Commit Graph

435 Commits

Author SHA1 Message Date
David Benjamin
69ad27fdd8 Run x86 perlasm on UNIX with -fPIC.
This matches the Chromium build.

Change-Id: I6ebd01c6ecb67c79577f98cf468dc204721595ef
Reviewed-on: https://boringssl-review.googlesource.com/3063
Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 19:32:17 +00:00
David Benjamin
36eb7d5fbc Fix buffer size in aead_test.c.
out2 wasn't sized to account for stateful AEAD open requiring a seal overhead's
worth of scratch space. Also, pass in sizeof(out2) rather than a computed
ciphertext length, so the max_out check would have actually caught this.

Change-Id: Ibe689424f6c8ad550b3a45266699892076e7ba5e
Reviewed-on: https://boringssl-review.googlesource.com/3060
Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 01:38:57 +00:00
David Benjamin
53cbd6c8a0 Fix unused variable warning in OPENSSL_NO_ASM build.
Te4 is used in in crypto/aes/aes.c. It's used upstream in an alternate
implementation of AES_set_encrypt_key not included in our version.

Change-Id: I5704dbc714bdb05ef515cbf2aff5e43c3b62c5b2
Reviewed-on: https://boringssl-review.googlesource.com/3061
Reviewed-by: Adam Langley <agl@google.com>
2015-01-27 01:34:54 +00:00
David Benjamin
cd5c892a87 Add a test for CONF_parse_list.
Change-Id: I7af0753cac07756a75d03a4820a16f3f8b18d7ba
Reviewed-on: https://boringssl-review.googlesource.com/3026
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 21:24:50 +00:00
Adam Langley
fd4eb60497 Remove duplication of common DH parameters.
Previously, the data for the common DH parameters was given twice: once
with 64-bit limbs and again with 32-bit limbs. A simple macro can
eliminate this duplication.

Change-Id: I15af008a769616f8146845cc8dd0e6526aa142ba
Reviewed-on: https://boringssl-review.googlesource.com/2950
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 20:26:51 +00:00
David Benjamin
347f025d75 Remove unused modexp512-x86_64.pl.
See upstream's c436e05bdc7f49985a750df64122c960240b3ae1.

Change-Id: I7cbe5315a769450e4630dd4e8f465cdfd45c2e08
Reviewed-on: https://boringssl-review.googlesource.com/3025
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:45:45 +00:00
David Benjamin
2a0e72f08a Fix segfault with empty fields as last in the config.
(Imported from upstream's 2747d73c1466c487daf64a1234b6fe2e8a62ac75.)

Also fix up some stylistic issues in conf.c and clarify empty case in
documentation.

Change-Id: Ibacabfab2339d7566d51db4b3ac4579aec0d1fbf
Reviewed-on: https://boringssl-review.googlesource.com/3023
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:37:47 +00:00
David Benjamin
df1cda345f Use inner algorithm when printing certificate.
(Imported from upstream's 004efdbb41f731d36bf12d251909aaa08704a756.)

The outer algorithm is already printed at the bottom of the function. This
allows any tools which print the X509 this way to determine if there is a
mismatch. This is also the point where the TBSCertificate is printed, not the
Certificate. See upstream's RT #3665.

Change-Id: I89baa4e4b626abf8813545a90eaa4409489ad893
Reviewed-on: https://boringssl-review.googlesource.com/3022
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:37:23 +00:00
David Benjamin
e3b24674ef sha256-armv4.pl: fix typo.
(Imported from upstream's 52cab5635603c1a7a00bc6f92401c84ec8920298.)

Change-Id: I97b89c03e1a05063100f94b87e06afb2028371ff
Reviewed-on: https://boringssl-review.googlesource.com/3021
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:37:01 +00:00
David Benjamin
8604eda634 Add Broadwell performance results.
(Imported from upstream's b3d7294976c58e0e05d0ee44a0e7c9c3b8515e05.)

May as well avoid diverging.

Change-Id: I3edec4fe15b492dd3bfb3146a8944acc6575f861
Reviewed-on: https://boringssl-review.googlesource.com/3020
Reviewed-by: Adam Langley <agl@google.com>
2015-01-26 18:35:35 +00:00
Adam Langley
c5cc15b4f5 Don't expect bsaes functions on ARMv6.
The bsaes-armv7.S asm has an #if __ARM_ARCH__>=7 around its contents,
i.e. it's not just switched at runtime – it only compiles for >= ARMv7.

I mistakenly regressed e_aes.c in 3e652657 to always expected bsaes
functions to exist on ARM. This change fixes that.

Change-Id: Ifd9111438508909a0627b25aee3e2f11e62e3ee8
2015-01-23 11:04:46 -08:00
Eric Roman
4dcb05729f Remove support for passing a C-String to PKCS5_PBKDF2_HMAC*().
Before it was possible to pass a NULL-terminated C-string to the PBKDF2
functions, and indicate the parameter was a C-string by passing a length
of -1.

This is not relied on anywhere in the BoringSSL code, and the API contract is
possible to misuse as it is not the common way of doing things.

(A problem would arise when passing in a large unsigned length that
subsequently gets interpreted as -1).

Change-Id: Ifbd31ff76e183fa74e9fa346908daf4bfb8fc3da
Reviewed-on: https://boringssl-review.googlesource.com/2953
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-20 23:44:05 +00:00
Emanuele Pucciarelli
25bde4c1f9 Recognize common DH parameter sets.
Recognize the four most commonly offered safe DH parameter sets when
negotiating multiplicative, ephemeral Diffie-Hellman. These values were
found from a scan of the Alexa common sites.

When a known safe prime is used, reduce the private key size
correspondingly.

Change-Id: I655eb7a5c743c0b389698c0471d16db5a0966652
2015-01-16 14:46:59 -08:00
Adam Langley
e49da742cb Include arm_arch.h in e_aes.c.
Not sure why this is working in CMake build, but the Chromium trybots
aren't happy without it.

Change-Id: I810740786c4f3cb9ba786891fdcd6053eea3afcb
2015-01-16 14:06:22 -08:00
Adam Langley
6a3c288cdf Update SHA-1/256/512 asm for ARM from upstream.
This change syncs these asm files with upstream's 1.0.2 branch. The
important change is that they contain ARMv8 code that allows 32-bit ARM
code to use the hardware support in ARMv8 when running on such a chip.

Change-Id: Id37cb1ff0cbc98a8e328612df7cf60340ca96064
Reviewed-on: https://boringssl-review.googlesource.com/2921
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-16 19:00:26 +00:00
David Benjamin
7f1d5d5932 Follow-ups from recent patch train.
Comment fixups and a mismerge in aead_test. Also some buffer was larger than
needed.

Change-Id: I0e158089f42801575833684912f9edb206f61007
Reviewed-on: https://boringssl-review.googlesource.com/2870
Reviewed-by: Adam Langley <agl@google.com>
2015-01-16 02:05:45 +00:00
Adam Langley
f0eb169829 Free all error queues on shutdown.
As feared, 2bca0988 did cause some leak checkers to get upset about the
state_hash pointer getting cleared.

This change makes err_shutdown free all the error queues to try and
avoid this. Hopefully this doesn't upset TSAN in turn.

BUG=448296

Change-Id: I827da63c793dcabc73168ece052cdcd3d3cc64e3
Reviewed-on: https://boringssl-review.googlesource.com/2890
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-15 22:10:02 +00:00
Adam Langley
d749af7ab1 Use a weak pointer for getauxval.
The Android SDK version against which Chromium builds is too old to
include sys/auxv.h. This change switches the ARM code to use a weak
pointer for getauxval and to hard code the aux value numbers.

It also switches the license on cpu-arm.c because there's no OpenSSL
left in there now.

Change-Id: I440cb9d533a06d8b245b189d8e5148fa33e29412
Reviewed-on: https://boringssl-review.googlesource.com/2880
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-15 22:09:53 +00:00
Adam Langley
b1116a4a3b Always write the Poly1305 tag to an aligned buffer.
With GCC 4.9 and -O2 (and only -O2, -O1 and -O3 didn't trigger it), the
Poly1305 code can end up writing to an unaligned address otherwise and
that triggers a bus error on ARM.

Change-Id: Ifbeb7e2066a893d91d6f63c6565bac7d5542ef81
Reviewed-on: https://boringssl-review.googlesource.com/2850
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 23:38:25 +00:00
Adam Langley
3e6526575a aarch64 support.
This is an initial cut at aarch64 support. I have only qemu to test it
however—hopefully hardware will be coming soon.

This also affects 32-bit ARM in that aarch64 chips can run 32-bit code
and we would like to be able to take advantage of the crypto operations
even in 32-bit mode. AES and GHASH should Just Work in this case: the
-armx.pl files can be built for either 32- or 64-bit mode based on the
flavour argument given to the Perl script.

SHA-1 and SHA-256 don't work like this however because they've never
support for multiple implementations, thus BoringSSL built for 32-bit
won't use the SHA instructions on an aarch64 chip.

No dedicated ChaCha20 or Poly1305 support yet.

Change-Id: Ib275bc4894a365c8ec7c42f4e91af6dba3bd686c
Reviewed-on: https://boringssl-review.googlesource.com/2801
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 23:38:11 +00:00
David Benjamin
4de5f54e54 RT3662: Allow leading . in nameConstraints
Change by SteveH from original by John Denker (in the RT)

(Imported from upstream's 77ff1f3b8bfaa348956c5096a2b829f2e767b4f1)

Confirmed by inspection of source that this matches mozilla::pkix behavior. See
https://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixnames.cpp#939

Change-Id: Ic4e7d011f7c10cbc83e5267550063b0ebe9648fb
Reviewed-on: https://boringssl-review.googlesource.com/2848
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:53:12 +00:00
David Benjamin
aa3f6daa86 Tag a number of globals as const.
Change-Id: I6f334911f153395a2e5e26adfd08912a1d8c558b
Reviewed-on: https://boringssl-review.googlesource.com/2847
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:53:00 +00:00
David Benjamin
1681d79ddf Remove ECDH_KDF_X9_62 and associated EVP glue.
Removes a bit of unused code. This effectively reverts upstream's
25af7a5dbc05c7359d1d7f472d50d65a9d876b7e. It's new with OpenSSL 1.0.2 so
nothing can be using it yet. We can restore it with tests if we end up wanting
it later.

(Also I think it might be misnamed. The KDF seems to be defined in X9.63, not
X9.62.)

Change-Id: I482daf681e0cf5c3bbdc72c57793f91448deaee8
Reviewed-on: https://boringssl-review.googlesource.com/2846
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:52:52 +00:00
David Benjamin
c61517cb5a Define the error case's output in RSA_message_index_PKCS1_type_2.
The use in s3_srvr.c doesn't care (it doesn't even have to be in bounds), but
it's good to have the value be initialized and not a function of the input.
(The old uninitialized case wasn't hit in s3_srvr.c because of the earlier
bounds check.)

Change-Id: Ib6b418b3c140aa564f8a46da3d34bb2b69f06195
Reviewed-on: https://boringssl-review.googlesource.com/2845
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:52:36 +00:00
David Benjamin
d83c1884fd Return error when a bit string indicates an invalid amount of bits left
(Imported from upstream's 5a1e8c67a90aead86ccc2dda324e8f897d1a044d)

Change-Id: Idfba7eb8244c1926e7921119767cb32605a74202
Reviewed-on: https://boringssl-review.googlesource.com/2836
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:50:20 +00:00
David Benjamin
1716b3d172 Reject invalid constructed encodings.
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.

(Imported from upstream's 89f40f369f414b52e00f7230b0e3ce99e430a508.)

Change-Id: Ia5d15eef72e379119f50fdbac4e92c4761bf5eaf
Reviewed-on: https://boringssl-review.googlesource.com/2835
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:49:23 +00:00
David Benjamin
0ebfac554e Add tests for padding variations.
Test that SSLv3 accepts arbitrary padding bytes (hello, POODLE) and rejects
non-minimal padding, while TLS accepts non-minimal padding but rejects
arbitrary padding bytes.

Also test what happens when the MAC is correct, but there is no padding. This
is the case that triggers a failing padding_ok check after the MAC check
on padding_len = 0 passes.

Change-Id: Ia1444c526437899fc57ceafcbcef9c8f5cb9a6c5
Reviewed-on: https://boringssl-review.googlesource.com/2702
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 21:09:16 +00:00
David Benjamin
044abb0aaa Implement SSLv3 ciphers with stateful AEADs.
This introduces another knob into SSL_AEAD_CTX to omit the version from the ad
parameter. It also allows us to fold a few more SSL3_ENC_METHOD hooks together.

Change-Id: I6540d410d4722f734093554fb434dab6e5217d4f
Reviewed-on: https://boringssl-review.googlesource.com/2698
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 20:55:58 +00:00
David Benjamin
238510a679 Introduce HMAC_CTX_copy_ex and deprecate HMAC_CTX_copy.
HMAC_CTX_copy's documentation is off. It actually follows the old copy
functions which call FOO_init on dest first. Notably this means that they leak
memory if dest is currently in use.

Add HMAC_CTX_copy_ex as an analog of EVP_MD_CTX_copy and deprecate
HMAC_CTX_copy. (EVP_CIPHER_CTX_copy, in contrast, was correct from the start.)

Change-Id: I48566c858663d3f659bd356200cf862e196576c9
Reviewed-on: https://boringssl-review.googlesource.com/2694
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 20:35:47 +00:00
David Benjamin
bbd8444d92 Drop SSLv3 parts of crypto/cipher/tls_cbc.c.
CBC modes in SSLv3 are bust already with POODLE and we're moving away from it.
Align all the names from 'ssl3' and 'tls1' to 'tls', to match the names of the
TLS-only AEADs.

Change-Id: If742296a8e2633ef42a484e4d873b4a83558b6aa
Reviewed-on: https://boringssl-review.googlesource.com/2693
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 20:33:41 +00:00
David Benjamin
ea72bd0b60 Implement all TLS ciphers with stateful AEADs.
The EVP_CIPHER codepath should no longer be used with TLS. It still exists for
DTLS and SSLv3. The AEAD construction in TLS does not allow for
variable-overhead AEADs, so stateful AEADs do not include the length in the ad
parameter. Rather the AEADs internally append the unpadded length once it is
known. EVP_aead_rc4_md5_tls is modified to account for this.

Tests are added (and RC4-MD5's regenerated) for each of the new AEADs. The
cipher tests are all moved into crypto/cipher/test because there's now a lot of
them and they clutter the directory listing.

In ssl/, the stateful AEAD logic is also modified to account for stateful AEADs
with a fixed IV component, and for AEADs which use a random nonce (for the
explicit-IV CBC mode ciphers).

The new implementation fixes a bug/quirk in stateless CBC mode ciphers where
the fixed IV portion of the keyblock was generated regardless. This is at the
end, so it's only relevant for EAP-TLS which generates a MSK from the end of
the key block.

Change-Id: I2d8b8aa11deb43bde2fd733f4f90b5d5b8cb1334
Reviewed-on: https://boringssl-review.googlesource.com/2692
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 20:30:26 +00:00
David Benjamin
df109ab3d4 Replicate s3_cbc.c under crypto/cipher/internal.h.
These helper functions will be used in the implementation of the legacy CBC
mode AEADs. The file is copied as-is and then modified to remove the dependency
on ssl/. Notably explicit IV logic is removed (that's a side effect of how
explicit IVs are currently implemented) and the padding length is returned
directly rather than smuggled into rec->type.

(Diffing tls_cbc.c and s3_cbc.c is probably the easiest for a review.)

The helpers are currently unused.

Change-Id: Ib703f4d3620196c9f2921cb3b8bf985f2d1777db
Reviewed-on: https://boringssl-review.googlesource.com/2691
Reviewed-by: Adam Langley <agl@google.com>
2015-01-14 19:48:35 +00:00
Adam Langley
2bca0988a4 Free more memory in cleanup functions.
The extra free in ex_data_impl.c is fixing a mistake: when calling
|CRYPTO_cleanup_all_ex_data| the |EX_CLASS_ITEM| itself wouldn't be
freed.

The change in err_impl.c is to free the thread-id hash also. This allows
programs to free absolutely all memory allocated by BoringSSL, which
allows fuzz testing to find any memory leaks.

Change-Id: I1e518adf2b3e0efa7d7f00f7ab4e65e1dc70161e
Reviewed-on: https://boringssl-review.googlesource.com/2670
Reviewed-by: Adam Langley <agl@google.com>
2015-01-13 00:04:35 +00:00
David Benjamin
95e18c52f2 Fix DER checks for DSA_check_signature and add tests.
DSA_verify and DSA_check_signature didn't share a codepath, so the fix was only
applied to the former. Implement verify in terms of check_signature and add
tests for bad DER variants.

Change-Id: I6577f96b13b57fc89a5308bd8a7c2318defa7ee1
Reviewed-on: https://boringssl-review.googlesource.com/2820
Reviewed-by: Adam Langley <agl@google.com>
2015-01-12 22:29:10 +00:00
Adam Langley
ca9a538aa0 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject the
signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the certificate
signature. NB: this will result in signature failure errors for some broken
certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received signature.
Return an error if there is a mismatch.

This will reject various cases including garbage after signature (thanks to
Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program for
discovering this case) and use of BER or invalid ASN.1 INTEGERs (negative or
with leading zeroes).

CVE-2014-8275

(Imported from upstream's 85cfc188c06bd046420ae70dd6e302f9efe022a9 and
4c52816d35681c0533c25fdd3abb4b7c6962302d)

Change-Id: Ic901aea8ea6457df27dc542a11c30464561e322b
Reviewed-on: https://boringssl-review.googlesource.com/2783
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-09 19:41:59 +00:00
Adam Langley
a83cc803b1 Fix for CVE-2014-3570.
(With minor bn/generic.c revamp.)

(Imported from upstream's 56df92efb6893abe323307939425957ce878c8f0)

Change-Id: I9d85cfde4dfb29e64ff7417f781d0c9f1685e905
Reviewed-on: https://boringssl-review.googlesource.com/2780
Reviewed-by: Adam Langley <agl@google.com>
2015-01-09 02:49:10 +00:00
Eric Roman
aac2f6a6a0 Fix a compile error on Windows.
Write the array literal of all zeros as {0} rather than {}.

Change-Id: If15330d96d019be671d3bcbbdea60c2b3ecc2128
Reviewed-on: https://boringssl-review.googlesource.com/2740
Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 19:46:52 +00:00
Adam Langley
0ed0cf6f38 s/comparision/comparison/.
I typoed this word and then auto-complete duplicated it all over the
place. This change fixes all the comments.

This change has no semantic effect (comment only).

Change-Id: I8952e9e71302043574757cd74a05e66500008432
2015-01-06 10:49:48 -08:00
Adam Langley
46a7ca0fa3 Condition the use of UI64 on _MSC_VER.
Using OPENSSL_WINDOWS for this is inaccurate because it's really a
feature of the compiler, not the platform. I think it's only MSVC that
uses the UI64 suffix.

Change-Id: I4a95961b94e69e72b93f5ed1e0457661b74242c8
Reviewed-on: https://boringssl-review.googlesource.com/2730
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 18:47:49 +00:00
David Benjamin
2be62c304c Test which direction ERR_get_error reads from the error queue.
ERR_get_error returns the least recent error, not the most recent error.
Nothing in err_test was actually asserting on that.

Change-Id: Ia49e29c231de4bbec77d037860ad1ffa8cce4779
Reviewed-on: https://boringssl-review.googlesource.com/2750
Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 18:29:45 +00:00
Eric Roman
517073cd4b Set output EC_KEY to NULL when d2i_ECPrivateKey() fails.
BUG=crbug.com/445679

Change-Id: Ia012d806964bd7240148779797eccd326484f364
Reviewed-on: https://boringssl-review.googlesource.com/2722
Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 00:55:19 +00:00
Adam Langley
b9e0ccc650 Fix a couple of minor compiler warnings.
One about a possible uninitialised variable (incorrect, but it's easier
to keep the compiler happy) and one warning about "const static" being
backwards.

Change-Id: Ic5976a5f0b48f32e09682e31b65d8ea1c27e5b88
Reviewed-on: https://boringssl-review.googlesource.com/2632
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 00:27:22 +00:00
Adam Langley
a7f6d3c1dc Add void in place of empty function arguments.
Since this is C89 we need to maintain this ancient practice.

Change-Id: I7223e7c38a35cf551b6e3c9159d2e21ebf7e62be
Reviewed-on: https://boringssl-review.googlesource.com/2631
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 00:27:07 +00:00
Adam Langley
93efb7228b Rename hexdump to hexdump_write.
It's a static function anyway so it doesn't affect anything and it's
colliding with a debugging function on one platform.

Change-Id: Iae0595cce7cb2bdd4c56217f6f1de51ff3134a8b
Reviewed-on: https://boringssl-review.googlesource.com/2630
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-01-06 00:26:53 +00:00
Nick Harper
d3bcf13165 Properly handle key_len=0 for HMAC
The expectation when calling HMAC with key=NULL and keylen=0 is to compute
HMAC on the provided data with a key of length 0 instead of using the
"previous" key, which in the case of HMAC() is whatever bytes happen to be
left on the stack when the HMAC_CTX struct is allocated.

Change-Id: I52a95e262ee4e15f1af3136cb9c07f42f40ce122
Reviewed-on: https://boringssl-review.googlesource.com/2660
Reviewed-by: Adam Langley <agl@google.com>
2014-12-19 18:18:08 +00:00
Nick Harper
4685e87746 Implement HKDF.
See https://tools.ietf.org/html/rfc5869.

Change-Id: I6d012d8c38806df80aa44350d3a86eaff499ac05
Reviewed-on: https://boringssl-review.googlesource.com/2533
Reviewed-by: Adam Langley <agl@google.com>
2014-12-18 20:13:06 +00:00
David Benjamin
f49196052c Tidy up DSA paramgen stylistically.
No braceless ifs.

Change-Id: I8f559a6bcd7029e642b8b56aa082949570b4c1fb
Reviewed-on: https://boringssl-review.googlesource.com/2622
Reviewed-by: Adam Langley <agl@google.com>
2014-12-16 19:16:31 +00:00
David Benjamin
a6d81018f8 Consistently use RAND_bytes and check for failure.
RAND_pseudo_bytes just calls RAND_bytes now and only returns 0 or 1. Switch all
callers within the library call the new one and use the simpler failure check.
This fixes a few error checks that no longer work (< 0) and some missing ones.

Change-Id: Id51c79deec80075949f73fa1fbd7b76aac5570c6
Reviewed-on: https://boringssl-review.googlesource.com/2621
Reviewed-by: Adam Langley <agl@google.com>
2014-12-16 19:15:59 +00:00
Adam Langley
af7e74ba9f Remove variable shadowing.
Bruce Dawson pointed out that the shadowing of |ret| in |s3_srvr.c|
looked dodgy. It was actually deliberate (we don't want to reset the
default value of the function's |ret| variable with a successful return
from the callback) but it does look dodgy.

This change adds -Wshadow to ban variable shadowing and fixes all
current instances.

Change-Id: I1268f88b9f26245c7d16d6ead5bb9014ea471c01
Reviewed-on: https://boringssl-review.googlesource.com/2520
Reviewed-by: Adam Langley <agl@google.com>
2014-12-09 21:32:49 +00:00
Håvard Molland
3547688ee0 Remove EC_GROUP_set_point_conversion_form
All serialization functions take point format as input, and
asn1_form is never used.

Change-Id: Ib1ede692e815ac0c929e3b589c3a5869adb0dc8b
Reviewed-on: https://boringssl-review.googlesource.com/2511
Reviewed-by: Adam Langley <agl@google.com>
2014-12-09 18:47:03 +00:00
Håvard Molland
306e520cda Remove ec hybrid point format
According to rfc5480 and rfc4492 the hybrid format is not allowed
neither in certificates or the tls protocol.

Change-Id: I1d3fb5bef765bc7b58d29bdd60e15247fac4dc7a
Reviewed-on: https://boringssl-review.googlesource.com/2510
Reviewed-by: Adam Langley <agl@google.com>
2014-12-08 22:47:41 +00:00
David Benjamin
74c68e5e37 Renegerate OID outputs.
The files should round-trip now. This corrects some discrepancies between
obj_mac.h and obj_mac.num which were also present in upstream. There seems to
be a mismerge in upstream's eebd5e5dd7dff58297ea52e1c21df8fccd593965.

(The discrepancy is harmless; those OIDs are not in obj_xref.txt.)

Change-Id: I1f6cda016533ec3182750310f9936f7e072b54a0
Reviewed-on: https://boringssl-review.googlesource.com/2474
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 22:13:50 +00:00
David Benjamin
a6689b0488 Keep the obj_mac.h license header round-tripping.
Probably best to keep the original format, trailing whitespace and all.

Change-Id: I81a0ac46fd4ab4bb9d2b03d930b191024971447c
Reviewed-on: https://boringssl-review.googlesource.com/2473
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 22:13:17 +00:00
David Benjamin
687759db79 Restore obj_mac.num from upstream.
This got reset at some point, but not the files generated from it.
obj_mac.num is an input/output parameter to objects.pl and used to keep the
NIDs stable.

Imported from f2d678e6e89b6508147086610e985d4e8416e867, the point at which we
forked.

Change-Id: Ifd52b1aaa55054d37bc1217f2375a93302839e23
Reviewed-on: https://boringssl-review.googlesource.com/2472
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 22:12:55 +00:00
David Benjamin
7baab87798 Add documentation for the OID scripts.
Make the commands print a short usage summary and add a README file that
explains the dependencies.

Change-Id: I0c3f0713749ecfca23afaa2b536ac70dbdd7db0a
Reviewed-on: https://boringssl-review.googlesource.com/2471
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 22:12:26 +00:00
David Benjamin
f1eba30292 Don't include undef in cross reference table.
From upstream's 55f7fb8848b6e4bec291724a479e1580d6f407d6.

Change-Id: I54ebc182addbf643bebc78aab03ba1327e24e2e7
Reviewed-on: https://boringssl-review.googlesource.com/2470
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 22:11:13 +00:00
David Benjamin
61f1085ee9 Switch crypto/bn back to _umul128 on Windows clang.
Upstream (impressively quickly) fixed the missing intrinsic. Switch Windows
clang back to building the same code as MSVC. Also include the intrin.h header
rather than forward-declare the intrinsic. clang only works if the header is
explicitly included. Chromium forcibly includes it to work around these kinds
of issues, but we shouldn't rely on it.

BUG=crbug.com/438382

Change-Id: I0ff6d48e1a3aa455cff99f8dc4c407e88b84d446
Reviewed-on: https://boringssl-review.googlesource.com/2461
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 00:23:15 +00:00
David Benjamin
00505ec2e1 Add EVP_md5_sha1.
Use it in ssl3_cert_verify_hash so signing a pre-TLS-1.2 handshake hash can go
through RSA_sign and be intercepted via RSA_METHOD appropriately. This avoids
Windows needing to intercept sign_raw. (CAPI keys cannot provide sign_raw,
unless the input size happens to be that of NID_md5_sha1.)

Also use it in processing ServerKeyExchange to avoid special-casing RSA.

BUG=crbug.com/437023

Change-Id: Ia07433f468b75fdf7bfc8fa90c9751639b2478e6
Reviewed-on: https://boringssl-review.googlesource.com/2420
Reviewed-by: David Benjamin <davidben@google.com>
2014-12-02 20:45:07 +00:00
David Benjamin
af9d9419a6 Don't use _umul128 for Windows clang.
Windows clang lacks _umul128, but it has inline assembly so just use
that.

Change-Id: I6ff5d2465edc703a4d47ef0efbcea43d6fcc79fa
Reviewed-on: https://boringssl-review.googlesource.com/2454
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 20:28:25 +00:00
David Benjamin
d0f257dc2c Don't manually extern OPENSSL_ia32cap_P.
This probably snuck in when adapting the code from upstream. There's a header
file for it now. (Also it's uint32_t now rather than unsigned int.)

Change-Id: Ie8f45bc7a88988744174182a70512c0eff37cc1c
Reviewed-on: https://boringssl-review.googlesource.com/2441
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:43:01 +00:00
David Benjamin
192f34b175 Fix bio_test.c build on Windows.
MSVC does not allow pointer arithmetic on void* pointers. Also
fix some style issues around whether * hugs the type or the
variable name.

Change-Id: I40cc1627830b37879fd70e2b688a42df62b6c62a
Reviewed-on: https://boringssl-review.googlesource.com/2452
Reviewed-by: Adam Langley <agl@google.com>
2014-12-01 19:06:59 +00:00
Håvard Molland
4e0a7e5a1d Cleanup of setting external buffer
Don't use |BIO_set_foo_buffer_size| when setting the
sizes of the buffers while making buffer pair. Since it
happens in pair.c we know the BIOs are BIO pairs and using
bio_ctrl here complicates setting external buffers. Also
zero out bio_bio_st during construction.

This fixes a problem that would happen if the default buffer
sizes were not set, since buf_externally_allocated was
not yet initialized.

Remove BIO_C_SET_BUFF_SIZE and BIO_CTRL_RESET which are
not used for bio pairs.

Change-Id: I365091d5f44f6f1c5522c325a771bdf03d8fe950
Reviewed-on: https://boringssl-review.googlesource.com/2370
Reviewed-by: Adam Langley <agl@google.com>
2014-11-24 17:46:00 +00:00
Adam Langley
69a01608f3 Add malloc failure tests.
This commit fixes a number of crashes caused by malloc failures. They
were found using the -malloc-test=0 option to runner.go which runs tests
many times, causing a different allocation call to fail in each case.

(This test only works on Linux and only looks for crashes caused by
allocation failures, not memory leaks or other errors.)

This is not the complete set of crashes! More can be found by collecting
core dumps from running with -malloc-test=0.

Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83
Reviewed-on: https://boringssl-review.googlesource.com/2320
Reviewed-by: Adam Langley <agl@google.com>
2014-11-19 01:24:46 +00:00
David Benjamin
c20febe177 Add EVP_PKEY_supports_digest.
This is intended for TLS client auth with Windows CAPI- and CNG-backed keys
which implement sign over sign_raw and do not support all hash functions. Only
plumbed through RSA for now.

Change-Id: Ica42e7fb026840f817a169da9372dda226f7d6fd
Reviewed-on: https://boringssl-review.googlesource.com/2250
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:18:36 +00:00
Håvard Molland
ce5be4bd5c Add zero copy read and write api for bio pairs.
Also add functionality for setting external buffers to give the
caller better control of the buffers. This is typical needed if OS
sockets can outlive the bio pair.

Change-Id: I500f0c522011ce76e9a9bce5d7b43c93d9d11457
2014-11-18 14:06:46 -08:00
David Benjamin
3087f6e594 Fix garbage free on malloc failure in ec_wNAF_mul.
PR#3595

(Imported from upstream's e04d426bf98ebb22abf0f15b6f09d333a6e8b2ad.)

Change-Id: I01a9d9bef7e911b3fb1565f8a582f5d6cc7d5537
Reviewed-on: https://boringssl-review.googlesource.com/2290
Reviewed-by: Adam Langley <agl@google.com>
2014-11-14 18:47:41 +00:00
David Benjamin
2f3ba910a2 Fix ec_test build on Windows.
No need to include unistd.h. (Though it probably should include string.h for
memcmp and strcmp.)

Change-Id: Ib09d2da4f7079c9d87338df75ec3560f4f203764
Reviewed-on: https://boringssl-review.googlesource.com/2260
Reviewed-by: Adam Langley <agl@google.com>
2014-11-12 19:39:55 +00:00
David Benjamin
0d82482e47 Fix ownership of error data in ERR_peek_*.
The error queue should only take ownership of the data if ERR_get_* is called,
not ERR_peek_*. Add a test for ERR_peek_error_line_data.

Change-Id: I976fc90fb54437dff723418ef3afd94f1c967922
Reviewed-on: https://boringssl-review.googlesource.com/2237
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:09:59 +00:00
David Benjamin
f2f3cfedb7 Use BN_bn2bin_padded rather than doing math to figure out leading zeros.
Saves doing it ad-hoc all the time.

Change-Id: Ic1a1180f56eec37c19799649bb8f18237bd617f8
Reviewed-on: https://boringssl-review.googlesource.com/2241
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:04:52 +00:00
David Benjamin
b145c8140b Compare r and s sizes to the order, not the degree.
r and s are scalars, not EC coordinates.

Change-Id: I46a20215d3c602559c18c74a1da9a91543ea73ca
Reviewed-on: https://boringssl-review.googlesource.com/2240
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:02:41 +00:00
David Benjamin
b044020f84 Remove i2d_X509_PKEY and d2i_X509_PKEY.
One of them was never implemented upstream or downstream. The other no longer
works in BoringSSL. They're not used within BoringSSL (this still compiles),
even in X509_INFO, and do not appear to be used by consumers. If they were, we
would like to know via a compile failure.

This removes the last consumer within BoringSSL of the ASN.1 parsing macros.

Change-Id: Ifb72b1fcd0a4f7b3e6b081486f8638110872334b
Reviewed-on: https://boringssl-review.googlesource.com/2203
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 22:28:23 +00:00
Adam Langley
9ed9dae18e Update constant-time operations.
(Based on upstream's 42af669ff2754dfbe1dd55a0ab56664f82284dc4)

Change-Id: I4d3954fea7471e274c626483a0dfb9d7b3250b74
2014-11-10 13:48:30 -08:00
Adam Langley
a0b74eb241 aesni-x86_64.pl: make ECB subroutine Windows ABI compliant (RT 3552).
(Imported from upstream's 3e3cc471c2682f5cb40523f3997f75974de1755e.)

Change-Id: I8b6468b104091a609140a035739c09a031de90b4
2014-11-10 13:45:33 -08:00
Adam Langley
af6e45bde5 Simplify constant-time RSA padding check.
(Imported form upstream's 455b65dfab0de51c9f67b3c909311770f2b3f801 and
0d6a11a91f4de238ce533c40bd9507fe5d95f288)

Change-Id: Ia195c7fe753cfa3a7f8c91d2d7b2cd40a547be43
2014-11-10 13:45:33 -08:00
Adam Langley
a952d96656 Add a few more constant-time utility functions.
Imported from upstream's 9bed73adaa6f834177f29e478d9a2247a6577c04.

Upstream's commit appears to have been based on BoringSSL's commits to
improve the constant-time behaviour of RSA padding checks and thus I've
not tried to import those bits of the change.

Change-Id: I0ea5775b0f1e18741bbbc9f792a6af0d3d2a4caf
2014-11-10 13:45:32 -08:00
Adam Langley
7530e3031d perlasm/x86_64-xlate.pl: handle inter-bank movd.
(Imported from upstream's f7835e1c20836f286f00d6bcc69f154493e01475)

Change-Id: I9ebf2b90a008ff88bfce0a55566f0d0977391c1e
2014-11-10 13:45:32 -08:00
Adam Langley
fba236fa88 Omit version for v1 certificates.
When calling X509_set_version to set v1 certificate, that should mean
that the version number field is omitted.

(Imported from upstream's 8c0d19d8577c9a96b65622bfa92d0affd6bbb4ac)

Change-Id: If433fda7b6ccbd899f3379a38581c351cf4a82da
2014-11-10 13:45:32 -08:00
Adam Langley
920e69658e Extra return in check_issued.
(Imported from upstream's b8d687bb561384bb3d52027cbf637fa4852c4225)

Change-Id: I5155b8fa165fbb83a0ba6790571fec28e22cd45c
2014-11-10 13:45:32 -08:00
Adam Langley
0e7f89f96c Remove pkey_ctrl.
It only included ASN1_PKEY_CTRL_DEFAULT_MD_NID and that's unused in
BoringSSL.

Change-Id: Idfcbd0f26f6448ce307c53ddef334f2e63c85a64
2014-11-10 13:45:32 -08:00
Adam Langley
08d6fe2fdb Possibly-uninit variable in pem_lib.c.
Can't really happen, but the flow of control isn't obvious. Add an
initializer.

(Imported from upstream's fa2ae04c40510262d198131c758acd8aa5a9b4ce)

Change-Id: If393687bca9f505b825feffaf2a63895a0ea5b6a
2014-11-10 13:45:32 -08:00
Adam Langley
e1cf3f1579 md5-x86_64.pl: work around warning.
(Imported from upstream's 30b7d5e1d83a2f5cb862361c180f7ba1f31a20a5.)

Change-Id: Icbcdb03bcaf8eddda1a7dfecc4f182ce6d93caeb
2014-11-10 13:45:32 -08:00
Adam Langley
3dfbcc1f25 x86[_64] assembly pack: add Silvermont performance data.
(Imported from upstream's 9dd6240201fdd9a9a0ce2aa66df04c174d08cf99)

Change-Id: Ie0f6f876e06ac28c717ec949565f6b0126166b30
2014-11-10 13:45:32 -08:00
Adam Langley
b15d8132c7 Constant-time utilities.
Pull constant-time methods out to a separate header, add tests.

(Imported from upstream's 9a9b0c0401cae443f115ff19921d347b20aa396b and
27739e92659d38cdefa21e51b7f52b81a7ac3388)

Change-Id: Id570f5c531aca791112929e6258989f43c8a78d7
2014-11-10 13:45:32 -08:00
Adam Langley
655038e7db ASN1_STRING_to_UTF8 missing initializer.
(Imported from upstream's b85d461cdf92b1d76d903c245ec01fd7398179d8)

Change-Id: I85f620a5a924c3fe73aa394b39ab8ab343c4c7eb
2014-11-10 13:45:32 -08:00
Adam Langley
9398f168f9 Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey.
The old code implicitly relies on the ASN.1 code returning a \0-prefixed
buffer when the buffer length is 0. Change this to verify explicitly
that the ASN.1 string has positive length.

(Imported from upstream's 7f7c05ca638c3cc6d261961fae439cd91e3c1d27)

Change-Id: Icc6c44b874bdcb02374016a36d209830d6162a8a
2014-11-10 13:45:32 -08:00
Adam Langley
9f5a314d35 Automatically generate a missing EC public key.
When d2i_ECPrivateKey reads a private key with a missing (optional)
public key, generate one automatically from the group and private key.

(Imported from upstream's 2083f7c465d07867dd9867b8742bb71c03d1f203)

Change-Id: I9e5090de87cf846ab92e4be5b6bf64e6091d02e4
2014-11-10 13:45:31 -08:00
David Benjamin
9da9035b50 Add digest_test with tests for all existing EVP_MDs.
Remove the existing md5_test and sha1_test. They now are all covered by
digest_test. For good measure, test the one-shot functions too.

Change-Id: I8e144cc563fb8817144e26cbd2e10c15642464ba
Reviewed-on: https://boringssl-review.googlesource.com/2211
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:49:03 +00:00
David Benjamin
a85093f5bb Fix error handling in X509_PURPOSE_add and X509_TRUST_add.
Two leaks can happen: if idx is -1, the newly allocated entry may not be freed.
Also, for X509_PURPOSE_add, if only one BUF_strdup succeeds, it will leak.

Restructure both so that the allocations happen ahead of time and are properly
cleaned up. This avoids leaving an existing entry in a half-broken state.

Found (sort of) by scan-build; because of all the indirections and DYNAMIC
flags, it doesn't actually realize the leak's been fixed.

Change-Id: I5521889bd14e007b3f62b6a4906d7c346698b48c
Reviewed-on: https://boringssl-review.googlesource.com/2209
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:44:43 +00:00
David Benjamin
ab2815eaff Fix leak in X509V3_EXT_add on error.
If it fails to be added to the list, the input should be freed. Found (sort of)
by scan-build; because of all the indirections and DYNAMIC flags, it doesn't
actually realize the leak's been fixed.

Change-Id: Idca10964e1ffb2ace1cea7f88d94693205d70d5b
Reviewed-on: https://boringssl-review.googlesource.com/2208
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:40:58 +00:00
David Benjamin
4aa86f1cdf Don't leak in err_set_error_data if error queue is empty.
Caught by clang scan-build.

Change-Id: I16496bfc469e809348199057adfb24c33c426ccb
Reviewed-on: https://boringssl-review.googlesource.com/2207
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:35:26 +00:00
David Benjamin
9ecafa5c78 Shush some dead assignments.
Appease clang scan-build a bit. I'm not sure it's actually worth silencing all
of them because some of them look like preserving invariants between local
variables, but some are clearly pointless or can be restructured slightly.

Change-Id: I0bc81e2589bb402ff3ef0182d7a8921e31b85052
Reviewed-on: https://boringssl-review.googlesource.com/2205
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:34:33 +00:00
David Benjamin
626fb8b75c Fix leaks in and de-macro X509_PKEY_new.
Caught by clang scan-build.

Change-Id: I075ae0423ec72493f21608ab5704e2984ca3e86c
Reviewed-on: https://boringssl-review.googlesource.com/2202
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:30:59 +00:00
David Benjamin
74072ac84c Fix a2i_ASN1_* leak on failure.
Caught by clang scan-build.

Change-Id: I1097848052026361e24fd1202cc0c831c3f83e49
Reviewed-on: https://boringssl-review.googlesource.com/2201
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:29:59 +00:00
Adam Langley
25cb99c149 crypto/bn/asm/rsaz-*.pl: allow spaces in Perl path name.
(Imported from upstream's ef908777218bd4a362dbe9cebb8e18fa8ab384cf.)

Change-Id: Id9b288d230cc9d8ab308690a18e687e2132e3293
Reviewed-on: https://boringssl-review.googlesource.com/2168
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-11-05 21:26:15 +00:00
Adam Langley
404e6e64d0 Small tweak to ec_GFp_simple_points_make_affine.
(Imported from upstream's 267e6f3cc0ef78dea4e5cf93907a71556a45f008)

Change-Id: I99cfd0196b9625449c50494562c44f57f09fed17
Reviewed-on: https://boringssl-review.googlesource.com/2167
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-11-05 21:26:04 +00:00
David Benjamin
817ec3462e Rename example_sign to evp_test.
This stopped being a sample program a bit ago.

Change-Id: I23301fd71a373f995847dcfd64346bd262811f39
Reviewed-on: https://boringssl-review.googlesource.com/2131
Reviewed-by: Adam Langley <agl@google.com>
2014-11-05 00:43:09 +00:00
David Benjamin
8fb19217a0 Allow PKCS#8 in d2i_AutoPrivateKey.
This got lost in the initial commit. Add a test for d2i_AutoPrivateKey.

BUG=crbug.com/428671

Change-Id: Ib4f6114b03536edcfe3b1720a513f57f748e81d2
Reviewed-on: https://boringssl-review.googlesource.com/2130
Reviewed-by: Adam Langley <agl@google.com>
2014-11-05 00:42:58 +00:00
David Benjamin
dfc2948c73 Call RtlGenRandom directly in RAND_bytes.
It works within the Chromium sandbox, unlike CryptAcquireContext
and CryptGenRandom which requires the HCRYPTPROV be pre-warmed and held within
the sandbox. Also account for the mismatch between size_t and ULONG/DWORD.

See https://chromium.googlesource.com/chromium/src/+/master/base/rand_util_win.cc

BUG=crbug.com/429919

Change-Id: Ia684124736c0c039ca9410509973192a597856ab
Reviewed-on: https://boringssl-review.googlesource.com/2190
Reviewed-by: Adam Langley <agl@google.com>
2014-11-05 00:42:07 +00:00
David Benjamin
8cfd8ad144 Remove unused EVP_PKEY_ASN1_METHODs and flags.
The only alias, EVP_PKEY_RSA2, is handled programmatically. ASN1_PKEY_ALIAS and
ASN1_PKEY_DYNAMIC are then unused and unexported and can be removed.

Change-Id: I990650636bac3b802c8b439257c67ce7a3f8bc70
Reviewed-on: https://boringssl-review.googlesource.com/2124
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 00:28:09 +00:00
David Benjamin
029a779204 Remove BN_LONG macro.
It's never used, upstream or downstream. The 64-bit value is wrong anyway for
LLP64 platforms.

Change-Id: I56afc51f4c17ed3f1c30959b574034f181b5b0c7
Reviewed-on: https://boringssl-review.googlesource.com/2123
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 00:27:40 +00:00
David Benjamin
2a0ee112c4 Remove remnants of EVP_MD_FLAG_PKEY_METHOD_SIGNATURE.
Some archaeology: it was added in upstream's
ee1d9ec019a7584482bd95891404f1cad66a4a0a. This seems to come from upstream's
arrangement where an EVP_MD can specify both the signing algorithm and the
message digest. (Most of the usual hash algorithms were tied to RSA.)

The flag is set on EVP_MDs that should use the EVP_PKEY's method table in
EVP_Sign* rather than the one attached to the EVP_MD (there's also
required_pkey_type to filter on EVP_PKEY to prevent a mismatch). Without the
flag, the old codepath is hit where they're tied together.

Interestingly, EVP_md5 does not have the flag, but I suppose this is because no
one would sign ECDSA + MD5. EVP_DigestSign* also postdates this and doesn't use
the legacy mechanism anyway. Upstream also has, e.g., EVP_ecdsa(). Although
those too have since also gained the flag in
bce1af776247fee153223ea156228810779483ce.

Let's get rid of these TODOs. We don't have the old codepath. It's unclear if
upstream really does either at this point.

Note: EVP_PKEY_RSA_method in upstream is actually a macro that expands to three
fields, which is why it's so difficult to figure out what's going on with those
structs.

Change-Id: I1aea4d3f79f1eb1755063bb96c1c65276c6e3643
Reviewed-on: https://boringssl-review.googlesource.com/2122
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 00:27:19 +00:00
David Benjamin
8b1d900c52 Fix unused variables in bn/generic.c
bl and bh are never used by macros if either BN_UMULT_LOHI or
BN_UMULT_HIGH are defined.

Change-Id: I7fdd45014a6b78cc586b5223396e09bc213608a5
Reviewed-on: https://boringssl-review.googlesource.com/2105
Reviewed-by: Adam Langley <agl@google.com>
2014-11-03 20:52:10 +00:00
David Benjamin
bc786a9569 Build with yasm on Win64 as well.
Chromium's doesn't have built-in support for ml64.exe. Seems easier to
just build consistently with Yasm on both Win32 and Win64. (This will
require an equivalent change in Chromium's build, but keep upstream
and downstream builds consistent.)

Also don't set CMAKE_ASM_NASM_COMPILER explicitly; cmake's default
ASM_NASM behavior will search for both nasm or yasm in %PATH%. Leave
it unset so it can be overwritten on the command-line to point to
a particular yasm. Update BUILDING accordingly.

Verified the tests still pass.

Change-Id: I7e434be474b5b2d49e3bafbced5b41cc0246bd00
Reviewed-on: https://boringssl-review.googlesource.com/2104
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 22:02:45 +00:00
David Benjamin
f44aa68a26 Fix standalone Win64 build.
generic.c still needs to include generic implementations in Win64.
Those are currently done with inline assembly and won't work on
MSVC.

Change-Id: Ifeb5470872d8c97b2ccffeae6f3ccb5661051de3
Reviewed-on: https://boringssl-review.googlesource.com/2102
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 22:00:45 +00:00
Adam Langley
e6def376fe Remove ERR_LIB_PKCS12.
This is no longer used but, by retaining it, we might miss cases where
code is still testing against it.

Change-Id: I40ed47e41f903aaf2c5e5354d4348f8890021382
Reviewed-on: https://boringssl-review.googlesource.com/2110
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 18:25:06 +00:00
David Benjamin
03a739d8d2 Build Win32 with Yasm rather than MASM.
Although x86masm.pl exists, upstream's documentation suggest only x86nasm.pl is
supported. Yasm seems to handle it fine with a small change.

Change-Id: Ia77be57c6b743527225924b2b398f2f07a084a7f
Reviewed-on: https://boringssl-review.googlesource.com/2092
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 23:14:11 +00:00
David Benjamin
3e700bb3e8 Get MASM output working on Win32.
We were building the NASM flavor with MASM which is why it didn't work. Get the
MASM output working: cpuid and cmove are not available in MASM unless the file
declares .686. Also work around MASM rejecting a very long line in SHA-256.

The follow-up change will get the NASM flavor working. We should probably use
that one as it's documented as supported upstream. But let's make this one
functional too.

Change-Id: Ica69cc042a7250c7bc9ba9325caab597cd4ce616
Reviewed-on: https://boringssl-review.googlesource.com/2091
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 23:13:20 +00:00
David Benjamin
2a0f3420f7 Fix standalone bio_test and v3name_test on Win64.
Win32 still has assembly issues and bssl wants to select() on both sockets and
stdin (doesn't work on Windows). But this is a start.

Change-Id: Iafc5215be281aed836c5ac2dc8b379399848a2c2
Reviewed-on: https://boringssl-review.googlesource.com/2090
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 21:17:27 +00:00
David Benjamin
b06711ca34 Move the X509_NAME typedef into x509.h.
X509_NAME is one of the symbols that collide with wincrypt.h. Move it to x509.h
so libraries which only use the pure-crypto portions of BoringSSL without X.509
needn't have to resolve the collision.

Change-Id: I057873498e58fe4a4cf264356f9a58d7a15397b7
Reviewed-on: https://boringssl-review.googlesource.com/2080
Reviewed-by: Adam Langley <agl@google.com>
2014-10-28 22:38:38 +00:00
David Benjamin
e167976126 Make EVP_DigestVerifyFinal return only zero or one.
It was already almost there. Just a malloc failure away. now all the
EVP_Digest{Sign,Verify}* functions may be used without worrying about -1 return
values.

Change-Id: I96a9750b300010615979bd5f1522b1d241764665
Reviewed-on: https://boringssl-review.googlesource.com/2064
Reviewed-by: Adam Langley <agl@google.com>
2014-10-28 20:22:46 +00:00
Piotr Sikora
3b73c18fca Fix "integer constant is too large for 'long' type" errors.
Change-Id: I018cdc805e19284b057a57d04c9665f0a35ccc3b
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-on: https://boringssl-review.googlesource.com/2040
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 22:12:49 +00:00
Adam Langley
7571292eac Extended master secret support.
This change implements support for the extended master secret. See
https://tools.ietf.org/html/draft-ietf-tls-session-hash-01
https://secure-resumption.com/

Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93
Reviewed-on: https://boringssl-review.googlesource.com/1930
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 21:19:44 +00:00
David Benjamin
83fd6b686f Reimplement d2i_SSL_SESSION with CBS.
Do away with all those unreadable macros. Also fix many many memory leaks in
the SSL_SESSION reuse case. Add a number of helper functions in CBS to help
with parsing optional fields.

Change-Id: I2ce8fd0d5b060a1b56e7f99f7780997fabc5ce41
Reviewed-on: https://boringssl-review.googlesource.com/1998
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:26:41 +00:00
David Benjamin
fbe6f498cd The empty contents are not a valid ASN.1 INTEGER.
Zero is encoded as a single zero octet. Per X.690, 8.3.1:

  The encoding of an integer value shall be primitive. The contents octets
  shall consist of one or more octets.

Change-Id: If4304a2be5117b71446a3a62a2b8a6124f85a202
Reviewed-on: https://boringssl-review.googlesource.com/2010
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:26:11 +00:00
David Benjamin
b5b6854968 Add CBB_add_asn1_uint64.
Companion to CBS_get_asn1_uint64. Also add tests for both the parsing and the
serializing.

Change-Id: Ic5e9a0089c88b300f874712d0e9964cb35a8c40b
Reviewed-on: https://boringssl-review.googlesource.com/1999
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:25:52 +00:00
Adam Langley
4a674152fd Set the IV length for AES-ECB to zero.
This has been wrong since the initial rework of e_aes.c.

Change-Id: I91d92b643c151cd38a272a27f805e5f8ba6dc2df
Reviewed-on: https://boringssl-review.googlesource.com/1981
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 23:51:32 +00:00
David Benjamin
721e6e1500 Don't read past the end of the string in BUF_strndup.
BUF_strlcpy still assumes |src| is a NUL-terminated string and will call strlen
on it to determine the actual length. BUF_strndup's input need not be
NUL-terminated.

Change-Id: I9ca95e92533d12f1b0283412249bda4f8cf92433
Reviewed-on: https://boringssl-review.googlesource.com/1997
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 20:07:02 +00:00
David Benjamin
b698617007 Add CBS_peek_asn1_tag.
Intended to make parsing ASN.1 structures with OPTIONAL elements easier. (Just
attempting to parse the next tag doesn't distinguish between a malformed CBS
which has now been partially advanced and an optional tag mismatch.)

Change-Id: Idceb3dfd6ec028e87e1bc5aaddcec177b0c32150
Reviewed-on: https://boringssl-review.googlesource.com/1995
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:20:26 +00:00
David Benjamin
0248889950 Don't mix and match libraries and errors.
The same library code applies for both the error and the function, so modules
cannot easily report errors from each other. Switch evp/algorithm.c's error
codes to the EVP library. Remove the original error codes so it's obvious some
changes are needed.

- X509_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED -> EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
  ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED -> EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
  (Actually, the X509 version of this error code doesn't exist in OpenSSL. It should
   have been ASN1.)

- ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM -> EVP_R_UNKNOWN_SIGNATURE_ALGORITHM

- ASN1_R_WRONG_PUBLIC_KEY_TYPE -> EVP_R_WRONG_PUBLIC_KEY_TYPE

- ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM -> EVP_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM

Change-Id: I05b1a05b465d800c85f7d63ca74588edf40847b9
Reviewed-on: https://boringssl-review.googlesource.com/1940
Reviewed-by: Adam Langley <agl@google.com>
2014-10-13 22:56:28 +00:00
Adam Langley
7ea848165b Add generic OPERATION_NOT_SUPPORTED error code.
Implementations of ENGINEs often don't want to implement every function.
This change adds an error code for those situations.

Change-Id: Id6b7eace36d06ffad7f347f556d942d447d8a2fd
Reviewed-on: https://boringssl-review.googlesource.com/1920
Reviewed-by: Wan-Teh Chang <wtc@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 23:55:39 +00:00
David Benjamin
bc8d737807 Add tests for AlgorithmIdentifier support in EVP.
Change-Id: I6691c93cfebfb06132e847d7c0bd3dd6bf076cab
Reviewed-on: https://boringssl-review.googlesource.com/1917
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 22:07:32 +00:00
David Benjamin
8f160a680b Add EVP_DigestVerifyInitFromAlgorithm and EVP_DigestSignAlgorithm.
Factor the AlgorithmIdentifier portions of ASN1_item_sign and ASN1_item_verify
out. This makes it possible to initialize a signature context from an
AlgorithmIdentifier without needing the data parsed into an ASN1_ITEM/void*
pair and reserialized.

Change-Id: Idc2e06b1310a3f801aa25de323d39d2b7a44ef50
Reviewed-on: https://boringssl-review.googlesource.com/1916
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:52:52 +00:00
David Benjamin
2e1594dfb5 Remove #if-0'd ASN1_sign.
Verified that nothing uses it.

Change-Id: I1755144129e274f3d1680ddb8cb12273070eb078
Reviewed-on: https://boringssl-review.googlesource.com/1912
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:07:48 +00:00
David Benjamin
75a1dd0dbe Remove EVP_PKEY_CTX case in rsa_pss_to_ctx.
We only ever use the EVP_PKEY case, not the EVP_PKEY_CTX one.

Change-Id: Ibead854f793663da0a9e474599507d9c3ff920cb
Reviewed-on: https://boringssl-review.googlesource.com/1915
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:07:32 +00:00
David Benjamin
f4b4952719 Fix rsa_pss_to_ctx return value.
It should return 0 for failure, not -1; the call site was expecting 0 anyway.

Change-Id: I24ab5d3695b8ac438e40be1a4fd74ecd3b845f5a
Reviewed-on: https://boringssl-review.googlesource.com/1914
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:04:36 +00:00
David Benjamin
5db5d4e2b0 RSA_encrypt and RSA_sign_raw aren't the same.
Change-Id: Ie09ab12baf59b8c1d628396424ce6cadf43bf0e1
Reviewed-on: https://boringssl-review.googlesource.com/1913
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:04:07 +00:00
David Benjamin
a87941ad17 Remove misspelled error code.
One ASN1_R_UNKNOWN_FORMAT got mispelled into ASN1_R_UNKOWN_FORMAT and
duplicated.

Change-Id: If123ef848ffe68afa021f5f3e3fb08eac92c5f94
Reviewed-on: https://boringssl-review.googlesource.com/1911
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:03:42 +00:00
David Benjamin
b1659f597b Fix err_test.
ERR_FLAG_MALLOCED is now masked and isn't returned through
ERR_get_error_line_data.

Change-Id: Ida633bf1a5ca01f563c1323dbdfb2433c2ab5159
Reviewed-on: https://boringssl-review.googlesource.com/1910
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:03:11 +00:00
Adam Langley
57e52f2a63 Fix invariant broken in 5f1374e2.
If to_free is not a valid pointer then it should be NULL.

Change-Id: I6addb2b8e7aa61d3ba47baaf8d0606d10ff2545d
2014-10-06 19:30:44 -07:00
Adam Langley
5f1374e203 Retain ownership of malloced error data.
I misunderstood the OpenSSL semantics here. When receiving an error data
pointer via ERR_get_error_line_data and friends, although the error is
cleared, OpenSSL retains ownership of the data pointer. It's kept in the
cleared error until another error overrides it, or the whole error queue
is cleared.

It's pretty odd to have live pointers in empty errors so this change
allows an error queue to retain one data pointer. Thus the pointer
returned from ERR_get_error_line_data is valid until the next call to
ERR_get_error_line_data, or until the queue is freed.

From reviewing uses of the API, this is sufficient for all of them.

Change-Id: I73cb8e9c792452ae3c1a934ac8bbe8b5353b65b2
Reviewed-on: https://boringssl-review.googlesource.com/1880
Reviewed-by: Adam Langley <agl@google.com>
2014-10-07 01:38:05 +00:00
David Benjamin
bce495c9f3 Fix a_{digest,verify}.c error codepaths.
Not that these functions can actually fail. The only codepaths that do so are
user errors.

Change-Id: I9fcbd402ab6574b5423ae22b462a0e1192ef01d7
Reviewed-on: https://boringssl-review.googlesource.com/1900
Reviewed-by: Adam Langley <agl@google.com>
2014-10-06 23:50:31 +00:00
Adam Langley
51fcd87102 Fix NaCl build.
NaCl defines _POSIX_C_SOURCE on the command line for some reason, thus
we have to be defensive about defining it.

Change-Id: Icbc8afcb1ac0e0ca23b788b11ea911c3f55a8b7f
Reviewed-on: https://boringssl-review.googlesource.com/1891
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-02 22:45:22 +00:00
Adam Langley
ad912f348b Use _POSIX_C_SOURCE not _BSD_SOURCE.
_BSD_SOURCE has been deprecated (see bug). The manpage for printf
suggests that any _POSIX_C_SOURCE >= 200112L is also sufficient to bring
in the needed declarations and the bug reporter confirms that it's
sufficient for him.

https://code.google.com/p/chromium/issues/detail?id=419859

Change-Id: Ifc053f11c5aa1df35aae8e952d2c73a7f4599ec2
Reviewed-on: https://boringssl-review.googlesource.com/1890
Reviewed-by: Adam Langley <agl@google.com>
2014-10-02 21:35:33 +00:00
Ben Laurie
176b70efd1 Silence warnings about unused values.
Change-Id: Iabfb85d90554b25e0a545a8ef3a3e9a607770132
Reviewed-on: https://boringssl-review.googlesource.com/1850
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 17:27:08 +00:00
David Benjamin
b99106a7a5 Fix bio_test on Windows.
Winsock needs to be initialized. Also, perror doesn't do anything
useful and read/recv aren't interchangeable.

Change-Id: Ic9dfd6907b7b0d396eafe72072a29d027b66bc0c
Reviewed-on: https://boringssl-review.googlesource.com/1871
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 17:24:22 +00:00
David Benjamin
66a3531237 Fix BIO_printf on Windows.
vsnprintf returns -1 on Windows on truncation, not the needed
size.

Change-Id: I0a9f32504127b2fb740244c3b59132e201d14234
Reviewed-on: https://boringssl-review.googlesource.com/1870
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 17:22:56 +00:00
David Benjamin
fb3ff2c66c Don't compare signed vs. unsigned.
This resolves a pile of MSVC warnings in Chromium.

Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803
Reviewed-on: https://boringssl-review.googlesource.com/1865
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:17:38 +00:00
David Benjamin
5e77bd449e Use OPENSSL_64_BIT in rc4.c.
This avoids unnecessary differences between LP64 and LLP64. Also
MSVC throws overflow warnings in the big-endian 64-bit codepath,
so use the preprocessor.

Change-Id: I74cef2d631d39f282177e043ed24bc6ecbbcb8fd
Reviewed-on: https://boringssl-review.googlesource.com/1860
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:06:31 +00:00
David Benjamin
04284b8952 Account for Windows and UNIX socket API differences.
close is closesocket. Also some of the headers are different
and inet_aton should be inet_pton.

Change-Id: I9eee0880d91833bdd3bcf0f2a352923c9fb1a891
Reviewed-on: https://boringssl-review.googlesource.com/1864
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:05:43 +00:00
David Benjamin
357fd0a878 Remove meth_num in ex_data_impl.c.
It's unnecessary and Windows was unhappy about the signed/unsigned
comparisons.

Change-Id: If2c4a20de48a2cddb0a4e0ca01e84eef91b155db
Reviewed-on: https://boringssl-review.googlesource.com/1863
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:04:51 +00:00
David Benjamin
775b75f9de Fix Windows shared library build.
Windows is much pickier about dllimport/dllexport. Declare it on
the declaration, not the definition. Also ensure that the declaration
precedes the definition. Finally, remove a stray OPENSSL_EXPORT.

Change-Id: Id50b9de5acbe5adf1b15b22dd60b7a5c13a80cce
Reviewed-on: https://boringssl-review.googlesource.com/1862
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:01:53 +00:00
David Benjamin
de211dbd7b Don't use ssize_t in base64_test.c.
Windows doesn't have it, and it should have been size_t anyway.

Change-Id: I901b8d78182576eaa52384d3ffef4810ff48cf7b
Reviewed-on: https://boringssl-review.googlesource.com/1861
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 01:07:28 +00:00
Ben Laurie
6a3ecf37da _POSIX_C_SOURCE needs to be set to a date, at least on FreeBSD.
Change-Id: I4020bb6ecd3d7ed745cdba89e50536eafab1f1ee
Reviewed-on: https://boringssl-review.googlesource.com/1851
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 19:15:39 +00:00
Adam Langley
ddb300306d Don't include strings.h because of Windows.
This is a follow on to dab64ff9be.

Change-Id: I01644f058030c0fac3f636871cc55a082edf51f1
2014-09-29 17:57:38 -07:00
Adam Langley
dab64ff9be Use OPENSSL_strcasecmp.
Windows doesn't provide strcasecmp and I forgot to use the wrapper
function in 704453fa9c.

Change-Id: I291387d1f73328977fc9e0ba7c3b23eede9bc368
2014-09-29 10:23:48 -07:00
Adam Langley
704453fa9c Add deprecated functions for tcpdump.
This reduces the delta for getting Android to compile and avoids having
Android carry around diffs to upstream versions of tcpdump.

Change-Id: I7f4cbb22b7a0f246bbebe960ca2139f0f42e14a0
Reviewed-on: https://boringssl-review.googlesource.com/1830
Reviewed-by: Adam Langley <agl@google.com>
2014-09-26 22:10:45 +00:00
Adam Langley
e7fa75b74f Remove use of GOTPCREL in asm.
Now that symbol visibility is done correctly, this shouldn't be needed.

Change-Id: I608beed1de63c1309358ff17dd28e3191e87dbd4
Reviewed-on: https://boringssl-review.googlesource.com/1810
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-09-26 22:07:45 +00:00
Adam Langley
5127db3b4d Provide compatibility functions for PKCS#12 parsing.
In order to minimise the upstream diffs needed for bits of Android to
build with BoringSSL, this change implements the old style PKCS#12
functions as wrappers around the modern parser.

The function to read all the contents of a BIO could almost be a utility
function but I'll wait until there are two uses for it first.

The important change from the original functions is that these will
always read the complete buffer/BIO/FILE passed in. Based on a survey of
uses of d2i_PKCS12 that I found, this appears to be universally what
callers want anyway.

Change-Id: I3f5b84e710b161d975f91f4d16c83d44371368d1
Reviewed-on: https://boringssl-review.googlesource.com/1791
Reviewed-by: Adam Langley <agl@google.com>
2014-09-20 00:10:03 +00:00
Adam Langley
588d2528d1 Don't try to setup CPUID if NO_ASM.
Change-Id: Idec1cda87b0a58e9350d0e10c3251a2c47ac1929
Reviewed-on: https://boringssl-review.googlesource.com/1790
Reviewed-by: Adam Langley <agl@google.com>
2014-09-20 00:09:57 +00:00
Adam Langley
bed8ce78f0 Add misc functions for easier porting.
Android requested that the wpa_supplicant go upstream. This change adds
some dummy functions and reinstates DSA_dup_DH in order to make the diff
smaller and easier for upstream.

Change-Id: I77ac271b8652bae5a0bbe16afde51d9096f3dfb5
Reviewed-on: https://boringssl-review.googlesource.com/1740
Reviewed-by: Adam Langley <agl@google.com>
2014-09-18 22:38:11 +00:00