Commit Graph

1077 Commits

Author SHA1 Message Date
David Benjamin
4b1510c71e Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209

(Imported from upstream's 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f.)

Change-Id: Ic2e5dc5c96e316c55f76bedc6ea55b416be3287a
Reviewed-on: https://boringssl-review.googlesource.com/4049
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:50:32 +00:00
David Benjamin
7a8e62dbd9 Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

(Imported from upstream's e677e8d13595f7b3287f8feef7676feb301b0e8a.)

Change-Id: I5faefc190568504bb5895ed9816a6d80432cfa45
Reviewed-on: https://boringssl-review.googlesource.com/4048
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:48:41 +00:00
David Benjamin
61c0d4e8b2 Always reset sigalgslen when NULLing sigalgs.
See also upstream's 34e3edbf3a10953cb407288101fd56a629af22f9. This fixes
CVE-2015-0291. Also bubble up malloc failures in tls1_set_shared_sigalgs. Tidy
up style a bit and remove unnecessary check (it actually is unnecessary; see
https://boringssl-review.googlesource.com/4042).

Change-Id: Idfb31a90fb3e56ef6fe7701464748a5c1603f064
Reviewed-on: https://boringssl-review.googlesource.com/4047
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:46:28 +00:00
David Benjamin
c12d377e24 Free up ADB and CHOICE if already initialised.
CVE-2015-0287

(Imported from upstream's b485d976340d3ca080060c3c7dee9102e2200762.)

Change-Id: Ie8dac46ccc95a4eee9ef535d8620217202f13ca1
Reviewed-on: https://boringssl-review.googlesource.com/4046
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:42:27 +00:00
David Benjamin
7e3b5840c2 Fix more missing error checks in v3_cpols.c
I only imported half of upstream's c5f2b5336ab72e40ab91e2ca85639f51fa3178c6 on
accident.

Change-Id: Ice8185ca6770f915eb859e918f5db7d5ccdc7cc7
Reviewed-on: https://boringssl-review.googlesource.com/4045
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 19:41:28 +00:00
Adam Langley
078abceb29 Don't install SIGILL handler until after sigsetjmp.
Previously, if SIGILL was received between the signal handler being
installed and before the sigsetjmp, the process would longjmp to a
random location.

Change-Id: I9e6143a17ff3db0e1b00ece68fce161801461010
Reviewed-on: https://boringssl-review.googlesource.com/3950
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:53:07 +00:00
David Benjamin
8b368412d3 Minor formatting fixes.
Noticed these as I was poking around.

Change-Id: I93833a152583feced374c9febf7485bec7abc1c7
Reviewed-on: https://boringssl-review.googlesource.com/3973
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:52:44 +00:00
David Benjamin
9e13e1a31d Move the is_dtls bit from SSL3_ENC_METHOD to SSL_PROTOCOL_METHOD.
This too isn't version-specific. This removes the final difference between TLS
and DTLS SSL3_ENC_METHODs and we can fold them together. (We should be able to
fold away the version-specific differences too, but all in due time.)

Change-Id: I6652d3942a0970273d46d28d7052629c81f848b5
Reviewed-on: https://boringssl-review.googlesource.com/3771
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:51:49 +00:00
David Benjamin
cfdd6b1aef Account for partial reads in PacketedBio.
This fixes test flakiness on Windows.

BUG=467767

Change-Id: Ie69b5b43ddd524aadb15c53705f6ec860e928786
Reviewed-on: https://boringssl-review.googlesource.com/4001
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:49:37 +00:00
David Benjamin
506fa4f770 Allocate string types directly.
Allocate and free ASN.1 string types directly instead of going through
the ASN.1 item code.

(Imported from upstream's 3d6aa6d441fe8124d247dffee5c68c2e5efd8258.)

Change-Id: I617283e67071a792f219ed08f19078afc223e2f5
Reviewed-on: https://boringssl-review.googlesource.com/4041
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:47:52 +00:00
David Benjamin
42574efaff Avoid undefined behavior in probable_prime.
(Imported from upstream's e4676e900f165f5272991443225813002300b09b.)

Change-Id: I678e158c223daf2f7f9114f4e743d531fe2e2a93
Reviewed-on: https://boringssl-review.googlesource.com/4044
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:36:49 +00:00
David Benjamin
cdcecf546b Fix regression in ASN1_UTCTIME_cmp_time_t
Previously, ASN1_UTCTIME_cmp_time_t would return 1 if s > t, -1 if
s < t, and 0 if s == t.

This behavior was broken in upstream's
904348a4922333106b613754136305db229475ea, resulting in the opposite time
comparison behavior.

PR#3706

(Imported from upstream's da27006df06853a33b132133699a7aa9d4277920.)

Change-Id: I9c1c28ba21d82ff4b587e33b262f46be4e846ff9
Reviewed-on: https://boringssl-review.googlesource.com/4043
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:36:10 +00:00
David Benjamin
a5a3eeb9cc Remove ssl_cert_inst()
It created the cert structure in SSL_CTX or SSL if it was NULL, but they can
never be NULL as the comments already said.

(Imported from upstream's 2c3823491d8812560922a58677e3ad2db4b2ec8d.)

Change-Id: I97c7bb306d6f3c18597850db9f08023b2ef74839
Reviewed-on: https://boringssl-review.googlesource.com/4042
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:35:46 +00:00
David Benjamin
ced555394f Fix undefined behavior in shifts.
Td4 is an array of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not
representable in an integer, behaviour is undefined. In other words, you can't
shift into the sign bit of a signed integer. Fix this by casting to u32
whenever we're shifting left by 24.

(For consistency, cast other shifts, too.)

Caught by -fsanitize=shift

Submitted by Nick Lewycky (Google)

(Imported from upstream's 8b37e5c14f0eddb10c7f91ef91004622d90ef361.)

Change-Id: Id0f98d1d65738533c6ddcc3c21bc38b569d74793
Reviewed-on: https://boringssl-review.googlesource.com/4040
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:33:46 +00:00
David Benjamin
34860739de ASN.1 print fix.
When printing out an ASN.1 structure, if the type is an item template don't
fall through and attempt to interpret as a primitive type.

(Imported from upstream's 5dc1247a7494f50c88ce7492518bbe0ce6f124fa.)

Change-Id: Ica39757792cbf3f83879953b67838927ddbdb809
Reviewed-on: https://boringssl-review.googlesource.com/4009
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:32:45 +00:00
David Benjamin
859a04b7ff Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in v3_cpols.c

(Imported from upstream's c5f2b5336ab72e40ab91e2ca85639f51fa3178c6.)

Change-Id: I95e4157fc689201ca32e1c8e51d04801ba478685
Reviewed-on: https://boringssl-review.googlesource.com/4008
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:31:03 +00:00
David Benjamin
a9c6667cab Fix asn1_item_print_ctx
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.

(Imported from upstream's 34a7ed0c39aa3ab67eea1e106577525eaf0d7a00.)

Change-Id: Ia43cdc73b5f1d16e6fc907b5aaf13c9df5a9958c
Reviewed-on: https://boringssl-review.googlesource.com/4007
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:28:48 +00:00
David Benjamin
e30f3fb080 ASN1_primitive_new NULL param handling
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.

(Imported from upstream's 9e488fd6ab2c295941e91a47ab7bcd346b7540c7)

Change-Id: Icbb13cd00d0ec5529871b678b0bcc465956a7572
Reviewed-on: https://boringssl-review.googlesource.com/4006
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:11:04 +00:00
David Benjamin
c02f148fa8 Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.

(Imported from upstream's 8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485.)

Change-Id: I0b392991ce8170dc418e93003af256d535d1e2e8
Reviewed-on: https://boringssl-review.googlesource.com/4005
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:10:27 +00:00
David Benjamin
87b2a13a86 Fix seg fault in ASN1_generate_v3/ASN1_generate_nconf
(Imported from upstream's ac5a110621ca48f0bebd5b4d76d081de403da29e)

Change-Id: I1a0518447716a93038bd95d40abef1d9fb4e5f72
Reviewed-on: https://boringssl-review.googlesource.com/4004
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:08:50 +00:00
David Benjamin
2ddba8cd48 Check for RAND_bytes failures in the ClientHello.
(Imported from upstream's e1b568dd2462f7cacf98f3d117936c34e2849a6b.)

Our RAND_bytes secretly can't actually fail, but we should propagate the check
upwards.

Change-Id: Ieaaea98dad00bf73b1c0a42c039507d76b10ac78
Reviewed-on: https://boringssl-review.googlesource.com/4003
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:08:25 +00:00
David Benjamin
3305858342 Fix wrong numbers being passed as string lengths
(Imported from upstream's 0b142f022e2c5072295e00ebc11c5b707a726d74.)

Modified further because these ought to just be BIO_puts.

Change-Id: I8b70d70d0f626bb19b455adb4f0e08bacf453c1d
Reviewed-on: https://boringssl-review.googlesource.com/4002
Reviewed-by: Adam Langley <agl@google.com>
2015-03-19 11:07:45 +00:00
Adam Langley
f21645f4e3 Typo fix in comment.
(Thanks to William Hesse.)

Change-Id: I8479663250546a5ec0a024f80e50541f91d833bc
Reviewed-on: https://boringssl-review.googlesource.com/4020
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 22:01:26 +00:00
David Benjamin
067321502d Explicitly document EVP_PKEY_size vs EVP_PKEY_bits.
They do not quite measure the same value for EC keys. "size" is a really weird
notion to generalize on so we should document what it means for each key type.
EVP_PKEY_size's meaning is most tied to signatures, thanks to EVP_SignFinal
implicitly using it as output bounds.

Change-Id: I7504c142818f8f90f8bcf6891c97a6adaf2d574e
Reviewed-on: https://boringssl-review.googlesource.com/4000
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:45:42 +00:00
Adam Langley
1df63e93f9 Fix a couple of issues with building with strict C99.
C99 doesn't, technically, allow empty statements. Thus if a #define'ed
function ends in a semicolon, and the use of it also ends in a
semicolon, then the compiler sees “;;” at the end.

Since a choice has to be made, I prefer that the semicolon exist at the
“callsite” of a #define'ed fuction. But I haven't gone and changed
everything to follow that in this patch.

Change-Id: I1343e52a5ac6255db49aa053048d0df3225bcf43
Reviewed-on: https://boringssl-review.googlesource.com/3890
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:17:40 +00:00
Adam Langley
0e782a9eb3 Add AEADs for AES-CTR with HMAC-SHA256.
Change-Id: Id035d2c6ab9c6ae034326c313ffe35e0d035dec1
Reviewed-on: https://boringssl-review.googlesource.com/3911
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:16:55 +00:00
Adam Langley
52f9f62283 Change aes_set_gcm_key to be more flexible.
Firstly, it was odd that AES-NI was a special case. Secondly, I have a
need coming up for being able to get the block function and not create a
GCM context.

Change-Id: Ie87de5e7ea42dc042d302c5eafecbc6af03c714b
Reviewed-on: https://boringssl-review.googlesource.com/3910
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:16:39 +00:00
Adam Langley
5edc4e2a9b Correct three incorrect function names in errors.
Thanks to Sean Burford.

Change-Id: I4efa352f3e830c4c3761660508a1a8aa927eedf1
Reviewed-on: https://boringssl-review.googlesource.com/3841
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 21:15:04 +00:00
Adam Langley
ca8feeb301 Add support for 3DES ECB.
At least the linker can discard this function in the cases where nobody
is calling it.

Change-Id: I30050e918e6bc1dd9c97cc70f3a56408701abebc
Reviewed-on: https://boringssl-review.googlesource.com/3724
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:55:14 +00:00
Adam Langley
7282738bad Add DES_set_odd_parity.
Because NTLM authentication is still a thing.

Change-Id: I3308a8431c82f0b614e09ce3e5efac1526881f1e
Reviewed-on: https://boringssl-review.googlesource.com/3723
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:54:53 +00:00
Adam Langley
3f92d21094 Add SSL_get_rc4_state.
This allows the current RC4 state of an SSL* to be extracted. We have
internal uses for this functionality.

Change-Id: Ic124c4b253c8325751f49e7a4c021768620ea4b7
Reviewed-on: https://boringssl-review.googlesource.com/3722
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:54:34 +00:00
Adam Langley
524e717b87 Add a callback for DDoS protection.
This callback receives information about the ClientHello and can decide
whether or not to allow the handshake to continue.

Change-Id: I21be28335fa74fedb5b73a310ee24310670fc923
Reviewed-on: https://boringssl-review.googlesource.com/3721
Reviewed-by: Adam Langley <agl@google.com>
2015-03-18 19:53:29 +00:00
Brian Smith
ab2a8e03d9 Fix duplicate lock IDs & simplify lock ID maintenance.
* Eliminate the possibility of multiple lock IDs having the same
  value (CRYPTO_LOCK_FIPS2 and CRYPTO_LOCK_OBJ were both 40 prior to
  this commit).
* Remove unused lock IDs.
* Automatically guarantee that lock IDs and lock names stay in sync.

Change-Id: If20e462db1285fa891595a7e52404ad011ff16f6
Reviewed-on: https://boringssl-review.googlesource.com/3923
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 23:58:20 +00:00
David Benjamin
d434f28ef2 Fix bssl speed.
The TLS AEADs require EVP_AEAD_CTX_init_with_direction now. The speed command
was never updated to account for this.

BUG=467762

Change-Id: I8c7d4566b51d54d91d17318b8f4813ad8f19c777
Reviewed-on: https://boringssl-review.googlesource.com/3971
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 23:57:02 +00:00
David Benjamin
1b3a95122d Document exactly how the stateful AEADs are weird.
Probably worth spelling that out.

Change-Id: Ie8815fc645e2836f4fb5bf7d09df1e5326751544
Reviewed-on: https://boringssl-review.googlesource.com/3970
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 23:55:56 +00:00
Brian Smith
1d1562d9b5 Free new[]'d array using delete[] instead of free in speed.cc.
Change-Id: Ic3d5e8de0b6800c0852c2057427836302c1f1aaa
Reviewed-on: https://boringssl-review.googlesource.com/3962
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 21:04:15 +00:00
Brian Smith
a42b4163f8 Remove remaining remnants of RIPEMD-160 support.
Change-Id: I59d06bcb9245ba93d3c3b63afbc24d6cef7c5af4
Reviewed-on: https://boringssl-review.googlesource.com/3925
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 21:03:42 +00:00
Brian Smith
d53b2c3c88 Fix out-of-bounds memory write in speed.cc.
Windows x64 uses the IL32P64 data model, which means that unsigned int
is 32 bits and size_t is 64 bits. Previously, the expression
|~(alignment - 1)| resulted in the 32-bit value 0xFFFFFFF0, which was
then extended to the 64-bit value 0x00000000FFFFFFF0 when promoted to
size_t. When the input pointer was masked with this value, the result
was a pointer that was usually way outside the boundaries of the array.

The new code casts |alignment| to size_t first prior to the bitwise
negation, resulting in the correct mask value of 0xFFFFFFFFFFFFFFF0.

Change-Id: I04754aa9e1ce7a615c2b4c74051cfcca38dbb52f
Reviewed-on: https://boringssl-review.googlesource.com/3961
Reviewed-by: Adam Langley <agl@google.com>
2015-03-17 19:12:54 +00:00
Brian Smith
4df48dd30f Define more OPENSSL_NO_xxx flags in opensslfeatures.h.
Change-Id: I464159dd03a2ea9a5e01452888fda86a5af51024
Reviewed-on: https://boringssl-review.googlesource.com/3924
Reviewed-by: Adam Langley <agl@google.com>
2015-03-14 00:21:01 +00:00
Brian Smith
949b26827a Remove Unused SPARC & PowerPC perlasm scripts.
Change-Id: I6139a3e9a2780c5a52169c72afc95665d453da8c
Reviewed-on: https://boringssl-review.googlesource.com/3922
Reviewed-by: Adam Langley <agl@google.com>
2015-03-14 00:16:55 +00:00
Brian Smith
28120a18f6 Fix mistaken use of CRYPTO_EX_INDEX_DSA in rsa.c.
Change-Id: I4a81fcbdd79f96b34cafcbd33279906b55dafbac
Reviewed-on: https://boringssl-review.googlesource.com/3920
Reviewed-by: Adam Langley <agl@google.com>
2015-03-14 00:14:40 +00:00
David Benjamin
dc3da93899 Process alerts between ChangeCipherSpec and Finished.
This mostly[*] doesn't matter for TLS since the message would have been
rejected anyway, but, in DTLS, if the peer rejects our Finished, it will send
an encrypted alert. This will then cause it to hang, which isn't very helpful.

I've made the change on both TLS and DTLS so the two protocols don't diverge on
this point. It is true that we're accepting nominally encrypted and
authenticated alerts before Finished, but, prior to ChangeCipherSpec, the
alerts are sent in the clear anyway so an attacker could already inject alerts.
A consumer could only be sensitive to it being post-CCS if it was watching
msg_callback. The only non-debug consumer of msg_callback I've found anywhere
is some hostapd code to detect Heartbeat.

See https://code.google.com/p/webrtc/issues/detail?id=4403 for an instance
where the equivalent behavior in OpenSSL masks an alert.

[*] This does change behavior slightly if the peer sends a warning alert
between CCS and Finished. I believe this is benign as warning alerts are
usually ignored apart from info_callback and msg_callback. The one exception is
a close_notify which is a slightly new state (accepting close_notify during a
handshake seems questionable...), but they're processed pre-CCS too.

Change-Id: Idd0d49b9f9aa9d35374a9f5e2f815cdb931f5254
Reviewed-on: https://boringssl-review.googlesource.com/3883
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 20:19:11 +00:00
David Benjamin
4f7783eaea Use EC_KEY_new_by_curve_name.
May as well use this convenience function when we can. A little tidier. Even
fixes a leak on malloc failure in eckey_type2param.

Change-Id: Ie48dd98f2fe03fa9911bd78db4423ab9faefc63d
Reviewed-on: https://boringssl-review.googlesource.com/3772
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:49:39 +00:00
David Benjamin
7cb0f44d9d Remove EVP_MAXCHUNK from DES EVP code.
Upstream needs this to deal with size_t, but our low-level DES APIs take
size_t, so this is not a concern.

Change-Id: I9dc4c7248c5dd9515246a4b224147b932328a400
Reviewed-on: https://boringssl-review.googlesource.com/3882
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:46:49 +00:00
David Benjamin
165de16c2e Import additional AES-GCM test vector from upstream.
Upstream added another test vector in 4e049c52599d4a3fd918ba8570f49d88159e551b.

Change-Id: I17855dd479214657f0698b78f93e183cd6cb912e
Reviewed-on: https://boringssl-review.googlesource.com/3880
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:41:49 +00:00
David Benjamin
1a5c50f3a8 Error codes are uint32_t, not unsigned long.
Fix a few remnants of them being unsigned long. Also rename extremely unhelpful
variable names in SSL_get_error. i is now ret_code to match the header.

Change-Id: Ic31d6626bfe09c9e21c03691dfc716c5573833ea
Reviewed-on: https://boringssl-review.googlesource.com/3881
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:41:42 +00:00
David Benjamin
7cc29ab833 Take advantage of normalized return values.
Now that much of EVP has been normalized to 0/1, a lot of code can just use
boolean operators. (As can some code which was already using them...)

Change-Id: I6bb17edfd6f67050bf1706d59d8f37df57535faa
Reviewed-on: https://boringssl-review.googlesource.com/3875
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:40:42 +00:00
David Benjamin
e0ba4dddf6 Normalize all EVP_PKEY_CTX_ctrl return values.
No code within BoringSSL or Google (grep for EVP_PKEY_CTX_(ctrl|get|set)) is
sensitive to the various failure cases. Normalize it all to 0/1 for simplicity.

This does carry a slight risk: any new ctrl hooks we import from upstream that,
like EVP_PKEY_CTX_get_rsa_oaep_md, return something other than success/failure
cannot be called directly via EVP_PKEY_CTX_ctrl. They instead need to
internally be routed through a struct like CBS and only called through the
wrappers. To that end, unexport EVP_PKEY_CTX_ctrl and require that callers use
the wrappers. No code in Google uses it directly and, if need be, switching to
the wrapper would be an incredibly upstreamable patch.

Change-Id: I3fd4e5a1a0f3d4d1c4122c52d4c74a5105b99cd5
Reviewed-on: https://boringssl-review.googlesource.com/3874
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:39:42 +00:00
David Benjamin
bc5d8ee0d4 Route EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL through a CBS.
This is the only EVP_PKEY ctrl hook which returns something other than a
boolean.

Change-Id: Ic226aef168abdf72e5d30e8264a559ed5039a055
Reviewed-on: https://boringssl-review.googlesource.com/3873
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:19:59 +00:00
David Benjamin
e60202797d Move EVP_R_COMMAND_NOT_SUPPORTED into individual EVP_PKEY ctrl hooks.
This removes another place where we're internally sensitive to the
success/failure conditions.

Change-Id: I18fecf6457e841ba0afb718397b9b5fd3bbdfe4c
Reviewed-on: https://boringssl-review.googlesource.com/3872
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:18:39 +00:00