Commit Graph

1838 Commits

Author SHA1 Message Date
David Benjamin
9a798ecc0e Document the hexadecimal casing thing in PORTING.md.
mab@ seems to be dealing with a fair number of these, so it's probably worth
adding to the list.

Change-Id: Ifaea3c96e7b089f28a87c7728ceb8c671786eb27
Reviewed-on: https://boringssl-review.googlesource.com/6030
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 23:37:50 +00:00
Matt Braithwaite
4d11aff33a Don't record handshake hashes if no Channel ID
Change-Id: Ic0dcde436024e8d11f9b5986998cf6e808ff036b
Reviewed-on: https://boringssl-review.googlesource.com/6007
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 21:47:05 +00:00
Adam Langley
2492586058 Add |PKCS12_verify_mac|.
This utility function is provided for API-compatibility and simply calls
|PKCS12_parse| internally.

BUG=536939

Change-Id: I86c548e5dfd64b6c473e497b95adfa5947fe9529
Reviewed-on: https://boringssl-review.googlesource.com/6008
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 20:30:35 +00:00
Adam Langley
5b61b9ebc5 Update ChaCha20 ARM asm with sections.
The ChaCha20 ARM asm is generated from GCC. This change updates the GCC
command line to include -ffunction-sections, which causes GCC to put
each function in its own section so that the linker with --gc-sections
can trim unused functions.

Since the file only has a single function, this is a bit useless, but
it'll now be consistent with the other ARM asm.

Change-Id: If12c675700310ea55af817b5433844eeffc9d029
Reviewed-on: https://boringssl-review.googlesource.com/6006
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 18:07:54 +00:00
Adam Langley
3f85e04f40 Add sections to Poly1305 ARM asm code.
This code isn't generated by perlasm and so the section directives need
to be added manually.

Change-Id: I46158741743859679decbce99097fe6071bf8012
Reviewed-on: https://boringssl-review.googlesource.com/6005
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 18:04:14 +00:00
Adam Langley
5f005ccd9d Make dummy functions static.
To avoid too much #if soup, e_aes.c uses a lot of dummy functions that
just call |abort|. This change makes them all static, which they should
have been all along.

Change-Id: I696f8a0560cf99631ed7adb42d1af10003db4a63
Reviewed-on: https://boringssl-review.googlesource.com/6004
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 18:03:04 +00:00
Adam Langley
2ab24a2d40 Put arm/aarch64 assembly functions in their own section.
This change causes each global arm or aarch64 asm function to be put
into its own section by default. This matches the behaviour of the
-ffunction-sections option to GCC and allows the --gc-sections option to
the linker to discard unused asm functions on a function-by-function
basis.

Sometimes several asm functions will share the same data an, in that
situation, the data is put into the section of one of the functions and
the section of the other function is merged with the added
“.global_with_section” directive.

Change-Id: I12c9b844d48d104d28beb816764358551eac4456
Reviewed-on: https://boringssl-review.googlesource.com/6003
Reviewed-by: Adam Langley <agl@google.com>
2015-09-29 18:02:14 +00:00
David Benjamin
502ca43fc8 Fix up pkcs8.h.
Somehow we ended up with duplicate 'Deprecated functions' sections.
PKCS12_get_key_and_certs ended up in one of them was probably an oversight.

Change-Id: Ia6d6a44132cb2730ee1f92a6bbcfa8ce168e7d08
Reviewed-on: https://boringssl-review.googlesource.com/6020
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 23:17:01 +00:00
David Benjamin
43a58ad436 Fix SSL_set_session documentation comment.
I put an extra space in there. Also document ownership and return value.

Change-Id: I0635423be7774a7db54dbf638cc548d291121529
Reviewed-on: https://boringssl-review.googlesource.com/6010
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:40:30 +00:00
David Benjamin
dbb0321014 Clarify that only top-level CBBs get CBB_cleanup.
Also add an assert to that effect.

Change-Id: I1bd0571e3889f1cba968fd99041121ac42ee9e89
Reviewed-on: https://boringssl-review.googlesource.com/5990
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:40:01 +00:00
David Benjamin
df6a3f8b95 Move SSL_CIPHER section just above cipher suite configuration.
Putting it at the top was probably a mistake? Even though SSL_CIPHER
(like SSL_SESSION) doesn't depend on SSL, if you're reading through the
header, SSL_CTX and SSL are the most important types. You could even use
the library without touch cipher suite configs if you don't care since
the default is decently reasonable, though it does include a lot of
ciphers. (Hard to change that if we wanted to because DEFAULT is often
used somewhat like ALL and then people subtract from it.)

Change-Id: Ic9ddfc921858f7a4c141972fe0d1e465ca196b9d
Reviewed-on: https://boringssl-review.googlesource.com/5963
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:39:39 +00:00
David Benjamin
32876b3dbb Document cipher suite configuration.
The cipher suite rules could also be anchored on SSL_TXT_* if desired. I
currently documented them in prose largely because SSL_TXT_* also
defines protocol version strings and those are weird; SSL_TXT_TLSV1_1
isn't even a cipher rule. (And, in fact, those are the only SSL_TXT_*
macros that we can't blindly remove. I found some code that #ifdef's the
version SSL_TXT_* macros to decide if version-locked SSL_METHODs are
available.)

Also they clutter the header. I was thinking maybe we should dump a lot
of the random constants into a separate undocumented header or perhaps
just unexport them.

I'm slightly torn on this though and could easily be convinced in the
other direction. (Playing devil's advocate, anchoring on SSL_TXT_* means
we're less likely to forget to document one so long as adding a
SSL_TXT_* macro is the convention.)

Change-Id: Ide2ae44db9d6d8f29c24943090c210da0108dc37
Reviewed-on: https://boringssl-review.googlesource.com/5962
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:36:22 +00:00
David Benjamin
d3a53c8fd9 OCSP stapling and SCT extensions go under certificate verification.
This mirrors how the server halves fall under configuring certificates.

Change-Id: I9bde85eecfaff6487eeb887c88cb8bb0c36b83d8
Reviewed-on: https://boringssl-review.googlesource.com/5961
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:27:01 +00:00
David Benjamin
0cfea3411a Move a few more functions to the catch-all 'obscure' bucket.
Change-Id: I493f26561db2bc8510963a0da5032a758bb1f3ef
Reviewed-on: https://boringssl-review.googlesource.com/5960
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:19:04 +00:00
David Benjamin
1cee7da07e Documentation typo.
Change-Id: I2dc4253a2456625057c8188c6cb9b0b7300d6c79
Reviewed-on: https://boringssl-review.googlesource.com/5951
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:18:40 +00:00
David Benjamin
93d8cf557f Add various tests for d2i_PrivateKey.
Change-Id: I030022c240d17df08cf6f59eede0e94373152c40
Reviewed-on: https://boringssl-review.googlesource.com/5950
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:18:23 +00:00
David Benjamin
382bc29251 Defensively avoid assuming d2i functions don't advance on error.
Although the previous commit should ensure this doesn't happen, the
uint8_t** pattern is very error-prone and we're trying to avoid doing
much to the legacy ASN.1 stack. To that end, maintaining the strong
exception guarantee w.r.t. the input pointer-pointer is best effort and
we won't rely on it, so we needn't spend our time chasing down problems.

Change-Id: Ib78974eb94377fe0b0b379f57d9695dc81f344bb
Reviewed-on: https://boringssl-review.googlesource.com/5949
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:15:42 +00:00
David Benjamin
15e4deb165 d2i: don't update input pointer on failure
(Imported from upstream's 728bcd59d3d41e152aead0d15acc51a8958536d3.)

Actually this one was reported by us, but the commit message doesn't
mention this.

This is slightly modified from upstream's version to fix some problems
noticed in import. Specifically one of d2i_X509_AUX's success paths is
bust and d2i_PrivateKey still updates on one error path. Resolve the
latter by changing both it and d2i_AutoPrivateKey to explicitly hit the
error path on ret == NULL. This lets us remove the NULL check in
d2i_AutoPrivateKey.

We'll want to report the problems back upstream.

Change-Id: Ifcfc965ca6d5ec0a08ac154854bd351cafbaba25
Reviewed-on: https://boringssl-review.googlesource.com/5948
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 22:15:17 +00:00
David Benjamin
97a33939a3 Deprecate basically the entire base64 implementation.
The IUF functions were added for PEM and internally are very lenient to
whitespace and include other PEM-specific behaviors (notably they treat
hyphens as EOF). They also decode a ton of invalid input (see upstream's
RT #3757).

Upstream has a rewrite with tests that resolves the latter issue which
we should review and import. But this is still a very PEM-specific
interface. As this code has basically no callers outside the PEM code
(and any such callers likely don't want a PEM-specific API), it's
probably not worth the trouble to massage this and PEM into a strict IUF
base64 API with PEM whitespace and hyphen bits outside. Just deprecate
it all and leave it in a corner.

Change-Id: I5b98111e87436e287547829daa65e9c1efc95119
Reviewed-on: https://boringssl-review.googlesource.com/5952
Reviewed-by: Adam Langley <agl@google.com>
2015-09-28 21:53:39 +00:00
Adam Langley
6daa8268a6 Move the ARM-AES functions inside an #if block.
This fixes an issue with Clang, which doesn't like static functions that
aren't used (to its eyes).

Change-Id: I7cb055aa9f0ab3934352c105abe45f9c30990250
2015-09-25 15:21:34 -07:00
Arve Hjønnevåg
7f64706e37 Use armv8 functions for of AES_[en|de]crypt and AES_set_[en|de]crypt_key, if available.
This change causes ARM and Aarch64 to use the ARMv8 AES instructions, if
provided by the current CPU.

Change-Id: I50cb36270139fcf4ce42e5ebb8afe24ffcab22e3
Reviewed-on: https://boringssl-review.googlesource.com/6002
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-25 22:08:29 +00:00
Adam Langley
d75545600d Merge hwrand.c into rand.c.
By doing this the compiler can notice that much of the code is unused in
the case that we know that we can't have a hardware RNG (i.e. ARM).

Change-Id: I72d364a30080364d700f855640e0164c2c62f0de
Reviewed-on: https://boringssl-review.googlesource.com/6001
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-25 22:07:42 +00:00
Adam Langley
c8e664b70a Fix several minor points noticed by Kenny.
∙ Some comments had the wrong function name at the beginning.
  ∙ Some ARM asm ended up with two #if defined(__arm__) lines – one from
    the .pl file and one inserted by the translation script.

Change-Id: Ia8032cd09f06a899bf205feebc2d535a5078b521
Reviewed-on: https://boringssl-review.googlesource.com/6000
Reviewed-by: Adam Langley <agl@google.com>
2015-09-24 22:08:50 +00:00
Eric Roman
8c9b8783e2 Change some "int" variables to "size_t" in ssl3_handshake_mac().
BUG=https://crbug.com/535039

Change-Id: I94d35ae5acee510b1e6874c37f35eddda9906e71
Reviewed-on: https://boringssl-review.googlesource.com/5974
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-24 00:04:59 +00:00
Eric Roman
f0e8d537de Update comments in digest.h to consistently mention that digest size and block size are measured in bytes.
Change-Id: Ie75c68132fd501549b2ad5203663f6e99867eed6
Reviewed-on: https://boringssl-review.googlesource.com/5970
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-24 00:04:12 +00:00
David Benjamin
b50c91b5df Cleaner handling of "cnid" in do_x509_check
Avoid using cnid = 0, use NID_undef instead, and return early instead of
trying to find an instance of that in the subject DN.

(Imported from upstrea's 40d5689458593aeca0d1a7f3591f7ccb48e459ac.)

Change-Id: I1bdf6bf7a4b1f4774a8dbec7e5df421b3a27c7e4
Reviewed-on: https://boringssl-review.googlesource.com/5947
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:59:43 +00:00
David Benjamin
5e4158fe12 Fix the comment for POINT_CONVERSION_UNCOMPRESSED
The |z| value should be 0x04 not 0x02

RT#3838

(Imported from upstream's 41fe7d2380617da515581503490f1467ee75a521.)

Change-Id: I35745cd2a5a32bd726cb4d3c0613cef2bcbef35b
Reviewed-on: https://boringssl-review.googlesource.com/5946
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:57:01 +00:00
David Benjamin
b86b0f2824 RT 3493: fix RSA test
- Pass in the right ciphertext length to ensure we're indeed testing
  ciphertext corruption (and not truncation).
- Only test one mutation per byte to not make the test too slow.
- Add a separate test for truncated ciphertexts.

(Imported from upstream's 5f623eb61655688501cb1817a7ad0592299d894a.)

Change-Id: I425a77668beac9d391387e3afad8d15ae387468f
Reviewed-on: https://boringssl-review.googlesource.com/5945
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:56:40 +00:00
David Benjamin
79c59a30b5 size_t RSA_private_decrypt's input.
Change-Id: If05761052e235b38d9798b2fe4d8ba44293af891
Reviewed-on: https://boringssl-review.googlesource.com/5944
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:55:18 +00:00
Adam Langley
d98dc1311e Upstream Android-specific things under |BORINGSSL_ANDROID_SYSTEM|
The Android system BoringSSL has a couple of changes:
  ∙ ChaCha20-Poly1305 is disabled because it's not an offical
    cipher suite.
  ∙ P-521 is offered in the ClientHello.

These changes were carried in the Android BoringSSL repo directly. This
change upstreams them when BORINGSSL_ANDROID_SYSTEM is defined.

Change-Id: If3e787c6694655b56e7701118aca661e97a5f26c
2015-09-23 16:41:33 -07:00
David Benjamin
907bd30dcd Banish more deprecated flags to the bottom.
Change-Id: I7959fc65afae8860804ab9f038e3b5a9c2c8ec7b
Reviewed-on: https://boringssl-review.googlesource.com/5943
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:33:02 +00:00
David Benjamin
59937045ec Document certificate verification functions in SSL.
Or at least group them together and make a passing attempt to document
them. The legacy X.509 stack itself remains largely untouched and most
of the parameters have to do with it.

Change-Id: I9e11e2ad1bbeef53478c787344398c0d8d1b3876
Reviewed-on: https://boringssl-review.googlesource.com/5942
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:31:18 +00:00
David Benjamin
df0905a803 Don't pretend to account for RSA_PSK.
RSA_PSK is really weird in that it takes a Certificate, but you're not
expected to verify it. It's just a funny way to transmit an RSA key.
(They probably should have used the RSA_EXPORT ServerKeyExchange
spelling.) Some code now already doesn't account for it right around
certificate verification.

Given ECDHE_PSK exists, hopefully there will never be any need to add
this.

Change-Id: Ia64dac28099eaa9021f8d915d45ccbfd62872317
Reviewed-on: https://boringssl-review.googlesource.com/5941
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:18:44 +00:00
David Benjamin
42fea37227 Document Channel ID functions and a few random extras.
Change-Id: I34a6352d265615ee08bb18fd537acf70a558f014
Reviewed-on: https://boringssl-review.googlesource.com/5940
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 23:08:59 +00:00
Adam Langley
67251f2da9 Use |strtok| rather than |strtok_r|.
As ever, Windows doesn't support the correct function.

Change-Id: If16c979e591abda01ce3bf591b9162c210f03932
2015-09-23 15:01:07 -07:00
Steven Valdez
0d62f26c36 Adding more options for signing digest fallback.
Allow configuring digest preferences for the private key. Some
smartcards have limited support for signing digests, notably Windows
CAPI keys and old Estonian smartcards. Chromium used the supports_digest
hook in SSL_PRIVATE_KEY_METHOD to limit such keys to SHA1. However,
detecting those keys was a heuristic, so some SHA256-capable keys
authenticating to SHA256-only servers regressed in the switch to
BoringSSL. Replace this mechanism with an API to configure digest
preference order. This way heuristically-detected SHA1-only keys may be
configured by Chromium as SHA1-preferring rather than SHA1-requiring.

In doing so, clean up the shared_sigalgs machinery somewhat.

BUG=468076

Change-Id: I996a2df213ae4d8b4062f0ab85b15262ca26f3c6
Reviewed-on: https://boringssl-review.googlesource.com/5755
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 21:55:01 +00:00
David Benjamin
4c60d356a9 Work around even more Estonian ID card misissuances.
Not content with signing negative RSA moduli, still other Estonian IDs have too
many leading zeros. Work around those too.

This workaround will be removed in six months.

BUG=534766

Change-Id: Ica23b1b1499f9dbe39e94cf7b540900860e8e135
Reviewed-on: https://boringssl-review.googlesource.com/5980
Reviewed-by: Adam Langley <agl@google.com>
2015-09-23 20:35:47 +00:00
Adam Langley
d7fe75ca5f Add |SSL_CIPHER_is_RC4|.
We wish to be able to detect the use of RC4 so that we can flag it and
investigate before it's disabled.

Change-Id: I6dc3a5d2211b281097531a43fadf08edb5a09646
Reviewed-on: https://boringssl-review.googlesource.com/5930
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-18 23:03:40 +00:00
David Benjamin
306ece31bc Fix some malloc failure crashes.
EVP_MD_CTX_copy_ex was implemented with a memcpy, which doesn't work well when
some of the pointers need to be copied, and ssl_verify_cert_chain didn't
account for set_ex_data failing.

Change-Id: Ieb556aeda6ab2e4c810f27012fefb1e65f860023
Reviewed-on: https://boringssl-review.googlesource.com/5911
Reviewed-by: Adam Langley <agl@google.com>
2015-09-18 19:30:09 +00:00
David Benjamin
c71567dd50 Update the Estonian workaround comments.
Target date for removal of the workaround is 6 months.

BUG=532048

Change-Id: I402f75e46736936725575559cd8eb194115ab0df
Reviewed-on: https://boringssl-review.googlesource.com/5910
Reviewed-by: Adam Langley <agl@google.com>
2015-09-18 18:42:34 +00:00
David Benjamin
3fb1ebc541 Deprecated things are deprecated.
Get them out of the way when reading through the header.

Change-Id: Ied3f3601262e74570769cb7f858dcff4eff44813
Reviewed-on: https://boringssl-review.googlesource.com/5898
Reviewed-by: Adam Langley <agl@google.com>
2015-09-18 18:41:27 +00:00
David Benjamin
977547b6f9 Group NPN functions in their own section.
Existing documentation was moved to the header, very slightly tweaked.

Change-Id: Ife3c2351e2d7e6a335854284f996918039414446
Reviewed-on: https://boringssl-review.googlesource.com/5897
Reviewed-by: Adam Langley <agl@google.com>
2015-09-18 18:39:53 +00:00
David Benjamin
8984f1f6e5 Group ALPN functions into their own section.
These were already documented, though some of the documentation was
expanded on slightly.

Change-Id: I04c6276a83a64a03ab9cce9b9c94d4dea9ddf638
Reviewed-on: https://boringssl-review.googlesource.com/5896
Reviewed-by: Adam Langley <agl@google.com>
2015-09-17 22:19:58 +00:00
David Benjamin
58fcfc18f0 ECDHE and DHE functions get grouped into sections.
All these functions were already documented, just not grouped. I put
these above DTLS-SRTP and PSK as they're considerably less niche of
features.

Change-Id: I610892ce9763fe0da4f65ec87e5c7aaecb10388b
Reviewed-on: https://boringssl-review.googlesource.com/5895
Reviewed-by: Adam Langley <agl@google.com>
2015-09-17 22:17:12 +00:00
Matt Braithwaite
cd6f54b193 Add method to query Extended Master Secret support
Change-Id: I4c285f4b3dd77f8fc7249c7504b5e4eb9b62959f
Reviewed-on: https://boringssl-review.googlesource.com/5920
Reviewed-by: Adam Langley <agl@google.com>
2015-09-17 21:18:28 +00:00
Paul Lietar
62be8ac8da Skip the SCT and OCSP extensions in ServerHello when resuming sessions.
SCT and OCSP are part of the session data and as such shouldn't be sent
again to the client when resuming.

Change-Id: Iaee3a3c4c167ea34b91504929e38aadee37da572
Reviewed-on: https://boringssl-review.googlesource.com/5900
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-17 21:15:00 +00:00
David Benjamin
e8814df699 Document PSK functions in ssl.h.
Change-Id: Iac58d28570d429236de1d2bc40b631e252b8e710
Reviewed-on: https://boringssl-review.googlesource.com/5893
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:34:12 +00:00
David Benjamin
9e4e01ee14 Align the SSL stack on #include style.
ssl.h should be first. Also two lines after includes and the rest of the
file.

Change-Id: Icb7586e00a3e64170082c96cf3f8bfbb2b7e1611
Reviewed-on: https://boringssl-review.googlesource.com/5892
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:32:07 +00:00
David Benjamin
1ac08feed6 Fix SSL and SSL_CTX ex_data variable names.
Forgot to fix these when I fixed the headers.

Change-Id: Ie45e624abc993e16e2d5a872ef00dba9029a38df
Reviewed-on: https://boringssl-review.googlesource.com/5891
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:22:07 +00:00
David Benjamin
2079ee70c6 Fix minor documentation mistake.
Change-Id: Ia31c0c04c0dbb00cf55db7fdf2c4641a2287f012
Reviewed-on: https://boringssl-review.googlesource.com/5890
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:19:57 +00:00