Commit Graph

5064 Commits

Author SHA1 Message Date
David Benjamin
2ee94aabf5 Rename ssl_locl.h to internal.h
Match the other internal headers.

Change-Id: Iff7e2dd06a1a7bf993053d0464cc15638ace3aaa
Reviewed-on: https://boringssl-review.googlesource.com/4280
Reviewed-by: Adam Langley <agl@google.com>
2015-04-10 22:14:09 +00:00
Adam Langley
0fd5639701 Fix up whitespace in headers for doc.go.
Also, set sensible defaults for the command-line arguments to doc.go.

Change-Id: Iefd2ade4c9095489efa0ae1059007593fc84923a
2015-04-08 17:32:55 -07:00
Brian Smith
d6405beb2c Avoid calling BN_CTX_end without BN_CTX_start in ec_wNAF_precompute_mult.
Prior to this change, when EC_GROUP_get0_generator fails, BN_CTX_end
would get called even though BN_CTX_start hadn't been called yet, in
the case where the caller-supplied |ctx| is not NULL.

Change-Id: I6f728e74f0167193891cdb6f122b20b0770283dc
Reviewed-on: https://boringssl-review.googlesource.com/4271
Reviewed-by: Adam Langley <agl@google.com>
2015-04-09 00:29:14 +00:00
David Benjamin
32fbdf2025 Remove anonymous cipher suites.
These are the remaining untested cipher suites. Rather than add support in
runner.go, just remove them altogether. Grepping for this is a little tricky,
but nothing enables aNULL (all occurrences disable it), and all occurrences of
["ALL:] seem to be either unused or explicitly disable anonymous ciphers.

Change-Id: I4fd4b8dc6a273d6c04a26e93839641ddf738343f
Reviewed-on: https://boringssl-review.googlesource.com/4258
Reviewed-by: Adam Langley <agl@google.com>
2015-04-08 23:29:07 +00:00
Adam Langley
33672736b7 Get rid of the THREADID stuff.
Now that ERR is using thread-local storage, there's very little that the
THREADID code is doing and it can be turned into stub functions.

Change-Id: I668613fec39b26c894d029b10a8173c3055f6019
2015-04-08 16:24:49 -07:00
Adam Langley
b9e77a0c0c Use thread-local storage for ERR.
Change-Id: I012bff37094ecb29621197ea1d52626bb87f2f0f
2015-04-08 16:23:03 -07:00
Adam Langley
2e0f0711dd Remove the implementation abstraction from ERR.
Since ERR will soon have thread-local storage, we don't need to worry
about high-performance implementations and thus don't need to be able to
switch two different implementations at run-time.

Change-Id: I0598054ee8a8b499ac686ea635a96f5d03c754e0
2015-04-08 16:20:07 -07:00
David Benjamin
e9a80ff8ce Add tests for CHACHA20_POLY1305 ciphers.
This drops in a copy of a subset of golang.org/x/crypto/poly1305 to implement
Poly1305. Hopefully this will keep them from regression as we rework the record
layer.

Change-Id: Ic1e0d941a0a9e5ec260151ced8acdf9215c4b887
Reviewed-on: https://boringssl-review.googlesource.com/4257
Reviewed-by: Adam Langley <agl@google.com>
2015-04-08 20:47:08 +00:00
David Benjamin
2f18c1babb Prune away (almost) all of asn1_mac.h
Amazingly, asn1_GetSequence isn't completely unused? Keep that around for now
and ditch everything else. This lets us enable C4311 in MSVC which is actually
a pretty reasonable warning.

Change-Id: I43bb9206b1745e8a68224f3a435713d2a74e04ea
Reviewed-on: https://boringssl-review.googlesource.com/4256
Reviewed-by: Adam Langley <agl@google.com>
2015-04-08 20:42:57 +00:00
Brian Smith
69fe82ae1e Remove unused ec_pre_comp_st.group back pointer to group.
Change-Id: If15f2f0e2b4627318c9cdfbc76d5ca56a6894e3f
Reviewed-on: https://boringssl-review.googlesource.com/4270
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-04-08 20:27:58 +00:00
David Benjamin
ef4962f5a3 Shush warning in alignment code.
MSVC doesn't like unary - on unsigned numbers. Also switch ssl3_read_n's
version to uintptr_t to match the write half. This gets us closer to clearing
through C4311 violations. (The remaining one is in asn1_add_error which can go
after verifying that most of asn1_mac.h is safe to drop.)

Change-Id: Idb33dda8863bf1a3408b14d5513a667338311b6b
Reviewed-on: https://boringssl-review.googlesource.com/4255
Reviewed-by: Adam Langley <agl@google.com>
2015-04-07 00:40:50 +00:00
David Benjamin
ff9c74f6f4 Fix bssl_shim build in MSVC.
MSVC can't initialiaze OPENSSL_timeval inline.

Change-Id: Ibb9f4d0666c87e690d247d713d5ff2e05a1aa257
Reviewed-on: https://boringssl-review.googlesource.com/4251
Reviewed-by: Adam Langley <agl@google.com>
2015-04-07 00:25:17 +00:00
David Benjamin
06e5161423 Fix the linux_shared bot.
all_tests.go will still complain if tab_test is missing.

Change-Id: I97c3684a4397caa55aaae2ec6555b16ee8366233
Reviewed-on: https://boringssl-review.googlesource.com/4250
Reviewed-by: Adam Langley <agl@google.com>
2015-04-07 00:24:57 +00:00
Brian Smith
57581da626 Remove unused ex_data indexes.
The unused ex_data index declarations are commented out instead of
removed so that it is clear which values to avoid for any new ex_data
indexes added in the future.

Change-Id: Ia19da9631324492c5c7eeacc71453e6240c73870
Reviewed-on: https://boringssl-review.googlesource.com/3940
Reviewed-by: Adam Langley <agl@google.com>
2015-04-07 00:09:47 +00:00
Brian Smith
a91762834e Implement ECDSA_SIG_new and ECDSA_SIG_free manually.
Implement ECDSA_SIG_new and ECDSA_SIG_free manually in preparation for
removing all crypto/asn1 dependencies from ECDSA signature verification.

Change-Id: I0e84d74fa8e757af0cfb09daef03d59f428143cc
Reviewed-on: https://boringssl-review.googlesource.com/4153
Reviewed-by: Adam Langley <agl@google.com>
2015-04-07 00:08:23 +00:00
Brian Smith
5d48b02a5b Remove TODO about removing ECDSA_do_sign/ECDSA_do_verify.
These functions are useful for implementing non-ASN.1-based protocols
like JSON Web Signature (JWS) and they are even already used within
Chromium.

Change-Id: I58f41ca7beedc5a0b7a8c3da53f319aadff4c0e7
Reviewed-on: https://boringssl-review.googlesource.com/3936
Reviewed-by: Adam Langley <agl@google.com>
2015-04-07 00:07:19 +00:00
Adam Langley
7e6c4c8945 Add a couple of compatibility #defines for DH.
Change-Id: Ic190c64ec571e798c22c7afa75ae6c2804c93fd4
2015-04-06 16:58:46 -07:00
Adam Langley
1049e26f6b Support several flavours of AES-192.
Change-Id: I28d302fad0d3d00fa69d3224a96366207729d8d5
2015-04-06 16:58:46 -07:00
Adam Langley
087930f5b5 Add OFB mode.
Change-Id: I267cf7897b5a9f73f8de729971cb9e92937011dd
2015-04-06 16:58:45 -07:00
Adam Langley
d4a5ecd869 Add NCONF_load_bio.
Change-Id: Icebf5c08dde01f07e4d16e782a75be990a078e1a
2015-04-06 16:58:45 -07:00
Adam Langley
c004dfc3d1 Add decrepit, initially containing CAST and Blowfish.
decrepit will contain algorithms that we really wish didn't exist any
longer. It won't be built by default in Chromium etc, but the code
will exist for crummy code that still needs it.

Change-Id: Ic307f5f0a69efe9e0a5fd54052f49d219e90dcdd
2015-04-06 16:58:45 -07:00
Adam Langley
765b66cf04 Add DSA support to EVP.
Sadly, it turns out that we have need of this, at least for now. The
code is taken from upstream and changed only as much as needed.

This only imports keys and doesn't know how to actually perform
operations on them for now.

Change-Id: I0db70fb938186cb7a91d03f068b386c59ed90b84
2015-04-06 16:58:45 -07:00
David Benjamin
ece3de95c6 Enforce that sessions are resumed at the version they're created.
After sharding the session cache for fallbacks, the numbers have been pretty
good; 0.03% on dev and 0.02% on canary. Stable is at 0.06% but does not have
the sharded session cache. Before sharding, stable, beta, and dev had been
fairly closely aligned. Between 0.03% being low and the fallback saving us in
all but extremely contrived cases, I think this should be fairly safe.

Add tests for both the cipher suite and protocol version mismatch checks.

BUG=441456

Change-Id: I2374bf64d0aee0119f293d207d45319c274d89ab
Reviewed-on: https://boringssl-review.googlesource.com/3972
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 21:40:32 +00:00
David Benjamin
883e49fdd8 Remove dead code in do_dtls1_write and document another bug.
Change-Id: I250d3cf5b8124f205d67268958a01cb02a6d05ac
Reviewed-on: https://boringssl-review.googlesource.com/4240
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 21:39:58 +00:00
David Benjamin
4417d055e2 Remove buffered_app_data as well.
This conceivably has a use, but NSS doesn't do this buffer either and it still
suffers from the same problems as the other uses of record_pqueue. This removes
the last use of record_pqueue. It also opens the door to removing pqueue
altogether as it isn't the right data structure for either of the remaining
uses either. (It's not clear it was right for record_pqueue either, but I don't
feel like digging into this code.)

Change-Id: If8a43e7332b3cd11a78a516f3e8ebf828052316f
Reviewed-on: https://boringssl-review.googlesource.com/4239
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 21:39:27 +00:00
David Benjamin
5933723b7b Check for leading zeros in CBS_get_asn1_uint64.
The encoding of an INTEGER should not have leading zeros, except to pad for the
sign bit.

Change-Id: I80d22818cf1d2ca9d27e215620392e1725372aa5
Reviewed-on: https://boringssl-review.googlesource.com/4218
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:54:53 +00:00
David Benjamin
0afbcc05e6 Remove buffering out records from the next epoch.
It was only ever enabled for handshake and alert messages. The comments cite
renego as a use case though even then I'm not clear on why. The only use I see
is if, say, the Finished message and ClientKeyExchange came in out-of-order.
DTLS is unreliable so leaning on retransmit seems fine, and usually flights
will be packed into one packet where possible. NSS doesn't have any such
buffer and doesn't seem to have problems.

The buffering mechanism is also rather dubious. It stows away the entire packet
and read buffer---all 16K of it---and there may have been other records in that
packet.

Change-Id: Ic3b7bf817be380dc73102eec62c690ed093e6667
Reviewed-on: https://boringssl-review.googlesource.com/4238
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:51:24 +00:00
David Benjamin
bc746e3e9c Don't switch s->version on record-layer version mismatch.
At this point, has_version has been set and we may even have a non-null cipher.
Trying to assign meaning to the record-layer version number is not worth making
s->version's semantics even more complicated.

Change-Id: Ia1cf341cf7306eb48d2d11241316dc2116306968
Reviewed-on: https://boringssl-review.googlesource.com/4237
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:50:54 +00:00
David Benjamin
4a3f0732fd Tidy record length check.
Compression is gone, so don't allow for compression overhead. With that fixed,
the second rr->length check in ssl3_get_record matches the length computation
which sizes the read buffer. The first is wrong and doesn't account for the
alignment padding. Move the second to the first.

Change-Id: I3f4f05de9fdf5c645ff24493bbfdf303dcc1aa90
Reviewed-on: https://boringssl-review.googlesource.com/4236
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:50:45 +00:00
David Benjamin
d81e73dcbb Factor out sequence number updates.
Also check for overflow, although it really shouldn't happen.

Change-Id: I34dfe8eaf635aeaa8bef2656fda3cd0bad7e1268
Reviewed-on: https://boringssl-review.googlesource.com/4235
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:50:37 +00:00
David Benjamin
2ab7a868ad runner and all_tests should exit with failure on failing tests.
Otherwise the bots don't notice.

BUG=473924

Change-Id: Idb8cc4c255723ebbe2d52478040a70648910bf37
Reviewed-on: https://boringssl-review.googlesource.com/4232
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:49:54 +00:00
David Benjamin
f8ba285535 Remove redundant SSL_READING lines after ssl_read_bytes.
These are redundant with the lower level ones in s3_pkt.c just before BIO_read.
Only the operation which actually failed an operation on the BIO should set
the wait state.

Not all failure paths in ssl3_read_bytes and dtls1_read_bytes set SSL_READING,
but those that don't leave the BIO in a retry state, so SSL_READING doesn't
matter.

Change-Id: I2ae064ecc8b2946cc8ae8f724be09dfe49e077b5
Reviewed-on: https://boringssl-review.googlesource.com/4230
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:49:00 +00:00
David Benjamin
cfd248b7f6 Clean up SSL_export_keying_material implementation.
Fix up the variable names. Also avoid the messy logic of checking whether the
label and context collide with the normal key expansion ones in the face of
adverserial inputs. Make that the caller's responsibility, just as it's already
the caller's responsibility to ensure that different calls don't overlap.  (The
label should be a constant string in an IANA registry anyway.)

Change-Id: I062fadb7b6a18fa946b883be660ea9b3f0f6277c
Reviewed-on: https://boringssl-review.googlesource.com/4216
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:47:54 +00:00
David Benjamin
c565ebbebc Add tests for SSL_export_keying_material.
Change-Id: Ic4d3ade08aa648ce70ada9981e894b6c1c4197c6
Reviewed-on: https://boringssl-review.googlesource.com/4215
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 20:47:33 +00:00
David Benjamin
9faafdaeb8 Clean up do_ssl3_write fragment handling.
Separate actually writing the fragment to the network from assembling it so
there is no need for is_fragment. record_split_done also needn't be a global;
as of 7fdeaf1101, it is always reset to 0 whether
or not SSL3_WANT_WRITE occurred, despite the comment.

I believe this is sound, but the pre-7fdeaf1 logic wasn't quiiite right;
ssl3_write_pending allows a retry to supply *additional* data, so not all
plaintext had been commited to before the IV was randomized. We could fix this
by tracking how many bytes were committed to the last time we fragmented, but
this is purely an optimization and doesn't seem worth the complexity.

This also fixes the alignment computation in the record-splitting case. The
extra byte was wrong, as demonstrated by the assert.

Change-Id: Ia087a45a6622f4faad32e501942cc910eca1237b
Reviewed-on: https://boringssl-review.googlesource.com/4234
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 18:53:15 +00:00
David Benjamin
a58c57822e Simplify the pointer management around do_ssl3_write.
It's still rather a mess, but this is at least somewhat clearer. The old one
had a lot of remnants of compression, etc.

Change-Id: Iffcb4dd4e8c4ab14f60abf917d22b7af960c93ba
Reviewed-on: https://boringssl-review.googlesource.com/4233
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 18:17:55 +00:00
David Benjamin
7ead605599 Add the is_unexpected key to the test output.
If the key is missing, it seems the failure is assumed to be expected.

BUG=473924

Change-Id: I62edd9110fa74bee5e6425fd6786badf5398728c
Reviewed-on: https://boringssl-review.googlesource.com/4231
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 18:13:27 +00:00
David Benjamin
6c2563e241 Refactor async logic in bssl_shim slightly.
Move the state to TestState rather than passing pointers to them everywhere.
Also move SSL_read and SSL_write retry loops into helper functions so they
aren't repeated everywhere. This also makes the SSL_write calls all
consistently account for partial writes.

Change-Id: I9bc083a03da6a77ab2fc03c29d4028435fc02620
Reviewed-on: https://boringssl-review.googlesource.com/4214
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 17:52:20 +00:00
David Benjamin
1c633159a7 Add negative False Start tests.
Extend the False Start tests to optionally send an alert (thus avoiding
deadlock) before waiting for the out-of-order app data. Based on whether the
peer shuts off the connection before or after sending app data, we can
determine whether the peer False Started by observing purely external effects.

Change-Id: I8b9fecc29668e0b0c34b5fd19d0f239545011bae
Reviewed-on: https://boringssl-review.googlesource.com/4213
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 17:41:53 +00:00
David Benjamin
87e4acd2f5 Test the interaction of SSL_CB_HANDSHAKE_DONE and False Start.
Based on whether -false-start is passed, we expect SSL_CB_HANDSHAKE_DONE to or
not to fire. Also add a flag that asserts SSL_CB_HANDSHAKE_DONE does *not* fire
in any False Start test where the handshake fails after SSL_connect returns.

Change-Id: I6c5b960fff15e297531e15b16abe0b98be95bec8
Reviewed-on: https://boringssl-review.googlesource.com/4212
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 17:39:46 +00:00
David Benjamin
513f0ea8cd Test that bad Finished messages are rejected.
That's a pretty obvious thing to test. I'm not sure how we forgot that one.

Change-Id: I7e1a7df6c6abbdd587e0f7723117f50d09faa5c4
Reviewed-on: https://boringssl-review.googlesource.com/4211
Reviewed-by: Adam Langley <agl@google.com>
2015-04-06 17:38:03 +00:00
David Benjamin
d0c6148ae5 No-op change to trigger a build on the bots.
Change-Id: I3b36680636b8e868b99104e032c6a2416cc7f382
2015-04-03 22:35:38 -04:00
David Benjamin
40acdaeb86 Rename p_thread_callback_base to p_thread_callback_boringssl.
This fixes the Windows build. Otherwise this collides with the symbol in
Chromium's //base. (The 'base' suffix is the name of the library, not some
Windows-ism.)

Change-Id: I65d755f08991978bd2040d53c401082b2fee65fa
Reviewed-on: https://boringssl-review.googlesource.com/4217
Reviewed-by: Adam Langley <agl@google.com>
2015-04-03 17:17:32 +00:00
David Benjamin
72f5911a16 Fix the standalone shared library build.
BUG=473360

Change-Id: I6dc06eb425dd10c8d6a40d17f94405ea6f2f3905
Reviewed-on: https://boringssl-review.googlesource.com/4210
Reviewed-by: Adam Langley <agl@google.com>
2015-04-02 21:07:17 +00:00
David Benjamin
4d78718cde OPENSSL_EXPORT the threading functions.
Otherwise thread_test doesn't build in a components build.

Change-Id: I05d88bd2abc6fcbc43097a50cea0c064beafdb74
Reviewed-on: https://boringssl-review.googlesource.com/4209
Reviewed-by: Adam Langley <agl@google.com>
2015-04-02 20:36:58 +00:00
David Benjamin
89baa72ed8 Define __STDC_FORMAT_MACROS before inttypes.h.
It seems Android's inttypes.h refuses to define those macros on C++ unless
__STDC_FORMAT_MACROS is set. This unbreaks the roll on Android.

Change-Id: Iad6c971b4789f0302534d9e5022534c6124e0ff0
Reviewed-on: https://boringssl-review.googlesource.com/4202
Reviewed-by: Adam Langley <agl@google.com>
2015-04-02 18:39:18 +00:00
David Benjamin
0e434b9470 Define NOMINMAX across the entire project.
This fixes the standalone build on Windows and matches Chromium.

Change-Id: I194f53e0a610c5ae9cef53c826b22f7bded5f357
Reviewed-on: https://boringssl-review.googlesource.com/4201
Reviewed-by: Adam Langley <agl@google.com>
2015-04-02 18:38:56 +00:00
David Benjamin
c0f763b080 Simplify server-side ECDH curve selection.
There's multiple sets of APIs for selecting the curve. Fold away
SSL_OP_SINGLE_ECDH_USE as failing to set it is either a no-op or a bug. With
that gone, the consumer only needs to control the selection of a curve, with
key generation from then on being uniform. Also clean up the interaction
between the three API modes in s3_srvr.c; they were already mutually exclusive
due to tls1_check_ec_tmp_key.

This also removes all callers of EC_KEY_dup (and thus CRYPTO_dup_ex_data)
within the library.

Change-Id: I477b13bd9e77eb03d944ef631dd521639968dc8c
Reviewed-on: https://boringssl-review.googlesource.com/4200
Reviewed-by: Adam Langley <agl@google.com>
2015-04-02 18:37:06 +00:00
Adam Langley
e631d9679e Don't False Start with DHE.
BUG=460271

Change-Id: I271a270067605ec629944633c3e22c2069ba9a24
Reviewed-on: https://boringssl-review.googlesource.com/4192
Reviewed-by: Adam Langley <agl@google.com>
2015-04-02 00:34:17 +00:00
David Benjamin
be55790652 Disable the malloc test interceptor on ASan.
ASan's own malloc interceptor isn't compatible with this mechanism; it doesn't
see calls to __libc_malloc.

Change-Id: Ibac5aa05c6e40f1c72dcee3a2597e96deffca62c
Reviewed-on: https://boringssl-review.googlesource.com/4191
Reviewed-by: Adam Langley <agl@google.com>
2015-04-01 20:08:18 +00:00