Commit Graph

2526 Commits

Author SHA1 Message Date
David Benjamin
e167976126 Make EVP_DigestVerifyFinal return only zero or one.
It was already almost there. Just a malloc failure away. now all the
EVP_Digest{Sign,Verify}* functions may be used without worrying about -1 return
values.

Change-Id: I96a9750b300010615979bd5f1522b1d241764665
Reviewed-on: https://boringssl-review.googlesource.com/2064
Reviewed-by: Adam Langley <agl@google.com>
2014-10-28 20:22:46 +00:00
Piotr Sikora
3b73c18fca Fix "integer constant is too large for 'long' type" errors.
Change-Id: I018cdc805e19284b057a57d04c9665f0a35ccc3b
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-on: https://boringssl-review.googlesource.com/2040
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 22:12:49 +00:00
Adam Langley
7571292eac Extended master secret support.
This change implements support for the extended master secret. See
https://tools.ietf.org/html/draft-ietf-tls-session-hash-01
https://secure-resumption.com/

Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93
Reviewed-on: https://boringssl-review.googlesource.com/1930
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 21:19:44 +00:00
David Benjamin
83fd6b686f Reimplement d2i_SSL_SESSION with CBS.
Do away with all those unreadable macros. Also fix many many memory leaks in
the SSL_SESSION reuse case. Add a number of helper functions in CBS to help
with parsing optional fields.

Change-Id: I2ce8fd0d5b060a1b56e7f99f7780997fabc5ce41
Reviewed-on: https://boringssl-review.googlesource.com/1998
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:26:41 +00:00
David Benjamin
fbe6f498cd The empty contents are not a valid ASN.1 INTEGER.
Zero is encoded as a single zero octet. Per X.690, 8.3.1:

  The encoding of an integer value shall be primitive. The contents octets
  shall consist of one or more octets.

Change-Id: If4304a2be5117b71446a3a62a2b8a6124f85a202
Reviewed-on: https://boringssl-review.googlesource.com/2010
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:26:11 +00:00
David Benjamin
b5b6854968 Add CBB_add_asn1_uint64.
Companion to CBS_get_asn1_uint64. Also add tests for both the parsing and the
serializing.

Change-Id: Ic5e9a0089c88b300f874712d0e9964cb35a8c40b
Reviewed-on: https://boringssl-review.googlesource.com/1999
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:25:52 +00:00
Adam Langley
4a674152fd Set the IV length for AES-ECB to zero.
This has been wrong since the initial rework of e_aes.c.

Change-Id: I91d92b643c151cd38a272a27f805e5f8ba6dc2df
Reviewed-on: https://boringssl-review.googlesource.com/1981
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 23:51:32 +00:00
David Benjamin
721e6e1500 Don't read past the end of the string in BUF_strndup.
BUF_strlcpy still assumes |src| is a NUL-terminated string and will call strlen
on it to determine the actual length. BUF_strndup's input need not be
NUL-terminated.

Change-Id: I9ca95e92533d12f1b0283412249bda4f8cf92433
Reviewed-on: https://boringssl-review.googlesource.com/1997
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 20:07:02 +00:00
David Benjamin
b698617007 Add CBS_peek_asn1_tag.
Intended to make parsing ASN.1 structures with OPTIONAL elements easier. (Just
attempting to parse the next tag doesn't distinguish between a malformed CBS
which has now been partially advanced and an optional tag mismatch.)

Change-Id: Idceb3dfd6ec028e87e1bc5aaddcec177b0c32150
Reviewed-on: https://boringssl-review.googlesource.com/1995
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:20:26 +00:00
David Benjamin
0248889950 Don't mix and match libraries and errors.
The same library code applies for both the error and the function, so modules
cannot easily report errors from each other. Switch evp/algorithm.c's error
codes to the EVP library. Remove the original error codes so it's obvious some
changes are needed.

- X509_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED -> EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
  ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED -> EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
  (Actually, the X509 version of this error code doesn't exist in OpenSSL. It should
   have been ASN1.)

- ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM -> EVP_R_UNKNOWN_SIGNATURE_ALGORITHM

- ASN1_R_WRONG_PUBLIC_KEY_TYPE -> EVP_R_WRONG_PUBLIC_KEY_TYPE

- ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM -> EVP_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM

Change-Id: I05b1a05b465d800c85f7d63ca74588edf40847b9
Reviewed-on: https://boringssl-review.googlesource.com/1940
Reviewed-by: Adam Langley <agl@google.com>
2014-10-13 22:56:28 +00:00
Adam Langley
7ea848165b Add generic OPERATION_NOT_SUPPORTED error code.
Implementations of ENGINEs often don't want to implement every function.
This change adds an error code for those situations.

Change-Id: Id6b7eace36d06ffad7f347f556d942d447d8a2fd
Reviewed-on: https://boringssl-review.googlesource.com/1920
Reviewed-by: Wan-Teh Chang <wtc@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 23:55:39 +00:00
David Benjamin
bc8d737807 Add tests for AlgorithmIdentifier support in EVP.
Change-Id: I6691c93cfebfb06132e847d7c0bd3dd6bf076cab
Reviewed-on: https://boringssl-review.googlesource.com/1917
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 22:07:32 +00:00
David Benjamin
8f160a680b Add EVP_DigestVerifyInitFromAlgorithm and EVP_DigestSignAlgorithm.
Factor the AlgorithmIdentifier portions of ASN1_item_sign and ASN1_item_verify
out. This makes it possible to initialize a signature context from an
AlgorithmIdentifier without needing the data parsed into an ASN1_ITEM/void*
pair and reserialized.

Change-Id: Idc2e06b1310a3f801aa25de323d39d2b7a44ef50
Reviewed-on: https://boringssl-review.googlesource.com/1916
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:52:52 +00:00
David Benjamin
2e1594dfb5 Remove #if-0'd ASN1_sign.
Verified that nothing uses it.

Change-Id: I1755144129e274f3d1680ddb8cb12273070eb078
Reviewed-on: https://boringssl-review.googlesource.com/1912
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:07:48 +00:00
David Benjamin
75a1dd0dbe Remove EVP_PKEY_CTX case in rsa_pss_to_ctx.
We only ever use the EVP_PKEY case, not the EVP_PKEY_CTX one.

Change-Id: Ibead854f793663da0a9e474599507d9c3ff920cb
Reviewed-on: https://boringssl-review.googlesource.com/1915
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:07:32 +00:00
David Benjamin
f4b4952719 Fix rsa_pss_to_ctx return value.
It should return 0 for failure, not -1; the call site was expecting 0 anyway.

Change-Id: I24ab5d3695b8ac438e40be1a4fd74ecd3b845f5a
Reviewed-on: https://boringssl-review.googlesource.com/1914
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:04:36 +00:00
David Benjamin
5db5d4e2b0 RSA_encrypt and RSA_sign_raw aren't the same.
Change-Id: Ie09ab12baf59b8c1d628396424ce6cadf43bf0e1
Reviewed-on: https://boringssl-review.googlesource.com/1913
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:04:07 +00:00
David Benjamin
a87941ad17 Remove misspelled error code.
One ASN1_R_UNKNOWN_FORMAT got mispelled into ASN1_R_UNKOWN_FORMAT and
duplicated.

Change-Id: If123ef848ffe68afa021f5f3e3fb08eac92c5f94
Reviewed-on: https://boringssl-review.googlesource.com/1911
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:03:42 +00:00
David Benjamin
b1659f597b Fix err_test.
ERR_FLAG_MALLOCED is now masked and isn't returned through
ERR_get_error_line_data.

Change-Id: Ida633bf1a5ca01f563c1323dbdfb2433c2ab5159
Reviewed-on: https://boringssl-review.googlesource.com/1910
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:03:11 +00:00
Adam Langley
57e52f2a63 Fix invariant broken in 5f1374e2.
If to_free is not a valid pointer then it should be NULL.

Change-Id: I6addb2b8e7aa61d3ba47baaf8d0606d10ff2545d
2014-10-06 19:30:44 -07:00
Adam Langley
5f1374e203 Retain ownership of malloced error data.
I misunderstood the OpenSSL semantics here. When receiving an error data
pointer via ERR_get_error_line_data and friends, although the error is
cleared, OpenSSL retains ownership of the data pointer. It's kept in the
cleared error until another error overrides it, or the whole error queue
is cleared.

It's pretty odd to have live pointers in empty errors so this change
allows an error queue to retain one data pointer. Thus the pointer
returned from ERR_get_error_line_data is valid until the next call to
ERR_get_error_line_data, or until the queue is freed.

From reviewing uses of the API, this is sufficient for all of them.

Change-Id: I73cb8e9c792452ae3c1a934ac8bbe8b5353b65b2
Reviewed-on: https://boringssl-review.googlesource.com/1880
Reviewed-by: Adam Langley <agl@google.com>
2014-10-07 01:38:05 +00:00
David Benjamin
bce495c9f3 Fix a_{digest,verify}.c error codepaths.
Not that these functions can actually fail. The only codepaths that do so are
user errors.

Change-Id: I9fcbd402ab6574b5423ae22b462a0e1192ef01d7
Reviewed-on: https://boringssl-review.googlesource.com/1900
Reviewed-by: Adam Langley <agl@google.com>
2014-10-06 23:50:31 +00:00
Adam Langley
51fcd87102 Fix NaCl build.
NaCl defines _POSIX_C_SOURCE on the command line for some reason, thus
we have to be defensive about defining it.

Change-Id: Icbc8afcb1ac0e0ca23b788b11ea911c3f55a8b7f
Reviewed-on: https://boringssl-review.googlesource.com/1891
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-02 22:45:22 +00:00
Adam Langley
ad912f348b Use _POSIX_C_SOURCE not _BSD_SOURCE.
_BSD_SOURCE has been deprecated (see bug). The manpage for printf
suggests that any _POSIX_C_SOURCE >= 200112L is also sufficient to bring
in the needed declarations and the bug reporter confirms that it's
sufficient for him.

https://code.google.com/p/chromium/issues/detail?id=419859

Change-Id: Ifc053f11c5aa1df35aae8e952d2c73a7f4599ec2
Reviewed-on: https://boringssl-review.googlesource.com/1890
Reviewed-by: Adam Langley <agl@google.com>
2014-10-02 21:35:33 +00:00
Ben Laurie
176b70efd1 Silence warnings about unused values.
Change-Id: Iabfb85d90554b25e0a545a8ef3a3e9a607770132
Reviewed-on: https://boringssl-review.googlesource.com/1850
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 17:27:08 +00:00
David Benjamin
b99106a7a5 Fix bio_test on Windows.
Winsock needs to be initialized. Also, perror doesn't do anything
useful and read/recv aren't interchangeable.

Change-Id: Ic9dfd6907b7b0d396eafe72072a29d027b66bc0c
Reviewed-on: https://boringssl-review.googlesource.com/1871
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 17:24:22 +00:00
David Benjamin
66a3531237 Fix BIO_printf on Windows.
vsnprintf returns -1 on Windows on truncation, not the needed
size.

Change-Id: I0a9f32504127b2fb740244c3b59132e201d14234
Reviewed-on: https://boringssl-review.googlesource.com/1870
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 17:22:56 +00:00
David Benjamin
fb3ff2c66c Don't compare signed vs. unsigned.
This resolves a pile of MSVC warnings in Chromium.

Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803
Reviewed-on: https://boringssl-review.googlesource.com/1865
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:17:38 +00:00
David Benjamin
5e77bd449e Use OPENSSL_64_BIT in rc4.c.
This avoids unnecessary differences between LP64 and LLP64. Also
MSVC throws overflow warnings in the big-endian 64-bit codepath,
so use the preprocessor.

Change-Id: I74cef2d631d39f282177e043ed24bc6ecbbcb8fd
Reviewed-on: https://boringssl-review.googlesource.com/1860
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:06:31 +00:00
David Benjamin
04284b8952 Account for Windows and UNIX socket API differences.
close is closesocket. Also some of the headers are different
and inet_aton should be inet_pton.

Change-Id: I9eee0880d91833bdd3bcf0f2a352923c9fb1a891
Reviewed-on: https://boringssl-review.googlesource.com/1864
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:05:43 +00:00
David Benjamin
357fd0a878 Remove meth_num in ex_data_impl.c.
It's unnecessary and Windows was unhappy about the signed/unsigned
comparisons.

Change-Id: If2c4a20de48a2cddb0a4e0ca01e84eef91b155db
Reviewed-on: https://boringssl-review.googlesource.com/1863
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:04:51 +00:00
David Benjamin
775b75f9de Fix Windows shared library build.
Windows is much pickier about dllimport/dllexport. Declare it on
the declaration, not the definition. Also ensure that the declaration
precedes the definition. Finally, remove a stray OPENSSL_EXPORT.

Change-Id: Id50b9de5acbe5adf1b15b22dd60b7a5c13a80cce
Reviewed-on: https://boringssl-review.googlesource.com/1862
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:01:53 +00:00
David Benjamin
de211dbd7b Don't use ssize_t in base64_test.c.
Windows doesn't have it, and it should have been size_t anyway.

Change-Id: I901b8d78182576eaa52384d3ffef4810ff48cf7b
Reviewed-on: https://boringssl-review.googlesource.com/1861
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 01:07:28 +00:00
Ben Laurie
6a3ecf37da _POSIX_C_SOURCE needs to be set to a date, at least on FreeBSD.
Change-Id: I4020bb6ecd3d7ed745cdba89e50536eafab1f1ee
Reviewed-on: https://boringssl-review.googlesource.com/1851
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 19:15:39 +00:00
Adam Langley
ddb300306d Don't include strings.h because of Windows.
This is a follow on to dab64ff9be.

Change-Id: I01644f058030c0fac3f636871cc55a082edf51f1
2014-09-29 17:57:38 -07:00
Adam Langley
dab64ff9be Use OPENSSL_strcasecmp.
Windows doesn't provide strcasecmp and I forgot to use the wrapper
function in 704453fa9c.

Change-Id: I291387d1f73328977fc9e0ba7c3b23eede9bc368
2014-09-29 10:23:48 -07:00
Adam Langley
704453fa9c Add deprecated functions for tcpdump.
This reduces the delta for getting Android to compile and avoids having
Android carry around diffs to upstream versions of tcpdump.

Change-Id: I7f4cbb22b7a0f246bbebe960ca2139f0f42e14a0
Reviewed-on: https://boringssl-review.googlesource.com/1830
Reviewed-by: Adam Langley <agl@google.com>
2014-09-26 22:10:45 +00:00
Adam Langley
e7fa75b74f Remove use of GOTPCREL in asm.
Now that symbol visibility is done correctly, this shouldn't be needed.

Change-Id: I608beed1de63c1309358ff17dd28e3191e87dbd4
Reviewed-on: https://boringssl-review.googlesource.com/1810
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-09-26 22:07:45 +00:00
Adam Langley
5127db3b4d Provide compatibility functions for PKCS#12 parsing.
In order to minimise the upstream diffs needed for bits of Android to
build with BoringSSL, this change implements the old style PKCS#12
functions as wrappers around the modern parser.

The function to read all the contents of a BIO could almost be a utility
function but I'll wait until there are two uses for it first.

The important change from the original functions is that these will
always read the complete buffer/BIO/FILE passed in. Based on a survey of
uses of d2i_PKCS12 that I found, this appears to be universally what
callers want anyway.

Change-Id: I3f5b84e710b161d975f91f4d16c83d44371368d1
Reviewed-on: https://boringssl-review.googlesource.com/1791
Reviewed-by: Adam Langley <agl@google.com>
2014-09-20 00:10:03 +00:00
Adam Langley
588d2528d1 Don't try to setup CPUID if NO_ASM.
Change-Id: Idec1cda87b0a58e9350d0e10c3251a2c47ac1929
Reviewed-on: https://boringssl-review.googlesource.com/1790
Reviewed-by: Adam Langley <agl@google.com>
2014-09-20 00:09:57 +00:00
Adam Langley
bed8ce78f0 Add misc functions for easier porting.
Android requested that the wpa_supplicant go upstream. This change adds
some dummy functions and reinstates DSA_dup_DH in order to make the diff
smaller and easier for upstream.

Change-Id: I77ac271b8652bae5a0bbe16afde51d9096f3dfb5
Reviewed-on: https://boringssl-review.googlesource.com/1740
Reviewed-by: Adam Langley <agl@google.com>
2014-09-18 22:38:11 +00:00
David Benjamin
a70c75cfc0 Add a CRYPTO_library_init and static-initializer-less build option.
Chromium does not like static initializers, and the CPU logic uses one to
initialize CPU bits. However, the crypto library lacks an explicit
initialization function, which could complicate (no compile-time errors)
porting existing code which uses crypto/, but not ssl/.

Add an explicit CRYPTO_library_init function, but make it a no-op by default.
It only does anything (and is required) if building with
BORINGSSL_NO_STATIC_INITIALIZER.

Change-Id: I6933bdc3447fb382b1f87c788e5b8142d6f3fe39
Reviewed-on: https://boringssl-review.googlesource.com/1770
Reviewed-by: Adam Langley <agl@google.com>
2014-09-12 00:10:53 +00:00
David Benjamin
1195796045 Ensure x86_64 perlasm output ends with a newline.
Appease the Mac build.

Change-Id: I8b93906d8c7059fd63da9622fd530cc82bd05f7c
Reviewed-on: https://boringssl-review.googlesource.com/1760
Reviewed-by: Adam Langley <agl@google.com>
2014-09-10 23:02:58 +00:00
Adam Langley
60d612fdcf Fix ARM build with OPENSSL_NO_ASM.
Change-Id: Id77fb7c904cbfe8172466dff20b6a715d90b806c
Reviewed-on: https://boringssl-review.googlesource.com/1710
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-09-03 19:23:25 +00:00
David Benjamin
8a5825e4c7 Don't export obj_dat.h.
This isn't a header file that makes sense to export; any compilation unit which
includes it will gain a bunch of static arrays.

Change-Id: Ic698b74bdf758506a53d4eba19ab8b0f49a11ef7
Reviewed-on: https://boringssl-review.googlesource.com/1692
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 22:41:28 +00:00
Adam Langley
b2cb0ece76 Fix minor issues found by Clang's analysis.
Thanks to Denis Denisov for running the analysis.

Change-Id: I80810261e013423e746fd8d8afefb3581cffccc0
Reviewed-on: https://boringssl-review.googlesource.com/1701
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 22:39:41 +00:00
David Benjamin
9b04d657be Export CBS_get_any_asn1_element.
Useful for parsing things when you don't know what tag to expect (e.g. a
CHOICE). Also allow its operands to be NULL, so that it can be used to skip
arbitrary elements.

Delete CBS_ASN1_ANY which wasn't doing anything.

Change-Id: I56413e68b4f2e13860ea3e55373d5830713d7e5c
Reviewed-on: https://boringssl-review.googlesource.com/1661
Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 00:45:30 +00:00
David Benjamin
457112e197 unifdef a bunch of OPENSSL_NO_* ifdefs.
Get all this stuff out of the way.

- OPENSSL_NO_MD5
- OPENSSL_NO_SHA
- OPENSSL_NO_EC
- OPENSSL_NO_ECDSA
- OPENSSL_NO_ECDH
- OPENSSL_NO_NEXTPROTONEG
- OPENSSL_NO_DH
- OPENSSL_NO_SSL3
- OPENSSL_NO_RC4
- OPENSSL_NO_RSA

Also manually removed a couple instances of OPENSSL_NO_DSA that seemed to be
confused anyway. Did some minor manual cleanup. (Removed a few now-pointless
'if (0)'s.)

Change-Id: Id540ba97ee22ff2309ab20ceb24c7eabe766d4c4
Reviewed-on: https://boringssl-review.googlesource.com/1662
Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 00:41:34 +00:00
Adam Langley
1f3591d4c7 Export CBS_asn1_ber_to_der.
We don't really want to expose this but the bytestring test calls this
function directly and, when linked against a shared library, thus needs
it to be in the dynamic symbol table.

Change-Id: Ife01da36fe142026a6a3e545cff746512b966ee6
2014-08-27 12:36:59 -07:00
Adam Langley
98ad22ec7a Fix "integer constant is too large for 'long' type" errors.
(Based on Piotr Sikora's change:
https://boringssl-review.googlesource.com/#/c/1361)

Change-Id: I7b62b81f4e4ef3064eee1b39334dc2e50d17f163
Reviewed-on: https://boringssl-review.googlesource.com/1641
Reviewed-by: Adam Langley <agl@google.com>
2014-08-26 22:07:14 +00:00
Adam Langley
58f90951eb Remove hack in parsing PKCS#12.
This change removes the previous OpenSSL/NSS hack in PKCS#12 parsing and
limits the hacks purely to the BER->DER conversion function, where they
belong.

PKCS#7 and #12 switch between implicit and explicit tags in different
places and sometimes only implicitly define that they are using implicit
tags. This change fixes a previous confusion where an implicit tag was
thought to be explicit.

Change-Id: Ib68c78cf2a1bfcbf90a296cb98313ab86ed2a1f3
Reviewed-on: https://boringssl-review.googlesource.com/1640
Reviewed-by: Adam Langley <agl@google.com>
2014-08-26 22:07:02 +00:00
Adam Langley
0eb1aae207 Readd EC_GROUP_get_curve_GFp.
wpa_supplicant needs this in order to get the order of the coordinate
field, apparently so that they can hash to a point.

Change-Id: I92d5df7b37b67ace5f497c25f53f16bbe134aced
Reviewed-on: https://boringssl-review.googlesource.com/1622
Reviewed-by: Adam Langley <agl@google.com>
2014-08-26 21:52:12 +00:00
Adam Langley
539112fd44 Readd EVP_CIPHER_CTX_set_key_length.
This only applies to RC4, but it is still used by some Android code.

Change-Id: I4cf86269ffb7a230576da1bb2bfef7e1d4f234d6
Reviewed-on: https://boringssl-review.googlesource.com/1621
Reviewed-by: Adam Langley <agl@google.com>
2014-08-26 21:52:01 +00:00
Adam Langley
c9eb7eac86 Readd MD4.
Sadly this is needed by wpa_supplicant for NTLM hashes.

Change-Id: I1c362c676a11ee01f301ff6fbd33d0669396ea23
Reviewed-on: https://boringssl-review.googlesource.com/1620
Reviewed-by: Adam Langley <agl@google.com>
2014-08-26 21:51:48 +00:00
David Benjamin
d698f322b5 Introduce EVP_DecodeBase64.
This fixes several of the problems with the old API.
- Padding was completely ignored.
- ='s in the middle of the input were accepted.
- It tries to be helpful and strips leading/trailing whitespace.

Change-Id: I99b9d5e6583f7eaf9bf0b6ee9ca39799811b58dc
Reviewed-on: https://boringssl-review.googlesource.com/1602
Reviewed-by: Adam Langley <agl@google.com>
2014-08-25 23:00:28 +00:00
Adam Langley
8e16b6e658 Add PKCS#12 parser.
This is cleaner than the OpenSSL code was, at least, but it's hardly
beautiful due to the "standard" that it's trying to implement. (See
[1].)

The references from the PKCS#8 code to various ciphers have digests have
been made into function pointer references rather than NIDs so that the
linker will be able to drop RC2 code for binaries that don't call PKCS#8
or #12 functions.

A bug that crashed OpenSSL/BoringSSL when parsing a malformed PKCS#8
structure has been fixed too.

See https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html

Change-Id: Iaa1039e04ed7877b90792835e8ce3ebc3b29f89e
Reviewed-on: https://boringssl-review.googlesource.com/1592
Reviewed-by: Adam Langley <agl@google.com>
2014-08-25 21:47:02 +00:00
Adam Langley
9c01e00c2e Rework support for ASN.1 BER.
Previously, the ASN.1 functions in bytestring were capable of processing
indefinite length elements when the _ber functions were used. That works
well enough for PKCS#3, but NSS goes a bit crazy with BER encoding and
PKCS#12. Rather than complicate the core bytestring functions further,
the BER support is removed from them and moved to a separate function
that converts from BER to DER (if needed).

Change-Id: I2212b28e99bab9fab8c61f80d2012d3e5a3cc2f0
Reviewed-on: https://boringssl-review.googlesource.com/1591
Reviewed-by: Adam Langley <agl@google.com>
2014-08-25 21:38:08 +00:00
Adam Langley
cc8fcf45bb Add 40-bit RC2 support.
As useless as it might seem, the certificates in PKCS#12 files appear to
always be encrypted with 40-bit RC2. OpenSSL, NSS and Windows are all
the same on this point. Thus, in order to be able to import PKCS#12
files we need RC2 support.

RC2 has deliberately not been added to EVP_get_cipherbynid so that the
linker can drop the RC2 code unless the PKCS#12 functions are actually
called.

Change-Id: I5b2062fdf78cb622a8038c326da01aac8fb58962
Reviewed-on: https://boringssl-review.googlesource.com/1590
Reviewed-by: Adam Langley <agl@google.com>
2014-08-25 21:37:20 +00:00
David Benjamin
c44d2f4cb8 Convert all zero-argument functions to '(void)'
Otherwise, in C, it becomes a K&R function declaration which doesn't actually
type-check the number of arguments.

Change-Id: I0731a9fefca46fb1c266bfb1c33d464cf451a22e
Reviewed-on: https://boringssl-review.googlesource.com/1582
Reviewed-by: Adam Langley <agl@google.com>
2014-08-21 01:06:07 +00:00
David Benjamin
5213df4e9e Prefer AES-GCM when hardware support is available.
BUG=396787

Change-Id: I72ddb0ec3c71dbc70054403163930cbbde4b6009
Reviewed-on: https://boringssl-review.googlesource.com/1581
Reviewed-by: Adam Langley <agl@google.com>
2014-08-20 20:53:31 +00:00
Adam Langley
66c249ce91 Remove some dead code.
This change removes the old ASN.1 functions (ASN1_seq_unpack and
ASN1_seq_pack) which have always been disabled in BoringSSL.

It also removes code enabled by OPENSSL_EXPORT_VAR_AS_FUNCTION, which
we have never used.

Change-Id: I1fe323abf945a8a5828a04cc195c072e100a5095
Reviewed-on: https://boringssl-review.googlesource.com/1556
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-19 19:00:49 +00:00
Adam Langley
6bc658d2e3 Split off private_transform function in RSA.
This change extracts two, common parts of RSA_decrypt and RSA_sign into
a function called |private_transform|. It also allows this to be
overridden in a method, which is convenient for opaque keys that only
expose the raw RSA transform as it means that the padding code from
BoringSSL can be easily reimplemented.

One significant change here is that short RSA ciphertexts will no longer
be accepted. I think this is correct and OpenSSL has a comment about PGP
mistakenly stripping leading zeros. However, these is the possibility
that it could break something.

Change-Id: I258c5cbbf21314cc9b6e8d2a2b898fd9a440cd40
Reviewed-on: https://boringssl-review.googlesource.com/1554
Reviewed-by: Adam Langley <agl@google.com>
2014-08-19 18:37:28 +00:00
Yoshisato Yanagisawa
b7725cf3ec Include Windows.h in some source files.
https://code.google.com/p/chromium/issues/detail?id=399172#c3

Change-Id: Ie5447f0d6901d802698eabadf3bd5d42d75f588d
2014-08-18 11:39:09 -07:00
David Benjamin
6f2600199c Mark all SSL_CIPHERs as const.
This lets us put the SSL_CIPHER table in the data section. For type-checking,
make STACK_OF(SSL_CIPHER) cast everything to const SSL_CIPHER*.

Note that this will require some changes in consumers which weren't using a
const SSL_CIPHER *.

Change-Id: Iff734ac0e36f9e5c4a0f3c8411c7f727b820469c
Reviewed-on: https://boringssl-review.googlesource.com/1541
Reviewed-by: Adam Langley <agl@google.com>
2014-08-18 17:55:05 +00:00
David Benjamin
c10dde465e Only allow indefinite lengths for constructed types.
Equivalent of e532f823d6 for CBS.

Change-Id: I5c31f589db119115c78da3f0d592d71254836f89
Reviewed-on: https://boringssl-review.googlesource.com/1508
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 16:54:56 +00:00
Adam Langley
b8b5478248 Expose two, rather internal, BIGNUM functions.
Android uses these for some conversions from Java formats. The code is
sufficiently bespoke that putting the conversion functions into
BoringSSL doesn't make a lot of sense, but the alternative is to expose
these ones.

Change-Id: If1362bc4a5c44cba4023c909e2ba6488ae019ddb
2014-08-14 09:42:45 -07:00
Adam Langley
660140206e Add EVP_EncodedLength.
Several callers of EVP_EncodeBlock are doing ad-hoc versions of this
function without any overflow checks.

Change-Id: I4d0cad2347ea8c44b42465e8b14b2783db69ee8f
Reviewed-on: https://boringssl-review.googlesource.com/1511
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 16:37:22 +00:00
Adam Langley
e2c4d26214 Recover BIO_number_{read|written}.
Android needs it. These functions were removed in the move to BoringSSL.

Change-Id: Ice24a0a1c390930cf07dbd00f72a3e12e6c241f9
Reviewed-on: https://boringssl-review.googlesource.com/1510
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-14 16:37:05 +00:00
David Benjamin
98e882ead1 Clean up s23_srvr.c.
ssl23_get_client_hello has lots of remnants of SSLv2 support and remnants of an
even older SSL_OP_NON_EXPORT_FIRST option (see upstream's
d92f0bb6e9ed94ac0c3aa0c939f2565f2ed95935) which complicates the logic.

Split it into three states and move V2ClientHello parsing into its own
function. Port it to CBS and CBB to give bounds checks on the V2ClientHello
parse.

This fixes a minor bug where, if the SSL_accept call in ssl23_get_client_hello
failed, cb would not be NULL'd and SSL_CB_ACCEPT_LOOP would get reported an
extra time.

It also unbreaks the invariant between s->packet, s->packet_length,
s->s3->rbuf.buf, and s->s3->rbuf.offset at the point the switch, although this
was of no consequence because the first ssl3_read_n call passes extend = 0
which resets s->packet and s->packet_length.

It also makes us tolerant to major version bumps in the ClientHello. Add tests
for TLS tolerance of both minor and major version bumps as well as the HTTP
request error codes.

Change-Id: I948337f4dc483f4ebe1742d3eba53b045b260257
Reviewed-on: https://boringssl-review.googlesource.com/1455
Reviewed-by: Adam Langley <agl@google.com>
2014-08-12 21:10:56 +00:00
Adam Langley
f476d30deb Fix err_test.
I forgot to commit before landing the last change and still had this
outstanding in my client.

Change-Id: Ie1f533e671be130f738d562b129b5151b7be9c1e
2014-08-11 16:58:33 -07:00
Adam Langley
03d31ed3e4 Add ERR_remove_thread_state (for Android).
Change-Id: I908d207ccd3d529ec09c687effc2aeb4631127d9
Reviewed-on: https://boringssl-review.googlesource.com/1470
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 23:55:44 +00:00
Adam Langley
ded93581f1 Windows build fixes.
Windows doesn't have ssize_t, sadly. There's SSIZE_T, but defining an
OPENSSL_SSIZE_T seems worse than just using an int.

Change-Id: I09bb5aa03f96da78b619e551f92ed52ce24d9f3f
Reviewed-on: https://boringssl-review.googlesource.com/1352
Reviewed-by: Adam Langley <agl@google.com>
2014-08-11 22:10:02 +00:00
Adam Langley
2cd63877b5 Use unified ARM assembly.
Clang's integrated as accepts unified ARM syntax only. This change
updates the GHASH ARM asm to use that syntax and thus be compatible.

Patch from Nico Weber.

https://code.google.com/p/chromium/issues/detail?id=124610

Change-Id: Ie6f3de4e37286f0af39196fad33905f7dee7402e
2014-08-08 16:52:36 -07:00
Emilia Kasper
0dccfbc6c7 Fix OID handling.
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing
  function.

CVE-2014-3508

(Imported from upstream's c01618dd822cc724c05eeb52455874ad068ec6a5)

Change-Id: I12bdeeaa700183195e4c2f474f964f8ae7a04549
Reviewed-on: https://boringssl-review.googlesource.com/1440
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 21:09:47 +00:00
Adam Langley
eeb9f491e8 Add PKCS7_bundle_certificates.
This function serialises a PKCS#7 structure containing a number of
certificates.

Change-Id: Iaf15887e1060d5d201d5a3dd3dca8d51105ee6d6
Reviewed-on: https://boringssl-review.googlesource.com/1431
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 18:12:25 +00:00
Adam Langley
8e89e64554 bytestring: fix ASN.1 data longer than 127 bytes.
When shifting data because extra ASN.1 length bytes were needed, the
data was moved from the start of the ASN.1 length, not the start of the
ASN.1 data.

Change-Id: Ib13d5e4e878774df2af0505c0297eff6cf781728
Reviewed-on: https://boringssl-review.googlesource.com/1430
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 18:09:01 +00:00
David Benjamin
150c617cfc Add X509_up_ref and use it internally.
Avoid needing to manually increment the reference count and using the right
lock, both here and in Chromium.

Change-Id: If116ebc224cfb1c4711f7e2c06f1fd2c97af21dd
Reviewed-on: https://boringssl-review.googlesource.com/1415
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 00:06:34 +00:00
David Benjamin
e6e15fc3a1 Use EVP_PKEY_dup instead of manually incrementing the refcount.
Reference counting should be internal to the type, otherwise callers need to
know which lock to use.

Change-Id: If4d805876a321ef6dece115c805e605584ff311e
Reviewed-on: https://boringssl-review.googlesource.com/1414
Reviewed-by: Adam Langley <agl@google.com>
2014-08-07 00:03:56 +00:00
David Benjamin
bf681a40d6 Fix out-of-bounds read in BN_mod_exp_mont_consttime.
bn_get_bits5 always reads two bytes, even when it doesn't need to. For some
sizes of |p|, this can result in reading just past the edge of the array.
Unroll the first iteration of the loop and avoid reading out of bounds.

Replace bn_get_bits5 altogether in C as it's not doing anything interesting.

Change-Id: Ibcc8cea7d9c644a2639445396455da47fe869a5c
Reviewed-on: https://boringssl-review.googlesource.com/1393
Reviewed-by: Adam Langley <agl@google.com>
2014-08-06 00:11:47 +00:00
Adam Langley
993fde5162 Simplify ec_GFp_simple_points_make_affine.
Replace the tree-like structure by a linear approach, with fewer special
cases to handle value 0.

(Imported from upstream's d5213519c0ed87c71136084e7e843a4125ecc024.)

Change-Id: Icdd4815066bdbab0d2c0020db6a8cacc49b3d82a
Reviewed-on: https://boringssl-review.googlesource.com/1400
Reviewed-by: Adam Langley <agl@google.com>
2014-08-05 21:22:38 +00:00
David Benjamin
dd1c246f7f Fix C99-ism in bio_test.c.
Change-Id: I7cd91d79f3a014de367976318c860914dd4c2f49
Reviewed-on: https://boringssl-review.googlesource.com/1392
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 22:34:50 +00:00
David Benjamin
aa4efe7669 Fix BIO_printf crash on Mac.
A single va_list may not be used twice. Nothing calls BIO_vprintf and it just
(v)snprintfs into a buffer anyway, so remove it. If it's actually needed, we
can fiddle with va_copy and the lack of it in C89 later, but anything that
actually cares can just assemble the output externally.

Add a test in bio_test.c.

BUG=399546

Change-Id: Ia40a68b31cb5984d817e9c55351f49d9d6c964c1
Reviewed-on: https://boringssl-review.googlesource.com/1391
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 21:11:21 +00:00
Alex Chernyakhovsky
a59fbb0edd Correct endif comment in md32_common.h
PEDANTIC was not closed, but rather the compiler being used.

Change-Id: I743118f1481adddcd163406be72926fff6c87338
Reviewed-on: https://boringssl-review.googlesource.com/1388
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 20:28:25 +00:00
Alex Chernyakhovsky
cbd056cd55 Remove OPENSSL_NO_CHAIN_VERIFY
Change-Id: Iaff2a1b4c394aa0d3d5a33cb75cf4f165d3c2abc
Reviewed-on: https://boringssl-review.googlesource.com/1387
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 19:22:26 +00:00
Alex Chernyakhovsky
dd11a10e30 Remove remnants of OPENSSL_FIPS
OPENSSL_FIPS was removed in 64f4c91b89,
but these definitions in crypto/pem remained.

Change-Id: Ia85dd3fd7161f0b33b471b17643767b2b33fdda6
Reviewed-on: https://boringssl-review.googlesource.com/1381
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 19:20:04 +00:00
David Benjamin
8cc0b24cdd Spell Bleichenbacher's name right.
Change-Id: I2096f760165f7aaa9b5d922a2e6d4d755365087b
Reviewed-on: https://boringssl-review.googlesource.com/1372
Reviewed-by: Adam Langley <agl@google.com>
2014-08-04 18:53:41 +00:00
David Benjamin
e216d6bb9f Add PKCS8_{decrypt,encrypt}_pbe.
The original functions do an ascii_to_ucs2 transformation on the password.
Deprecate them in favor of making that encoding the caller's problem.
ascii_to_ucs2 doesn't handle, say, UTF-8 anyway. And with the original OpenSSL
function, some ciphers would do the transformation, and some wouldn't making
the text-string/bytes-string confusion even messier.

BUG=399121

Change-Id: I7d1cea20a260f21eec2e8ffb7cd6be239fe92873
Reviewed-on: https://boringssl-review.googlesource.com/1347
Reviewed-by: Adam Langley <agl@google.com>
2014-08-01 17:17:36 +00:00
Adam Langley
cf052cf732 Fix build for PNaCl.
PNaCl builds BoringSSL with OPENSSL_NO_ASM, but the new OPENSSL_cleanse
was using inline assembly anyway. It appears that even though the inline
asm was empty, it still breaks the PNaCl build:

disallowed: inline assembly: call void asm sideeffect "", "r,~{memory}"(i8* %.asptr319), !dbg !96986

With this change, we don't have any compiler scarecrows for
OPENSSL_cleanse any longer when using OPENSSL_NO_ASM :( Maybe, one day,
we'll get memset_s in our base platform.

Change-Id: Ia359f6bcc2000be18a6f15de10fc683452151741
Reviewed-on: https://boringssl-review.googlesource.com/1353
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-08-01 17:17:21 +00:00
Adam Langley
581a17f5c8 Fix typo from eb7d2ed1.
The RC4_set_key was calling itself rather than the asm function that it
should be calling.

Change-Id: Idfc730c8a651540961e05bc8c8f663a44713f680
2014-07-31 19:24:57 -07:00
Adam Langley
31ebde9e5e Add a control to disable the Poly1305 NEON code.
Some phones have a buggy NEON unit and the Poly1305 NEON code fails on
them, even though other NEON code appears to work fine.

This change:

1) Fixes a bug where NEON was assumed even when the code wasn't compiled
   in NEON mode.

2) Adds a second NEON control bit that can be disabled in order to run
   NEON code, but not the Poly1305 NEON code.

https://code.google.com/p/chromium/issues/detail?id=341598

Change-Id: Icb121bf8dba47c7a46c7667f676ff7a4bc973625
Reviewed-on: https://boringssl-review.googlesource.com/1351
Reviewed-by: Adam Langley <agl@google.com>
2014-07-31 22:42:15 +00:00
Adam Langley
eb7d2ed1fe Add visibility rules.
This change marks public symbols as dynamically exported. This means
that it becomes viable to build a shared library of libcrypto and libssl
with -fvisibility=hidden.

On Windows, one not only needs to mark functions for export in a
component, but also for import when using them from a different
component. Because of this we have to build with
|BORINGSSL_IMPLEMENTATION| defined when building the code. Other
components, when including our headers, won't have that defined and then
the |OPENSSL_EXPORT| tag becomes an import tag instead. See the #defines
in base.h

In the asm code, symbols are now hidden by default and those that need
to be exported are wrapped by a C function.

In order to support Chromium, a couple of libssl functions were moved to
ssl.h from ssl_locl.h: ssl_get_new_session and ssl_update_cache.

Change-Id: Ib4b76e2f1983ee066e7806c24721e8626d08a261
Reviewed-on: https://boringssl-review.googlesource.com/1350
Reviewed-by: Adam Langley <agl@google.com>
2014-07-31 22:03:11 +00:00
Piotr Sikora
60d4c0e810 Fix "type qualifiers ignored on function return type" errors.
Change-Id: If0dbbadb33a073b4faee500fdff900a5094ec889
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-on: https://boringssl-review.googlesource.com/1362
Reviewed-by: Adam Langley <agl@google.com>
2014-07-31 18:56:34 +00:00
Adam Langley
ad1907fe73 Use asm directives to protect OPENSSL_cleanse.
Compilers have a bad habit of removing "superfluous" memset calls that
are trying to zero memory. For example, when memset()ing a buffer and
then free()ing it, the compiler might decide that the memset is
unobservable and thus can be removed.

Previously we tried to stop this by a) implementing memset in assembly
on x86 and b) putting the function in its own file for other platforms.

This change removes those tricks in favour of using asm directives to
scare the compiler away. As best as our compiler folks can tell, this is
sufficient and will continue to be so.

Change-Id: I40e0a62c3043038bafd8c63a91814a75a3c59269
Reviewed-on: https://boringssl-review.googlesource.com/1339
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-31 18:49:22 +00:00
Adam Langley
22bb031c43 Don't mark AES_set_{en|de}crypt_key arg as const.
Windows complains when the declaration of a function doesn't match the
definition. In this case, the |bits| argument (not a pointer, just an
unsigned) was marked as const in the definition only.

Normally const isn't used for non-pointer arguments so I've removed it
in this case to make Windows compile.

https://code.google.com/p/chromium/issues/detail?id=398960

Change-Id: If7386cf61f9dfbf6b32bfada1a49d5742fe94396
Reviewed-on: https://boringssl-review.googlesource.com/1338
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 18:19:02 +00:00
Adam Langley
a3d21e2101 Fix copy in AES-KW.
The AES-KW code from 93a3dcd572 would
write 8 bytes past the end of the out buffer.

https://code.google.com/p/chromium/issues/detail?id=398699

Change-Id: I6e1a2884790f69cdbefb59ed60d71459b7327b89
2014-07-29 19:44:50 -07:00
David Benjamin
7bbeead507 A bunch of dead assignments.
Caught by clang scan-build.

Change-Id: I4f10c879dc137d4a14a7a395764d28e5caa033ff
Reviewed-on: https://boringssl-review.googlesource.com/1342
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:44:03 +00:00
David Benjamin
61b66ffcc2 Fix error-handling bugs.
Caught by clang scan-build.

Change-Id: I133d0338fe38172d687c02099d909366a59ee95b
Reviewed-on: https://boringssl-review.googlesource.com/1343
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:34:55 +00:00
David Benjamin
b70da6a246 Fix mis-sized allocation in x509_vpm.c
Caught by clang scan-build. (The allocation was larger than it should have
been.)

Change-Id: Ideb800118f65aaba1ee85b7611c8a705671025a8
Reviewed-on: https://boringssl-review.googlesource.com/1340
Reviewed-by: Adam Langley <agl@google.com>
2014-07-30 00:33:49 +00:00
Adam Langley
5129e2d695 Align EVP return values with BoringSSL convention.
Where possible, functions should return one for success and zero for
error. The use of additional negative values to indicate an error is,
itself, error prone.

This change fixes many EVP functions to remove the possibility of
negative return values. Existing code that is testing for <= 0 will
continue to function, although there is the possibility that some code
was differentiating between negative values (error) and zero (invalid
signature) for the verify functions and will now show the wrong error
message.

Change-Id: I982512596bb18a82df65861394dbd7487783bd3d
Reviewed-on: https://boringssl-review.googlesource.com/1333
Reviewed-by: Adam Langley <agl@google.com>
2014-07-29 21:47:51 +00:00
Adam Langley
d82d79dffe "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

(Imported from upstream's 4ccc2c19e299741c8e0a8678a13f40e032709e9c)

Change-Id: Id6f5181ea99401145d7b3c4074b292cae8a1c660
2014-07-28 17:05:14 -07:00
Adam Langley
4b5979b3fa x86_64 assembly pack: improve masm support.
(Imported from upstream's 371feee876dd8b58531cb6e50fe79262db8e4ed7)

Change-Id: Id3b5ece6b5e5f0565060d5e598ea265d64dac9df
2014-07-28 17:05:13 -07:00
Adam Langley
c82087b31f Prevent infinite loop loading config files.
PR#2985

(Imported from upstream's 2cb761c1f4e0155743f4414932b5cff167389cf4)

Change-Id: I3e4f3c0c558dd2e1cc5ed2df1651834018627342
2014-07-28 17:05:13 -07:00
Adam Langley
43dca4d8bb fix x86_64-specific crash with one-word modulus.
PR: #3397

(Imported from upstream's 47b9e06cfd3a4fa89a690309e5839ed57e93f0f8)

Change-Id: I92d46a3132233c179f4b708d506bfb7212c26a33
2014-07-28 17:05:13 -07:00
Adam Langley
e532f823d6 ASN1 sanity check.
Primitive encodings shouldn't use indefinite length constructed form.

PR#2438 (partial).

(Imported from upstream's 9223a31eb72dc46085ce97736c119c541973511e)

Change-Id: I832d0bcda491c03c799b7b70184a1a3ec16b1592
2014-07-28 17:05:13 -07:00
Adam Langley
d33cbb583e sha512-x86_64.pl: fix linking problem under Windows.
(Imported from upstream's daa96141d31dbe6a6fadc6afc7cf9d1284d9bdd8)

Change-Id: Ibc55db0909585c6472b92af519ffbe717b79c90c
2014-07-28 17:05:13 -07:00
Adam Langley
7578f3f0de Make EVP_CIPHER_CTX_copy work in GCM mode.
PR#3272

(Imported from upstream's 14183e50e75f54c44df6be69670180860ac19550 and
802fdcda1ebc4241a8e02af0046ba2f5264f71f6)

Change-Id: Ied6183d938e320f953a18f6616890d88b74def3f
2014-07-28 17:05:13 -07:00
Adam Langley
2811da2eca x86_64 assembly pack: allow clang to compile AVX code.
(Imported from upstream's 912f08dd5ed4f68fb275f3b2db828349fcffba14,
52f856526c46ee80ef4c8c37844f084423a3eff7 and
377551b9c4e12aa7846f4d80cf3604f2e396c964)

Change-Id: Ic2bf93371f6d246818729810e7a45b3f0021845a
2014-07-28 17:05:13 -07:00
Adam Langley
b351d83875 bn/asm/rsaz-avx2.pl: fix occasional failures.
(Imported from upstream's 1067663d852435b1adff32ec01e9b8e54d2b5896)

Change-Id: I39e2a24176306f4170449145d3dee2c2edbf6dfe
2014-07-28 17:05:12 -07:00
Adam Langley
9036c26612 Tolerate critical AKID in CRLs.
PR#3014

(Imported from upstream's 22228d2d407763d234a2463f694df77dca8158fc)

Change-Id: I23ee7dd6b295c3141fe3f5897673dd932831a4f6
2014-07-28 17:05:12 -07:00
Adam Langley
29b6292841 Fix OID encoding for one component.
OIDs with one component don't have an encoding.

PR#2556 (Bug#1)

(Imported from upstream's ff4cfc4c588c41d5e8d2d530231bc36cbc525add and
65e4dca40cb15f3acc878e26d734ec93bd367dca)

Change-Id: I55b54f23e891abc2c1e0b2976531fba1f16070bb
2014-07-28 17:05:12 -07:00
Adam Langley
7893c008e6 Memory leak and NULL dereference fixes.
PR#3403

(Imported from upstream's e42c208235a86beee16ff0d0e6ca4e164a57d21a)

Change-Id: Ibcdd8c95604f661055bfb1e91b15fd3686a04c0d
2014-07-28 17:05:12 -07:00
Adam Langley
ac71c09529 Make sure BN_sqr can never return a negative value.
PR#3410

(Imported from upstream's b7a4f98b152e5b9a56da1501e73053d83a9799b6)

Change-Id: I382c12f205d9adbd418574f7938a1d55a07128e4
2014-07-28 17:05:12 -07:00
Adam Langley
25ba90e34a move check for AD*X to rsaz-avx2.pl.
This ensures high performance is situations when assembler supports
AVX2, but not AD*X.

(Imported from upstream's 82a9dafe32e1e39b5adff18f9061e43d8df3d3c5)

Change-Id: Ie67f49a1c5467807139b6a8a0d4e62162d8a974f
2014-07-28 17:05:12 -07:00
Adam Langley
05b7377065 Add RSA_check_key function.
This is function that is available in OpenSSL too. Here it only returns
zero or one and doesn't do expensive primality checks on p and q.

https://code.google.com/p/chromium/issues/detail?id=396250

Change-Id: I7a173da26e06440dbb595fb717e3a620edf23576
Reviewed-on: https://boringssl-review.googlesource.com/1334
Reviewed-by: Adam Langley <agl@google.com>
2014-07-28 21:36:57 +00:00
Adam Langley
93a3dcd572 Add AES Key Wrap mode.
This is needed in order to support Web Crypto.

https://code.google.com/p/chromium/issues/detail?id=396407

Change-Id: I900d8cad2716c2e3341eeae153659502326c9173
Reviewed-on: https://boringssl-review.googlesource.com/1335
Reviewed-by: Adam Langley <agl@google.com>
2014-07-28 21:32:39 +00:00
David Benjamin
0aa0767340 Improve constant-time padding check in RSA key exchange.
Although the PKCS#1 padding check is internally constant-time, it is not
constant time at the crypto/ ssl/ API boundary. Expose a constant-time
RSA_message_index_PKCS1_type_2 function and integrate it into the
timing-sensitive portion of the RSA key exchange logic.

Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3
Reviewed-on: https://boringssl-review.googlesource.com/1301
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:25:15 +00:00
Adam Langley
794bf6e0ce Fix OAEP with non-SHA hash functions.
Due to merging our patched 1.0.1 code with the 1.0.2 code, some parts of
upstream's 25f93585a70fb05bb9f911884ab95e560f662a5d didn't make it into
the code.

https://code.google.com/p/chromium/issues/detail?id=397333

Change-Id: Iceb13e63a7ac91474fd39e7faad11fa52c56185d
Reviewed-on: https://boringssl-review.googlesource.com/1310
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 00:43:21 +00:00
Adam Langley
c0d9484902 ec: recognise known parameters when written in full.
Some EC ASN.1 structures are using a named curve, but include the full
parameters anyway. With this change, BoringSSL will recognise the order
of the curve.

Change-Id: Iff057178453f9fdc98c8c03bcabbccef89709887
Reviewed-on: https://boringssl-review.googlesource.com/1270
Reviewed-by: Adam Langley <agl@google.com>
2014-07-19 00:03:13 +00:00
David Benjamin
ecc0ce7e67 Introduce EVP_PKEY_is_opaque to replace RSA_METHOD_FLAG_NO_CHECK.
Custom RSA and ECDSA keys may not expose the key material. Plumb and "opaque"
bit out of the *_METHOD up to EVP_PKEY. Query that in ssl_rsa.c to skip the
sanity checks for certificate and key matching.

Change-Id: I362a2d5116bfd1803560dfca1d69a91153e895fc
Reviewed-on: https://boringssl-review.googlesource.com/1255
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 23:35:04 +00:00
David Benjamin
e14dcc45e8 Remove RSA_SSLV23_PADDING.
It's unused with SSLv2 gone. Also, being a decryption padding check, it really
should be constant-time and isn't.

Change-Id: I96be02cb50f9bf0229b9174eccd80fa338bf8e3e
Reviewed-on: https://boringssl-review.googlesource.com/1254
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 19:23:51 +00:00
Adam Langley
37a623cf29 Have BIO_get_mem_data return a size_t and uint8_t*
Change-Id: I883f9c3527b572a2140ae4899cf4409cdc25c6dc
Reviewed-on: https://boringssl-review.googlesource.com/1261
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 17:22:05 +00:00
David Benjamin
b5d725df63 Fix limit checks in RSA padding functions.
More signed/unsigned issues, and some other missing checks.

Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5
Reviewed-on: https://boringssl-review.googlesource.com/1252
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 17:07:19 +00:00
David Benjamin
e77dff61bd Preserve the address length in bio/connect.c.
On OS X, the length must be the length of the address and not of
sockaddr_storage.

Change-Id: Id962f2f3268f07327724b9867a83c15ec50cb9fd
Reviewed-on: https://boringssl-review.googlesource.com/1251
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 00:56:04 +00:00
David Benjamin
13f2710c37 Document that EVP_EncodeBlock writes a trailing NUL.
Fix base64_test.c to account for this.

Change-Id: I0b3e8062a2130fb01a7e6f175968484769c406f9
Reviewed-on: https://boringssl-review.googlesource.com/1250
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 00:55:18 +00:00
David Benjamin
515ee12d62 Ensure x86asm.pl ends with a newline.
Appease the Chromium build on OS X.

Change-Id: Idb7466b4d3e4cc9161cd09066b2f79a6290838b1
Reviewed-on: https://boringssl-review.googlesource.com/1240
Reviewed-by: Adam Langley <agl@google.com>
2014-07-17 19:20:22 +00:00
Adam Langley
904a32e975 Touchup a couple of blank lines from 7b35b58a.
Change-Id: I5ed3aaa5d57e5350c4a3779e501bf5fc143997fb
2014-07-17 10:33:16 -07:00
David Benjamin
7b35b58ae6 Fix EVP_DecodeBlock and add tests.
Another signedness error. Leave a TODO to possibly resolve EVP_DecodeBlock's
ignoring padding. Document some of the Init/Update/Finish versions' behavior.

Change-Id: I78a72c3163f8543172a7008b2d09fb10e003d957
Reviewed-on: https://boringssl-review.googlesource.com/1230
Reviewed-by: Adam Langley <agl@google.com>
2014-07-17 17:32:45 +00:00
Adam Langley
8750fe58f4 base64: fix underflow in EVP_EncodeBlock.
When I switched the base64 code to use size_t, I missed that one of the
loops was counting down, not up, and depended on the loop variable going
negative.

Additionally this change fixes a bug in NETSCAPE_SPKI_b64_encode where
the size of the result buffer was incorrectly calculated and a possible
memory leak.

Change-Id: Ibdf644244291274f50b314f3bb13a61b46858ca1
Reviewed-on: https://boringssl-review.googlesource.com/1220
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 18:14:32 +00:00
Adam Langley
0cc81ff04f Add functions for setting a BIO callback and arg.
These were omitted, but are needed by Chromium now.

Change-Id: I17e1672674311c8dc2ede21539c82b8e2e50f376
Reviewed-on: https://boringssl-review.googlesource.com/1201
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 23:31:50 +00:00
Adam Langley
449f16b947 Change ECDSA_METHOD's size() to group_order_size()
The |size| method was documented to return the same as |ECDSA_size| -
the max size of an ECDSA signature. However, this involves some ASN.1
calculations which is best done once. What custom implementations want
to give is the size of the group order on which the ASN.1 computations
are based.

This change switches the |size| method to allow that.

Change-Id: I95b6e0c2b52bfcd0d74850c2c4e9bc01269255e2
Reviewed-on: https://boringssl-review.googlesource.com/1200
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 22:26:08 +00:00
David Benjamin
22f9bccde5 Port ssl3_get_client_hello to CBS.
Also fix some DTLS cookie bugs. rcvd_cookie is never referenced after being
saved (and the length isn't saved, so it couldn't be used anyway), and the
cookie verification failed to check the length.

For convenience, add a CBS_mem_equal helper function. Saves a bit of
repetition.

Change-Id: I187137733b069f0ac8d8b1bf151eeb80d388b971
Reviewed-on: https://boringssl-review.googlesource.com/1174
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 18:30:09 +00:00
David Benjamin
ed43958853 Port ssl3_get_key_exchange to CBS.
Also tidy up some variable names and update RSA_verify call for it no longer
returning -1. Add CBS helper functions for dealing with C strings.

Change-Id: Ibc398d27714744f5d99d4f94ae38210cbc89471a
Reviewed-on: https://boringssl-review.googlesource.com/1164
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:37:29 +00:00
Adam Langley
4c921e1bbc Move public headers to include/openssl/
Previously, public headers lived next to the respective code and there
were symlinks from include/openssl to them.

This doesn't work on Windows.

This change moves the headers to live in include/openssl. In cases where
some symlinks pointed to the same header, I've added a file that just
includes the intended target. These cases are all for backwards-compat.

Change-Id: I6e285b74caf621c644b5168a4877db226b07fd92
Reviewed-on: https://boringssl-review.googlesource.com/1180
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 22:42:18 +00:00
Adam Langley
0113a4fb60 Support building with PNaCl.
PNaCl needs OPENSSL_NO_ASM to work and a couple of cases were missing
because it hasn't previously been tested.

Additionally, it defined _BSD_SOURCE and others on the command line,
causing duplicate definition errors when defined in source code.

It's missing readdir_r.

It uses newlib, which appears to use u_short in socket.h without ever
defining it.

Change-Id: Ieccfc7365723d0521f6327eebe9f44a2afc57406
Reviewed-on: https://boringssl-review.googlesource.com/1140
Reviewed-by: Adam Langley <agl@google.com>
2014-07-11 19:04:04 +00:00
David Benjamin
925fee36e1 Add a size hook to RSA_METHOD.
This is to avoid having to copy over the RSA modulus in all of Chromium's
platform-specific keys.

Change-Id: I20bf22446a5cfb633b900c3b392b7a1da81a5431
Reviewed-on: https://boringssl-review.googlesource.com/1151
Reviewed-by: Adam Langley <agl@google.com>
2014-07-11 18:47:26 +00:00
David Benjamin
e09170f8f5 Fix OPENSSL_PUT_ERROR typos.
Change-Id: Ie4c96643278a09774b324da4b286ceeadef8855b
Reviewed-on: https://boringssl-review.googlesource.com/1150
Reviewed-by: Adam Langley <agl@google.com>
2014-07-11 18:16:35 +00:00
David Benjamin
7bf334a9ff Perform bounds checks in hmac_signctx.
Match the other EVP_DigestSignFinal implementations. Fix the instances in
ssl/t1_enc.c which were not following the EVP_DigestSignFinal contract; on
entry, *out_len should contain the size of the buffer.

Change-Id: Icd44d97a4c98704dea975798c0101d5a37274d17
Reviewed-on: https://boringssl-review.googlesource.com/1130
Reviewed-by: Adam Langley <agl@google.com>
2014-07-10 20:59:10 +00:00
Adam Langley
09020c2f08 Recognise __mips__ as a generic, 32-bit CPU.
Change-Id: I60806486f40c5ac4c8fbb8371b83cb226113f4b5
2014-07-10 09:14:56 -07:00
David Benjamin
9b561e69b6 Fix EVP_PKEY_FLAG_AUTOARGLEN behavior.
Converting check_autoarg from a macro to a function lost the behavior. Instead,
just move the logic into p_rsa.c which was the only EVP_PKEY implementation
that even needed the flag.

Also document this behavior on each of the functions. Make note of the out =
NULL case only returning the maximum output size, and not necessarily the
actual size.

For testing, update example_sign to determine the signature size using the NULL
behavior rather than querying the RSA key.

Change-Id: Iec6c2862028a5cfdefe8faa0e8c471755070898a
Reviewed-on: https://boringssl-review.googlesource.com/1121
Reviewed-by: Adam Langley <agl@google.com>
2014-07-10 02:10:47 +00:00
Adam Langley
2f1f89d6af Switch from rand_r to rand in lhash_test.
Android doesn't support rand_r.

Change-Id: Iaea767f64da4f6b83907c20d891811a0023ce530
2014-07-08 16:10:12 -07:00
Adam Langley
23b460df02 Add #ifdefs so RSAZ is only built on x86-64.
Change-Id: I5ec6b59e75120029348ce71c76e49a2d6e010913
2014-07-08 15:27:43 -07:00
Alex Chernyakhovsky
3c5034e97c Remove OPENSSL_NO_RSA
Building without RSA support is unreasonable. Changes were made by
running

find . -type f -name *.c | xargs unifdef -m -U OPENSSL_NO_RSA
find . -type f -name *.h | xargs unifdef -m -U OPENSSL_NO_RSA

using unifdef 2.10 and some newlines were removed manually.

Change-Id: Iea559e2d4b3d1053f28a4a9cc2f7a3d1f6cabd61
Reviewed-on: https://boringssl-review.googlesource.com/1095
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:20:53 +00:00
Alex Chernyakhovsky
2897ed3634 Remove CHARSET_EBCDIC
Since crypto/ebcdic.{c,h} are not present in BoringSSL, remove the #ifdefs
Changes were made by running

find . -type f -name *.c | xargs unifdef -m -U CHARSET_EBCDIC
find . -type f -name *.h | xargs unifdef -m -U CHARSET_EBCDIC

using unifdef 2.10.

An additional two ifdefs (CHARSET_EBCDIC_not) were removed manually.

Change-Id: Ie174bb00782cc44c63b0f9fab69619b3a9f66d42
Reviewed-on: https://boringssl-review.googlesource.com/1093
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 19:30:35 +00:00
David Benjamin
d970488862 Typo in EVP_PKEY_asn1_find_str.
Other importing an EC PRIVATE KEY doesn't work.

Change-Id: I58b4e88d287cd7fc772a1958df5878ecff1c5b06
Reviewed-on: https://boringssl-review.googlesource.com/1090
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 21:06:57 +00:00
Adam Langley
7ac79ebe55 The asm files bn/asm/x86* weren't actually used.
(This appears to be the case with upstream too, it's not that BoringSSL
is missing optimisations from what I can see.)

Change-Id: I0e54762ef0d09e60994ec82c5cca1ff0b3b23ea4
Reviewed-on: https://boringssl-review.googlesource.com/1080
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:29:12 +00:00
Adam Langley
4042667eb9 Add ERR_get_next_error_library back.
It was removed in the fork but it turned out to need it.

Change-Id: I21030c8d5befecb63f2c40a59963bec1da1d96fb
Reviewed-on: https://boringssl-review.googlesource.com/1081
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:11:32 +00:00
Adam Langley
8a09146b87 Add license to charmap.pl.
I have confirmed with Dr. Stephen Henson (the author) that the file is
licensed under the OpenSSL license.

Change-Id: I97dc4c74b363184e1b36e5835bad684d66696d54
2014-06-30 16:48:53 -07:00
Adam Langley
45ec21b99c Add stitched RC4-MD5 as an AEAD.
This change adds the stitched RC4-MD5 code from upstream OpenSSL but
exposes it as an AEAD. It's not a normal AEAD (it's stateful thus
doesn't take an nonce) but forcing pre-AEAD cipher suites in the AEAD
interface is less painful than forcing AEADs into the EVP_CIPHER
interface. Over time, more and more cipher suites will be exposed as
TLS-specific AEADs and then ssl/ can drop support for EVP_CIPHER.

See original code from upstream:
https://github.com/openssl/openssl/blob/master/crypto/evp/e_rc4_hmac_md5.c

Change-Id: Ia9267b224747f02be6b934ea0b2b50e1f529fab9
Reviewed-on: https://boringssl-review.googlesource.com/1043
Reviewed-by: Adam Langley <agl@google.com>
2014-06-30 23:01:17 +00:00
Adam Langley
5d17dd64cc Very minor BN fixes.
Fixes one comment that mentioned the wrong function name. Also causes
two BN random functions to fail when the output is NULL. Previously they
would silently do nothing.

Change-Id: I89796ab855ea32787765c301a478352287e61190
2014-06-30 14:22:32 -07:00
David Benjamin
03973096f4 Port ServerHello extension parsing to CBS.
This gives us systematic bounds-checking on all the parses. Also adds a
convenience function, CBS_memdup, for saving the current contents of a CBS.

Change-Id: I17dad74575f03121aee3f771037b8806ff99d0c3
Reviewed-on: https://boringssl-review.googlesource.com/1031
Reviewed-by: Adam Langley <agl@google.com>
2014-06-26 20:42:27 +00:00
Adam Langley
8adf4f1d89 Merge "Remove references to AEAD in non-AEAD interface codepath" 2014-06-26 00:59:49 +00:00
Adam Langley
659de419c1 Add ISC header to a handful of files.
A handful of new files were missing the ISC license header.

Change-Id: I44507dd1361b0348d8e0e1bf12d38072030af53d
2014-06-26 10:26:42 -07:00
Victor Vasiliev
508c29fec9 Remove references to AEAD in non-AEAD interface codepath
Since all AEAD ciphers now go through EVP_AEAD interface, the code which
uses EVP_Cipher interface no longer needs any of AEAD handling logic.

This also removes EVP_CTRL_AEAD_TLS1_AAD from GCM interface, which was
duplicating non-TLS-specific GCM logic and is not used anymore.

Change-Id: I5ddae880e7bc921337f9149a0acfdd00c9a478c3
2014-06-25 15:56:05 -04:00
Adam Langley
d54dc249ea Run AEAD test cases at the end of a file.
aead_test reads test vectors from a file but used blank lines to
indicate the end of a test case. If the file ended without a blank line
to terminate the final test case, it would previously have been skipped.

Change-Id: Id8dd34e86f0b912596dfb33234a894f8d9aa0235
2014-06-24 17:00:54 -07:00
Adam Langley
54cdd120aa Merge "Include some build fixes for OS X." 2014-06-24 18:01:32 +00:00
Adam Langley
30eda1d2b8 Include some build fixes for OS X.
Apart from the obvious little issues, this also works around a
(seeming) libtool/linker:

a.c defines a symbol:

int kFoo;

b.c uses it:

extern int kFoo;

int f() {
  return kFoo;
}

compile them:

$ gcc -c a.c
$ gcc -c b.c

and create a dummy main in order to run it, main.c:

int f();

int main() {
  return f();
}

this works as expected:

$ gcc main.c a.o b.o

but, if we make an archive:

$ ar q lib.a a.o b.o

and use that:

$ gcc main.c lib.a
Undefined symbols for architecture x86_64
  "_kFoo", referenced from:
    _f in lib.a(b.o)

(It doesn't matter what order the .o files are put into the .a)

Linux and Windows don't seem to have this problem.

nm on a.o shows that the symbol is of type "C", which is a "common symbol"[1].
Basically the linker will merge multiple common symbol definitions together.

If ones makes a.c read:

int kFoo = 0;

Then one gets a type "D" symbol - a "data section symbol" and everything works
just fine.

This might actually be a libtool bug instead of an ld bug: Looking at `xxd
lib.a | less`, the __.SYMDEF SORTED index at the beginning of the archive
doesn't contain an entry for kFoo unless initialised.

Change-Id: I4cdad9ba46e9919221c3cbd79637508959359427
2014-06-24 11:15:12 -07:00
Adam Langley
3f4e13c7da Fix GCM in non-AESNI mode.
GCM was broken in non-AESNI mode because I fluffed a #define when
moving gcm128.c across.

Change-Id: I66d5fed6a3d83d641da55c5ca434f17db0d89237
2014-06-24 11:00:27 -07:00
David Benjamin
95463b311d Remove crypto/comp and SSL_COMP support code.
Now that the consuming code in ssl/ is removed, there is no need for this.
Leave SSL_COMP and STACK_OF(SSL_COMP) for now so as not to break any code which
manipulates the output of SSL_COMP_get_compression_methods to disable
compression.

Change-Id: Idf0a5debd96589ef6e7e56acf5d9259412b7d7a1
2014-06-24 17:22:06 +00:00
Adam Langley
7410689a30 Generate (EC)DSA nonces with truncate/test/reject.
Previously we generated a number that was 8 bytes too large and used a
modular reduction, which has a (tiny, tiny) bias towards zero.

Out of an excess of caution, instead truncate the generated nonce and
try again if it's out of range.

Change-Id: Ia9a7a57dd6d3e5f13d0b881b3e9b2e986d46e4ca
2014-06-23 15:41:44 -07:00
Adam Langley
d031f11596 Remove |num_rounds| argument from chacha_core.
The function was hard-coded to 20 rounds already so the argument was
already useless. Thanks to Huzaifa Sidhpurwala for noticing.

Change-Id: I5f9d6ca6d46c6ab769b19820f8f918349544846d
2014-06-23 13:14:13 -07:00
Adam Langley
4ac0b38cfc Try both old and new X.509 hashes.
Ensure the library can find the right files under /etc/ssl/certs when
running on older systems.

There are many symbolic links under /etc/ssl/certs created by using
hash of the PEM certificates in order for OpenSSL to find those
certificates. Openssl has a tool to help you create hash symbolic
links (tools/c_rehash). However newer versions of the library changed
the hash algorithm, which makes it unable to run properly on systems
that use the old /etc/ssl/certs layout (e.g. Ubuntu Lucid).

This patch gives a way to find a certificate according to its hash by
using both the old and new algorithms. http://crbug.com/111045 is used
to track this issue.

(Imported from Chromium:
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/openssl/patches.chromium/0003-x509_hash_name_algorithm_change.patch?revision=231571)

Change-Id: Idbc27aba7685c991f8b94cfea38cf4f3f4b38adc
2014-06-20 15:31:01 -07:00
Adam Langley
3ffd70ec36 crypto/sha/asm/sha[1,512]-x86_64.pl: Windows build
This change stops the Intel, SHA instruction code from breaking the
Windows build.
2014-06-20 13:17:43 -07:00
Adam Langley
b0d5fb6c74 Add OPENSSL_str[n]casecmp
Windows has different names for these functions and also doesn't have
the strings.h header in which they appear.

This change adds tiny wrapper functions for Windows.
2014-06-20 13:17:43 -07:00
Adam Langley
464f3a147c Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only
(Imported from upstream's cfbc10fb327cf8535d6e9b402d1d03140d23d753)
2014-06-20 13:17:43 -07:00
Adam Langley
956665b32b sha1-x86_64.pl: add missing rex prefix in shaext.
PR: 3405

(Imported from upstream's 1f6d2076256761b44e7336b496ab0887f90cea69)
2014-06-20 13:17:42 -07:00
Adam Langley
8241005bfa Client-side namecheck wildcards.
A client reference identity of ".example.com" matches a server certificate
presented identity that is any sub-domain of "example.com" (e.g.
"www.sub.example.com).

With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches only direct
child sub-domains (e.g. "www.sub.example.com"). (cherry picked from commit
e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357)

(Imported from upstream's 3cc8a3f2343cda796de90c127b9e907ca3ec2da5)
2014-06-20 13:17:42 -07:00
Adam Langley
006779a02c Add benchmarks for hash functions to bssl speed. 2014-06-20 13:17:42 -07:00
Adam Langley
cb5dd63e5e Add support for Intel SHA extension.
(Imported from upstream's 70fddbe32a7b3400a6ad0a9265f2c0ed72988d27)
2014-06-20 13:17:42 -07:00
Adam Langley
20c57547d0 ghash-x86_64.pl: optimize for upcoming Atom.
(Imported from upstream's 66aeaec067680e4a4ab956dcf30a295aaba07e2c)
2014-06-20 13:17:42 -07:00
Adam Langley
a09d2127ea Set default global mask to UTF8 only.
(Imported from upstream's 08b172b975bcd5854f9201b9f89d05dc330adb79)
2014-06-20 13:17:41 -07:00
Adam Langley
467c87e318 remove duplicate 0x for default RSASSA-PSS salt len
(Imported from upstream's 42d73874edb4eb6681b769d9850afebe97adf329)
2014-06-20 13:17:40 -07:00
Adam Langley
dc160f84f5 Fixes to host checking.
Fixes to host checking wild card support and add support for setting
host checking flags when verifying a certificate chain.

(Imported from upstream's a2219f6be36d12f02b6420dd95f819cf364baf1d)
2014-06-20 13:17:40 -07:00
Adam Langley
3e449b1b05 Don't allocate more than is needed in BUF_strndup()
(Imported from upstream's 4ceb430a468e8226175aa3f169c0e746877c17e1,
4f7236edc7d5c384bdb148faf7b23f887cf18f69 and
ed693e43329383c0d68455d83778cdc9748a074d)
2014-06-20 13:17:40 -07:00
Adam Langley
c8e91d5798 bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as noted by
Daniel Sands and co at Sandia. This was to handle the case that 2 or more
threads race to lazy-init the same context, but stunted all scalability in the
case where 2 or more threads are doing unrelated things! We favour the latter
case by punishing the former. The init work gets done by each thread that finds
the context to be uninitialised, and we then lock the "set" logic after that
work is done - the winning thread's work gets used, the losing threads throw
away what they've done.

(Imported from upstream's bf43446835bfd3f9abf1898a99ae20f2285320f3)
2014-06-20 13:17:40 -07:00
Adam Langley
cdf96e5886 Double free in i2o_ECPublicKey
PR: 3338

(Imported from upstream's e34af3ec2b1230a8a523d383f7de505f7cbd381d)
2014-06-20 13:17:40 -07:00
Adam Langley
eceb33d3af bignum: fix boundary condition in montgomery logic
It's not clear whether this inconsistency could lead to an actual
computation error, but it involved a BIGNUM being passed around the
montgomery logic in an inconsistent state. This was found using flags
-DBN_DEBUG -DBN_DEBUG_RAND, and working backwards from this assertion
in 'ectest';

ectest: bn_mul.c:960: BN_mul: Assertion `(_bnum2->top == 0) ||
(_bnum2->d[_bnum2->top - 1] != 0)' failed

(Imported from upstream's 3cc546a3bbcbf26cd14fc45fb133d36820ed0a75)
2014-06-20 13:17:40 -07:00
Adam Langley
6a57f92195 bn/asm/armv4-gf2m.pl, modes/asm/ghash-armv4.pl: faster multiplication algorithm suggested in following paper:
Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
Polynomial Multiplication on ARM Processors using the NEON Engine.

http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf

(Imported from upstream's 0fb3d5b4fdc76b8d4a4700d03480cda135c6c117)
2014-06-20 13:17:40 -07:00
Adam Langley
89b73fbafa aes/asm/bsaes-x86_64.pl: Atom-specific optimization.
(Imported from upstream's ffdff9f12f028e4075b473a2a21e51c5bcc2bbd9)
2014-06-20 13:17:40 -07:00
Adam Langley
548523fd5e Extension checking fixes.
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309

(Imported from upstream's 5cd5e0219d2e9a8c1f2fec3d867f38179c3a86af)
2014-06-20 13:17:40 -07:00
Adam Langley
45ba42a94c vpaes-[x86_64|ppc].pl: fix typo, which for some reason triggers rkhunter.
(Imported from upstream's dacb698ada2579bccfc3d88662f8cca75fb1b9aa)
2014-06-20 13:17:39 -07:00
Adam Langley
e2c2f60c44 Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.

(Imported from upstream's e9b4b8afbd129adc18d3fe71ca2ab34fe61d8640)
2014-06-20 13:17:39 -07:00
Adam Langley
33685b82ec dh/check.c: check BN_CTX_get's return value.
(Imported from upstream's fe69e6be6e551c04d9d6a186c7fee1e635313ca6)
2014-06-20 13:17:39 -07:00
Adam Langley
e0ddf2706a For self signed root only indicate one error.
(Imported from upstream's bdfc0e284c89dd5781259cc19aa264aded538492.)
2014-06-20 13:17:39 -07:00
Adam Langley
8f5b6b9b0f perlasm/x86asm.pl: recognize elf-1 denoting old ELF platforms.
(Imported from upstream's ca88a1d439f72f124d0f23e2d130e56bbcbb93a9)
2014-06-20 13:17:39 -07:00
Adam Langley
9612b766ae perlasm/x86gas.pl: limit special OPENSSL_ia32cap_P treatment to ELF.
(Imported from upstream's 5615196f7bd467f1e56e275bf740a62caa04d107.)
2014-06-20 13:17:39 -07:00
Adam Langley
9a7cb38882 rc4/asm/rc4-586.pl: allow for 386-only build.
(Imported from upstream's 1f59eb5f111149eb0cf5cdc2b378cfa0fbdfa9c3)
2014-06-20 13:17:39 -07:00
Adam Langley
43134282d0 sha/asm/sha256-586.pl: don't try to compile SIMD with no-sse2.
(Imported from upstream's d00ae7cf7019847c5d35728b01b22461a01bb336)
2014-06-20 13:17:39 -07:00
Adam Langley
bd97c20c77 sha/asm/sha512-x86_64.pl: fix compilation error on Solaris.
(Imported from upstream's f92926e33175b0ef874244ba7d66dd987a862750)
2014-06-20 13:17:39 -07:00
Adam Langley
c83b1ceae2 x509/by_dir.c: fix run-away pointer.
fix run-away pointer (and potential SEGV) when adding duplicates in
add_cert_dir.

PR: 3261
Reported by: Marian Done

(Imported from upstream's 83fe7b9c8321d5ffb6bfe67df85ed66ceb97102f)
2014-06-20 13:17:38 -07:00
Adam Langley
5685363771 aes/asm/aesni-x86[_64].pl: minor Atom-specific performance tweak.
(Imported from upstream's 2d4d9623da229162ad4377174526af3c01b1707a)
2014-06-20 13:17:38 -07:00
Adam Langley
114a711f8b aes/asm/aesni-x86_64.pl: further optimization for Atom Silvermont.
Improve CBC decrypt and CTR by ~13/16%, which adds up to ~25/33%
improvement over "pre-Silvermont" version. [Add performance table to
aesni-x86.pl].

(Imported from upstream's b347341c75656cf8bc039bd0ea5e3571c9299687)
2014-06-20 13:17:38 -07:00
Adam Langley
a993a70d6d Include self-signed flag in certificates.
Include self-signed flag in certificates by checking SKID/AKID as well as
issuer and subject names. Although this is an incompatible change it should
have little impact in pratice because self-issued certificates that are not
self-signed are rarely encountered.

(Imported from upstream's c00f8d697aed17edbd002e2f6c989d8fbd7c4ecf)
2014-06-20 13:17:38 -07:00
Adam Langley
ec72cf5a1c Include TA in checks/callback with partial chains.
When a chain is complete and ends in a trusted root checks are also performed
on the TA and the callback notified with ok==1. For consistency do the same for
chains where the TA is not self signed.

(Imported from upstream's b07e4f2f46fc286c306353d5e362cbc22c8547fb)
2014-06-20 13:17:38 -07:00
Adam Langley
35163dc925 Add cert_self_signed function to simplify verify.
(Imported from upstream's ced6dc5cefca57b08e077951a9710c33b709e99e)
2014-06-20 13:17:38 -07:00
Adam Langley
a216d03d0e Simplify X509_STORE_CTX_get1_chain.
(Imported from upstream's bf2d129194d5a8f2ccf5ff5261ab755e4fc9f98e)
2014-06-20 13:17:38 -07:00
Adam Langley
d81f801f6d ghash-x86[_64].pl: ~15% improvement on Atom Silvermont
(other processors unaffected).

(Imported from upstream's 7078d93307d795cec577ec4a792b72fffed551ab)
2014-06-20 13:17:38 -07:00
Adam Langley
6d43d0c4d6 Add extension free function.
(Imported from upstream's 984a30423d70126ed1df30e4b52962398cdaa9b6.)
2014-06-20 13:17:38 -07:00
Adam Langley
29db55944b Remove redundant accessor.
You can do the same thing, and more, with X509_ALGOR_[gs]et0().

(Imported from upstream's 40b0d0765ec8d34654be099456dc1dfb6e1bd3ff)
2014-06-20 13:17:37 -07:00
Adam Langley
7b29449086 AES-NI asm update from master.
(Imported from upstream's 5572bc4e2fb485c0d85bd5b4ec430ae0af65f7ea)
2014-06-20 13:17:37 -07:00
Adam Langley
5c6ca976c8 Update SHA asm from master.
(Imported from upstream's 729d334106e6ef3a2b2f4f9cb2520669a07ae79d)
2014-06-20 13:17:37 -07:00
Adam Langley
bdf8acc2d2 Add more accessors.
(Imported from upstream's cacdfcb2479984d9bfcc79b623118d8af6fea169)
2014-06-20 13:17:37 -07:00
Adam Langley
b152b3d4ed Add accessor for x509.cert_info.
(Imported from upstream's 519ad9b3845c475d29db8b84b59bde7edecb4e70.)
2014-06-20 13:17:37 -07:00
Adam Langley
6887edb917 Improvements in constant-time OAEP decoding.
This change adds a new function, BN_bn2bin_padded, that attempts, as
much as possible, to serialise a BIGNUM in constant time.

This is used to avoid some timing leaks in RSA decryption.
2014-06-20 13:17:37 -07:00
Adam Langley
cd8128d618 This change merges upstream's updated ppc-xlate.pl. 2014-06-20 13:17:37 -07:00
Adam Langley
01797e309f psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.
2014-06-20 13:17:37 -07:00
Adam Langley
64bda23cad Base64 padding fix.
https://rt.openssl.org/Ticket/Display.html?id=2608

Previously, this input to the base64 code:

================================================================================-

Would cause the output length of EVP_DecodeUpdate to be negative. When
that happened in the base64 BIO, it would crash. In PEM decoding, the
ASN.1 code actually maintains signed lengths and manages to simply error
out!
2014-06-20 13:17:36 -07:00
Adam Langley
aeb088ac09 EC infinity fix.
Fix handling of points at infinity in ec_GFp_simple_points_make_affine.
When inverting an array of Z coordinates, the algorithm is supposed to
treat any 0 essentially like a 1 to remain in the multiplicative group;
however, for one of the cases, we incorrectly multiplied by 0 and thus
ended up with garbage.
2014-06-20 13:17:36 -07:00
Adam Langley
735107652b Const correctness.
This change fixes a number of build warnings.
2014-06-20 13:17:36 -07:00
Adam Langley
77b7e63311 Adjust stack pointer in AES-NI CBC decryption.
This change adjusts the stack pointer during CBC decryption. The code
was previously using the red zone across function calls and valgrind
thinks that the "unused" stack is undefined after a function call.
2014-06-20 13:17:35 -07:00
Adam Langley
409766d218 Add function to recover RSA CRT params.
Some RSA private keys are specified with only n, e and d. Although we
can use these keys directly, it's nice to have a uniform representation
that includes the precomputed CRT values. This change adds a function
that can recover the primes from a minimal private key of that form.
2014-06-20 13:17:35 -07:00
Adam Langley
de0b202684 ChaCha20-Poly1305 support. 2014-06-20 13:17:35 -07:00
Adam Langley
dfe3053086 AEAD tests. 2014-06-20 13:17:34 -07:00
Adam Langley
fd772a5aeb AEAD interface.
This change adds an AEAD interface to EVP and an AES-GCM implementation
suitable for use in TLS.
2014-06-20 13:17:34 -07:00
Adam Langley
acff73f227 Constant-time, RSA PMS processing.
This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.
2014-06-20 13:17:34 -07:00
Adam Langley
7d0a1d680c Fix padding side-channels.
This patch tweaks the OAEP padding check to be slightly more constant
time and rewrites the PKCS#1 v1.5 padding check to the same end.
2014-06-20 13:17:34 -07:00
Adam Langley
f71a27920a Fix EC crash.
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----
2014-06-20 13:17:34 -07:00
Adam Langley
27ae9ed774 Small prime generation.
Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.

This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.
2014-06-20 13:17:34 -07:00
Adam Langley
61bb3ddfab Ensure that x**0 mod 1 = 0. 2014-06-20 13:17:34 -07:00
Adam Langley
ebebf87d6d Add needed volatile qualifications.
Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.
2014-06-20 13:17:33 -07:00
Adam Langley
d4b4f085d9 Safe (EC)DSA nonces.
This change causes (EC)DSA nonces be to calculated by hashing the
message and private key along with entropy.
2014-06-20 13:17:33 -07:00
Adam Langley
6aea58d0ea Check for invalid divisors in BN_div. 2014-06-20 13:17:33 -07:00
Adam Langley
1258b6a756 ChannelID support.
Implement ChannelID as both a client and server.
2014-06-20 13:17:33 -07:00
Adam Langley
75b833cc81 OpenSSL: make final reduction in Montgomery multiplication constant-time.
(The issue was reported by Shay Gueron.)

The final reduction in Montgomery multiplication computes if (X >= m) then X =
X - m else X = X

In OpenSSL, this was done by computing T = X - m,  doing a constant-time
selection of the *addresses* of X and T, and loading from the resulting
address. But this is not cache-neutral.

This patch changes the behaviour by loading both X and T into registers, and
doing a constant-time selection of the *values*.

TODO(fork): only some of the fixes from the original patch still apply to
the 1.0.2 code.
2014-06-20 13:17:33 -07:00
Adam Langley
b36a3156b6 Add another bn modexp test.
Add a test based on multiplication optimizations from OpenSSL HEAD
(1.1.0-dev) Based on openssl-SNAP-20111003
2014-06-20 13:17:33 -07:00
Adam Langley
520ed0446c GOT-relative lookups in RC4 code. 2014-06-20 13:17:32 -07:00
Adam Langley
95c29f3cd1 Inital import.
Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta).

(This change contains substantial changes from the original and
effectively starts a new history.)
2014-06-20 13:17:32 -07:00