Commit Graph

111 Commits

Author SHA1 Message Date
David Benjamin
0aa0767340 Improve constant-time padding check in RSA key exchange.
Although the PKCS#1 padding check is internally constant-time, it is not
constant time at the crypto/ ssl/ API boundary. Expose a constant-time
RSA_message_index_PKCS1_type_2 function and integrate it into the
timing-sensitive portion of the RSA key exchange logic.

Change-Id: I6fa64ddc9d65564d05529d9b2985da7650d058c3
Reviewed-on: https://boringssl-review.googlesource.com/1301
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 20:25:15 +00:00
Adam Langley
794bf6e0ce Fix OAEP with non-SHA hash functions.
Due to merging our patched 1.0.1 code with the 1.0.2 code, some parts of
upstream's 25f93585a70fb05bb9f911884ab95e560f662a5d didn't make it into
the code.

https://code.google.com/p/chromium/issues/detail?id=397333

Change-Id: Iceb13e63a7ac91474fd39e7faad11fa52c56185d
Reviewed-on: https://boringssl-review.googlesource.com/1310
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-25 00:43:21 +00:00
Adam Langley
c0d9484902 ec: recognise known parameters when written in full.
Some EC ASN.1 structures are using a named curve, but include the full
parameters anyway. With this change, BoringSSL will recognise the order
of the curve.

Change-Id: Iff057178453f9fdc98c8c03bcabbccef89709887
Reviewed-on: https://boringssl-review.googlesource.com/1270
Reviewed-by: Adam Langley <agl@google.com>
2014-07-19 00:03:13 +00:00
David Benjamin
ecc0ce7e67 Introduce EVP_PKEY_is_opaque to replace RSA_METHOD_FLAG_NO_CHECK.
Custom RSA and ECDSA keys may not expose the key material. Plumb and "opaque"
bit out of the *_METHOD up to EVP_PKEY. Query that in ssl_rsa.c to skip the
sanity checks for certificate and key matching.

Change-Id: I362a2d5116bfd1803560dfca1d69a91153e895fc
Reviewed-on: https://boringssl-review.googlesource.com/1255
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 23:35:04 +00:00
David Benjamin
e14dcc45e8 Remove RSA_SSLV23_PADDING.
It's unused with SSLv2 gone. Also, being a decryption padding check, it really
should be constant-time and isn't.

Change-Id: I96be02cb50f9bf0229b9174eccd80fa338bf8e3e
Reviewed-on: https://boringssl-review.googlesource.com/1254
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 19:23:51 +00:00
Adam Langley
37a623cf29 Have BIO_get_mem_data return a size_t and uint8_t*
Change-Id: I883f9c3527b572a2140ae4899cf4409cdc25c6dc
Reviewed-on: https://boringssl-review.googlesource.com/1261
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 17:22:05 +00:00
David Benjamin
b5d725df63 Fix limit checks in RSA padding functions.
More signed/unsigned issues, and some other missing checks.

Change-Id: Ib64429a609ca2d64b74a4744092aac67ad0af4e5
Reviewed-on: https://boringssl-review.googlesource.com/1252
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 17:07:19 +00:00
David Benjamin
e77dff61bd Preserve the address length in bio/connect.c.
On OS X, the length must be the length of the address and not of
sockaddr_storage.

Change-Id: Id962f2f3268f07327724b9867a83c15ec50cb9fd
Reviewed-on: https://boringssl-review.googlesource.com/1251
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 00:56:04 +00:00
David Benjamin
13f2710c37 Document that EVP_EncodeBlock writes a trailing NUL.
Fix base64_test.c to account for this.

Change-Id: I0b3e8062a2130fb01a7e6f175968484769c406f9
Reviewed-on: https://boringssl-review.googlesource.com/1250
Reviewed-by: Adam Langley <agl@google.com>
2014-07-18 00:55:18 +00:00
David Benjamin
515ee12d62 Ensure x86asm.pl ends with a newline.
Appease the Chromium build on OS X.

Change-Id: Idb7466b4d3e4cc9161cd09066b2f79a6290838b1
Reviewed-on: https://boringssl-review.googlesource.com/1240
Reviewed-by: Adam Langley <agl@google.com>
2014-07-17 19:20:22 +00:00
Adam Langley
904a32e975 Touchup a couple of blank lines from 7b35b58a.
Change-Id: I5ed3aaa5d57e5350c4a3779e501bf5fc143997fb
2014-07-17 10:33:16 -07:00
David Benjamin
7b35b58ae6 Fix EVP_DecodeBlock and add tests.
Another signedness error. Leave a TODO to possibly resolve EVP_DecodeBlock's
ignoring padding. Document some of the Init/Update/Finish versions' behavior.

Change-Id: I78a72c3163f8543172a7008b2d09fb10e003d957
Reviewed-on: https://boringssl-review.googlesource.com/1230
Reviewed-by: Adam Langley <agl@google.com>
2014-07-17 17:32:45 +00:00
Adam Langley
8750fe58f4 base64: fix underflow in EVP_EncodeBlock.
When I switched the base64 code to use size_t, I missed that one of the
loops was counting down, not up, and depended on the loop variable going
negative.

Additionally this change fixes a bug in NETSCAPE_SPKI_b64_encode where
the size of the result buffer was incorrectly calculated and a possible
memory leak.

Change-Id: Ibdf644244291274f50b314f3bb13a61b46858ca1
Reviewed-on: https://boringssl-review.googlesource.com/1220
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-16 18:14:32 +00:00
Adam Langley
0cc81ff04f Add functions for setting a BIO callback and arg.
These were omitted, but are needed by Chromium now.

Change-Id: I17e1672674311c8dc2ede21539c82b8e2e50f376
Reviewed-on: https://boringssl-review.googlesource.com/1201
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 23:31:50 +00:00
Adam Langley
449f16b947 Change ECDSA_METHOD's size() to group_order_size()
The |size| method was documented to return the same as |ECDSA_size| -
the max size of an ECDSA signature. However, this involves some ASN.1
calculations which is best done once. What custom implementations want
to give is the size of the group order on which the ASN.1 computations
are based.

This change switches the |size| method to allow that.

Change-Id: I95b6e0c2b52bfcd0d74850c2c4e9bc01269255e2
Reviewed-on: https://boringssl-review.googlesource.com/1200
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 22:26:08 +00:00
David Benjamin
22f9bccde5 Port ssl3_get_client_hello to CBS.
Also fix some DTLS cookie bugs. rcvd_cookie is never referenced after being
saved (and the length isn't saved, so it couldn't be used anyway), and the
cookie verification failed to check the length.

For convenience, add a CBS_mem_equal helper function. Saves a bit of
repetition.

Change-Id: I187137733b069f0ac8d8b1bf151eeb80d388b971
Reviewed-on: https://boringssl-review.googlesource.com/1174
Reviewed-by: Adam Langley <agl@google.com>
2014-07-15 18:30:09 +00:00
David Benjamin
ed43958853 Port ssl3_get_key_exchange to CBS.
Also tidy up some variable names and update RSA_verify call for it no longer
returning -1. Add CBS helper functions for dealing with C strings.

Change-Id: Ibc398d27714744f5d99d4f94ae38210cbc89471a
Reviewed-on: https://boringssl-review.googlesource.com/1164
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 23:37:29 +00:00
Adam Langley
4c921e1bbc Move public headers to include/openssl/
Previously, public headers lived next to the respective code and there
were symlinks from include/openssl to them.

This doesn't work on Windows.

This change moves the headers to live in include/openssl. In cases where
some symlinks pointed to the same header, I've added a file that just
includes the intended target. These cases are all for backwards-compat.

Change-Id: I6e285b74caf621c644b5168a4877db226b07fd92
Reviewed-on: https://boringssl-review.googlesource.com/1180
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-14 22:42:18 +00:00
Adam Langley
0113a4fb60 Support building with PNaCl.
PNaCl needs OPENSSL_NO_ASM to work and a couple of cases were missing
because it hasn't previously been tested.

Additionally, it defined _BSD_SOURCE and others on the command line,
causing duplicate definition errors when defined in source code.

It's missing readdir_r.

It uses newlib, which appears to use u_short in socket.h without ever
defining it.

Change-Id: Ieccfc7365723d0521f6327eebe9f44a2afc57406
Reviewed-on: https://boringssl-review.googlesource.com/1140
Reviewed-by: Adam Langley <agl@google.com>
2014-07-11 19:04:04 +00:00
David Benjamin
925fee36e1 Add a size hook to RSA_METHOD.
This is to avoid having to copy over the RSA modulus in all of Chromium's
platform-specific keys.

Change-Id: I20bf22446a5cfb633b900c3b392b7a1da81a5431
Reviewed-on: https://boringssl-review.googlesource.com/1151
Reviewed-by: Adam Langley <agl@google.com>
2014-07-11 18:47:26 +00:00
David Benjamin
e09170f8f5 Fix OPENSSL_PUT_ERROR typos.
Change-Id: Ie4c96643278a09774b324da4b286ceeadef8855b
Reviewed-on: https://boringssl-review.googlesource.com/1150
Reviewed-by: Adam Langley <agl@google.com>
2014-07-11 18:16:35 +00:00
David Benjamin
7bf334a9ff Perform bounds checks in hmac_signctx.
Match the other EVP_DigestSignFinal implementations. Fix the instances in
ssl/t1_enc.c which were not following the EVP_DigestSignFinal contract; on
entry, *out_len should contain the size of the buffer.

Change-Id: Icd44d97a4c98704dea975798c0101d5a37274d17
Reviewed-on: https://boringssl-review.googlesource.com/1130
Reviewed-by: Adam Langley <agl@google.com>
2014-07-10 20:59:10 +00:00
Adam Langley
09020c2f08 Recognise __mips__ as a generic, 32-bit CPU.
Change-Id: I60806486f40c5ac4c8fbb8371b83cb226113f4b5
2014-07-10 09:14:56 -07:00
David Benjamin
9b561e69b6 Fix EVP_PKEY_FLAG_AUTOARGLEN behavior.
Converting check_autoarg from a macro to a function lost the behavior. Instead,
just move the logic into p_rsa.c which was the only EVP_PKEY implementation
that even needed the flag.

Also document this behavior on each of the functions. Make note of the out =
NULL case only returning the maximum output size, and not necessarily the
actual size.

For testing, update example_sign to determine the signature size using the NULL
behavior rather than querying the RSA key.

Change-Id: Iec6c2862028a5cfdefe8faa0e8c471755070898a
Reviewed-on: https://boringssl-review.googlesource.com/1121
Reviewed-by: Adam Langley <agl@google.com>
2014-07-10 02:10:47 +00:00
Adam Langley
2f1f89d6af Switch from rand_r to rand in lhash_test.
Android doesn't support rand_r.

Change-Id: Iaea767f64da4f6b83907c20d891811a0023ce530
2014-07-08 16:10:12 -07:00
Adam Langley
23b460df02 Add #ifdefs so RSAZ is only built on x86-64.
Change-Id: I5ec6b59e75120029348ce71c76e49a2d6e010913
2014-07-08 15:27:43 -07:00
Alex Chernyakhovsky
3c5034e97c Remove OPENSSL_NO_RSA
Building without RSA support is unreasonable. Changes were made by
running

find . -type f -name *.c | xargs unifdef -m -U OPENSSL_NO_RSA
find . -type f -name *.h | xargs unifdef -m -U OPENSSL_NO_RSA

using unifdef 2.10 and some newlines were removed manually.

Change-Id: Iea559e2d4b3d1053f28a4a9cc2f7a3d1f6cabd61
Reviewed-on: https://boringssl-review.googlesource.com/1095
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 20:20:53 +00:00
Alex Chernyakhovsky
2897ed3634 Remove CHARSET_EBCDIC
Since crypto/ebcdic.{c,h} are not present in BoringSSL, remove the #ifdefs
Changes were made by running

find . -type f -name *.c | xargs unifdef -m -U CHARSET_EBCDIC
find . -type f -name *.h | xargs unifdef -m -U CHARSET_EBCDIC

using unifdef 2.10.

An additional two ifdefs (CHARSET_EBCDIC_not) were removed manually.

Change-Id: Ie174bb00782cc44c63b0f9fab69619b3a9f66d42
Reviewed-on: https://boringssl-review.googlesource.com/1093
Reviewed-by: Adam Langley <agl@google.com>
2014-07-07 19:30:35 +00:00
David Benjamin
d970488862 Typo in EVP_PKEY_asn1_find_str.
Other importing an EC PRIVATE KEY doesn't work.

Change-Id: I58b4e88d287cd7fc772a1958df5878ecff1c5b06
Reviewed-on: https://boringssl-review.googlesource.com/1090
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 21:06:57 +00:00
Adam Langley
7ac79ebe55 The asm files bn/asm/x86* weren't actually used.
(This appears to be the case with upstream too, it's not that BoringSSL
is missing optimisations from what I can see.)

Change-Id: I0e54762ef0d09e60994ec82c5cca1ff0b3b23ea4
Reviewed-on: https://boringssl-review.googlesource.com/1080
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:29:12 +00:00
Adam Langley
4042667eb9 Add ERR_get_next_error_library back.
It was removed in the fork but it turned out to need it.

Change-Id: I21030c8d5befecb63f2c40a59963bec1da1d96fb
Reviewed-on: https://boringssl-review.googlesource.com/1081
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-07-02 00:11:32 +00:00
Adam Langley
8a09146b87 Add license to charmap.pl.
I have confirmed with Dr. Stephen Henson (the author) that the file is
licensed under the OpenSSL license.

Change-Id: I97dc4c74b363184e1b36e5835bad684d66696d54
2014-06-30 16:48:53 -07:00
Adam Langley
45ec21b99c Add stitched RC4-MD5 as an AEAD.
This change adds the stitched RC4-MD5 code from upstream OpenSSL but
exposes it as an AEAD. It's not a normal AEAD (it's stateful thus
doesn't take an nonce) but forcing pre-AEAD cipher suites in the AEAD
interface is less painful than forcing AEADs into the EVP_CIPHER
interface. Over time, more and more cipher suites will be exposed as
TLS-specific AEADs and then ssl/ can drop support for EVP_CIPHER.

See original code from upstream:
https://github.com/openssl/openssl/blob/master/crypto/evp/e_rc4_hmac_md5.c

Change-Id: Ia9267b224747f02be6b934ea0b2b50e1f529fab9
Reviewed-on: https://boringssl-review.googlesource.com/1043
Reviewed-by: Adam Langley <agl@google.com>
2014-06-30 23:01:17 +00:00
Adam Langley
5d17dd64cc Very minor BN fixes.
Fixes one comment that mentioned the wrong function name. Also causes
two BN random functions to fail when the output is NULL. Previously they
would silently do nothing.

Change-Id: I89796ab855ea32787765c301a478352287e61190
2014-06-30 14:22:32 -07:00
David Benjamin
03973096f4 Port ServerHello extension parsing to CBS.
This gives us systematic bounds-checking on all the parses. Also adds a
convenience function, CBS_memdup, for saving the current contents of a CBS.

Change-Id: I17dad74575f03121aee3f771037b8806ff99d0c3
Reviewed-on: https://boringssl-review.googlesource.com/1031
Reviewed-by: Adam Langley <agl@google.com>
2014-06-26 20:42:27 +00:00
Adam Langley
8adf4f1d89 Merge "Remove references to AEAD in non-AEAD interface codepath" 2014-06-26 00:59:49 +00:00
Adam Langley
659de419c1 Add ISC header to a handful of files.
A handful of new files were missing the ISC license header.

Change-Id: I44507dd1361b0348d8e0e1bf12d38072030af53d
2014-06-26 10:26:42 -07:00
Victor Vasiliev
508c29fec9 Remove references to AEAD in non-AEAD interface codepath
Since all AEAD ciphers now go through EVP_AEAD interface, the code which
uses EVP_Cipher interface no longer needs any of AEAD handling logic.

This also removes EVP_CTRL_AEAD_TLS1_AAD from GCM interface, which was
duplicating non-TLS-specific GCM logic and is not used anymore.

Change-Id: I5ddae880e7bc921337f9149a0acfdd00c9a478c3
2014-06-25 15:56:05 -04:00
Adam Langley
d54dc249ea Run AEAD test cases at the end of a file.
aead_test reads test vectors from a file but used blank lines to
indicate the end of a test case. If the file ended without a blank line
to terminate the final test case, it would previously have been skipped.

Change-Id: Id8dd34e86f0b912596dfb33234a894f8d9aa0235
2014-06-24 17:00:54 -07:00
Adam Langley
54cdd120aa Merge "Include some build fixes for OS X." 2014-06-24 18:01:32 +00:00
Adam Langley
30eda1d2b8 Include some build fixes for OS X.
Apart from the obvious little issues, this also works around a
(seeming) libtool/linker:

a.c defines a symbol:

int kFoo;

b.c uses it:

extern int kFoo;

int f() {
  return kFoo;
}

compile them:

$ gcc -c a.c
$ gcc -c b.c

and create a dummy main in order to run it, main.c:

int f();

int main() {
  return f();
}

this works as expected:

$ gcc main.c a.o b.o

but, if we make an archive:

$ ar q lib.a a.o b.o

and use that:

$ gcc main.c lib.a
Undefined symbols for architecture x86_64
  "_kFoo", referenced from:
    _f in lib.a(b.o)

(It doesn't matter what order the .o files are put into the .a)

Linux and Windows don't seem to have this problem.

nm on a.o shows that the symbol is of type "C", which is a "common symbol"[1].
Basically the linker will merge multiple common symbol definitions together.

If ones makes a.c read:

int kFoo = 0;

Then one gets a type "D" symbol - a "data section symbol" and everything works
just fine.

This might actually be a libtool bug instead of an ld bug: Looking at `xxd
lib.a | less`, the __.SYMDEF SORTED index at the beginning of the archive
doesn't contain an entry for kFoo unless initialised.

Change-Id: I4cdad9ba46e9919221c3cbd79637508959359427
2014-06-24 11:15:12 -07:00
Adam Langley
3f4e13c7da Fix GCM in non-AESNI mode.
GCM was broken in non-AESNI mode because I fluffed a #define when
moving gcm128.c across.

Change-Id: I66d5fed6a3d83d641da55c5ca434f17db0d89237
2014-06-24 11:00:27 -07:00
David Benjamin
95463b311d Remove crypto/comp and SSL_COMP support code.
Now that the consuming code in ssl/ is removed, there is no need for this.
Leave SSL_COMP and STACK_OF(SSL_COMP) for now so as not to break any code which
manipulates the output of SSL_COMP_get_compression_methods to disable
compression.

Change-Id: Idf0a5debd96589ef6e7e56acf5d9259412b7d7a1
2014-06-24 17:22:06 +00:00
Adam Langley
7410689a30 Generate (EC)DSA nonces with truncate/test/reject.
Previously we generated a number that was 8 bytes too large and used a
modular reduction, which has a (tiny, tiny) bias towards zero.

Out of an excess of caution, instead truncate the generated nonce and
try again if it's out of range.

Change-Id: Ia9a7a57dd6d3e5f13d0b881b3e9b2e986d46e4ca
2014-06-23 15:41:44 -07:00
Adam Langley
d031f11596 Remove |num_rounds| argument from chacha_core.
The function was hard-coded to 20 rounds already so the argument was
already useless. Thanks to Huzaifa Sidhpurwala for noticing.

Change-Id: I5f9d6ca6d46c6ab769b19820f8f918349544846d
2014-06-23 13:14:13 -07:00
Adam Langley
4ac0b38cfc Try both old and new X.509 hashes.
Ensure the library can find the right files under /etc/ssl/certs when
running on older systems.

There are many symbolic links under /etc/ssl/certs created by using
hash of the PEM certificates in order for OpenSSL to find those
certificates. Openssl has a tool to help you create hash symbolic
links (tools/c_rehash). However newer versions of the library changed
the hash algorithm, which makes it unable to run properly on systems
that use the old /etc/ssl/certs layout (e.g. Ubuntu Lucid).

This patch gives a way to find a certificate according to its hash by
using both the old and new algorithms. http://crbug.com/111045 is used
to track this issue.

(Imported from Chromium:
http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/openssl/patches.chromium/0003-x509_hash_name_algorithm_change.patch?revision=231571)

Change-Id: Idbc27aba7685c991f8b94cfea38cf4f3f4b38adc
2014-06-20 15:31:01 -07:00
Adam Langley
3ffd70ec36 crypto/sha/asm/sha[1,512]-x86_64.pl: Windows build
This change stops the Intel, SHA instruction code from breaking the
Windows build.
2014-06-20 13:17:43 -07:00
Adam Langley
b0d5fb6c74 Add OPENSSL_str[n]casecmp
Windows has different names for these functions and also doesn't have
the strings.h header in which they appear.

This change adds tiny wrapper functions for Windows.
2014-06-20 13:17:43 -07:00
Adam Langley
464f3a147c Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only
(Imported from upstream's cfbc10fb327cf8535d6e9b402d1d03140d23d753)
2014-06-20 13:17:43 -07:00
Adam Langley
956665b32b sha1-x86_64.pl: add missing rex prefix in shaext.
PR: 3405

(Imported from upstream's 1f6d2076256761b44e7336b496ab0887f90cea69)
2014-06-20 13:17:42 -07:00