Commit Graph

427 Commits

Author SHA1 Message Date
David Benjamin
4f7783eaea Use EC_KEY_new_by_curve_name.
May as well use this convenience function when we can. A little tidier. Even
fixes a leak on malloc failure in eckey_type2param.

Change-Id: Ie48dd98f2fe03fa9911bd78db4423ab9faefc63d
Reviewed-on: https://boringssl-review.googlesource.com/3772
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:49:39 +00:00
David Benjamin
7cb0f44d9d Remove EVP_MAXCHUNK from DES EVP code.
Upstream needs this to deal with size_t, but our low-level DES APIs take
size_t, so this is not a concern.

Change-Id: I9dc4c7248c5dd9515246a4b224147b932328a400
Reviewed-on: https://boringssl-review.googlesource.com/3882
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:46:49 +00:00
David Benjamin
165de16c2e Import additional AES-GCM test vector from upstream.
Upstream added another test vector in 4e049c52599d4a3fd918ba8570f49d88159e551b.

Change-Id: I17855dd479214657f0698b78f93e183cd6cb912e
Reviewed-on: https://boringssl-review.googlesource.com/3880
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:41:49 +00:00
David Benjamin
1a5c50f3a8 Error codes are uint32_t, not unsigned long.
Fix a few remnants of them being unsigned long. Also rename extremely unhelpful
variable names in SSL_get_error. i is now ret_code to match the header.

Change-Id: Ic31d6626bfe09c9e21c03691dfc716c5573833ea
Reviewed-on: https://boringssl-review.googlesource.com/3881
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:41:42 +00:00
David Benjamin
7cc29ab833 Take advantage of normalized return values.
Now that much of EVP has been normalized to 0/1, a lot of code can just use
boolean operators. (As can some code which was already using them...)

Change-Id: I6bb17edfd6f67050bf1706d59d8f37df57535faa
Reviewed-on: https://boringssl-review.googlesource.com/3875
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:40:42 +00:00
David Benjamin
e0ba4dddf6 Normalize all EVP_PKEY_CTX_ctrl return values.
No code within BoringSSL or Google (grep for EVP_PKEY_CTX_(ctrl|get|set)) is
sensitive to the various failure cases. Normalize it all to 0/1 for simplicity.

This does carry a slight risk: any new ctrl hooks we import from upstream that,
like EVP_PKEY_CTX_get_rsa_oaep_md, return something other than success/failure
cannot be called directly via EVP_PKEY_CTX_ctrl. They instead need to
internally be routed through a struct like CBS and only called through the
wrappers. To that end, unexport EVP_PKEY_CTX_ctrl and require that callers use
the wrappers. No code in Google uses it directly and, if need be, switching to
the wrapper would be an incredibly upstreamable patch.

Change-Id: I3fd4e5a1a0f3d4d1c4122c52d4c74a5105b99cd5
Reviewed-on: https://boringssl-review.googlesource.com/3874
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:39:42 +00:00
David Benjamin
bc5d8ee0d4 Route EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL through a CBS.
This is the only EVP_PKEY ctrl hook which returns something other than a
boolean.

Change-Id: Ic226aef168abdf72e5d30e8264a559ed5039a055
Reviewed-on: https://boringssl-review.googlesource.com/3873
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:19:59 +00:00
David Benjamin
e60202797d Move EVP_R_COMMAND_NOT_SUPPORTED into individual EVP_PKEY ctrl hooks.
This removes another place where we're internally sensitive to the
success/failure conditions.

Change-Id: I18fecf6457e841ba0afb718397b9b5fd3bbdfe4c
Reviewed-on: https://boringssl-review.googlesource.com/3872
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:18:39 +00:00
David Benjamin
33c8d60a1f Remove EVP_PKEY_CTRL_DIGESTINIT -2 special-case in md_begin_digest.
All EVP_PKEY types return 1 on that. (It can go away entirely when
EVP_PKEY_HMAC is gone.) This removes a place internally where we're sensitive
to the failure code.

Change-Id: Ic6cda2da9337ba7ef1c66a18e40c5dcc44fcf840
Reviewed-on: https://boringssl-review.googlesource.com/3871
Reviewed-by: Adam Langley <agl@google.com>
2015-03-13 19:17:59 +00:00
David Benjamin
389939422a ARMv4 assembly pack: add Cortex-A15 performance data.
(Imported from upstream's e390ae50e0bc41676994c6fa23f7b65a8afc4d7f)

Change-Id: Ifee85b0936c06c42cc7c09f8327d15fec51da48a
Reviewed-on: https://boringssl-review.googlesource.com/3832
Reviewed-by: Adam Langley <agl@google.com>
2015-03-10 02:32:05 +00:00
David Benjamin
5a93342fab Fix two unchecked mallocs in crypto/asn1.
Imported from upstream's 918bb8652969fd53f0c390c1cd909265ed502c7e. (The
remainder is in code we've since deleted.)

Change-Id: Ie878272114086ba60a0fd5eae059b641b00ec0c4
Reviewed-on: https://boringssl-review.googlesource.com/3831
Reviewed-by: Adam Langley <agl@google.com>
2015-03-10 02:31:29 +00:00
David Benjamin
ee562b987e Get rid of the RSMBLY macros.
Turn them into static functions that take in an hm_fragment. It's not
immediately obvious that the frag_off/frag_len bounds checks and the msg_len
consistency check are critical to avoiding an out-of-bounds write. Better to
have dtls1_hm_fragment_mark also check internally.

Also rework the bitmask logic to be clearer and avoid a table.

Change-Id: Ica54e98f66295efb323e033cb6c67ab21e7d6cbc
Reviewed-on: https://boringssl-review.googlesource.com/3765
Reviewed-by: Adam Langley <agl@google.com>
2015-03-10 01:11:21 +00:00
David Benjamin
7538122ca6 Rework DTLS handshake message reassembly logic.
Notably, drop all special cases around receiving a message in order and
receiving a full message. It makes things more complicated and was the source
of bugs (the MixCompleteMessageWithFragments tests added in this CL did not
pass before). Instead, every message goes through an hm_fragment, and
dtls1_get_message always checks buffered_messages to see if the next is
complete.

The downside is that we pay one more copy of the message data in the common
case. This is only during connection setup, so I think it's worth the
simplicity. (If we want to optimize later, we could either tighten
ssl3_get_message's interface to allow the handshake data being in the
hm_fragment's backing store rather than s->init_buf or swap out s->init_buf
with the hm_fragment's backing store when a mesasge completes.

This CL does not address ssl_read_bytes being an inappropriate API for DTLS.
Future work will revise the handshake/transport boundary to align better with
DTLS's needs. Also other problems that I've left as TODOs.

Change-Id: Ib4570d45634b5181ecf192894d735e8699b1c86b
Reviewed-on: https://boringssl-review.googlesource.com/3764
Reviewed-by: Adam Langley <agl@google.com>
2015-03-10 00:56:45 +00:00
David Benjamin
d03b5eddb9 Fix some stray tabs that snuck into e_tls.c.
Change-Id: Iee44636a3f80d86f94b0c34bb708d4d723964159
Reviewed-on: https://boringssl-review.googlesource.com/3820
Reviewed-by: Adam Langley <agl@google.com>
2015-03-10 00:55:22 +00:00
Adam Langley
8a4ab4fc1d Don't include .extern and .hidden on OS X.
Change-Id: I582eaa2ff922bbf1baf298a5c6857543524a8d4e
Reviewed-on: https://boringssl-review.googlesource.com/3810
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-06 21:44:19 +00:00
Adam Langley
d216b71f90 Include .extern and .hidden in x86-64 asm.
It's unclear why .extern was being suppressed, it's also a little
unclear how the Chromium build was working without this. None the less,
it's causing problems with Android and it's more obviously correct to
make these symbols as hidden.

Change-Id: Id13ec238b80b8bd08d8ae923ac659835450e77f8
Reviewed-on: https://boringssl-review.googlesource.com/3800
Reviewed-by: Adam Langley <agl@google.com>
2015-03-06 19:08:11 +00:00
David Benjamin
d27eda00a4 Generate error data at build time.
This avoids cluttering up the diff and making merge conflicts a pain.  It does,
however, mean we need to generate err_data.c ahead of time in Chromium and
likely other downstream builds. It also adds a build dependency on Go.

Change-Id: I6e0513ed9f50cfb030f7a523ea28519590977104
Reviewed-on: https://boringssl-review.googlesource.com/3790
Reviewed-by: Adam Langley <agl@google.com>
2015-03-06 18:59:25 +00:00
David Benjamin
9d102ddbc0 Check public key is not NULL.
CVE-2015-0288
PR#3708

(Imported from upstream's 28a00bcd8e318da18031b2ac8778c64147cd54f9.)

Change-Id: I6d60691da4c6860f87c753c065e93e9d0704aba9
Reviewed-on: https://boringssl-review.googlesource.com/3750
Reviewed-by: Adam Langley <agl@google.com>
2015-03-06 18:55:32 +00:00
Adam Langley
5f5bf6f210 Don't add another error to the queue when RSA_private_transform fails.
Some code, sadly, tests the error and the extra error is breaking it.

Change-Id: I89eabadf5d2c5f7dd761030da33dd4c3f2ac8382
Reviewed-on: https://boringssl-review.googlesource.com/3720
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-03-05 22:43:43 +00:00
David Benjamin
b34f510b3b Don't delay-initialize legacy AEADs.
Instead, add a separate init_with_direction hook. Normal AEADs ignore the
direction, while legacy AEADs must be initialized with it. This avoids
maintaining extra state to support the delayed initialization.

Change-Id: I25271f0e56ee2783a2fd4d4026434154d58dc0a8
Reviewed-on: https://boringssl-review.googlesource.com/3731
Reviewed-by: Adam Langley <agl@google.com>
2015-03-05 21:25:05 +00:00
David Benjamin
23721e3705 Forbid reusing HMAC key without reusing the hash function.
There's no good reason to do this, and it doesn't work; HMAC checks the length
of the key and runs it through the hash function if too long. The reuse occurs
after this check.

This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it
ever stored the original key. It also slightly simplifies HMAC_Init_ex's
logic.

Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab
Reviewed-on: https://boringssl-review.googlesource.com/3733
Reviewed-by: Adam Langley <agl@google.com>
2015-03-02 23:16:12 +00:00
David Benjamin
cc239d3903 Use HMAC_Init_ex, not HMAC_Init, in HMAC.
We've already initialized the context, HMAC_Init has questionable behavior
around NULL keys, and this avoids a size_t truncation.

Change-Id: Iab6bfc24fe22d46ca4c01be6129efe0630d553e6
Reviewed-on: https://boringssl-review.googlesource.com/3732
Reviewed-by: Adam Langley <agl@google.com>
2015-03-02 23:15:20 +00:00
Adam Langley
4e581b5378 Add support for reading PKCS#7 data from PEM files.
(There are times when I actually miss C++ templates.)

Change-Id: I3db56e4946ae4fb919105fa33e2cfce3c7542d37
Reviewed-on: https://boringssl-review.googlesource.com/3700
Reviewed-by: Adam Langley <agl@google.com>
2015-02-27 21:02:38 +00:00
Adam Langley
50073e8c5e Add functions to parse and generate PKCS#7 files with CRLs.
Change-Id: I7b6acc9004beb7b7090de1837814ccdff2e9930e
Reviewed-on: https://boringssl-review.googlesource.com/3680
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-02-27 19:48:19 +00:00
David Benjamin
5ae21bc02b Remove pointless free, and use preferred way of calling d2i_* functions
(Imported from upstream's 535bc8faf69dc4ff39e2ee99195b268cf99b9569)

Change-Id: Ia5abf4dce9dc8cdf5a9b77a3e360a40b5f815adf
Reviewed-on: https://boringssl-review.googlesource.com/3672
Reviewed-by: Adam Langley <agl@google.com>
2015-02-27 19:47:36 +00:00
David Benjamin
29b50eab6c Align d2i_ECPrivateKey error-handling with upstream.
Upstream decided to make the caller free the scratch space rather than the
callee. May as well match. (Existing code is pretty inconsistent. This API
pattern needs to go.)

See upstream's 9e442d485008046933cdc7da65080f436a4af089.

Change-Id: I7c9fcae5778a74d6ae8e9f546e03fb2cf6e48426
Reviewed-on: https://boringssl-review.googlesource.com/3671
Reviewed-by: Adam Langley <agl@google.com>
2015-02-27 19:45:42 +00:00
David Benjamin
114ddebbf6 Unexport EC_GROUP_copy.
EC_GROUP_copy is an rather unfriendly function; it doesn't work if the groups
have different[*] underlying EC_METHODs, but this notion is not exposed through
the API. I found no callers of EC_GROUP_copy in external code.

This leaves the precompute_mult functions as the remaining mutable API exposed
through EC_GROUP.

[*] Though, of the two EC_METHODs right now, simple.c is entirely unused.

Change-Id: Iabb52518005250fb970e12b3b0ea78b4f6eff4a0
Reviewed-on: https://boringssl-review.googlesource.com/3631
Reviewed-by: Adam Langley <agl@google.com>
2015-02-27 19:43:02 +00:00
David Benjamin
03741f61d9 Use EC_GROUP_dup and EC_POINT_dup in EC_KEY_copy.
They do the same thing. This removes all callers of EC_GROUP_copy outside
EC_GROUP_dup.

Change-Id: I65433ee36040de79e56483dfece774e01e2e2743
Reviewed-on: https://boringssl-review.googlesource.com/3630
Reviewed-by: Adam Langley <agl@google.com>
2015-02-25 21:44:24 +00:00
David Benjamin
09bdb2a2c3 Remove explicit .hiddens from x86_64 perlasm files.
This reverts the non-ARM portions of 97999919bb.
x86_64 perlasm already makes .globl imply .hidden. (Confusingly, ARM does not.)
Since we don't need it, revert those to minimize divergence with upstream.

Change-Id: I2d205cfb1183e65d4f18a62bde187d206b1a96de
Reviewed-on: https://boringssl-review.googlesource.com/3610
Reviewed-by: Adam Langley <agl@google.com>
2015-02-25 21:26:16 +00:00
Adam Langley
7c21925a10 EC_GROUP_cmp should return zero if the groups match.
(I got this wrong when reading the OpenSSL code.)

Change-Id: Ib289ef41d0ab5a3157ad8b9454d2de96d1f86c22
Reviewed-on: https://boringssl-review.googlesource.com/3620
Reviewed-by: Adam Langley <agl@google.com>
2015-02-25 21:13:02 +00:00
David Benjamin
3ce3c369cb Find perl using the CMake's standard FindPerl module.
This gives a standard PERL_EXECUTABLE configuration knob which is useful for
specifying a perl to use without having it in PATH.

Change-Id: I4b196b77e0b4666081a3f291fee3654c47925844
Reviewed-on: https://boringssl-review.googlesource.com/3570
Reviewed-by: Adam Langley <agl@google.com>
2015-02-23 19:59:48 +00:00
David Benjamin
87c8a643e1 Use TCP sockets rather than socketpairs in the SSL tests.
This involves more synchronization with child exits as the kernel no longer
closes the pre-created pipes for free, but it works on Windows. As long as
TCP_NODELAY is set, the performance seems comparable. Though it does involve
dealing with graceful socket shutdown. I couldn't get that to work on Windows
without draining the socket; not even SO_LINGER worked. Current (untested)
theory is that Windows refuses to gracefully shutdown a socket if the peer
sends data after we've stopped reading.

cmd.ExtraFiles doesn't work on Windows; it doesn't use fds natively, so you
can't pass fds 4 and 5. (stdin/stdout/stderr are special slots in
CreateProcess.) We can instead use the syscall module directly and mark handles
as inheritable (and then pass the numerical values out-of-band), but that
requires synchronizing all of our shim.Start() calls and assuming no other
thread is spawning a process.

PROC_THREAD_ATTRIBUTE_HANDLE_LIST fixes threading problems, but requires
wrapping more syscalls.  exec.Cmd also doesn't let us launch the process
ourselves. Plus it still requires every handle in the list be marked
inheritable, so it doesn't help if some other thread is launching a process
with bInheritHandles TRUE but NOT using PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
(Like Go, though we can take syscall.ForkLock there.)

http://blogs.msdn.com/b/oldnewthing/archive/2011/12/16/10248328.aspx

The more natively Windows option seems to be named pipes, but that too requires
wrapping more system calls. (To be fair, that isn't too painful.) They also
involve a listening server, so we'd still have to synchronize with shim.Wait()
a la net.TCPListener.

Then there's DuplicateHandle, but then we need an out-of-band signal.

All in all, one cross-platform implementation with a TCP sockets seems
simplest.

Change-Id: I38233e309a0fa6814baf61e806732138902347c0
Reviewed-on: https://boringssl-review.googlesource.com/3563
Reviewed-by: Adam Langley <agl@google.com>
2015-02-23 19:59:06 +00:00
David Benjamin
6204eba91e perlasm/x86masm.pl: make it work.
Though this doesn't mean that masm becomes supported, the script is
still provided on don't-ask-in-case-of-doubt-use-nasm basis.
See RT#3650 for background.

(Imported from upstream's 2f8d82d6418c4de8330e2870c1ca6386dc9e1b34)

The data_word changes were already fixed with our
3e700bb3e8, but best to avoid diverging there.

Change-Id: Iab5455534e8bd632fb2b247ff792d411b105f17a
Reviewed-on: https://boringssl-review.googlesource.com/3581
Reviewed-by: Adam Langley <agl@google.com>
2015-02-23 19:45:30 +00:00
David Benjamin
2b48d6b7dd sha/asm/sha1-586.pl: fix typo.
The typo doesn't affect supported configuration, only unsupported masm.

(Imported from upstream's 3372c4fffa0556a688f8f1f550b095051398f596)

Change-Id: Ib6a2f1d9f6fc244a33da1e079188acdf69d5e2f3
Reviewed-on: https://boringssl-review.googlesource.com/3580
Reviewed-by: Adam Langley <agl@google.com>
2015-02-23 19:44:50 +00:00
David Benjamin
3f5917f320 EVP_CIPHER_CTX_cleanup cannot fail.
There is exactly one implementation and it doesn't fail. Plus a cleanup
function that can fail is very bad manners; the caller has no choice but to
leak at that point.

Change-Id: I5b524617ef37bc7d92273472fa742416ea7dfd43
Reviewed-on: https://boringssl-review.googlesource.com/3564
Reviewed-by: Adam Langley <agl@google.com>
2015-02-23 19:44:02 +00:00
Adam Langley
04c36b5062 Never set RC4_CHAR.
RC4_CHAR is a bit in the x86(-64) CPUID information that switches the
RC4 asm code from using an array of 256 uint32_t's to 256 uint8_t's. It
was originally written for the P4, where the uint8_t style was faster.

(On modern chips, setting RC4_CHAR took RC4-MD5 from 458 to 304 MB/s.
Although I wonder whether, on a server with many connections, using less
cache wouldn't be better.)

However, I'm not too worried about a slowdown of RC4 on P4 systems these
days (the last new P4 chip was released nine years ago) and I want the
code to be simplier.

Also, RC4_CHAR was set when the CPUID family was 15, but Intel actually
lists 15 as a special code meaning "also check the extended family
bits", which the asm didn't do.

The RC4_CHAR support remains in the RC4 asm code to avoid drift with
upstream.

Change-Id: If3febc925a83a76f453b9e9f8de5ee43759927c6
Reviewed-on: https://boringssl-review.googlesource.com/3550
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-02-20 23:59:59 +00:00
Adam Langley
3f309aef45 Tidy up RC4 a little.
RC4_CHUNK is always defined, RC4_INT is always uint32_t and the
"register" keyword is an anachronism.

Change-Id: Ia752af30ba6bac0ee6216ce189fcf3888de73c6e
Reviewed-on: https://boringssl-review.googlesource.com/3544
Reviewed-by: Adam Langley <agl@google.com>
2015-02-20 23:44:33 +00:00
Adam Langley
93531bd70f Add the CTX parameter back to EC_GROUP_cmp.
It was a mistake to remove this in the first place.

Change-Id: Icd97b4db01e49151daa41dd892f9da573ddc2842
Reviewed-on: https://boringssl-review.googlesource.com/3541
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-02-20 23:33:55 +00:00
Adam Langley
97999919bb Hide all asm symbols.
We are leaking asm symbols in Android builds because the asm code isn't
affected by -fvisibility=hidden. This change hides all asm symbols.

This assumes that no asm symbols are public API and that should be true.
Some points to note:

In crypto/rc4/asm/rc4-md5-x86_64.pl there are |RC4_set_key| and
|RC4_options| functions which aren't getting marked as hidden. That's
because those functions aren't actually ever generated. (I'm just trying
to minimise drift with upstream here.)

In crypto/rc4/asm/rc4-x86_64.pl there's |RC4_options| which is "public"
API, except that we've never had it in the header files. So I've just
deleted it. Since we have an internal caller, we'll probably have to put
it back in the future, but it can just be done in rc4.c to save
problems.

BUG=448386

Change-Id: I3846617a0e3d73ec9e5ec3638a53364adbbc6260
Reviewed-on: https://boringssl-review.googlesource.com/3520
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-02-20 21:24:01 +00:00
Adam Langley
16e38b2b8f Mark OPENSSL_armcap_P as hidden in ARM asm.
This is an import from ARM. Without this, one of the Android builds of
BoringSSL was failing with:
  (sha512-armv4.o): requires unsupported dynamic reloc R_ARM_REL32; recompile with -fPIC

This is (I believe) a very misleading error message. The R_ARM_REL32
relocation type is the correct type for position independent code. But
unless the target symbol is hidden then the linker doesn't know that
it's not going to be overridden by a different ELF module.

Chromium probably gets away with this because of different default
compiler flags than Android.

Change-Id: I967eabc4d6b33d1e6635caaf6e7a306e4e77c101
Reviewed-on: https://boringssl-review.googlesource.com/3471
Reviewed-by: Adam Langley <agl@google.com>
2015-02-19 19:58:17 +00:00
David Benjamin
dd1ca99da4 Remove X509_get_pubkey_parameters.
It's never called in outside code. This too seems to be a remnant of the DSA
PKIX optional parameter stuff. This is confirmed both by a removed comment and
by the brief documentation at http://www.umich.edu/~x509/ssleay/x509_pkey.html

RFC 5480 does not allow ECDSA keys to be missing parameters, so this logic is
incorrect for ECDSA anyway.  It was also failing to check
EVP_PKEY_copy_parameters' return value. And that logic looks pretty suspect if
you have a chain made up multiple certificate types.

Change-Id: Id6c60659a0162356c7f3eae5c797047366baae1c
Reviewed-on: https://boringssl-review.googlesource.com/3485
Reviewed-by: Adam Langley <agl@google.com>
2015-02-17 23:15:47 +00:00
David Benjamin
9d0847ae6d Add some missing error failure checks.
Found while diagnosing some crashes and hangs in the malloc tests. This (and
the follow-up) get us further but does not quite let the malloc tests pass
quietly, even without valgrind. DTLS silently ignores some malloc failures
(confusion with silently dropping bad packets) which then translate to hangs.

Change-Id: Ief06a671e0973d09d2883432b89a86259e346653
Reviewed-on: https://boringssl-review.googlesource.com/3482
Reviewed-by: Adam Langley <agl@google.com>
2015-02-17 20:55:56 +00:00
Adam Langley
26c2b929ba Switch nonce type in chacha_vec.c to uint32_t.
This was suggested in https://boringssl-review.googlesource.com/#/c/3460
but I forgot to upload the change before submitting in Gerrit.

Change-Id: I3a333fe2e8880603a9027638dd013f21d8270638
2015-02-13 13:16:59 -08:00
Adam Langley
d306f165a4 Don't require the ChaCha nonce to be aligned on ARM.
Change-Id: I34ee66fcc53d3371591beee3373c46598c31b5c5
Reviewed-on: https://boringssl-review.googlesource.com/3460
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-02-13 20:35:36 +00:00
Adam Langley
c64ccb51b0 Remove support for zero lengths from do_x509_check.
Change-Id: I9ea838850d4c7ea8280cacb1a275b2d6cee1cbbe
2015-02-13 11:00:48 -08:00
Adam Langley
6899b19464 Update API to use (char *) for email addresses and hostnames.
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(Imported from upstream's e83c913723fac7432a7706812f12394aaa00e8ce.)

Change-Id: Id0fc11773a0cee8933978cd4bdbd8251fd7cfb5f
2015-02-13 11:00:48 -08:00
Adam Langley
6f8c366989 Set optional peername when X509_check_host() succeeds.
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().

(Imported from upstream's 55fe56837a65ff505b492aa6aee748bf5fa91fec.)

Change-Id: Ic21bfb361b8eb25677c4c2175882fa95ea44fc31
2015-02-13 11:00:48 -08:00
Adam Langley
d0f5df2d71 New peername element in X509_VERIFY_PARAM_ID.
Declaration, memory management, accessor and documentation.

(Imported from upstream's 1eb57ae2b78c119bfba7ab647951130e968d1664.)

Change-Id: Ifa9672e46445e44a78001b0f9430a93c138d73d7
2015-02-13 11:00:47 -08:00
Adam Langley
82fc3bd333 More complete input validation of X509_check_mumble.
(Imported from upstream's 3d15d58e55b97207188e87708a0e7f49b4bfd7fd.)

Change-Id: Iae9e3f839e03c22dc45ac2151884e7afcf31af7b
2015-02-13 10:59:10 -08:00
Adam Langley
589963f79e Multiple verifier reference identities.
(Imported from upstream's 8abffa4a73fcbf6536e0a42d736ed9211a8204ea,
9624b50d51de25bb2e3a72e81fe45032d80ea5c2 and
41e3ebd5abacfdf98461cdeb6fa97a4175b7aad3.)

Change-Id: Ic9099eb5704b19b4500229e89351371cc6184f9d
2015-02-13 10:59:10 -08:00