Commit Graph

1357 Commits

Author SHA1 Message Date
David Benjamin
897e5e0013 Default renegotiations to off.
As of crbug.com/484543, Chromium's SSLClientSocket is not sensitive to whether
renegotiation is enabled or not. Disable it by default and require consumers to
opt into enabling this protocol mistake.

BUG=429450

Change-Id: I2329068284dbb851da010ff1fd398df3d663bcc3
Reviewed-on: https://boringssl-review.googlesource.com/4723
Reviewed-by: Adam Langley <agl@google.com>
2015-05-13 17:02:14 +00:00
David Benjamin
4690bb5fc3 Port cipher_test to file_test.
Derived from upstream's new evp_test. The tests were taken from upstream
but tweaked so the diff from the old cipher_test.txt is more obvious.

Change-Id: Ic82593a8bb6aaee9b69fdc42a8b75516b03c1c5a
Reviewed-on: https://boringssl-review.googlesource.com/4707
Reviewed-by: Adam Langley <agl@google.com>
2015-05-13 17:00:55 +00:00
David Benjamin
771a138f26 Add missing #include for abort()
http://build.chromium.org/p/chromium.linux/builders/Android%20Arm64%20Builder%20%28dbg%29/builds/17339

Change-Id: I1cf015bb188282363aa5ddbf4e8ef88932370b62
Reviewed-on: https://boringssl-review.googlesource.com/4714
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 22:04:32 +00:00
David Benjamin
de12d6cd7a Mind the end of the buffer in aligned case of generic RC4 implementation.
The generic RC4 implementation may read and write just past the end of the
buffer; when input and output are aligned, it always reads an RC4_CHUNK at a
time. It appropriately masks off and preserves the excess bytes off the end, so
this can only have practical effects if it crosses a page boundary. There's an
alignment check, so that can't happen; page boundaries are always aligned. But
it makes ASan unhappy and strictly speaking is a memory error.

Instead, fall through to the generic codepath which just reads it byte by byte.
This should fix the other bot failure.

Change-Id: I3cbd3bfc6cb0537e87f3252dea12d40ffa78d590
Reviewed-on: https://boringssl-review.googlesource.com/4722
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 19:31:09 +00:00
David Benjamin
5694b3a84b Fix invalid assert in CRYPTO_ctr128_encrypt.
As with CRYPTO_ctr128_encrypt_ctr32, NULL in and out are legal in the
degenerate case when len is 0. This fixes one of the two failures on the bots.

Change-Id: If6016dfc3963d9c06c849fc8eba9908556f66666
Reviewed-on: https://boringssl-review.googlesource.com/4721
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 19:26:53 +00:00
Matt Braithwaite
9b68e72d18 Define compatibility function |ERR_remove_state|.
(It was already declared.)

Change-Id: Ifcda07fe85a6d5d9e2d3b5c387793413f5048515
Reviewed-on: https://boringssl-review.googlesource.com/4713
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 19:06:18 +00:00
David Benjamin
2607383e72 Fix generate_build_files.py to account for crypto/test.
crypto/test contains not tests, but a test support library that should be
linked into each test.

Change-Id: If1c85eda2a3df1717edd38575e1ec792323c400b
Reviewed-on: https://boringssl-review.googlesource.com/4720
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 01:06:32 +00:00
Matt Braithwaite
af3d5bd5a4 Add no-op |RAND_load_file| function for compatibility.
Change-Id: I9493a1509a75d3f0d99ce2b699d8781ad9b1bafa
Reviewed-on: https://boringssl-review.googlesource.com/4540
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 00:36:11 +00:00
Matt Braithwaite
58e95fc759 Remove a spurious semicolon after |DECLARE_LHASH_OF|.
Change-Id: I47873c4221a6d257a1cd5d6f431deb0fb1dc2566
Reviewed-on: https://boringssl-review.googlesource.com/4712
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 00:13:04 +00:00
Matt Braithwaite
3c651718e4 Add buffer.h for compatibility.
(OpenSSL defines |BUF_MEM| there.)

Change-Id: Id889100d2adff7ca8f7428fdfda1efdfd1003f37
Reviewed-on: https://boringssl-review.googlesource.com/4711
Reviewed-by: Adam Langley <agl@google.com>
2015-05-12 00:09:57 +00:00
Adam Langley
c85373da00 Use EVP_AEAD_CTX in crypto/cipher/internal.h.
Change-Id: I3002d95d2b9db4dd05e1c56ef6ae410315b97ab9
Reviewed-on: https://boringssl-review.googlesource.com/4710
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 23:37:21 +00:00
Adam Langley
5aa8a86438 AEAD: allow _cleanup after failed _init.
This change makes it safe to call EVP_AEAD_CTX_cleanup after a failed
EVP_AEAD_CTX_init.

Change-Id: I608ed550e08d638cd7e941f5067edd3da4c850ab
Reviewed-on: https://boringssl-review.googlesource.com/4692
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 23:18:43 +00:00
Adam Langley
9624b405a8 aead_test: make AEAD selection table driven.
(The huge if-else was hard to visually parse.)

Change-Id: Ic2c94120f345085b619304181e861f662a931a29
Reviewed-on: https://boringssl-review.googlesource.com/4691
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 22:24:45 +00:00
David Benjamin
5c694e3fef Add evp_test, loosely based on upstream's version.
This imports the EVP_PKEY test data of upstream's evptests.txt, but
modified to fit our test framework and with a new test driver. The
remainder of the test data will be imported separately into aead_test
and cipher_test.

Some minor changes to the test format were made to account for test
framework differences. One test has different results since we don't
support RSA signatures with omitted (rather than NULL) parameters.
Otherwise, the biggest difference in test format is that the ad-hoc
result strings are replaced with checking ERR_peek_error.

Change-Id: I758869abbeb843f5f2ac6c1cbd87333baec08ec3
Reviewed-on: https://boringssl-review.googlesource.com/4703
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 21:44:36 +00:00
David Benjamin
074e3d2dfd Convert aead_test to the file_test framework.
Change-Id: I119929177d3c2135778b567f89923784a3a730ae
Reviewed-on: https://boringssl-review.googlesource.com/4706
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 21:38:49 +00:00
David Benjamin
0f86965ca0 Rename evp_test to evp_extra_test.
This matches how upstream imported that test. evp_test will be used for
the subset of upstream's evp_test which land in our crypto/evp layer.
(Some of crypto/evp is in crypto/cipher for us, so those tests will be
in a ported cipher_test.)

Change-Id: Ic899442794b66350e73a706bb7c77a6ff3d2564b
Reviewed-on: https://boringssl-review.googlesource.com/4702
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 21:35:00 +00:00
David Benjamin
06b94de820 Add file-based test framework and convert hmac_test.
This adds a file-based test framework to crypto/test. It knows how to
parse formats similar to either upstream's evp_test and our aead_test.

hmac_test has been converted to that with tests from upstream's
evp_test. Upstream tests it against the deprecated EVP_PKEY_HMAC API,
which will be tested by running evp_test against the same input file, to
avoid having to duplicate the test vectors. hmac_test runs those same
inputs against the supported HMAC_CTX APIs.

Change-Id: I9d2b6adb9be519760d1db282b9d43efd6f9adffb
Reviewed-on: https://boringssl-review.googlesource.com/4701
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 21:34:42 +00:00
David Benjamin
6a08da2cf8 Remove redundant setup buffer calls.
Nothing should call ssl3_setup_read_buffer or ssl3_setup_write_buffer unless it
intends to write into the buffer. This way buffer management can later be an
implementation detail of the record layer.

Change-Id: Idb0effba00e77c6169764843793f40ec37868b61
Reviewed-on: https://boringssl-review.googlesource.com/4687
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 21:31:59 +00:00
David Benjamin
4a5982813f Fix asserts in CRYPTO_ctr128_encrypt_ctr32.
NULL in and out are legal in the degenerate case when len is 0.

Change-Id: Ibf0600a4f635a03103b1ae914918fdcf23a75a39
Reviewed-on: https://boringssl-review.googlesource.com/4705
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 19:17:10 +00:00
David Benjamin
bc1fde3206 Check max_out against in_len, not plaintext_len in RC4/MD5 AEAD.
Like the non-stitched variant, this "AEAD" uses the output buffer as
scratch space for the MAC. Thus it should require that max_out_len is
large enough to fit that, even though it will never return that large of
input.

Change-Id: I5b30b0756408c2e433448f540e7c65251336d2f8
Reviewed-on: https://boringssl-review.googlesource.com/4704
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 19:15:38 +00:00
David Benjamin
353d7cba24 Convert pkcs12_test to C++.
Change-Id: If5caf6bb17a5efc9d0cb2c6c52194685d90614d9
Reviewed-on: https://boringssl-review.googlesource.com/4700
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 18:51:13 +00:00
David Benjamin
6610118d65 Convert dh_test to C++.
Change-Id: I68fb6b152b587442ce085806ed1f11280ab8adfb
Reviewed-on: https://boringssl-review.googlesource.com/4689
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 18:47:30 +00:00
David Benjamin
b1f5bca538 Remove max parameter to ssl3_read_n.
It's completely redundant with the extend bit. If extend is 0, we're reading a
new record, and rbuf.len is passed. Then it needs to get clamped by ssl3_read_n
post alignment anyway. If extend is 1, we're reading the rest of the current
record and max is always n. (For TLS, we actually could just read more, but not
for DTLS. Basically no one sets it on the TLS side of things, so instead, after
WebRTC's broken DTLS handling is fixed, read_ahead can go away altogether and
DTLS/TLS record layers can be separated.)

This removes ssl3_read_n's callers' dependency on ssl3_setup_read_buffer
setting up rbuf.len.

Change-Id: Iaf11535d01017507a52a33b19240f42984d6cf52
Reviewed-on: https://boringssl-review.googlesource.com/4686
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 18:41:41 +00:00
David Benjamin
9417b7649f Remove DTLS special-cases in buffer releasing.
They date to https://rt.openssl.org/Ticket/Display.html?id=2533, but no
particularly good justification was given for them. It seems it was just a
bandaid because d1_pkt.c forgot to initialize the buffer. I went through
codesearch for all accesses to SSL3_BUFFER::buf and SSL::packet. They seem
appropriately guarded but for this one.

Change-Id: Ife4e7afdb7a7c137d6be4791542eb5de6dd5b1b6
Reviewed-on: https://boringssl-review.googlesource.com/4685
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 18:40:04 +00:00
David Benjamin
ac4de241b1 Zero s->packet when releasing the read buffer.
s->packet points into the read buffer. It shouldn't leave a dangling pointer.

Change-Id: Ia7def2f50928ea9fca8cb0b69d614a92f9f47f57
Reviewed-on: https://boringssl-review.googlesource.com/4684
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 18:39:26 +00:00
David Benjamin
aebefed905 Always enable SSL_MODE_RELEASE_BUFFERS.
There's no real need to ever disable it, so this is one fewer configuration to
test. It's still disabled for DTLS, but a follow-up will resolve that.

Change-Id: Ia95ad8c17ae8236ada516b3968a81c684bf37fd9
Reviewed-on: https://boringssl-review.googlesource.com/4683
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 18:39:09 +00:00
David Benjamin
c561aa64b6 Require source files define __STDC_FORMAT_MACROS to use BN FMT macros.
inttypes.h kindly requires a feature macro in C++ on some platforms, due
to a bizarre footnote in C99 (see footnote 191 in section 7.8.1). As
bn.h is a public header, we must leak this wart to the consumer. On
platforms with unfriendly inttypes.h headers, using BN_DEC_FMT1 and
friends now require the feature macro be defined externally.

This broke the Chromium Android Clang builder:
http://build.chromium.org/p/chromium.linux/builders/Android%20Clang%20Builder%20%28dbg%29/builds/59288

Change-Id: I88275a6788c7babd0eae32cae86f115bfa93a591
Reviewed-on: https://boringssl-review.googlesource.com/4688
Reviewed-by: Adam Langley <agl@google.com>
2015-05-11 18:38:08 +00:00
Matt Braithwaite
3bf1cca262 Don't report |ERR_R_MALLOC_FAILURE| on failure of |EC_KEY_new_by_curve_name|.
Change |EC_KEY_new_by_curve_name| to report |ERR_R_MALLOC_FAILURE|
itself, so that reporting of |EC_R_UNKNOWN_GROUP| is not confused by
the caller's addition of a spurious |ERR_R_MALLOC_FAILURE|.

Change-Id: Id3f5364f01eb8e3597bcddd6484bc03d5578befb
Reviewed-on: https://boringssl-review.googlesource.com/4690
Reviewed-by: Adam Langley <agl@google.com>
2015-05-09 00:05:30 +00:00
Adam Langley
d100c2498f Fix doc reference to EVP_AEAD_max_overhead.
The documentation referred to the old name of |EVP_AEAD_overhead|.

Merged from Android's
https://android-review.googlesource.com/#/c/149947/

Change-Id: Ifd1b850355c8f7d9f3e990f514fa072d4cacef1c
2015-05-08 13:41:58 -07:00
Adam Langley
65a7e9442c Support Trusty, an embedded platform.
Trusty doesn't have setjmp.h and nor does it have threads.

Change-Id: I005f7a009a13e6632513be9fab2bbe62294519a4
Reviewed-on: https://boringssl-review.googlesource.com/4660
Reviewed-by: Adam Langley <agl@google.com>
2015-05-08 18:34:55 +00:00
David Benjamin
4d2e7ce47b Remove OPENSSL_timeval.
With DTLSv1_get_timeout de-ctrl-ified, the type checker complains about
OPENSSL_timeval. Existing callers all use the real timeval.

Now that OPENSSL_timeval is not included in any public structs, simply
forward-declare timeval itself in ssl.h and pull in winsock2.h in internal
headers.

Change-Id: Ieaf110e141578488048c28cdadb14881301a2ce1
Reviewed-on: https://boringssl-review.googlesource.com/4682
Reviewed-by: Adam Langley <agl@google.com>
2015-05-08 18:03:07 +00:00
David Benjamin
593047fd80 Opaquify DTLS structs.
Nothing ever uses those structs. This to avoid having any structs in the
public header which use struct timeval.

In doing so, move the protocol version constants up to ssl.h so dtls1.h
may be empty. This also removes TLS1_get_version and TLS1_get_client_version
as they're unused and depend on TLS1_VERSION_MAJOR. This still lets tls1.h
be included independently from ssl.h (though I don't think anyone ever includes
it...).

Change-Id: Ieac8b90cf94f7f1e742a88bb75c0ee0aa4b1414c
Reviewed-on: https://boringssl-review.googlesource.com/4681
Reviewed-by: Adam Langley <agl@google.com>
2015-05-08 18:02:02 +00:00
David Benjamin
dfb67134dc Define CRYPTO_once_t as LONG on Windows.
This is used with a platform API, so it should use the corresponding
platform type, saving us the size assert. It's ever defined in an
internal header, so we can freely use windows.h and friends.

Change-Id: Idc979309436adcf54524c835ddc2c98c3870d2e2
Reviewed-on: https://boringssl-review.googlesource.com/4680
Reviewed-by: Adam Langley <agl@google.com>
2015-05-08 18:00:46 +00:00
Adam Langley
0d107e183e Add support for CMAC (RFC 4493).
The interface for this is very similar to upstream, but the code is
quite different.

Support for “resuming” (i.e. calling |CMAC_Final| and then computing the
CMAC for an extension of the message) has been dropped. Also, calling
|CMAC_Init| with magic argument to reset it has been replaced with
|CMAC_Reset|.

Lastly, a one-shot function has been added because it can save an
allocation and that's what most callers actually appear to want to do.

Change-Id: I9345220218bdb16ebe6ca356928d7c6f055d83f6
Reviewed-on: https://boringssl-review.googlesource.com/4630
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-05-07 21:13:41 +00:00
David Benjamin
ae5fdd9648 Revert "Work around missing PTHREAD_RWLOCK_INITIALIZER in NaCl newlib."
This reverts commit 68de407b5f. The NaCl fix has
rolled into Chromium.

Change-Id: I9fd6a6ae727c95fa89b8ce27e301f2a748d0acc9
Reviewed-on: https://boringssl-review.googlesource.com/4651
Reviewed-by: Adam Langley <agl@google.com>
2015-05-07 17:25:09 +00:00
David Benjamin
a24265cfb1 Fix random magic number in ssl3_output_cert_chain.
Per earlier review comment. The number is wrong anyway. (Neither version does
anything since init_buf is initialized to a large size and most functions don't
bother sizing it. Future work should rewrite all of this to use a CBB.)

Change-Id: I3b58672b328396459a34c6403f8bfb77c96efe9c
Reviewed-on: https://boringssl-review.googlesource.com/4650
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 23:25:58 +00:00
Adam Langley
9e1a66070b Add generate_build_files.py.
generate_build_files.py is a generalisation of update_gypi_and_asm.py
that works for both Chromium and Android. In the future, these projects
will drop their copies of update_gypi_and_asm.py and will use this
script instead.

Change-Id: Ie32ce629ef44a6c070e329c7bc5e4531205b9709
Reviewed-on: https://boringssl-review.googlesource.com/4631
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 23:25:36 +00:00
David Benjamin
9a10f8fd88 Switch EVP_PKEY_dup calls to EVP_PKEY_up_ref.
Keep internal callers up-to-date with deprecations.

Change-Id: I7ee171afc669592d170f83bd4064857d59332878
Reviewed-on: https://boringssl-review.googlesource.com/4640
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:57:09 +00:00
David Benjamin
6abb37016e Remove ciphers_raw.
With SSL_get0_raw_cipherlist gone, there's no need to hold onto it.

Change-Id: I258f8bfe21cc354211a777660df680df6c49df2a
Reviewed-on: https://boringssl-review.googlesource.com/4616
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:56:31 +00:00
David Benjamin
d6e95eefba Get rid of ssl_undefined_*
The only place using it is export keying material which can do the
version check inline.

Change-Id: I1893966c130aa43fa97a6116d91bb8b04f80c6fb
Reviewed-on: https://boringssl-review.googlesource.com/4615
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:56:02 +00:00
David Benjamin
60da0cd7c6 Fix STACK_OF pointer style.
clang-format got a little confused there.

Change-Id: I46df523e8a7813a2b4e243da3df22851b3393873
Reviewed-on: https://boringssl-review.googlesource.com/4614
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:55:16 +00:00
David Benjamin
605641ed95 Move the NULL case in ssl_add_cert_chain up.
It's only called for client certificates with NULL. The interaction with
extra_certs is more obvious if we handle that case externally. (We
shouldn't attach extra_certs if there is no leaf.)

Change-Id: I9dc26f32f582be8c48a4da9aae0ceee8741813dc
Reviewed-on: https://boringssl-review.googlesource.com/4613
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:53:53 +00:00
Adam Langley
e92d24f323 Build fix.
(Semantic no-op.)

Change-Id: I94d3ae12bc82f5080e3cf1405cca79acb316f798
2015-05-06 15:47:17 -07:00
David Benjamin
8eb65e814c Remove dead field from CIPHER_ORDER.
It's unused.

Change-Id: I039ecc40f90cbeed6e95b1dd8414161670ae5b6c
Reviewed-on: https://boringssl-review.googlesource.com/4612
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:36:31 +00:00
David Benjamin
7133d428dd Promote SNI macros to functions.
BUG=404754

Change-Id: I2b2e27f3db0c97f2db65ca5e226c6488d2bee2fc
Reviewed-on: https://boringssl-review.googlesource.com/4570
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:36:19 +00:00
David Benjamin
c2807582fd Promote channel ID macros to proper functions.
BUG=404754

Change-Id: I002d4602720e207f92a985d90f0d58e89562affa
Reviewed-on: https://boringssl-review.googlesource.com/4569
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:33:59 +00:00
David Benjamin
15a3b000cf Promote set_tmp_dh and set_tmp_ecdh to functions.
BUG=404754

Change-Id: I7c75dd88fe9338b1d3b90745f742d15d6b84775a
Reviewed-on: https://boringssl-review.googlesource.com/4568
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:30:22 +00:00
David Benjamin
255fa1be81 Fix EVP_PKEY_assign_DH.
Or rather fix in so far as that call will always fail now, rather than
mix up EC and DH EVP_PKEY. We don't implement EVP_PKEY_DH.

Change-Id: I752978f3440b59d963b5c13f2349284d7d799182
Reviewed-on: https://boringssl-review.googlesource.com/4567
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:28:49 +00:00
David Benjamin
c045469817 Promote a few more macros.
Next batch. Mostly a bunch of deprecated things. This switches
SSL_CTX_set_tmp_rsa from always failing to always succeeding. The latter
is probably a safer behavior; a consumer may defensively set a temporary
RSA key. We'll successfully "set it" and just never use the result.

Change-Id: Idd3d6bf4fc1a20bc9a26605bb9c77c9f799f993c
Reviewed-on: https://boringssl-review.googlesource.com/4566
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:28:12 +00:00
David Benjamin
9f226a5f51 Always set SSL_OP_SINGLE_DH_USE.
This is an API wart that makes it easy to accidentally reuse the server
DHE half for every handshake. It's much simpler to have only one mode.
This mirrors the change made to the ECDHE code; align with that logic.

Change-Id: I47cccbb354d70127ab458f99a6d390b213e4e515
Reviewed-on: https://boringssl-review.googlesource.com/4565
Reviewed-by: Adam Langley <agl@google.com>
2015-05-06 22:24:53 +00:00