Commit Graph

1984 Commits

Author SHA1 Message Date
David Benjamin
c2ae53db6d Document alert handling.
SSL_alert_desc_string_long was kept in the undeprecated bucket and one missing
alert was added. We have some uses and it's not completely ridiculous for
logging purposes.

The two-character one is ridiculous though and gets turned into a stub
that returns a constant string ("!" or "!!") because M2Crypto expects
it.

Change-Id: Iaf8794b5d953630216278536236c7113655180af
Reviewed-on: https://boringssl-review.googlesource.com/6297
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 19:03:24 +00:00
David Benjamin
b86847c24b Clean up ssl_stat.c slightly.
(Documentation/deprecation will come in later commits.)

Change-Id: I3aba26e32b2e47a1afb5cedd44d09115fc193bce
Reviewed-on: https://boringssl-review.googlesource.com/6296
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:49:51 +00:00
David Benjamin
1a1b34d759 Deprecate SSL_get_(peer_)finished.
The only reason you'd want it is to tls_unique, and we have a better API
for that. (It has one caller and that is indeed what that caller uses it
for.)

Change-Id: I39f8e353f56f18becb63dd6f7205ad31f4192bfd
Reviewed-on: https://boringssl-review.googlesource.com/6295
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:48:41 +00:00
David Benjamin
93d17499e9 Deprecate SSL_want*.
This is redundant with SSL_get_error. Neither is very good API, but
SSL_get_error is more common. SSL_get_error also takes a return code
which makes it harder to accidentally call it at some a point other than
immediately after an operation. (Any other point is confusing since you
can have SSL_read and SSL_write operations going on in parallel and
they'll get mixed up.)

Change-Id: I5818527c30daac28edb552c6c550c05c8580292d
Reviewed-on: https://boringssl-review.googlesource.com/6294
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:42:15 +00:00
David Benjamin
7f393f72a5 Unexport SSL_SESSION_ASN1_VERSION.
It's pretty clearly pointless to put in the public header.

Change-Id: I9527aba09b618f957618e653c4f2ae379ddd0fdb
Reviewed-on: https://boringssl-review.googlesource.com/6293
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:41:08 +00:00
David Benjamin
79a0589dc4 Ditch remaining filename comments from public headers and ssl/
Change-Id: I8fc795d18aacb0c929b82e7d58514b22103e2106
Reviewed-on: https://boringssl-review.googlesource.com/6292
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:40:05 +00:00
David Benjamin
d4c2bceaab Document early callback functions.
Also added a SSL_CTX_set_select_certificate_cb setter for
select_certificate_cb so code needn't access SSL_CTX directly. Plus it
serves as a convenient anchor for the documentation.

Change-Id: I23755b910e1d77d4bea7bb9103961181dd3c5efe
Reviewed-on: https://boringssl-review.googlesource.com/6291
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:29:33 +00:00
David Benjamin
cfdee213f8 Add use counters for SSL_OP_TLS_D5_BUG and SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER.
These are theh two remaining quirks (SSL_OP_LEGACY_SERVER_CONNECT
aside). Add counters so we can determine whether there are still clients
that trip up these cases.

Change-Id: I7e92f42f3830c1df675445ec15a852e5659eb499
Reviewed-on: https://boringssl-review.googlesource.com/6290
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:22:47 +00:00
David Benjamin
96e97b1bf1 Convert ssl3_send_channel_id to CBB.
In doing so, simplify the mess around serializing the public key.
Channel ID specifies that you write x and y concatenated. Rather than
using the X9.62 serialization and chopping bits off, get the affine
coordinates and write them out in the same way we write r and s.

Also unify the P-256 sanity check around SSL_set1_tls_channel_id and
actually check the curve NID.

BUG=468889

Change-Id: I228877b736c9722e368d315064ce3ae6893adfc0
Reviewed-on: https://boringssl-review.googlesource.com/6201
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:16:46 +00:00
David Benjamin
e97b96224c Convert ssl3_send_next_proto to CBB.
BUG=468889

Change-Id: I841b2816ba47c8c1129e333012272902a52cafd3
Reviewed-on: https://boringssl-review.googlesource.com/6200
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:08:28 +00:00
David Benjamin
5638046cd7 Convert ssl3_send_server_hello to CBB.
BUG=468889

Change-Id: I899d67addbff01c64175f47b19ca2b688626405b
Reviewed-on: https://boringssl-review.googlesource.com/6191
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 18:04:48 +00:00
David Benjamin
e8d53508ca Convert ssl3_send_client_hello to CBB.
Start converting the ones we can right now. Some of the messier ones
resize init_buf rather than assume the initial size is sufficient, so
those will probably wait until init_buf is gone and the handshake's
undergone some more invasive surgery. The async ones will also require
some thought. But some can be incrementally converted now.

BUG=468889

Change-Id: I0bc22e4dca37d9d671a488c42eba864c51933638
Reviewed-on: https://boringssl-review.googlesource.com/6190
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-20 17:56:19 +00:00
Matt Braithwaite
978f16ea08 size_t RSA functions.
This extends 79c59a30 to |RSA_public_encrypt|, |RSA_private_encrypt|,
and |RSA_public_decrypt|.  It benefits Conscrypt, which expects these
functions to have the same signature as |RSA_public_private_decrypt|.

Change-Id: Id1ce3118e8f20a9f43fd4f7bfc478c72a0c64e4b
Reviewed-on: https://boringssl-review.googlesource.com/6286
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-19 23:54:47 +00:00
Eric Roman
63fa118f3a Reject iterations=0 when calling PKCS5_PBKDF2_HMAC().
BUG=https://crbug.com/534961

Change-Id: I69e2434bf8d5564711863c393ee3bafe3763cf24
Reviewed-on: https://boringssl-review.googlesource.com/5932
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 19:40:55 +00:00
David Benjamin
c617413527 Remove SSL_SESSION_print*.
It's missing fields and no one ever calls it.

Change-Id: I450edc1e29bb48edffb5fd3df8da19a03e4185ce
Reviewed-on: https://boringssl-review.googlesource.com/5821
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 19:24:14 +00:00
Brian Smith
e5ae760a96 Silence MSVC warning C4210.
The warning is:

    C4210: nonstandard extension used : function given file scope.

It is caused by function declarations that aren't at the top level in a
file.

Change-Id: Ib1c2ae64e15e66eb0a7255a29c0e560fbf55c2b2
Reviewed-on: https://boringssl-review.googlesource.com/6210
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:20:29 +00:00
David Benjamin
b735b1b6e4 Document that SSL_CTX_sess_set_get_cb's id parameter should be const.
See also upstream's bf0fc41266f17311c5db1e0541d3dd12eb27deb6.

Change-Id: Ib692b0ad608f2e3291f2aeab2ad98a7e177d5851
Reviewed-on: https://boringssl-review.googlesource.com/6150
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:19:28 +00:00
David Benjamin
f88b81aa75 Put OCSP and SCT accessors with SSL_get_peer_certificate.
Grouping along two axes is weird. Doesn't hugely matter which one, but
we should be consistent.

Change-Id: I80fb04d3eff739c08fda29515ce81d101d8542cb
Reviewed-on: https://boringssl-review.googlesource.com/6120
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:19:06 +00:00
David Benjamin
8ac00cafbf Document DTLS-specific retransmit and MTU functions.
The caller obligations for retransmit are messy, so I've peppered a few
other functions with mentions of it. There's only three functions, so
they're lumped in with the other core functions. They're irrelevant for
TLS, but important for DTLS.

Change-Id: Ifc995390952eef81370b58276915dcbe4fc7e3b5
Reviewed-on: https://boringssl-review.googlesource.com/6093
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:18:54 +00:00
David Benjamin
fd8e69f26d Better document the callbacks around client certificates.
Deprecate the client_cert_cb variant since you can't really configure
intermediates with it. (You might be able to by configuring the
intermediates without the leaf or key and leaving the SSL stack to
configure those, but that's really weird. cert_cb is simpler.)

Also document the two functions the callbacks may use to query the
CertificateRequest on the client.

Change-Id: Iad6076266fd798cd74ea4e09978e7f5df5c8a670
Reviewed-on: https://boringssl-review.googlesource.com/6092
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:18:40 +00:00
David Benjamin
9f85949baf Document a few more miscellaneous things.
Change-Id: Ib4829bf9344341e3d4fe90c7cea66e217366fe97
Reviewed-on: https://boringssl-review.googlesource.com/6091
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:18:19 +00:00
David Benjamin
9f4913f4a8 Remove the ifdef around ec.h's ec_key.h compatibility include
It doesn't actually do anything.

Change-Id: I8a5748dc86b842406cc656a5b251e1a7c0092377
Reviewed-on: https://boringssl-review.googlesource.com/6090
Reviewed-by: Adam Langley <alangley@gmail.com>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:14:52 +00:00
Brian Smith
a655c73b93 Switch rsa_test.cc to use new RSA private key parsing API.
Change-Id: I48885402b88309bb514554d209e1827d31738756
Reviewed-on: https://boringssl-review.googlesource.com/6211
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <alangley@gmail.com>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:14:41 +00:00
Brian Smith
b8c1446c1f Fix comment typo in poly1305_test.txt.
Change-Id: Id7391502f08651d018d88400057b18aae9e514e3
Reviewed-on: https://boringssl-review.googlesource.com/6102
Reviewed-by: Adam Langley <alangley@gmail.com>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:14:26 +00:00
David Benjamin
03bad147b6 Links in README.md, take two.
gitiles seems to mangle the links when viewed from
https://boringssl.googlesource.com/boringssl/+/master/README.md, but not
https://boringssl.googlesource.com/boringssl/.

This document suggests that it handles absolute and relative links to files
specially. I guess it didn't interpret 'README.md' as either and failed to adjust
it accordingly. Let's see if this works instead.

https://gerrit.googlesource.com/gitiles/+/master/Documentation/markdown.md#Links

Change-Id: Ic181919140f968c88c69ea8f3c21c70f63e4b467
Reviewed-on: https://boringssl-review.googlesource.com/6230
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:04:43 +00:00
David Benjamin
1d5ef3bb1e Add SSL_set_renegotiate_mode.
Add a slightly richer API. Notably, one can configure ssl_renegotiate_once to
only accept the first renego.

Also, this API doesn't repeat the mistake I made with
SSL_set_reject_peer_renegotiations which is super-confusing with the negation.

Change-Id: I7eb5d534e3e6c553b641793f4677fe5a56451c71
Reviewed-on: https://boringssl-review.googlesource.com/6221
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 18:02:28 +00:00
David Benjamin
324dce4fd7 Unbreak SSL_total_renegotiations.
The logic to update that got removed in
https://boringssl-review.googlesource.com/4825. Add tests.

Change-Id: Idc550e8fa3ce6f69a76fa65d7651adde281edba6
Reviewed-on: https://boringssl-review.googlesource.com/6220
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: Adam Langley <alangley@gmail.com>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 17:53:30 +00:00
Adam Langley
6a2c512a7b Add a README.
Change-Id: I77b1d0efa6cddfcb162be693d53276822780540f
Reviewed-on: https://boringssl-review.googlesource.com/5790
Reviewed-by: Adam Langley <agl@google.com>
2015-10-13 17:52:28 +00:00
David Benjamin
617eac6a21 Align BIO_get_fd with upstream.
OpenSSL's BIO_get_fd returns the fd or -1, not a boolean.

Change-Id: I12a3429c71bb9c9064f9f91329a88923025f1fb5
Reviewed-on: https://boringssl-review.googlesource.com/6080
Reviewed-by: Adam Langley <agl@google.com>
2015-10-12 22:18:17 +00:00
David Benjamin
c7ce977fb9 Ignore all extensions but renegotiation_info in SSL 3.0.
SSL 3.0 used to have a nice and simple rule around extensions. They don't
exist. And then RFC 5746 came along and made this all extremely confusing.

In an SSL 3.0 server, rather than blocking ServerHello extension
emission when renegotiation_info is missing, ignore all ClientHello
extensions but renegotiation_info. This avoids a mismatch between local
state and the extensions with emit.

Notably if, for some reason, a ClientHello includes the session_ticket
extension, does NOT include renegotiation_info or the SCSV, and yet the
client or server are decrepit enough to negotiate SSL 3.0, the
connection will fail due to unexpected NewSessionTicket message.

See https://crbug.com/425979#c9 for a discussion of something similar
that came up in diagnosing https://poodle.io/'s buggy POODLE check.
This is analogous to upstream's
5a3d8eebb7667b32af0ccc3f12f314df6809d32d.

(Not supporting renego as a server in any form anyway, we may as well
completely ignore extensions, but then our extensions callbacks can't
assume the parse hooks are always called. This way the various NULL
handlers still function.)

Change-Id: Ie689a0e9ffb0369ef7a20ab4231005e87f32d5f8
Reviewed-on: https://boringssl-review.googlesource.com/6180
Reviewed-by: Adam Langley <agl@google.com>
2015-10-11 20:47:19 +00:00
Adam Langley
7bd538d94d Remove an unreachable expression.
The goto always jumps into the loop so the for's initialisation
expression can never be executed. Clang warns about this.

Change-Id: I3c3d4b8430754099e9ca6fd20101868c40165245
2015-10-09 13:04:03 -07:00
Adam Langley
f0258fe956 Add optimised version of P-224.
This imports the Google-authored P-224 implementation by Emilia Käsper
and Bodo Möller that is also in upstream OpenSSL.

Change-Id: I16005c74a2a3e374fb136d36f3f6569dab9d8919
Reviewed-on: https://boringssl-review.googlesource.com/6145
Reviewed-by: Adam Langley <agl@google.com>
2015-10-08 20:29:22 +00:00
Adam Langley
82aa28fa81 Make |BUF_memdup| look for zero length, not NULL.
BUF_memdup tries to avoid mallocing zero bytes (and thus unduly
returning an error for a NULL return value) by testing whether the input
buffer is NULL. This goes back to the original OpenSSL code.

However, when |ext_npn_parse_serverhello| tries to use |BUF_memdup| to
copy an NPN value returned by a callback, some callbacks just set the
output /length/ to zero to indicate an empty value. Thus, when
|BUF_memdup| tests the pointer, it's an uninitialised value and MSan
throws an error.

Since passing a NULL pointer to |BUF_memdup| better imply that the
length is zero, while the reverse empirically isn't true, testing the
length seems safer.

Change-Id: I06626f7dfb761de631fd997bda60057b76b8da94
2015-10-06 18:11:33 -07:00
Chuck Hays
c608d6b02b Updating Bazel outputs to work on other platforms.
Bazel on Mac requires some alterations to the generated build files.
This change updates generate_build_files.py to emit suitable Bazel
files. This will require some tweaks to projects that build with Bazel.

Change-Id: I3d68ec754b8abaa41a348f86c32434477f2c5e1c
Reviewed-on: https://boringssl-review.googlesource.com/6146
Reviewed-by: Adam Langley <agl@google.com>
2015-10-07 00:57:20 +00:00
Eric Roman
1aec2cbad2 Reject iterationCount == 0 when parsing PBKDF2-params.
Previously a value of 0 would be accepted and intepreted as equivalent
to 1. This contradicts RFC 2898 which defines:

     iterationCount INTEGER (1..MAX),

BUG=https://crbug.com/534961

Change-Id: I89623980f99fde3ca3780880d311955d3f6fe0b5
Reviewed-on: https://boringssl-review.googlesource.com/5971
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-02 16:19:04 +00:00
David Benjamin
20c0e90d11 Allow NULL inputs in SSL_SESSION_get_time.
Some code relies on OpenSSL's behavior where it allowed for NULL. But this time
add a comment so people don't think this is the convention for new functions.

BUG=538292

Change-Id: I66566e0e24566fafe17e05369276248be3b05591
Reviewed-on: https://boringssl-review.googlesource.com/6070
Reviewed-by: Adam Langley <agl@google.com>
2015-10-01 20:16:49 +00:00
Brian Smith
20605684e8 Fix |max_tag_len| for TLS CBC AEADs.
Change-Id: Iba21583a4de08039fab78e526c91003fbd327592
Reviewed-on: https://boringssl-review.googlesource.com/6058
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 23:59:22 +00:00
Brian Smith
d4ebc99122 Remove always-zero |bulk| variables in crypto/cipher/e_aes.c.
Change-Id: I36b2bb0e10c627ae6efa9d133df53b814922e652
Reviewed-on: https://boringssl-review.googlesource.com/6051
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 23:12:45 +00:00
Brian Smith
bc41cdf327 Add tests from cipher_test.txt to the AEAD test suite.
Change-Id: I819b5473e35e1f71192d3a336252ae4506c4230b
Reviewed-on: https://boringssl-review.googlesource.com/6055
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 23:11:40 +00:00
Adam Langley
0dd93002dd Revert section changes for ASM.
This change reverts the following commits:
  72d9cba7cb
  5b61b9ebc5
  3f85e04f40
  2ab24a2d40

Change-Id: I669b83f2269cf96aa71a649a346147b9407a811e
Reviewed-on: https://boringssl-review.googlesource.com/6056
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 22:09:52 +00:00
Adam Langley
f4e554e438 Bitwise-or, not logical-or, when hashing.
This didn't actually break anything, but it does make session lookup
quite slow.

Change-Id: I13615e8ccf6a46683a21774eb7c073318ae8c28c
Reviewed-on: https://boringssl-review.googlesource.com/6054
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 20:50:18 +00:00
Adam Langley
72d9cba7cb Move .align directives next to their labels for ARM.
2ab24a2d40 added sections to ARM assembly
files. However, in cases where .align directives were not next to the
labels that they were intended to apply to, the section directives would
cause them to be ignored.

Change-Id: I32117f6747ff8545b80c70dd3b8effdc6e6f67e0
Reviewed-on: https://boringssl-review.googlesource.com/6050
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 18:35:29 +00:00
David Benjamin
3b27843b7c Go's darwin filenames have changed.
32-bit is gone (wasn't being used anyway) and the -osx10.8 suffix is gone.
Still looking into why the Linux bots are unhappy.

Change-Id: If3a35d20fb1cc6f1e3f023d792dc78b5c5aac72a
Reviewed-on: https://boringssl-review.googlesource.com/6061
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 18:32:05 +00:00
David Benjamin
3fc9fe3f4a Move the bots to Go 1.5.1.
Nothing in particular, but probably good to match the version of Go on our
workstations.

Change-Id: I5f4828299d56d25cd8c0dadfa91e9f18212a178d
Reviewed-on: https://boringssl-review.googlesource.com/6060
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 18:23:19 +00:00
Adam Langley
dc7e9c4043 Make the runner tests a go “test”
This change makes the runner tests (in ssl/test/runner) act like a
normal Go test rather than being a Go binary. This better aligns with
some internal tools.

Thus, from this point onwards, one has to run the runner tests with `go
test` rather than `go run` or `go build && ./runner`.

This will break the bots.

Change-Id: Idd72c31e8e0c2b7ed9939dacd3b801dbd31710dd
Reviewed-on: https://boringssl-review.googlesource.com/6009
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-30 17:10:45 +00:00
David Benjamin
368ef1aa51 Take thread.h out of the documentation.
There's nothing in there that isn't deprecated, since BoringSSL is thread-safe
by default now.

Change-Id: Idfd9de8bd3a6544b1d4176b2d115eef9eefa63d0
Reviewed-on: https://boringssl-review.googlesource.com/6031
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 23:38:09 +00:00
David Benjamin
9a798ecc0e Document the hexadecimal casing thing in PORTING.md.
mab@ seems to be dealing with a fair number of these, so it's probably worth
adding to the list.

Change-Id: Ifaea3c96e7b089f28a87c7728ceb8c671786eb27
Reviewed-on: https://boringssl-review.googlesource.com/6030
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 23:37:50 +00:00
Matt Braithwaite
4d11aff33a Don't record handshake hashes if no Channel ID
Change-Id: Ic0dcde436024e8d11f9b5986998cf6e808ff036b
Reviewed-on: https://boringssl-review.googlesource.com/6007
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 21:47:05 +00:00
Adam Langley
2492586058 Add |PKCS12_verify_mac|.
This utility function is provided for API-compatibility and simply calls
|PKCS12_parse| internally.

BUG=536939

Change-Id: I86c548e5dfd64b6c473e497b95adfa5947fe9529
Reviewed-on: https://boringssl-review.googlesource.com/6008
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 20:30:35 +00:00
Adam Langley
5b61b9ebc5 Update ChaCha20 ARM asm with sections.
The ChaCha20 ARM asm is generated from GCC. This change updates the GCC
command line to include -ffunction-sections, which causes GCC to put
each function in its own section so that the linker with --gc-sections
can trim unused functions.

Since the file only has a single function, this is a bit useless, but
it'll now be consistent with the other ARM asm.

Change-Id: If12c675700310ea55af817b5433844eeffc9d029
Reviewed-on: https://boringssl-review.googlesource.com/6006
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 18:07:54 +00:00