Commit Graph

5630 Commits

Author SHA1 Message Date
Adam Langley
695e589b0c Include newlines at the end of generated asm.
Perl's print doesn't automatically include a newline and the delocate
script doesn't like files that don't end with one.

Change-Id: Ib1bce2b3bb6fbe1a122bd88b58198b497c599adb
Reviewed-on: https://boringssl-review.googlesource.com/31804
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-09-10 16:47:13 +00:00
Adam Langley
e77c27d734 Automatically disable assembly with MSAN.
MSAN is incompatible with hand-written assembly code. Previously we
required that OPENSSL_NO_ASM be set when building with MSAN, and the
CMake build would take care of this. However, with other build systems
it wasn't always so easy.

This change automatically disables assembly when the compiler is
configured for MSAN.

Change-Id: I6c219120f62d16b99bafc2efb02948ecbecaf87f
Reviewed-on: https://boringssl-review.googlesource.com/31724
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-09-07 21:12:37 +00:00
David Benjamin
967cd8219c Mark the C version of md5_block_data_order static.
This doesn't really matter, but once less visible symbol.

Change-Id: If4ee8cfe5c9db9d1c05ca74b8c6fee5cf3ea5a9b
Reviewed-on: https://boringssl-review.googlesource.com/31764
Reviewed-by: Adam Langley <agl@google.com>
2018-09-07 20:00:12 +00:00
Adam Langley
d66809580a Reorder some extensions to better match Firefox.
Change-Id: I3e2056b3c958d0fc5f49c0caa5003dc37f598424
Reviewed-on: https://boringssl-review.googlesource.com/31264
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-09-07 17:59:18 +00:00
David Benjamin
19ac2666b9 Make symbol-prefixing work on ARM.
The assembly files need some includes. Also evp.h has some conflicting
macros. Finally, md5.c's pattern of checking if a function name is
defined needs to switch to checking MD5_ASM.

Change-Id: Ib1987ba6f279144f0505f6951dead53968e05f20
Reviewed-on: https://boringssl-review.googlesource.com/31704
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-09-07 17:43:05 +00:00
David Benjamin
4b85a94542 Document alternative functions to BIO_f_base64.
Also point out that we're a cryptography library, not a text encoding library.
Not that that'll dissuade anyone.

Change-Id: Ia324e08c5cdd108fa182d2610f80447262e0bd5c
Reviewed-on: https://boringssl-review.googlesource.com/31664
Reviewed-by: Adam Langley <agl@google.com>
2018-09-07 15:58:12 +00:00
David Benjamin
8525ff31ee Another batch of bools.
Change-Id: I5a7688b6e635e7ee6fc16173f9919bff16c4d59d
Reviewed-on: https://boringssl-review.googlesource.com/31604
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
2018-09-07 15:06:55 +00:00
David Benjamin
632d1127df Add some RAND_bytes tests.
We're a far cry from the good old days when we just read from /dev/urandom
without any fuss...

In particular, the threading logic is slightly non-trivial and probably worth
some basic sanity checks. Also write a fork-safety test, and test the
fork-unsafe-buffering path.

The last one is less useful right now, since fork-unsafe-buffering is a no-op
with RDRAND enabled (although we do have an SDE bot...), but it's probably
worth exercising the code in
https://boringssl-review.googlesource.com/c/boringssl/+/31564.

Change-Id: I14b1fc5216f2a93183286aa9b35f5f2309107fb2
Reviewed-on: https://boringssl-review.googlesource.com/31684
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-09-06 23:54:57 +00:00
Joshua Liebow-Feeser
8c7c6356e6 Support symbol prefixes
- In base.h, if BORINGSSL_PREFIX is defined, include
  boringssl_prefix_symbols.h
- In all .S files, if BORINGSSL_PREFIX is defined, include
  boringssl_prefix_symbols_asm.h
- In base.h, BSSL_NAMESPACE_BEGIN and BSSL_NAMESPACE_END are
  defined with appropriate values depending on whether
  BORINGSSL_PREFIX is defined; these macros are used in place
  of 'namespace bssl {' and '}'
- Add util/make_prefix_headers.go, which takes a list of symbols
  and auto-generates the header files mentioned above
- In CMakeLists.txt, if BORINGSSL_PREFIX and BORINGSSL_PREFIX_SYMBOLS
  are defined, run util/make_prefix_headers.go to generate header
  files
- In various CMakeLists.txt files, add "global_target" that all
  targets depend on to give us a place to hook logic that must run
  before all other targets (in particular, the header file generation
  logic)
- Document this in BUILDING.md, including the fact that it is
  the caller's responsibility to provide the symbol list and keep it
  up to date
- Note that this scheme has not been tested on Windows, and likely
  does not work on it; Windows support will need to be added in a
  future commit

Change-Id: If66a7157f46b5b66230ef91e15826b910cf979a2
Reviewed-on: https://boringssl-review.googlesource.com/31364
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-09-06 20:07:52 +00:00
David Benjamin
492c9aa90c Fill in a fake session ID for TLS 1.3.
Historically, OpenSSL filled in a fake session ID for ticket-only
client sessions. Conscrypt relies on this to implement some weird Java
API where every session has an ID and may be queried out of the client
session cache and, e.g., revoked that way.

(Note that a correct client session cache is not keyed by session ID and
indeed this allows one server to knock out another server's sessions by
matching session IDs. But existing APIs are existing APIs.)

For consistency between TLS 1.2 and TLS 1.3, as well as matching
OpenSSL's TLS 1.3 implementation, do the same in TLS 1.3. Note this
smooths over our cross-version resumption tests by allowing for
something odd: it is now syntactically possible to resume a TLS 1.3
session at TLS 1.2. It doesn't matter either way, but now a different
codepath rejects certain cases.

Change-Id: I9caf4f0c3b2e2e24ae25752826d47bce77e65616
Reviewed-on: https://boringssl-review.googlesource.com/31525
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-09-06 18:12:11 +00:00
Adam Langley
e84c375303 Create output directories for perlasm.
Flattening the build seems to have changed the order of actions when
using Make and output directories for perlasm are no longer created
before Perl is run. Additionally, if the output directory doesn't exist,
the perlasm scripts seem to output to stdout instead.

Change-Id: I59b801f7347951a3b9cef2ff084b28a00b2d5a3c
Reviewed-on: https://boringssl-review.googlesource.com/31645
Reviewed-by: Adam Langley <agl@google.com>
2018-09-06 15:47:57 +00:00
Adam Langley
3a08fbd2a4 Fix Fiat path.
(I'm not sure why this built anywhere, but it did.)

Change-Id: I47e5b9b689c597e38a74104ac9ddcadfc2fb063d
Reviewed-on: https://boringssl-review.googlesource.com/31644
Reviewed-by: Adam Langley <agl@google.com>
2018-09-06 15:38:25 +00:00
Adam Langley
3faf3db6d8 Fix GCC (8.2.1) build error.
Not sure that I think this is a very valid build error from GCC, but
it's easy enough to work around.

../crypto/cpu-arm-linux_test.cc: In member function ‘virtual void ARMLinuxTest_CPUInfo_Test::TestBody()’:
../crypto/cpu-arm-linux_test.cc:25:10: error: declaration of ‘struct ARMLinuxTest_CPUInfo_Test::TestBody()::Test’ shadows a previous local [-Werror=shadow]
   struct Test {
          ^~~~
In file included from ../crypto/cpu-arm-linux_test.cc:19:
../third_party/googletest/include/gtest/gtest.h:375:23: note: shadowed declaration is here
 class GTEST_API_ Test {

Change-Id: Icc1676a621ec26b3665adaf5daf7d6c6f5307ba8
Reviewed-on: https://boringssl-review.googlesource.com/31624
Reviewed-by: Adam Langley <agl@google.com>
2018-09-06 15:38:11 +00:00
David Benjamin
12f58786aa Some more bools.
Change-Id: I60d9e728c1ca5e788ee7df5e874fb6e8ea182fec
Reviewed-on: https://boringssl-review.googlesource.com/31524
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-09-06 13:49:57 +00:00
David Benjamin
681ff27720 Flatten most of the crypto target.
The fipsmodule is still separate as that's a lot of build mess. (Though
that too may be worth pulling in eventually. CMake usually has different
opinions on generated files if they're in the same directory. We might
be able to avoid the set_source_properties(GENERATED) thing.)

Change-Id: Ie1f9345009044d4f0e7541ca779e01bdc5ad62f6
Reviewed-on: https://boringssl-review.googlesource.com/31586
Reviewed-by: Adam Langley <agl@google.com>
2018-09-05 23:41:25 +00:00
David Benjamin
1fcae84a4f Flatten assembly files.
Change-Id: I37438652b7e73ce16e50b5b1b8ba011b5076ded8
Reviewed-on: https://boringssl-review.googlesource.com/31585
Reviewed-by: Adam Langley <agl@google.com>
2018-09-05 23:39:59 +00:00
David Benjamin
d144539da6 Flatten the decrepit target.
https://boringssl-review.googlesource.com/c/boringssl/+/31364 wants to
add a dependency to each target, which is much easier with fewer of
them. Start with decrepit.

Change-Id: Ib3777063d545dfebe3e2b8448eb7e5bbb5c3aaac
Reviewed-on: https://boringssl-review.googlesource.com/31584
Reviewed-by: Adam Langley <agl@google.com>
2018-09-05 23:39:08 +00:00
David Benjamin
8e09d90142 Clarify "reference" and fix typo.
It was pointed out that "a reference" to C++ programmers means something
very different from what we intend.

Change-Id: I508196f8e3427ea71439c7871eae9b735a4fa5ca
Reviewed-on: https://boringssl-review.googlesource.com/31544
Reviewed-by: Adam Langley <agl@google.com>
2018-09-05 19:06:48 +00:00
David Benjamin
8cd61f710b Fix corner case in cpuinfo parser.
I realized looking at the sigalgs parser that I messed up the
space-splitting logic slightly. If the CPU features are "foo bar baz",
it would not parse "baz". This doesn't particular matter (the last one
is "crc32"), but better to parse it correctly.

Fix this and add a unit test. While I'm here, may as well add a fuzzer
too.

Change-Id: Ifc1603b8f70d975f391d10e51ede95deec31a83d
Reviewed-on: https://boringssl-review.googlesource.com/31464
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-09-05 00:00:14 +00:00
David Benjamin
f016f814c8 Add some about ownership to API-CONVENTIONS.
In particular, we often don't say anything if using the "default" conventions,
but we don't say what those are.  We've also never documented
get0/get1/set0/set1.

Change-Id: I113593cfcdcb93e0009796649e4c19219e765caf
Reviewed-on: https://boringssl-review.googlesource.com/31504
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-09-04 23:36:09 +00:00
David Benjamin
92812cb73c Tidy up docs for #defines.
This removes the special-case for #defines in doc.go.

Change-Id: I6bf750485a94ad28c3975644c74a17c550bb3224
Reviewed-on: https://boringssl-review.googlesource.com/31505
Reviewed-by: Adam Langley <agl@google.com>
2018-09-04 22:32:01 +00:00
David Benjamin
53affef486 No negative moduli.
https://boringssl-review.googlesource.com/31085 wasn't right. We already forbid
creating BN_MONT_CTX on negative numbers, which means almost all moduli already
don't work with BN_mod_exp_mont. Only -1 happened to not get rejected, but it
computed the wrong value. Reject it instead.

Update-Note: BN_mod_exp* will no longer work for negative moduli. It already
didn't work for all negative odd moduli other than -1, so rejecting -1 and
negative evens is unlikely to be noticed.

Bug: 71
Change-Id: I7c713d417e2e6512f3e78f402de88540809977e3
Reviewed-on: https://boringssl-review.googlesource.com/31484
Reviewed-by: Adam Langley <agl@google.com>
2018-09-04 22:26:53 +00:00
Joshua Liebow-Feeser
67e64342c1 Document that ED25519_sign only fails on allocation failure
Change-Id: I45866c3a4aa98ebac51d4e554a22eb5add45002f
Reviewed-on: https://boringssl-review.googlesource.com/31404
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-29 18:35:12 +00:00
David Benjamin
2556f8ba60 Clarify thread-safety of key objects.
This often causes confusion since, for various silly reasons (intrinsic
ref-counting, FOO_METHOD, and RSA's cached Montgomery bits), the thread
safety of some functions don't match the usual const/non-const
distinction. Fix const-ness where easy and document it otherwise.

Change-Id: If2037a4874d7580cc79b18ee21f12ae0f47db7fd
Reviewed-on: https://boringssl-review.googlesource.com/31344
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-28 18:52:59 +00:00
Matthew Braithwaite
e768212e7d shim: don't clear environment when invoking handshaker.
Change-Id: I266bf4dfbbc9b1867fbc91d44393c3f0a6ea9391
Reviewed-on: https://boringssl-review.googlesource.com/31405
Reviewed-by: Adam Langley <agl@google.com>
2018-08-28 17:50:26 +00:00
David Benjamin
6855e0a470 Switch the default TLS 1.3 variant to tls13_rfc.
Update-Note: If not explicitly configured to use tls13_all, callers that enable
TLS 1.3 will now only enable the final standard version.

Change-Id: Ifcfc65a9d8782c983df6e002925e8f77f45b6e53
Reviewed-on: https://boringssl-review.googlesource.com/31384
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-28 13:58:28 +00:00
Adam Langley
9c969bf491 Switch to Clang 6.0's fuzzer support.
With Clang 6.0, libFuzzer is now included and there's a new
-fsanitize=fuzzer command to enable the needed compiler actions.

Change-Id: If8c0d649f494655c5bb1e55ebdbf39450940c75b
Reviewed-on: https://boringssl-review.googlesource.com/31324
Reviewed-by: David Benjamin <davidben@google.com>
2018-08-27 17:18:56 +00:00
Adam Langley
7f4f41fa81 Don't depend on extension ordering to avoid an empty final extension.
In order to work around server bugs (see https://crbug.com/363583) we
need to ensure that the final extension is not empty. Doing this by
fixing the order of extensions is a little error-prone. Instead, insert
a padding extension to ensure this as neeeded.

Change-Id: I90760f2e6735082386c484c956a470aef38ed109
Reviewed-on: https://boringssl-review.googlesource.com/31284
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-08-23 23:36:15 +00:00
David Benjamin
23849f09af Fix TLS 1.3 downgrade tests.
The client downgrade detection tests were not asserting on the error (would
have caught the missing error string). Additionally, Downgrade-FalseStart-Draft
isn't testing what it's supposed to; it doesn't actually configure a draft
version or anything. Fix that and have it use ALPN rather than NPN, to match
the test above.

Change-Id: I0b759385641aa00994a912303a6f5bd65522b4bb
Reviewed-on: https://boringssl-review.googlesource.com/31204
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-22 15:47:11 +00:00
David Benjamin
1c2532ffe6 Fix error strings for SSL_R_TLS13_DOWNGRADE.
make_errors.go didn't seem to get run.

Change-Id: I12739fbab75b9f4898f73f206e404d101642b9c0
Reviewed-on: https://boringssl-review.googlesource.com/31184
Reviewed-by: Adam Langley <agl@google.com>
2018-08-22 01:26:47 +00:00
Steven Valdez
4ac9405eba Remove unused BORINGSSL_PREFIX.
Change-Id: Ifd7239106471bb59057b0a65c6e91837379c78bf
Reviewed-on: https://boringssl-review.googlesource.com/31164
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-21 14:53:16 +00:00
Joshua Liebow-Feeser
21558f43ce Document error behavior of PKCS5_PBKDF2_HMAC and EVP_PBE_scrypt
Change-Id: I5ce176538a53136aff3eea4af04b762ac9a5a994
Reviewed-on: https://boringssl-review.googlesource.com/31044
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-21 01:08:24 +00:00
Adam Langley
1c2779e819 Don't let a NULL mean the initial SSL_CTX in SSL_set_SSL_CTX.
We broke this a while back and nothing noticed. (Note dereference just
above.) Therefore I guess we don't need to support it.

Change-Id: I501d43825e89acb5f7f13998541dc8ff59452a99
Reviewed-on: https://boringssl-review.googlesource.com/31144
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-16 20:59:45 +00:00
Tom Bridgwater
929fd44f92 Update URL for GN quick start guide.
Bug: None
Change-Id: I01ea2bb0508b018e219ecc94108e6a4fbe247984
Reviewed-on: https://boringssl-review.googlesource.com/31124
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-16 20:18:41 +00:00
David Benjamin
a130ce0b71 Update TLS 1.3 citations for the final RFC.
Change-Id: I2d1671a4f21a602191fd0c9b932244a376ac5713
Reviewed-on: https://boringssl-review.googlesource.com/31104
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-16 18:37:50 +00:00
David Benjamin
c4131a4a23 Support the allocating case of i2d_ASN1_{BOOLEAN,OBJECT}.
Imported from upstream's 0971432f6f6d8b40d797133621809bd31eb7bf4e and
7d4c97add12cfa5d4589880b09d6139c3203e2f4, but with missing tests added. Along
the way, make Bytes work with any Span<const uint8_t>-convertable type.

Change-Id: If365f981fe8a8274e12000309ffd99b1bb719842
Reviewed-on: https://boringssl-review.googlesource.com/31086
Reviewed-by: Adam Langley <agl@google.com>
2018-08-16 15:59:11 +00:00
David Benjamin
378cca8016 Handle a modulus of -1 correctly.
Historically, OpenSSL's modular exponentiation functions tolerated negative
moduli by ignoring the sign bit. The special case for a modulus of 1 should do
the same. That said, this is ridiculous and the only reason I'm importing this
is BN_abs_is_word(1) is marginally more efficient than BN_is_one() and we
haven't gotten around to enforcing positive moduli yet.

Thanks to Guido Vranken and OSSFuzz for finding this issue and reporting to
OpenSSL.

(Imported from upstream's 235119f015e46a74040b78b10fd6e954f7f07774.)

Change-Id: I526889dfbe2356753aa1e6ecfd3aa3dc3a8cd2b8
Reviewed-on: https://boringssl-review.googlesource.com/31085
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2018-08-16 15:57:10 +00:00
David Benjamin
01e8e625ad Don't allow RC4 in PEM.
This fixes uninitialized memory read reported by Nick Mathewson in
https://github.com/openssl/openssl/issues/6347.

It imports the memset from upstream's 2c739f72e5236a8e0c351c00047c77083dcdb77f,
but I believe that fix is incorrect and instead RC4 shouldn't be allowed in
this context. See
https://github.com/openssl/openssl/pull/6603#issuecomment-413066462 for
details.

Update-Note: Decoding a password-protected PEM block with RC4 will, rather than
derive garbage from uninitialized memory, simply fail. Trying to encode a
password-protect PEM block with an unsupported cipher will also fail, rather
than output garbage (e.g. tag-less AES-GCM).

Change-Id: Ib7e23dbf5514f0a523730926daad3c0bdb989417
Reviewed-on: https://boringssl-review.googlesource.com/31084
Reviewed-by: Adam Langley <agl@google.com>
2018-08-16 15:33:43 +00:00
Steven Valdez
f1af129fb4 Implement TLS 1.3 anti-downgrade signal.
Change-Id: Ib4739350948ec339457d993daef582748ed8f100
Reviewed-on: https://boringssl-review.googlesource.com/30924
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-08-15 15:23:43 +00:00
Adam Langley
ae3223957f Remove dummy PQ padding extension.
Results written up at https://www.imperialviolet.org/2018/04/11/pqconftls.html

Change-Id: I4614fbda555323c67a7ee4683441b59b995f97fb
Reviewed-on: https://boringssl-review.googlesource.com/31064
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-15 00:28:52 +00:00
Adam Langley
cac346eddb Update Miller–Rabin check numbers.
This imports upstream's be4e1f79f631e49c76d02fe4644b52f907c374b2.

Change-Id: If0c4f066ba0ce540beaddd6a3e2540165d949dd2
Reviewed-on: https://boringssl-review.googlesource.com/31024
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-14 23:10:53 +00:00
Joshua Liebow-Feeser
978169951f Document error behavior of various functions
- Document error behavior of:
  - EVP_PKEY_assign_XXX
  - EVP_PKEY_set1_XXX
  - EVP_PKEY_assign
  - EVP_PKEY_set_type
  - EC_GROUP_new_by_curve_name
  - EC_KEY_set_group
  - ECDSA_size
  - HMAC_Final
- Document that EVP_parse_public_key sets the curve for EC keys

Change-Id: I498ae19a8729680216fee518f97bd0cbaab94c40
Reviewed-on: https://boringssl-review.googlesource.com/30985
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-14 20:42:21 +00:00
Joshua Liebow-Feeser
dea6d90de2 Document failure conditions of some EVP, HMAC, and CBB functions
- Document failure conditions of EVP_MD_CTX_copy_ex,
  EVP_DigestInit_ex, HMAC_Init_ex, and CBB_init

Change-Id: I643d1b92e88e7f690fa555f7d908317a23e5cd95
Reviewed-on: https://boringssl-review.googlesource.com/30964
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-14 19:31:43 +00:00
David Benjamin
2865567748 Use Span/Array for ticket decryption.
This isn't actually shorter, but there is a bunch of slicing up of the ticket,
which Span makes a little easier to follow.

Change-Id: I7ea4dfe025641a3b88e2c9b8e34246fefc23412f
Reviewed-on: https://boringssl-review.googlesource.com/29865
Reviewed-by: Adam Langley <agl@google.com>
2018-08-14 19:00:34 +00:00
Jesse Selover
6b0d82229b Format ssl/internal.h with clang-format.
Fixed up the comment about ssl_version. There's one line which I
manually edited:
int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
where clang-format puts spaces on both sides of the second *.

Change-Id: Id1c0bd02f664df14b1e5bbd8abaf2687fb9179db
Reviewed-on: https://boringssl-review.googlesource.com/31004
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-14 17:50:40 +00:00
David Benjamin
bc3286bb8c Add a pile of compatibility functions.
Change-Id: I75c8783139c717be34a9159a2291d2ae55ee71d5
Reviewed-on: https://boringssl-review.googlesource.com/30984
Reviewed-by: Adam Langley <agl@google.com>
2018-08-13 23:13:26 +00:00
Adam Langley
5e3c8a61ab Bound two other cases of PKCS#12 iteration counts.
The fuzzer found another place where it could cause a timeout by
providing a huge PBKDF2 iteration count. This change bounds another two
places where we parse out iteration counts and that's hopefully all of
them.

BUG=oss-fuzz:9853

Change-Id: I037fa09d2bee79e7435a9d40cbd89c07b4a9d443
Reviewed-on: https://boringssl-review.googlesource.com/30944
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-13 21:42:06 +00:00
Steven Valdez
d451453067 Implement final TLS 1.3 RFC!!!
The anti-downgrade signal is being implemented in a follow-up change.

Change-Id: I5ea3ff429ed1389a3577026588fef3660d2d0615
Reviewed-on: https://boringssl-review.googlesource.com/30904
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2018-08-13 20:34:23 +00:00
Jesse Selover
1c337e566d Option to reverify certs on resumption.
Works in the 1.3 and 1.2 client handshakes, not implemented on the
server for now.
Creates an SSL_CTX option to reverify the server certificate on session
resumption. Reverification only runs the client's certificate verify callback.
Adds new states to the client handshakes: state_reverify_server_certificate in
TLS 1.2, and state_server_certificate_reverify in TLS 1.3.
Adds a negative test to make sure that by default we don't verify the
certificate on resumption, and positive tests that make sure we do when the
new option is set.

Change-Id: I3a47ff3eacb3099df4db4c5bc57f7c801ceea8f1
Bug: chromium:347402
Reviewed-on: https://boringssl-review.googlesource.com/29984
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-10 20:06:22 +00:00
David Benjamin
bdc409801f Add new curve/hash ECDSA combinations from Wycheproof.
Change-Id: I7bb36c4e4108a2b7d9481ab2cafc245ea31927c0
Reviewed-on: https://boringssl-review.googlesource.com/30847
Reviewed-by: Adam Langley <agl@google.com>
2018-08-10 18:26:06 +00:00