Commit Graph

2180 Commits

Author SHA1 Message Date
Adam Langley
2deb984187 Fix NULL dereference in the case of an unexpected extension from a server.
Due to a typo, when a server sent an unknown extension, the extension
number would be taken from a NULL structure rather than from the
variable of the same name that's in the local scope.

BUG=517935

Change-Id: I29d5eb3c56cded40f6155a81556199f12439ae06
Reviewed-on: https://boringssl-review.googlesource.com/5650
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 18:21:20 +00:00
Brian Smith
21cdada609 Fix warning about unused |EVP_PKEY_METHOD.ctrl_str|.
Some compilers in some configurations warn about this structure member
not being assigned a value. Since it is never used anywhere, just
remove it.

Change-Id: I46064234961bf449fe5fcb88594ddb3ff390e7d7
Reviewed-on: https://boringssl-review.googlesource.com/5621
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 16:11:08 +00:00
David Benjamin
b8a6c9e1e9 Fix CRYPTO_hwrand comment.
Missed a mention of CRYPTO_have_hwrand.

Change-Id: I9756d80105c2fcee487a7badbf4d82f375b5652d
Reviewed-on: https://boringssl-review.googlesource.com/5640
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 16:10:41 +00:00
Matt Braithwaite
02e1834bc7 Make |RSA_PSS_PARAMS| public.
Change-Id: I4a30b80a76cb4bb6e9bc488a915488b0a794520e
Reviewed-on: https://boringssl-review.googlesource.com/5591
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:14:56 +00:00
Matt Braithwaite
45b03025bd Add more compatibility symbols like |SSL_OP_NETSCAPE_CA_DN_BUG|.
This benefits PyOpenSSL.

Change-Id: Idbb982def51ec395f3b5e1e0e3452bb62b50d927
Reviewed-on: https://boringssl-review.googlesource.com/5600
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:14:31 +00:00
Brian Smith
4ae9f2746c Clean up weirdness in initializing EC_GROUP cofactor & order.
Previously, |x| was reset to the value of the cofactor for no reason,
and there was an unnecessary copy made of |order|.

Change-Id: Ib6b06f651e280838299dff534c38726ebf4ccc97
Reviewed-on: https://boringssl-review.googlesource.com/4447
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:04:09 +00:00
David Benjamin
1be2ec6756 Fold CRYPTO_hwrand and CRYPTO_have_hwrand together.
Since the caller must check for CRYPTO_hwrand failures anyway, there's not much
point in doing the CRYPTO_have_hwrand check externally.

(As a bonus, CRYPTO_hwrand no longer compiles to abort() on ARM, so linker
deduplicating won't confuse Chrome's crash reporter...)

Change-Id: I2191d835fbda5b70812f14cd9a873a5e35c30c6d
Reviewed-on: https://boringssl-review.googlesource.com/5630
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:02:24 +00:00
David Benjamin
b2d987b47c Free tmp_wNAF in all exit paths.
BUG=517495

Change-Id: I67c9c511d4ed558ab7a976d6708398e02194cd0f
Reviewed-on: https://boringssl-review.googlesource.com/5628
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:00:35 +00:00
David Benjamin
ade291c566 Clean up the DES_key_schedule logic.
It's not clear why OpenSSL had a union. The comment says something about sizes
of long, since OpenSSL doesn't use stdint.h. But the variable is treated as a
bunch of uint32_t's, not DES_cblocks.

The key schedule is also always used by iterating or indexing into a uint32_t*,
treating the 16 2-word subkeys as a single uint32_t[32]. Instead, index into
them properly shush any picky tools. The compiler should be able to figure out
what's going on and optimize it appropriately.

BUG=517495

Change-Id: I83d0e63ac2c6fb76fac1dceda9f2fd6762074341
Reviewed-on: https://boringssl-review.googlesource.com/5627
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:55:59 +00:00
David Benjamin
3b51b7ad0f Remove stray (void)0.
Probably a remnant of ifdef soup somewhere.

Change-Id: I472f236a2db54a97490b22b0bbcc1701a2dba3b3
Reviewed-on: https://boringssl-review.googlesource.com/5623
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:53:43 +00:00
Brian Smith
f9f72b3667 Remove BIO dependency from cmac_test.
This is the only test amongst the tests for core crypto functionality
that depends on crypto/bio. This change removes that dependency. This
also factors out the duplicative hexdump logic into a shared function.

Change-Id: Ic280a71d086555a6993c05f183b94e1d38b60932
Reviewed-on: https://boringssl-review.googlesource.com/5622
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:53:01 +00:00
David Benjamin
b088331ec0 Simplify handshake hash handling.
Rather than support arbitrarily many handshake hashes in the general
case (which the PRF logic assumes is capped at two), special-case the
MD5/SHA1 two-hash combination and otherwise maintain a single rolling
hash.

Change-Id: Ide9475565b158f6839bb10b8b22f324f89399f92
Reviewed-on: https://boringssl-review.googlesource.com/5618
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:47:21 +00:00
David Benjamin
d6a4ae97cd Simplify tls1_channel_id_hash.
Rather than iterate over handshake_dgsts itself, it can just call
tls1_handshake_digest.

Change-Id: Ia518da540e47e65b13367eb1af184c0885908488
Reviewed-on: https://boringssl-review.googlesource.com/5617
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:16:33 +00:00
David Benjamin
5375fd594b Switch the handshake buffer from memory BIO to BUF_MEM.
A memory BIO is internally a BUF_MEM anyway. There's no need to bring
BIO_write into the mix. BUF_MEM is size_t clean.

Change-Id: I4ec6e4d22c72696bf47c95861771013483f75cab
Reviewed-on: https://boringssl-review.googlesource.com/5616
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:11:42 +00:00
David Benjamin
9550c3ac8b Decouple the handshake buffer and digest.
The handshake hash is initialized from the buffer as soon as the cipher
is known. When adding a message to the transcript, independently update
the buffer and rolling hash, whichever is active. This avoids the
complications around dont_free_handshake_buffer and EMS.

BUG=492371

Change-Id: I3b1065796a50fd1be5d42ead7210c2f253ef0aca
Reviewed-on: https://boringssl-review.googlesource.com/5615
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:10:33 +00:00
David Benjamin
5055c76709 Rename algorithm2 to algorithm_prf.
It's purely the PRF function now, although it's still different from the
rest due to the _DEFAULT field being weird.

Change-Id: Iaea7a99cccdc8be4cd60f6c1503df5be2a63c4c5
Reviewed-on: https://boringssl-review.googlesource.com/5614
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:59:34 +00:00
David Benjamin
b2a985bfb8 Fold away SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD.
It's a property of just algorithm_enc and hopefully AES-GCM will
continue to be the only true AEAD that requires this. Simpler to just
keep it in ssl_aead_ctx.c.

Change-Id: Ib7c060a3de2fa8590b2dc36c23a5d5fabff43b07
Reviewed-on: https://boringssl-review.googlesource.com/5613
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:57:37 +00:00
Brian Smith
62138c5d5a Check the return value of |BN_sub| in bn_test.cc.
Coverity complains about this.

Change-Id: I5140fd82bdbe7c2e3b36a8bc9006770a431741ea
Reviewed-on: https://boringssl-review.googlesource.com/5619
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:52:58 +00:00
Brian Smith
f4bbc2a360 Improve error checking of some |BN_CTX_get| callers.
The documentation for |BN_CTX_get| states: "Once |BN_CTX_get| has
returned NULL, all future calls will also return NULL until
|BN_CTX_end| is called." Some code takes advantage of that guarantee
by only checking the return value of the last call to |BN_CTX_get| in a
series of calls. That is correct and the most efficient way of doing
it. However, that pattern is inconsistent with most of the other uses
of |BN_CTX_get|. Also, static analysis tools like Coverity cannot
understand that pattern. This commit removes the instances of that
pattern that Coverity complained about when scanning *ring*.

Change-Id: Ie36d0223ea1caee460c7979547cf5bfd5fb16f93
Reviewed-on: https://boringssl-review.googlesource.com/5611
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:50:17 +00:00
Brian Smith
7b5f08edb8 Fix null pointer dereference in file_test.cc.
The error condition was checked for, but the return statement was
missing.

Change-Id: I92f89809a7a112fdece49a2a8a8628ff2da8e0da
Reviewed-on: https://boringssl-review.googlesource.com/5610
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:48:03 +00:00
Adam Langley
07bf9f69ba Drop DEFINE_STACK_OF.
We never need to define the actual structs because we always cast them
before use. The types only exist to be distinct, and they can do that
without a definition.

Change-Id: I1e1ca0833b383f3be422675cb7b90dacbaf82acf
Reviewed-on: https://boringssl-review.googlesource.com/5593
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:30:08 +00:00
Brian Smith
906e2993a8 Fix Windows build.
When using CMake to build with MSVC, MSVC complains about unreachable
code in the <xtree> header. This incantation silences that.

Change-Id: I5fc5305dc816a009a4c59501b212fd11e290637d
Reviewed-on: https://boringssl-review.googlesource.com/5552
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:26:34 +00:00
Matt Braithwaite
d0e1f1ca85 Include thread.h from crypto.h, like OpenSSL.
thread.h defines |CRYPTO_num_locks| and friends.

Change-Id: Id28484d20226bf3ab49b2a75c48210167b96a2f3
Reviewed-on: https://boringssl-review.googlesource.com/5592
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:25:23 +00:00
Matt Braithwaite
f92930e30a Add |EVP_rc2_cbc| and implement |EVP_CTRL_SET_RC2_KEY_BITS|.
Add it to |EVP_get_cipherbynid|, along with |EVP_rc2_40_cbc| and
|EVP_aes_192_cbc|.

Change-Id: Iee7621a91262359d1650684652995884a6cef37a
Reviewed-on: https://boringssl-review.googlesource.com/5590
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:23:56 +00:00
David Benjamin
7446a3b77f Clean up DTLS1_BITMAP code.
Take the sequence number as a parameter. Also replace satsub64be with
the boring thing: convert to uint64_t and subtract normally.

BUG=468889

Change-Id: Icab75f872b5e55cf4e9d68b66934ec91afeb198b
Reviewed-on: https://boringssl-review.googlesource.com/5558
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:23:05 +00:00
David Benjamin
c8d5122538 Fold dtls1_process_record into dtls1_get_record.
The split was only needed for buffering records. Likewise, the extra
seq_num field is now unnecessary.

This also fixes a bug where dtls1_process_record will push an error on
the queue if the decrypted record is too large, which dtls1_get_record
will ignore but fail to clear, leaving garbage on the error queue. The
error is now treated as fatal; the reason DTLS silently drops invalid
packets is worrying about ease of DoS, but after SSL_AEAD_CTX_open, the
packet has been authenticated. (Unless it's the null cipher, but that's
during the handshake and the handshake is already DoS-able by breaking
handshake reassembly state.)

The function is still rather a mess. Later changes will clean this up.

BUG=468889

Change-Id: I96a54afe0755d43c34456f76e77fc4ee52ad01e3
Reviewed-on: https://boringssl-review.googlesource.com/5557
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:14:11 +00:00
David Benjamin
8e6db495d3 Add more aggressive DTLS replay tests.
The existing tests only went monotonic. Allow an arbitrary mapping
function. Also test by sending more app data. The handshake is fairly
resilient to replayed packets, whereas our test code intentionally
isn't.

Change-Id: I0fb74bbacc260c65ec5f6a1ca8f3cb23b4192855
Reviewed-on: https://boringssl-review.googlesource.com/5556
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:10:48 +00:00
David Benjamin
229adfb42b FALLBACK_SCSV is an RFC now.
Update references.

Change-Id: I56af31529cf6bfd00d3f0bb9b6281645ed134c5c
Reviewed-on: https://boringssl-review.googlesource.com/5555
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 20:51:51 +00:00
Adam Langley
8bc81df02b Revert "pound-define EVP_R_BAD_DECRYPT CIPHER_R_BAD_DECRYPT."
It will end up allowing some misuses of the error API to break silently,
so we're better off without it.

This reverts commit 0fba870578.

Change-Id: I486962c77cb18474ad9eee2acec86b631c99210d
2015-08-05 12:16:11 -07:00
David Benjamin
b143eca16e Consistently participate in err for PKCS12_* functions.
err is a horrible API, but functions should consistently participate or not
participate in it. We were missing a few codepaths.

Change-Id: I762074d5030b8e9d3e5bba9f8fa91fbdccbee25a
Reviewed-on: https://boringssl-review.googlesource.com/5571
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 18:53:06 +00:00
David Benjamin
43bd18f3b2 Don't define typedefs twice.
16f774f8bf adds forward declarations for
everything in x509.h, but the typedefs are still in x509.h. Some versions of
clang flag the duplicate typedefs in C code.

Change-Id: Ib6684a238681d8c4fb1f0f91c3a6110013b3f4d6
Reviewed-on: https://boringssl-review.googlesource.com/5580
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 05:35:23 +00:00
Brian Smith
78fe4fd297 Fix more warnings about old-style prototypes.
Replace |()| with |(void)| in some prototypes to avoid compiler
warnings about old-style prototypes when building in some non-default
configurations for ARM.

Change-Id: Id57825084941c997bb7c41ec8ed94962f97ff732
Reviewed-on: https://boringssl-review.googlesource.com/5570
Reviewed-by: Adam Langley <agl@google.com>
2015-08-04 02:09:39 +00:00
Matt Braithwaite
16f774f8bf base.h: add typedefs from x509.h, and sort them.
Change-Id: I333573631ebe4b01f91b1aeebf620812161db3ee
Reviewed-on: https://boringssl-review.googlesource.com/5560
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 21:25:22 +00:00
Matt Braithwaite
0fba870578 pound-define EVP_R_BAD_DECRYPT CIPHER_R_BAD_DECRYPT.
(This is one of the most common errors that callers test for.)

Change-Id: Ic39b8dc6b5551de4a25e8517b9bbedf8a4a94d60
Reviewed-on: https://boringssl-review.googlesource.com/5534
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 18:33:59 +00:00
Matt Braithwaite
6454a4cc21 pound-define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
Change-Id: Ic04e474759254397e8cc9220b2618058d43f71be
Reviewed-on: https://boringssl-review.googlesource.com/5533
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 18:32:53 +00:00
Matt Braithwaite
5acf6b5cb4 include base64.h in evp.h
Change-Id: I0abe925fb094e6d95e03aba144dc266c73a4bb75
Reviewed-on: https://boringssl-review.googlesource.com/5536
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 18:31:58 +00:00
David Benjamin
fc05994e24 Fold away EC point format negotiation.
The only point format that we ever support is uncompressed, which the
RFC says implementations MUST support. The TLS 1.3 and Curve25519
forecast is that point format negotiation is gone. Each curve has just
one point format and it's labeled, for historial reasons, as
"uncompressed".

Change-Id: I8ffc8556bed1127cf288d2a29671abe3c9b3c585
Reviewed-on: https://boringssl-review.googlesource.com/5542
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:46:36 +00:00
Brian Smith
8a36e53abb Avoid using |WIN32| and use |OPENSSL_WINDOWS| instead.
MSVC and clang-cl automatically define |_WIN32| but |WIN32| is only
defined if a Windows header file has been included or if -DWIN32 was
passed on the command line. Thus, it is always better to test |_WIN32|
than |WIN32|. The convention in BoringSSL is to test |OPENSSL_WINDOWS|
instead, except for the place where |OPENSSL_WINDOWS| is defined.

Change-Id: Icf3e03958895be32efe800e689d5ed6a2fed215f
Reviewed-on: https://boringssl-review.googlesource.com/5553
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:34:34 +00:00
Brian Smith
b748373286 Remove redundant declaration of OPENSSL_ia32cap_P from e_aes.c.
Some compilers warn about this duplicate declaration in some
configurations.

Change-Id: I3ff038a5feb0b2632b140e6632ea48acb0dcc118
Reviewed-on: https://boringssl-review.googlesource.com/5551
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:33:03 +00:00
David Benjamin
6de0e53919 Add tests for bad CertificateVerify signatures.
I don't think we had coverage for this check.

Change-Id: I5e454e69c1ee9f1b9760d2ef1431170d76f78d63
Reviewed-on: https://boringssl-review.googlesource.com/5544
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:32:17 +00:00
David Benjamin
50f1d00bee RT3774: double-free in DSA
(Imported from upstream's 374fd385c2347b965c3490aa1c10025e1339d265.)

This codepath is only reachable on malloc failure if putting DSA private
keys into a PKCS#8 PrivateKeyInfo.

Change-Id: I88052eab3f477c4cdf5749be525878278d966a69
Reviewed-on: https://boringssl-review.googlesource.com/5543
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:31:37 +00:00
David Benjamin
399e7c94bf Run go fmt on runner.
That got out of sync at some point.

Change-Id: I5a45f50f330ceb65053181afc916053a80aa2c5d
Reviewed-on: https://boringssl-review.googlesource.com/5541
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:27:05 +00:00
David Benjamin
cae932e85b Remove SSL_get0_ec_point_formats.
It's never called anywhere and doesn't return anything interesting.

Change-Id: I68e7e9cd7b74a72f61092ac5d2b5d2390e55a228
Reviewed-on: https://boringssl-review.googlesource.com/5540
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:26:41 +00:00
Matt Braithwaite
2f252fed10 Add |DES_set_key_unchecked| as an alias for |DES_set_key|.
Change-Id: I00296b0602a95b51366586b30ccd95261dd7007b
Reviewed-on: https://boringssl-review.googlesource.com/5532
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:26:15 +00:00
Adam Langley
c5b23a19ea Work around MSVC's limitations.
MSVC 2013 does not support constexpr:
https://msdn.microsoft.com/en-us/library/vstudio/hh567368.aspx

Change-Id: I73a98ace57356489efeb25384997d2d2891a271f
2015-07-30 18:19:26 -07:00
nagendra modadugu
601448aa13 Add server-side support for asynchronous signing.
The RSA key exchange needs decryption and is still unsupported.

Change-Id: I8c13b74e25a5424356afbe6e97b5f700a56de41f
Reviewed-on: https://boringssl-review.googlesource.com/5467
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 01:14:29 +00:00
Adam Langley
0950563a9b Implement custom extensions.
This change mirrors upstream's custom extension API because we have some
internal users that depend on it.

Change-Id: I408e442de0a55df7b05c872c953ff048cd406513
Reviewed-on: https://boringssl-review.googlesource.com/5471
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 01:12:00 +00:00
Matt Braithwaite
30bff60d33 EVP_get_cipherbyname: recognize "des-ede3-cbc", not "3des-cbc".
Change-Id: I497361020e225063fce55d72be57fabfbdf88405
Reviewed-on: https://boringssl-review.googlesource.com/5530
Reviewed-by: Adam Langley <agl@google.com>
2015-07-30 21:40:45 +00:00
Matt Braithwaite
6bfdc63114 Fix NID of |EVP_CIPHER des3_cbc|.
Change-Id: I0f27fa1897d2f0a148203610ccd5c6c7967f9f3d
Reviewed-on: https://boringssl-review.googlesource.com/5510
Reviewed-by: Adam Langley <agl@google.com>
2015-07-29 21:22:59 +00:00
David Benjamin
820731a2b0 Fix some typos in license headers.
These are not in upstream and were probably introduced on accident by stray vim
keystrokes.

Change-Id: I35f51f81fc37e75702e7d8ffc6f040ce71321b54
Reviewed-on: https://boringssl-review.googlesource.com/5490
Reviewed-by: Adam Langley <agl@google.com>
2015-07-29 19:23:51 +00:00