Commit Graph

1093 Commits

Author SHA1 Message Date
David Benjamin
340d5ed295 Test that warning alerts are ignored.
Partly inspired by the new state exposed in
dc3da93899, stress this codepath by spamming our
poor shim with warning alerts.

Change-Id: I876c6e52911b6eb57493cf3e1782b37ea96d01f8
Reviewed-on: https://boringssl-review.googlesource.com/4112
Reviewed-by: Adam Langley <agl@google.com>
2015-03-25 15:25:28 +00:00
David Benjamin
0570923ed2 Add additional features to bssl client.
This exposes the features needed to mimic Chrome's ClientHello, which is useful
in testing. Also use bssl_shim's scopers for SSL objects.

Change-Id: Icb88bb00c0a05c27610134d618f466a24f7f757a
Reviewed-on: https://boringssl-review.googlesource.com/4113
Reviewed-by: Adam Langley <agl@google.com>
2015-03-23 23:16:30 +00:00
David Benjamin
0d4db50a54 Use C++11 inline initialization.
Google C++ style allows these. It's also considerably less tedious and
error-prone than defining an out-of-line constructor.

Change-Id: Ib76ccf6079be383722433046ac5c5d796dd1f525
Reviewed-on: https://boringssl-review.googlesource.com/4111
Reviewed-by: Adam Langley <agl@google.com>
2015-03-23 23:09:11 +00:00
David Benjamin
e5a3ac2cac Fix fail_second_ddos_callback flag.
It was failing only on 32-bit for some reason. Part of TestConfig wasn't
getting initialized.

Change-Id: I2a3747a347a47b47e2357f34d32f8db86d6cc629
Reviewed-on: https://boringssl-review.googlesource.com/4110
Reviewed-by: Adam Langley <agl@google.com>
2015-03-23 23:08:48 +00:00
David Benjamin
8056343a58 Fix CRYPTO_add_lock documentation.
It's not actually CRYPTO_add_locked, despite the name. I guess they just needed
a name that didn't clash with CRYPTO_add.

Change-Id: I3fdee08bf75e9a4e1b5e75630707c0be5792599b
Reviewed-on: https://boringssl-review.googlesource.com/4102
Reviewed-by: Adam Langley <agl@google.com>
2015-03-23 23:08:20 +00:00
David Benjamin
b6d0c6db5e Remove the stats block in SSL_CTX.
Within the library, only ssl_update_cache read them, so add a dedicated field
to replace that use.

The APIs have a handful of uninteresting callers so I've left them in for now,
but they now always return zero.

Change-Id: Ie4e36fd4ab18f9bff544541d042bf3c098a46933
Reviewed-on: https://boringssl-review.googlesource.com/4101
Reviewed-by: Adam Langley <agl@google.com>
2015-03-23 23:07:56 +00:00
David Benjamin
90fa69aaae Remove unnecessary -ldl and clean up includes for malloc tests.
I'm guessing a previous iteration used dlsym to look up the real malloc.

Change-Id: I18be9ef4db4ed059400074c8507d4e2fea882fbc
Reviewed-on: https://boringssl-review.googlesource.com/4100
Reviewed-by: Adam Langley <agl@google.com>
2015-03-21 00:07:42 +00:00
Håvard Molland
ab2479a08a Clean up error reporting.
Quite a few functions reported wrong function names when pushing
to the error stack.

Change-Id: I84d89dbefd2ecdc89ffb09799e673bae17be0e0f
Reviewed-on: https://boringssl-review.googlesource.com/4080
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-20 22:12:59 +00:00
Adam Langley
32156b974d Add some more Android compatibility declarations.
Change-Id: Ia1de2b746dec680eb59dc614295a1da289c5741a
2015-03-20 11:50:29 -07:00
David Benjamin
72dc7834af Test that signature_algorithm preferences are enforced.
Both on the client and the server.

Change-Id: I9892c6dbbb29938154aba4f53b10e8b5231f9c47
Reviewed-on: https://boringssl-review.googlesource.com/4071
Reviewed-by: Adam Langley <agl@google.com>
2015-03-20 18:23:54 +00:00
David Benjamin
67d1fb59ad Test that client cipher preferences are enforced.
Change-Id: I6e760cfd785c0c5688da6f7d3d3092a8add40409
Reviewed-on: https://boringssl-review.googlesource.com/4070
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 22:44:49 +00:00
David Benjamin
642f1498d0 evp: prevent underflow in base64 decoding
This patch resolves RT ticket #2608.

(Imported from upstream's d0666f289ac013094bbbf547bfbcd616199b7d2d.)

Change-Id: If0c8f583f3f643f3db6b6158cbc9ad7541bab8ec
Reviewed-on: https://boringssl-review.googlesource.com/4060
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 21:59:28 +00:00
David Benjamin
7061e28dc2 Rename EECDH and EDH to ECDHE and DHE.
Align with upstream's renames from a while ago. These names are considerably
more standard. This also aligns with upstream in that both "ECDHE" and "EECDH"
are now accepted in the various cipher string parsing bits.

Change-Id: I84c3daeacf806f79f12bc661c314941828656b04
Reviewed-on: https://boringssl-review.googlesource.com/4053
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:54:58 +00:00
David Benjamin
3c9746a6d7 Regression test for CVE-2015-0291.
This is really just scar tissue with https://crbug.com/468889 being the real
underlying problem. But the test is pretty easy.

Change-Id: I5eca18fdcbde8665c0e6c3ac419a28152647d66f
Reviewed-on: https://boringssl-review.googlesource.com/4052
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:52:59 +00:00
David Benjamin
b85a4c2923 Remove unnecessary NULL initializations in ssl_cert_dup.
A casual grep would suggest this function has the same problems as
CVE-2015-0291, but the structure is memset to 0, so the calls are unnecessary.
Also use BUF_memdup rather than an OPENSSL_malloc + mempcy pair.

Change-Id: Id605374d99cff32e2dccb7f9b8a9da226faf7715
Reviewed-on: https://boringssl-review.googlesource.com/4051
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:52:57 +00:00
David Benjamin
cdea40c3e2 Add tests for full handshakes under renegotiation.
In verifying the fix for CVE-2015-0291, I noticed we don't actually have any
test coverage for full handshakes on renegotiation. All our tests always do
resumptions.

Change-Id: Ia9b701e8a50ba9353fefb8cc4fb86e78065d0b40
Reviewed-on: https://boringssl-review.googlesource.com/4050
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:51:16 +00:00
David Benjamin
4b1510c71e Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209

(Imported from upstream's 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.)

Change-Id: Ic2e5dc5c96e316c55f76bedc6ea55b416be3287a
Reviewed-on: https://boringssl-review.googlesource.com/4049
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:50:32 +00:00
David Benjamin
7a8e62dbd9 Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

(Imported from upstream's e677e8d13595f7b3287f8feef7676feb301b0e8a.)

Change-Id: I5faefc190568504bb5895ed9816a6d80432cfa45
Reviewed-on: https://boringssl-review.googlesource.com/4048
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:48:41 +00:00
David Benjamin
61c0d4e8b2 Always reset sigalgslen when NULLing sigalgs.
See also upstream's 34e3edbf3a10953cb407288101fd56a629af22f9. This fixes
CVE-2015-0291. Also bubble up malloc failures in tls1_set_shared_sigalgs. Tidy
up style a bit and remove unnecessary check (it actually is unnecessary; see
https://boringssl-review.googlesource.com/4042).

Change-Id: Idfb31a90fb3e56ef6fe7701464748a5c1603f064
Reviewed-on: https://boringssl-review.googlesource.com/4047
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:46:28 +00:00
David Benjamin
c12d377e24 Free up ADB and CHOICE if already initialised.
CVE-2015-0287

(Imported from upstream's b485d976340d3ca080060c3c7dee9102e2200762.)

Change-Id: Ie8dac46ccc95a4eee9ef535d8620217202f13ca1
Reviewed-on: https://boringssl-review.googlesource.com/4046
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:42:27 +00:00
David Benjamin
7e3b5840c2 Fix more missing error checks in v3_cpols.c
I only imported half of upstream's c5f2b5336ab72e40ab91e2ca85639f51fa3178c6 on
accident.

Change-Id: Ice8185ca6770f915eb859e918f5db7d5ccdc7cc7
Reviewed-on: https://boringssl-review.googlesource.com/4045
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:41:28 +00:00
Adam Langley
078abceb29 Don't install SIGILL handler until after sigsetjmp.
Previously, if SIGILL was received between the signal handler being
installed and before the sigsetjmp, the process would longjmp to a
random location.

Change-Id: I9e6143a17ff3db0e1b00ece68fce161801461010
Reviewed-on: https://boringssl-review.googlesource.com/3950
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:53:07 +00:00
David Benjamin
8b368412d3 Minor formatting fixes.
Noticed these as I was poking around.

Change-Id: I93833a152583feced374c9febf7485bec7abc1c7
Reviewed-on: https://boringssl-review.googlesource.com/3973
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:52:44 +00:00
David Benjamin
9e13e1a31d Move the is_dtls bit from SSL3_ENC_METHOD to SSL_PROTOCOL_METHOD.
This too isn't version-specific. This removes the final difference between TLS
and DTLS SSL3_ENC_METHODs and we can fold them together. (We should be able to
fold away the version-specific differences too, but all in due time.)

Change-Id: I6652d3942a0970273d46d28d7052629c81f848b5
Reviewed-on: https://boringssl-review.googlesource.com/3771
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:51:49 +00:00
David Benjamin
cfdd6b1aef Account for partial reads in PacketedBio.
This fixes test flakiness on Windows.

BUG=467767

Change-Id: Ie69b5b43ddd524aadb15c53705f6ec860e928786
Reviewed-on: https://boringssl-review.googlesource.com/4001
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:49:37 +00:00
David Benjamin
506fa4f770 Allocate string types directly.
Allocate and free ASN.1 string types directly instead of going through
the ASN.1 item code.

(Imported from upstream's 3d6aa6d441fe8124d247dffee5c68c2e5efd8258.)

Change-Id: I617283e67071a792f219ed08f19078afc223e2f5
Reviewed-on: https://boringssl-review.googlesource.com/4041
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:47:52 +00:00
David Benjamin
42574efaff Avoid undefined behavior in probable_prime.
(Imported from upstream's e4676e900f165f5272991443225813002300b09b.)

Change-Id: I678e158c223daf2f7f9114f4e743d531fe2e2a93
Reviewed-on: https://boringssl-review.googlesource.com/4044
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:36:49 +00:00
David Benjamin
cdcecf546b Fix regression in ASN1_UTCTIME_cmp_time_t
Previously, ASN1_UTCTIME_cmp_time_t would return 1 if s > t, -1 if
s < t, and 0 if s == t.

This behavior was broken in upstream's
904348a4922333106b613754136305db229475ea, resulting in the opposite time
comparison behavior.

PR#3706

(Imported from upstream's da27006df06853a33b132133699a7aa9d4277920.)

Change-Id: I9c1c28ba21d82ff4b587e33b262f46be4e846ff9
Reviewed-on: https://boringssl-review.googlesource.com/4043
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:36:10 +00:00
David Benjamin
a5a3eeb9cc Remove ssl_cert_inst()
It created the cert structure in SSL_CTX or SSL if it was NULL, but they can
never be NULL as the comments already said.

(Imported from upstream's 2c3823491d8812560922a58677e3ad2db4b2ec8d.)

Change-Id: I97c7bb306d6f3c18597850db9f08023b2ef74839
Reviewed-on: https://boringssl-review.googlesource.com/4042
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:35:46 +00:00
David Benjamin
ced555394f Fix undefined behavior in shifts.
Td4 is an array of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not
representable in an integer, behaviour is undefined. In other words, you can't
shift into the sign bit of a signed integer. Fix this by casting to u32
whenever we're shifting left by 24.

(For consistency, cast other shifts, too.)

Caught by -fsanitize=shift

Submitted by Nick Lewycky (Google)

(Imported from upstream's 8b37e5c14f0eddb10c7f91ef91004622d90ef361.)

Change-Id: Id0f98d1d65738533c6ddcc3c21bc38b569d74793
Reviewed-on: https://boringssl-review.googlesource.com/4040
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:33:46 +00:00
David Benjamin
34860739de ASN.1 print fix.
When printing out an ASN.1 structure, if the type is an item template don't
fall through and attempt to interpret as a primitive type.

(Imported from upstream's 5dc1247a7494f50c88ce7492518bbe0ce6f124fa.)

Change-Id: Ica39757792cbf3f83879953b67838927ddbdb809
Reviewed-on: https://boringssl-review.googlesource.com/4009
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:32:45 +00:00
David Benjamin
859a04b7ff Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in v3_cpols.c

(Imported from upstream's c5f2b5336ab72e40ab91e2ca85639f51fa3178c6.)

Change-Id: I95e4157fc689201ca32e1c8e51d04801ba478685
Reviewed-on: https://boringssl-review.googlesource.com/4008
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:31:03 +00:00
David Benjamin
a9c6667cab Fix asn1_item_print_ctx
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.

(Imported from upstream's 34a7ed0c39aa3ab67eea1e106577525eaf0d7a00.)

Change-Id: Ia43cdc73b5f1d16e6fc907b5aaf13c9df5a9958c
Reviewed-on: https://boringssl-review.googlesource.com/4007
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:28:48 +00:00
David Benjamin
e30f3fb080 ASN1_primitive_new NULL param handling
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.

(Imported from upstream's 9e488fd6ab2c295941e91a47ab7bcd346b7540c7)

Change-Id: Icbb13cd00d0ec5529871b678b0bcc465956a7572
Reviewed-on: https://boringssl-review.googlesource.com/4006
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:11:04 +00:00
David Benjamin
c02f148fa8 Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.

(Imported from upstream's 8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485.)

Change-Id: I0b392991ce8170dc418e93003af256d535d1e2e8
Reviewed-on: https://boringssl-review.googlesource.com/4005
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:10:27 +00:00
David Benjamin
87b2a13a86 Fix seg fault in ASN1_generate_v3/ASN1_generate_nconf
(Imported from upstream's ac5a110621ca48f0bebd5b4d76d081de403da29e)

Change-Id: I1a0518447716a93038bd95d40abef1d9fb4e5f72
Reviewed-on: https://boringssl-review.googlesource.com/4004
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:08:50 +00:00
David Benjamin
2ddba8cd48 Check for RAND_bytes failures in the ClientHello.
(Imported from upstream's e1b568dd2462f7cacf98f3d117936c34e2849a6b.)

Our RAND_bytes secretly can't actually fail, but we should propagate the check
upwards.

Change-Id: Ieaaea98dad00bf73b1c0a42c039507d76b10ac78
Reviewed-on: https://boringssl-review.googlesource.com/4003
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:08:25 +00:00
David Benjamin
3305858342 Fix wrong numbers being passed as string lengths
(Imported from upstream's 0b142f022e2c5072295e00ebc11c5b707a726d74.)

Modified further because these ought to just be BIO_puts.

Change-Id: I8b70d70d0f626bb19b455adb4f0e08bacf453c1d
Reviewed-on: https://boringssl-review.googlesource.com/4002
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:07:45 +00:00
Adam Langley
f21645f4e3 Typo fix in comment.
(Thanks to William Hesse.)

Change-Id: I8479663250546a5ec0a024f80e50541f91d833bc
Reviewed-on: https://boringssl-review.googlesource.com/4020
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 22:01:26 +00:00
David Benjamin
067321502d Explicitly document EVP_PKEY_size vs EVP_PKEY_bits.
They do not quite measure the same value for EC keys. "size" is a really weird
notion to generalize on so we should document what it means for each key type.
EVP_PKEY_size's meaning is most tied to signatures, thanks to EVP_SignFinal
implicitly using it as output bounds.

Change-Id: I7504c142818f8f90f8bcf6891c97a6adaf2d574e
Reviewed-on: https://boringssl-review.googlesource.com/4000
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:45:42 +00:00
Adam Langley
1df63e93f9 Fix a couple of issues with building with strict C99.
C99 doesn't, technically, allow empty statements. Thus if a #define'ed
function ends in a semicolon, and the use of it also ends in a
semicolon, then the compiler sees “;;” at the end.

Since a choice has to be made, I prefer that the semicolon exist at the
“callsite” of a #define'ed fuction. But I haven't gone and changed
everything to follow that in this patch.

Change-Id: I1343e52a5ac6255db49aa053048d0df3225bcf43
Reviewed-on: https://boringssl-review.googlesource.com/3890
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:17:40 +00:00
Adam Langley
0e782a9eb3 Add AEADs for AES-CTR with HMAC-SHA256.
Change-Id: Id035d2c6ab9c6ae034326c313ffe35e0d035dec1
Reviewed-on: https://boringssl-review.googlesource.com/3911
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:16:55 +00:00
Adam Langley
52f9f62283 Change aes_set_gcm_key to be more flexible.
Firstly, it was odd that AES-NI was a special case. Secondly, I have a
need coming up for being able to get the block function and not create a
GCM context.

Change-Id: Ie87de5e7ea42dc042d302c5eafecbc6af03c714b
Reviewed-on: https://boringssl-review.googlesource.com/3910
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:16:39 +00:00
Adam Langley
5edc4e2a9b Correct three incorrect function names in errors.
Thanks to Sean Burford.

Change-Id: I4efa352f3e830c4c3761660508a1a8aa927eedf1
Reviewed-on: https://boringssl-review.googlesource.com/3841
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:15:04 +00:00
Adam Langley
ca8feeb301 Add support for 3DES ECB.
At least the linker can discard this function in the cases where nobody
is calling it.

Change-Id: I30050e918e6bc1dd9c97cc70f3a56408701abebc
Reviewed-on: https://boringssl-review.googlesource.com/3724
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:55:14 +00:00
Adam Langley
7282738bad Add DES_set_odd_parity.
Because NTLM authentication is still a thing.

Change-Id: I3308a8431c82f0b614e09ce3e5efac1526881f1e
Reviewed-on: https://boringssl-review.googlesource.com/3723
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:54:53 +00:00
Adam Langley
3f92d21094 Add SSL_get_rc4_state.
This allows the current RC4 state of an SSL* to be extracted. We have
internal uses for this functionality.

Change-Id: Ic124c4b253c8325751f49e7a4c021768620ea4b7
Reviewed-on: https://boringssl-review.googlesource.com/3722
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:54:34 +00:00
Adam Langley
524e717b87 Add a callback for DDoS protection.
This callback receives information about the ClientHello and can decide
whether or not to allow the handshake to continue.

Change-Id: I21be28335fa74fedb5b73a310ee24310670fc923
Reviewed-on: https://boringssl-review.googlesource.com/3721
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:53:29 +00:00
Brian Smith
ab2a8e03d9 Fix duplicate lock IDs & simplify lock ID maintenance.
* Eliminate the possibility of multiple lock IDs having the same
  value (CRYPTO_LOCK_FIPS2 and CRYPTO_LOCK_OBJ were both 40 prior to
  this commit).
* Remove unused lock IDs.
* Automatically guarantee that lock IDs and lock names stay in sync.

Change-Id: If20e462db1285fa891595a7e52404ad011ff16f6
Reviewed-on: https://boringssl-review.googlesource.com/3923
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 23:58:20 +00:00
David Benjamin
d434f28ef2 Fix bssl speed.
The TLS AEADs require EVP_AEAD_CTX_init_with_direction now. The speed command
was never updated to account for this.

BUG=467762

Change-Id: I8c7d4566b51d54d91d17318b8f4813ad8f19c777
Reviewed-on: https://boringssl-review.googlesource.com/3971
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 23:57:02 +00:00