtls1_guess_mtu is a bunch of logic for guessing the right
MTU, but it only ever returns the maximum (the input is always zero). Trim that
down to only what it actually does.

Change-Id: If3afe3f68ccb36cbf9c4525372564d16a4bbb73f
Reviewed-on: https://boringssl-review.googlesource.com/2828
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:45:57 +00:00
David Benjamin
5a3cc0381b Remove BIO_CTRL_DGRAM_MTU_EXCEEDED retry in dtls1_do_write.
The retry doesn't actually work when we're sending a non-initial fragment; the
s->init_off != 0 block will get re-run each iteration through and continually
prepend headers. It can also infinite loop if the BIO reports
BIO_CTRL_DGRAM_MTU_EXCEEDED but either fails to report an MTU or reports an MTU
that always rounds up to the minimum. See upstream's
d3d9eef31661633f5b003a9e115c1822f79d1870.

WebRTC doesn't participate in any of the MTU logic and inherits the default
MTU, so just remove it for now.

Change-Id: Ib2ed2ba016b7c229811741fb7369c015ba0b551f
Reviewed-on: https://boringssl-review.googlesource.com/2827
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:45:14 +00:00
David Benjamin
7f18b139cc Always SSL_OP_NO_QUERY_MTU before querying the BIO MTU.
That setting means that the MTU is provided externally via SSL_set_mtu.

(Imported from upstream's 001235778a6e9c645dc0507cad6092d99c9af8f5)

Change-Id: I4e5743a9dee734ddd0235f080aefe98a7365aaf6
Reviewed-on: https://boringssl-review.googlesource.com/2826
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:43:36 +00:00
David Benjamin
d9778fb418 Guard against small MTUs from the BIO.
Based in part on upstream's cf75017bfd60333ff65edf9840001cd2c49870a3. This
situation really shouldn't be able to happen, but between no static asserts
that the minimum MTU is always large enough and a bug in reseting the MTU later
(to be fixed be a follow-up import from upstream), check these and return a
useful error code.

Change-Id: Ie853e5d35a6a7bc9c0032e74ae71529d490f4fe2
Reviewed-on: https://boringssl-review.googlesource.com/2825
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:43:07 +00:00
David Benjamin
c67a3ae6ba Drop retransmits in DTLS tests.
BoringSSL currently retransmits non-deterministically on an internal timer
(rather than one supplied externally), so the tests currently fail flakily
depending on timing. Valgrind is a common source for this. We still assume an
in-order and reliable channel, but drop retransmits silently:

- Handshake messages may arrive with old sequence numbers.

- Retransmitted CCS records arrive from the previous epoch.

- We may receive a retransmitted Finished after we believe the handshake has
  completed. (Aside: even in a real implementation, only Finished is possible
  here. Even with out-of-order delivery, retransmitted or reordered messages
  earlier in the handshake come in under a different epoch.)

Note that because DTLS renego and a Finished retransmit are ambiguous at the
record layer[*], this precludes us writing tests for DTLS renego. But DTLS
renego should get removed anyway. As BoringSSL currently implements renego,
this ambiguity is also a source of complexity in the real implementation. (See
the SSL3_MT_FINISHED check in dtls1_read_bytes.)

[*] As a further fun aside, it's also complex if dispatching renego vs Finished
after handshake message reassembly. The spec doesn't directly say the sequence
number is reset across renegos, but it says "The first message each side
transmits in /each/ handshake always has message_seq = 0". This means that such
an implementation needs the handshake message reassembly logic be aware that a
Finished fragment with high sequence number is NOT an out-of-order fragment for
the next handshake.

Change-Id: I35d13560f82bcb5eeda62f4de1571d28c818cc36
Reviewed-on: https://boringssl-review.googlesource.com/2770
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:13:05 +00:00