Commit Graph

4050 Commits

Author SHA1 Message Date
David Benjamin
e1d18a7a88 Vendor a copy of golang.org/x/crypto/ed25519.
This will be used for testing purposes.

BUG=187

Change-Id: I4a18c54c690921a4bbccf5bd03107c579a6e9393
Reviewed-on: https://boringssl-review.googlesource.com/14451
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 23:17:09 +00:00
David Benjamin
417830d981 Support EVP_PKEY_{sign,verify}_message with Ed25519.
It's amazing how short p_ed25519.c is.

BUG=187

Change-Id: Ib2a5fa7a4acf2087ece954506f81e91a1ed483e1
Reviewed-on: https://boringssl-review.googlesource.com/14449
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 23:05:14 +00:00
David Benjamin
05bb1c5033 Implement draft-ietf-curdle-pkix-04's serialization.
The resulting EVP_PKEYs do not do anything useful yet, but we are able
to parse them. Teaching them to sign will be done in a follow-up.

Creating these from in-memory keys is also slightly different from other
types. We don't have or need a public ED25519_KEY struct in
curve25519.h, so I've added tighter constructor functions which should
hopefully be easier to use anyway.

BUG=187

Change-Id: I0bbeea37350d4fdca05b6c6c0f152c15e6ade5bb
Reviewed-on: https://boringssl-review.googlesource.com/14446
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 23:02:22 +00:00
David Benjamin
cc17c24852 Stop pretending RSA and ECDSA sigalgs are configurable.
We don't allow consumers to enable and disable RSA and ECDSA signature
algorithms but will filter client-sent cipher suites and server-sent
client certificate types based on this hard-coded list.

This is two less places to update for Ed25519.

BUG=187

Change-Id: I62836b6980acc6d03ee254f0a84e9826668e9e57
Reviewed-on: https://boringssl-review.googlesource.com/14567
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 22:54:02 +00:00
David Benjamin
6114c3c5d4 Clean up signature algorithm logic.
With public keys reliably extractable from SSL_PRIVATE_KEY_METHOD keys,
we can share the pkey/sigalg check between signing and verifying.

BUG=188

Change-Id: Ieb9382807781e48ffed720b27f450847d3fca788
Reviewed-on: https://boringssl-review.googlesource.com/14566
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 22:52:22 +00:00
David Benjamin
a232a7159c Deprecate SSL_PRIVATE_KEY_METHOD type and max_signature_len.
Instead, extract it from the certificate, which is what everyone was
doing anyway. A follow-up change will take advantage of this cleanup to
deduplicate code between signing and verifying for which keys are good
for which signature algorithms.

BUG=188

Change-Id: Ic3f83a6477e8fa53e5e7233f4545f4d2c4b58d01
Reviewed-on: https://boringssl-review.googlesource.com/14565
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 22:43:20 +00:00
David Benjamin
bf833c346d Rename hs->public_key.
This is an unhelpfully generic name. Rename it to match SSL_ECDH_CTX.
Unqualified "public key" is typically assumed to be the certificate.

Change-Id: I8ba8c3f2bb1343d1c006845a1110e833451c5a56
Reviewed-on: https://boringssl-review.googlesource.com/14564
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 22:38:18 +00:00
David Benjamin
76feb1f97f Convert ssl_privkey.c to message-based signing APIs.
This allows us to share some of the is_ecdsa mess between signing and
verifying in a way that will generalize to Ed25519. This makes it a lot
shorter and gets us closer to Ed25519.

Later work will tidy this up further.

BUG=187

Change-Id: Ibf3c07c48824061389b8c86294225d9ef25dd82d
Reviewed-on: https://boringssl-review.googlesource.com/14448
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 22:37:51 +00:00
David Benjamin
7c83fdaf5b Add message-based EVP_PKEY APIs.
Right now this is just a wrapper over EVP_Digest and EVP_PKEY_sign. A
later change will introduce a sign_message hook to EVP_PKEY_METHOD which
Ed25519 and other single-shot-only algorithms can implement.
(EVP_PKEY_sign does not quite work for this purpose as all the other key
types believe EVP_PKEY_sign acts on a pre-hashed input.)

BUG=187

Change-Id: Ia4bbf61b25cc4a0d64bcb4364805fe9b5a6e829c
Reviewed-on: https://boringssl-review.googlesource.com/14447
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-04-05 22:30:53 +00:00
David Benjamin
712f372489 Make the bssl client -resume flag less confusing.
Empirically, people find the command-line flag and documentation
confusing. (I've seen people try using -session-in and -resume at the
same time.)

Also fail if both flags are passed together.

Change-Id: Idd59b019b4842fe99ec8974dbe6a3f4ce27eb855
Reviewed-on: https://boringssl-review.googlesource.com/14685
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-05 19:19:34 +00:00
David Benjamin
3e0b2ce12b Prune some dead constants.
Change-Id: Ie0d664ba01b152769185267d2d5c78320ca01473
Reviewed-on: https://boringssl-review.googlesource.com/14684
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-05 19:15:44 +00:00
David Benjamin
c8ff30cbe7 Add an option to allow unknown ALPN protocols.
We received an external request to add an option to undo the check added
in 3e51757de2.

Change-Id: Ifdd4b07705f2fa3d781d775d5cd139ea72d36734
Reviewed-on: https://boringssl-review.googlesource.com/14644
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-05 00:33:57 +00:00
David Benjamin
0686c09eea Fix CRYPTO_dup_ex_data.
On malloc error, CRYPTO_set_ex_data may fail. (See upstream's
62f488d31733e5dc77b339f905b44f165550e47d.)

It also failed to copy the reserved slots when we revised the app-data
machinery, although this is unreachable as EC_KEY is the only thing
which uses this function and EC_KEY has no reserved slots. (We probably
can/should also take CRYPTO_dup_ex_data out of there, as it's a little
bit weird...)

Change-Id: I60bbc301f919d4c0ee7fff362f979f6ec18d73b7
Reviewed-on: https://boringssl-review.googlesource.com/14604
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-04 18:21:49 +00:00
Adam Langley
b18cb6a5d0 Make the POWER hardware capability value a global in crypto.c.
(Thanks to Sam Panzer for the patch.)

At least some linkers will drop constructor functions if no symbols from
that translation unit are used elsewhere in the program. On POWER, since
the cached capability value isn't a global in crypto.o (like other
platforms), the constructor function is getting discarded.

The C++11 spec says (3.6.2, paragraph 4):

    It is implementation-defined whether the dynamic initialization of a
    non-local variable with static storage duration is done before the
    first statement of main. If the initialization is deferred to some
    point in time after the first statement of main, it shall occur
    before the first odr-use (3.2) of any function or variable defined
    in the same translation unit as the variable to be initialized.

Compilers appear to interpret that to mean they are allowed to drop
(i.e. indefinitely defer) constructors that occur in translation units
that are never used, so they can avoid initializing some part of a
library if it's dropped on the floor.

This change makes the hardware capability value for POWER a global in
crypto.c, which should prevent the constructor function from being
ignored.

Change-Id: I43ebe492d0ac1491f6f6c2097971a277f923dd3e
Reviewed-on: https://boringssl-review.googlesource.com/14664
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-04 18:19:19 +00:00
David Benjamin
42329a828b Clean up PKCS5_PBKDF2_HMAC.
This was a mess. HMAC_CTX_copy_ex would avoid having to cleanup and init
the HMAC_CTX repeatedly, but even that is unnecessary. hctx_tpl was just
to reuse the key. Instead, HMAC_CTX already can be reset with the same
key. (Alas, with a slightly odd API, but so it goes.) Do that, and use
goto err to cleanup the error-handling.

Thanks to upstream's b98530d6e09f4cb34c791b8840e936c1fc1467cf for
drawing attention to this. (Though we've diverged significantly from
upstream with all the heap-allocated bits, so I didn't use the change
itself.)

While I'm here, tidy up some variable names and cite the newer RFC.

Change-Id: Ic1259f46b7c5a14dc341b8cee385be5508ac4daf
Reviewed-on: https://boringssl-review.googlesource.com/14605
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-04 18:13:53 +00:00
Martin Kreichgauer
8b487b73aa util/generate_build_files.py: Filter test runner sources from BUILD files.
Change-Id: I6eb13647843b124b0cfeb7ea592736a80d723836
Reviewed-on: https://boringssl-review.googlesource.com/14624
Reviewed-by: Adam Langley <agl@google.com>
2017-04-03 23:12:33 +00:00
Alessandro Ghedini
67bb45f44b Support enabling early data on SSL
This moves the early data switch to CERT to make this
|SSL_set_SSL_CTX|-proof.

Change-Id: Icca96e76636d87578deb24b2d507cabee7e46a4a
Reviewed-on: https://boringssl-review.googlesource.com/14545
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-03 20:25:29 +00:00
Adam Langley
faa539f877 Remove static output buffers for hash & HMAC functions.
These static output buffers are a legacy from a time before processes
had threads. This change drops support and callers who were depending on
this (of which there are hopefully none) will crash.

Change-Id: I7b8eb3440def507f92543e55465f821dfa02c7da
Reviewed-on: https://boringssl-review.googlesource.com/14528
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-04-02 17:53:17 +00:00
David Benjamin
ebcb5beb19 Sync vendored copies of Go poly1305 and curve25519.
Taken from revision 3cb07270c9455e8ad27956a70891c962d121a228 of
go-crypto. Some of the changes look like they might fix some of the
crashes we've been having on ARM bots?

Change-Id: I127fd358db553eae4805e777011a89124f595ff0
Reviewed-on: https://boringssl-review.googlesource.com/14544
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-30 20:04:23 +00:00
Adam Langley
107d4388cb Gate assembly sources on !OPENSSL_NO_ASM.
Change-Id: I32b37306265e89afca568f20bfba2e04559c4f0b
Reviewed-on: https://boringssl-review.googlesource.com/14527
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-30 19:34:21 +00:00
David Benjamin
cbfd3c044c Refresh fuzzer corpora.
Change-Id: I04babe31dcea8198a88c8affd5f9f9e24e449e4a
Reviewed-on: https://boringssl-review.googlesource.com/14526
Reviewed-by: Steven Valdez <svaldez@google.com>
2017-03-30 16:55:36 +00:00
David Benjamin
0c05c37f93 Update fuzzer exclusions.
We've got to get a bot for this...

Change-Id: I6af0c466c10ec52bf2e67f1e6fa2513411aeb3c0
Reviewed-on: https://boringssl-review.googlesource.com/14524
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
2017-03-30 16:54:38 +00:00
David Benjamin
519118f984 Fix FUZZING.md typo.
Change-Id: Ie43ffabfdf5b10fbb0c8adcc2626a2913152e5e1
Reviewed-on: https://boringssl-review.googlesource.com/14525
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
2017-03-30 16:54:18 +00:00
Doug Kwan
a5f1b38de5 Use vec_vsx_ld to performance unaligned load instead of dereferencing a pointer
and relying on a compiler to generate code for unaligned access.  Both gcc
and llvm currently do that but llvm is going to change to generate code for
aligned access.  The change in llvm will break SHA-1 on POWER without this fix.

Change-Id: If9393968288cf94b684ad340e3ea295e03174aa9
Reviewed-on: https://boringssl-review.googlesource.com/14378
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:43:30 +00:00
David Benjamin
7e9949c30b Import additional test vectors from RFC 8032.
There are a few test vectors which were not imported from djb's. Mirror
those. Also as RFC 8032 uses a slightly different private key
representation, document this in curve25519.h.

BUG=187

Change-Id: I119381168ba1af9b332365fd8f974fba41759d57
Reviewed-on: https://boringssl-review.googlesource.com/14445
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:28:55 +00:00
David Benjamin
17eeb9820c Unwind the rest of EVP_PKEY_supports_digest.
This is a remnant of a previous iteration of the SSL client certificate
bridging logic in Chromium.

Change-Id: Ifa8e15cc970395f179e2f6db65c97a342af5498d
Reviewed-on: https://boringssl-review.googlesource.com/14444
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:28:25 +00:00
David Benjamin
6bb507bc9c Add missing tests for the Channel ID / 0-RTT interaction.
Clients or servers enabling both should not stop functioning.

Change-Id: I5cca09f8adfc8ff56b8943123847bbdaf8885cf4
Reviewed-on: https://boringssl-review.googlesource.com/14485
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-30 16:25:44 +00:00
David Benjamin
e94ec3f85b Use a union in tls_cbc.c.
This is slightly tidier than casting through function pointers. (Also
more defined? But we cast T* => void* within a function pointer all over
the place, so that's probably a lost cause.)

Change-Id: I8f435906f3066d1377eababf940e3db34c626acd
Reviewed-on: https://boringssl-review.googlesource.com/14313
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:25:11 +00:00
David Benjamin
79bc7a3212 Remove unsigned-based constant-time functions.
We only need the size_t ones now.

BUG=22

Change-Id: Ie6935656bbc4bd2b602b8fad78effc401c493416
Reviewed-on: https://boringssl-review.googlesource.com/14312
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:24:19 +00:00
David Benjamin
643b77e644 Convert tls_cbc.c to size_t.
Not that this is remotely necessary since the code bounds to 1MB, the
caller bounds to INT_MAX (due to EVP_CIPHER) and the grandcaller bounds
to 16k (due to TLS).

BUG=22

Change-Id: Ia75990a30bac26ca617532630340ff94a88e4e20
Reviewed-on: https://boringssl-review.googlesource.com/14311
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:23:38 +00:00
David Benjamin
053a8f728e Bound EVP_tls_cbc_digest_record at runtime.
This is redundant because these "AEAD"s are not meant to be used outside
of TLS, but since we've moved them into their own layer, they should
check internally.

Change-Id: Ieb3541b2e494902527c2bb56a816cef620cb237b
Reviewed-on: https://boringssl-review.googlesource.com/14310
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:20:55 +00:00
David Benjamin
8d979e5430 Push variable declarations in EVP_tls_cbc_digest_record.
This makes it a bit easier to see what is what.

Change-Id: I0f73f6ffa84bd30de3efcbf2bd34e1d3a889d1ee
Reviewed-on: https://boringssl-review.googlesource.com/14309
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:20:36 +00:00
David Benjamin
b0ad3d74db Convert more RSA padding check functions to size_t.
BUG=22

Change-Id: I9f392eef44e83efb4b13931acb2a3c642cbf1f29
Reviewed-on: https://boringssl-review.googlesource.com/14308
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:19:45 +00:00
David Benjamin
43ea204db7 Convert RSA_padding_check_PKCS1_type_1 to size_t.
BUG=22

Change-Id: I5bfa543c261623d125e7a25cea905e3b90b0c014
Reviewed-on: https://boringssl-review.googlesource.com/14307
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 16:03:20 +00:00
David Benjamin
d1c0de6fe0 Add size_t variants of constant-time functions.
These will be used in follow-up commits. The _s names are taken from
upstream, to ease importing code. I've also promoted the CONSTTIME_*
macros from the test. None of them are really necessary except
~0u cannot substitute for CONSTTIME_TRUE_S on 64-bit platforms, so
having the macros seems safer.

Once everything is converted, I expect the unsigned versions can be
removed, so I've made the _8 and _int functions act on size_t rather
than unsigned. The users of these functions basically only believe that
array indices and bytes exist.

BUG=22

Change-Id: I987bfb0c708dc726a6f2afcb05b6619bbd600564
Reviewed-on: https://boringssl-review.googlesource.com/14306
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-03-30 15:38:43 +00:00
Steven Valdez
f368c73826 Fix fuzzer excludes.
Change-Id: I013cf58528463ccca9e087c1c5d544beec3db24a
Reviewed-on: https://boringssl-review.googlesource.com/14466
Reviewed-by: David Benjamin <davidben@google.com>
2017-03-30 02:39:56 +00:00
David Benjamin
fef78b0356 Use an actual SCT for fuzzing.
SSL_CTX_set_signed_cert_timestamp_list fails now if its input is not
well-formed.

Change-Id: I84a4034f66868da11f98bf33e5b7f5c9fc958933
Reviewed-on: https://boringssl-review.googlesource.com/14484
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-29 23:00:36 +00:00
Steven Valdez
a507617e4d Adding server fuzzer for early data.
Since any ALPN mismatch and other cause for early data rejection will
cause the server to revert to the non-early data path, this is safe to
flip on for all the fuzzers.

BUG=76

Change-Id: I573740ef8f455915820943d82247fb6bfc37ae41
Reviewed-on: https://boringssl-review.googlesource.com/14465
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-29 22:51:46 +00:00
Adam Langley
764ab9802e Support and test P-224 certificates.
Previously we only needed to be able to serve P-224 certificates, but
now we anticipate a need to be able to connect and validate them also.
Since this requires advertising support for P-224 in the handshake, we
need to support P-224 ECDHE too.

P-224 support is disabled by default and so clients need to both set the
enabled curves explicitly and set a maximum version of TLS 1.2.

Change-Id: Idc69580f47334e0912eb431a0db0e78ee2eb5bbe
Reviewed-on: https://boringssl-review.googlesource.com/14225
Reviewed-by: Adam Langley <alangley@gmail.com>
Commit-Queue: Adam Langley <alangley@gmail.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-29 17:50:36 +00:00
Steven Valdez
a0ba400c33 Add cipher asserts for read/write app data.
Allow the fuzzers to treat this situation, if they ever discover it,
as a bug.

Change-Id: Ie6f1562e9b185d49463cf1a6db28d28780169b11
Reviewed-on: https://boringssl-review.googlesource.com/14424
Reviewed-by: David Benjamin <davidben@google.com>
2017-03-28 21:02:56 +00:00
David Benjamin
ccbb165d98 Tidy up ssl3_choose_cipher.
Change-Id: Ied6b73fde61eb133c9871b42a56aa5a64131b67b
Reviewed-on: https://boringssl-review.googlesource.com/14328
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-27 20:13:13 +00:00
David Benjamin
8c26d750e1 Test the behavior of running SSL_do_handshake twice in a row.
BUG=185

Change-Id: I4ce6735ca78cd687538a8c0fdbd78ee97b93585c
Reviewed-on: https://boringssl-review.googlesource.com/14382
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-27 18:30:44 +00:00
David Benjamin
7a60ca095d Synchronize bsaes-armv7.pl with upstream.
This pulls in upstream's 0822d41b6d54132df96c02cc6f6fa9b179378351 and a
portion of a285992763f3961f69a8d86bf7dfff020a08cef9. The former, in
particular, fixes a crash on iOS.

Change-Id: I3c083975d8d11e58b5a2919fcabbf83628f36340
Reviewed-on: https://boringssl-review.googlesource.com/14383
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-27 16:38:33 +00:00
David Benjamin
0f5d7d3f04 Just allocate what's needed for SSL write buffers.
When we refactored all the buffering logic, we retained upstream
OpenSSL's allocation patterns. In particular, we always allocated fixed
size write buffer, even though, unlike when reading, we trivially know a
tighter bound (namely however much we happen to be writing right now).

Since the cutoff for when Windows' malloc starts having a hard time is
just below the TLS maximum record size, do the more natural thing of
allocating what we need to hold outgoing ciphertext.

(This only does anything to the write half. Read half is a bit more
involved.)

BUG=chromium:524258

Change-Id: I0165f9ce822b9cc413f3c77e269e6154160537a7
Reviewed-on: https://boringssl-review.googlesource.com/14405
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-27 16:37:53 +00:00
David Benjamin
95321e15f2 Fix diff_asm.go.
We now have another non-OpenSSL perlasm file.

Change-Id: Id5ab606089f22a4cb4c7d29f2cf7d140b66861f7
Reviewed-on: https://boringssl-review.googlesource.com/14404
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-27 14:29:55 +00:00
David Benjamin
bbfe603519 Clean up end_of_early_data processing.
Remove another remnant of the SSL3_PROTOCOL_METHOD hook.

Change-Id: If6bf055e2ee318420e4c5c40b8eb5356eadda68c
Reviewed-on: https://boringssl-review.googlesource.com/14381
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2017-03-26 20:39:44 +00:00
David Benjamin
fc2d78dd1e Document server 0-RTT behavior.
BUG=76

Change-Id: I68bc1dce13af9155b385a7b589480aacf02ec0db
Reviewed-on: https://boringssl-review.googlesource.com/14380
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Steven Valdez <svaldez@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2017-03-26 20:39:31 +00:00
Steven Valdez
681eb6ac2d Adding support for receiving early data on the server.
BUG=76

Change-Id: Ie894ea5d327f88e66b234767de437dbe5c67c41d
Reviewed-on: https://boringssl-review.googlesource.com/12960
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-26 19:30:27 +00:00
David Benjamin
32c8927159 Add a test for missing end_of_early_data.
BUG=76

Change-Id: I43672ee82a50f8fe706a5d607ef774a6e96db252
Reviewed-on: https://boringssl-review.googlesource.com/14379
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-26 19:09:17 +00:00
David Benjamin
81a191dc4d Convert constant_time_test to GTest.
This ends up under half the size of the original file.

BUG=129

Change-Id: Idec69d9517bd57cee6b3b83bc0cce05396565b70
Reviewed-on: https://boringssl-review.googlesource.com/14305
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-03-26 19:04:07 +00:00