Commit Graph

4586 Commits

Author SHA1 Message Date
David Benjamin
8d43674b8e Convert the tests in x509v3 to GTest.
Bug: 129
Change-Id: Ia9819fab436857dd6364a1f1abff49ad3e3b682a
Reviewed-on: https://boringssl-review.googlesource.com/17668
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
2017-07-10 19:05:04 +00:00
Steven Valdez
520e1220bb Implement experimental alternate encoding of TLS 1.3.
TLS 1.3 deployment is currently blocked by buggy middleboxes
throughout the ecosystem. As an experiment to better understand these bugs
and the problems they are causing, implement TLS 1.3 variants with
alternate encodings. These are still the same protocol, only encoded
slightly differently. We will use what we learn from these experiments to
guide the TLS 1.3 deployment strategy and proposals to the IETF, if any.

These experiments only target the basic 1-RTT TLS 1.3 handshake. Based on
what we learn from this experiment, we may try future variations to
explore 0-RTT and HelloRetryRequest.

When enabled, the server supports all TLS 1.3 variants while the client
is configured to use a particular variant.

Change-Id: I532411d1abc41314dc76acce0246879b754b4c61
Reviewed-on: https://boringssl-review.googlesource.com/17327
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-10 18:15:08 +00:00
David Benjamin
a818134b67 Simplify ChangeCipherSpec code in runner.
Not sure why it was expanded out like that.

Change-Id: I6899dbd23130ed7196c45c2784330b2a4fe9bdba
Reviewed-on: https://boringssl-review.googlesource.com/17666
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
2017-07-10 17:39:43 +00:00
David Benjamin
be483dbe2d Revise SSL_CTX_sess_set_new_cb documentation.
This is a bit verbose, but this API is goofy and causes a lot of
confusion. This may be clearer.

Change-Id: I9affff99b838958058e56ee3062521421c9accc5
Reviewed-on: https://boringssl-review.googlesource.com/17645
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
2017-07-10 16:37:21 +00:00
David Benjamin
ee7aa02744 Implement basic HTTP tunnel support in bssl client.
For testing purposes.

Change-Id: Ied1b130e805bcf8cc5d1bd30a1ba5049d6f13a6d
Reviewed-on: https://boringssl-review.googlesource.com/17665
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
2017-07-07 20:55:03 +00:00
David Benjamin
d9cbb53562 Fix SSL_version on 0-RTT.
Like other handshake properties, when in 0-RTT on the client,
SSL_version should report the predicted version. This used to work on
accident because of how ssl->version got set in handshake_client.c early
(and that TLS 1.4 does not exist), but we no longer do that.

Change-Id: Ifb63a22b795fe8964ac553844a46040acd5d7323
Reviewed-on: https://boringssl-review.googlesource.com/17664
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-07 17:43:07 +00:00
David Benjamin
2ec3b31548 Unify RSA errors somewhat.
We've got three versions of DATA_TOO_LARGE and two versions of
DATA_TOO_SMALL with no apparent distinction between them.

Change-Id: I18ca2cb71ffc31b04c8fd0be316c362da4d7daf9
Reviewed-on: https://boringssl-review.googlesource.com/17529
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-06 22:16:17 +00:00
David Benjamin
35dd4c8fcd Avoid possible memleak in X509_policy_check()
When tree_calculate_user_set() fails, a jump to error failed to
deallocate a possibly allocated |auth_nodes|.

(Imported from upstream's 58314197b54cc1417cfa62d1987462f72a2559e0.)

Also sync up a couple of comments from that revision. Upstream's
reformat script mangled them and we never did the manual fixup.

Change-Id: I1ed896d13ec94d122d71df72af5a3be4eb0eb9d1
Reviewed-on: https://boringssl-review.googlesource.com/17644
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-06 18:53:18 +00:00
David Benjamin
13f1f17b43 Fix typo in FUZZING.md.
-shim-config, not -shim-path.

Change-Id: I338085b5b5b533f9d511e1b9d82dc44d1161bd26
Reviewed-on: https://boringssl-review.googlesource.com/17604
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-06 18:25:07 +00:00
Adam Langley
d68618b21e <sup> doesn't work in Markdown, use Unicode instead.
Change-Id: I7302b9d9926bb09e53898142b5513d66ef792aa3
Reviewed-on: https://boringssl-review.googlesource.com/17624
Reviewed-by: Adam Langley <agl@google.com>
2017-07-06 15:19:26 +00:00
Adam Langley
fed35d3224 Update the FIPS documentation.
This adds sections on running CAVP tests, breaking FIPS tests and the
RNG design.

Change-Id: I859290e8e2e6ab087aa2b6570a30176b42b01073
Reviewed-on: https://boringssl-review.googlesource.com/17585
Reviewed-by: Adam Langley <agl@google.com>
2017-07-06 15:16:13 +00:00
Adam Langley
d2e872faf4 Test that overflowing AEAD ciphertext length is handled.
Change-Id: I683481b12e66966729297466748f1869de0b913b
Reviewed-on: https://boringssl-review.googlesource.com/17584
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-06 05:33:54 +00:00
David Benjamin
00019f2193 Add text about build logic to the style guide.
This would be unfamiliar to anyone coming from Chromium.

Change-Id: If9fbdbbadfd874c25dc6ff447ab4af36de0dcd22
Reviewed-on: https://boringssl-review.googlesource.com/17544
Reviewed-by: Adam Langley <agl@google.com>
2017-07-06 01:38:28 +00:00
David Benjamin
a1ce85696d Test record splitting at all ciphers.
We were missing AES256 and 3DES. Though this test dates to the old
record-splitting code which was much scarier than the new one.

Change-Id: Ia84a8c1a2bbd79fa70941f80cf6393013e4f13d5
Reviewed-on: https://boringssl-review.googlesource.com/17543
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:52:12 +00:00
David Benjamin
bf5f192310 Add some addition tests for the cipher parsing code and tidy.
The in_group check is redundant and test an extremely absurd corner of
the syntax.

Change-Id: Ia54bcd7cda7ba05415d3a250ee93e1acedcc43d6
Reviewed-on: https://boringssl-review.googlesource.com/17542
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:52:05 +00:00
David Benjamin
634f475255 Test the Channel IDs are not requested without ECDHE.
This was a workaround for triple handshake put in way back, before
extended master secret.

Change-Id: Ie0112fa6323522b17c90a833d558f7182586d2c3
Reviewed-on: https://boringssl-review.googlesource.com/17541
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:51:59 +00:00
David Benjamin
99a93d4327 Remove some unnecessary error codes.
Each of these cases should be rejected before we get to negotiating
anything. Save us a little bit of trouble.

Change-Id: I18cb66be1040dff7f25532da7e4c7d9c5ecd2748
Reviewed-on: https://boringssl-review.googlesource.com/17540
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:50:47 +00:00
David Benjamin
c3648faaa7 Add tests for SSL_VERIFY_PEER_IF_NO_OBC and fix TLS 1.3.
Also mirror the structure of the TLS 1.2 and TLS 1.3 code a bit.

Change-Id: I7b34bf30de63fa0bd47a39a90570846fb2314ad5
Reviewed-on: https://boringssl-review.googlesource.com/17539
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:50:41 +00:00
David Benjamin
364af78407 Add some cipher negotiation tests.
We've never actually written tests for equipreference groups at the
BoringSSL level.

Change-Id: I571c081534efbfa8e7b84846fafed0b772721da1
Reviewed-on: https://boringssl-review.googlesource.com/17538
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:50:36 +00:00
David Benjamin
eb083b0d35 Remove some dead code.
This function isn't used in TLS 1.3.

Change-Id: Icb6209396a36f243a84f0675b8f0c2435b08ad6c
Reviewed-on: https://boringssl-review.googlesource.com/17537
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:50:27 +00:00
David Benjamin
413e79e947 Test the client rejects invalid compression methods from the server.
Change-Id: I90286da596d5822d4cfedf40995d80cf76adaf97
Reviewed-on: https://boringssl-review.googlesource.com/17536
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
2017-07-05 23:50:21 +00:00
David Benjamin
7d7ed9f51b Refresh TLS fuzzer corpora.
These are re-recorded with the new fuzzer format.

Bug: 104
Change-Id: I00798f8f2026ae4570ffdcdae4a47999fd277212
Reviewed-on: https://boringssl-review.googlesource.com/17535
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:49:44 +00:00
David Benjamin
cd4d981bba Update the existing corpora for the format change.
This was done by prepending each file with kDataTag, or 0x0000. This
causes them to behave as they did before the fuzzer updates.

Bug: 104
Change-Id: Ic768606911e1310fb59bed647990c237fe15776b
Reviewed-on: https://boringssl-review.googlesource.com/17534
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:48:54 +00:00
David Benjamin
09114ae285 Restore SSLv3 fuzzer coverage.
So long as the code is there, it should be fuzzed.

Bug: 104
Change-Id: Iffaa832cc50c2d3c064eb511ba3a133d7f5758f2
Reviewed-on: https://boringssl-review.googlesource.com/17533
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:48:48 +00:00
David Benjamin
9343b0b8b3 Don't check renegotiation_info in fuzzer mode.
Otherwise the fuzzer gets stuck at renegotiations.

Bug: 104
Change-Id: If37f9ab165d06e37bfc5c423fba35edaabed293b
Reviewed-on: https://boringssl-review.googlesource.com/17532
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 23:48:42 +00:00
David Benjamin
0fde2eb0e3 Update TLS fuzzer format with prepended settings.
This allows us to fill in holes in our fuzzer coverage, notably client
resumption (and thus early data) and server client certificates. The
corpora are not refreshed yet. This will be done in upcoming changes.

Also add an option for debugging fuzzers. It's very useful to test it on
transcripts and make sure that fuzzer mode successfully makes things
compatible.

Bug: 104
Change-Id: I02f0be4045d1baf68efc9a4157f573df1429575d
Reviewed-on: https://boringssl-review.googlesource.com/17531
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-05 23:48:26 +00:00
David Benjamin
04017c17db Overhaul session resumption documentation.
This has come up a few times and our docs aren't great. This hopefully
describes the sharp edges better.

Change-Id: I5d4044449f74ec116838fd1bba629cd90dc0d1ac
Reviewed-on: https://boringssl-review.googlesource.com/17504
Reviewed-by: Adam Langley <agl@google.com>
2017-07-05 21:40:20 +00:00
David Benjamin
e59703c72b Sync asn1_gen.c with upstream 1.0.2.
This imports bf5b8ff17dd7039b15cbc6468cd865cbc219581d and
a696708ae6bbe42f409748b3e31bb2f3034edbf3 from upstream. I missed them at
some point.

Change-Id: I882d995868e4c0461b7ca51a854691cf4faa7260
Reviewed-on: https://boringssl-review.googlesource.com/17384
Reviewed-by: Adam Langley <agl@google.com>
2017-07-05 21:37:08 +00:00
David Benjamin
a6bae93bf8 Never set not_resumable on an immutable session.
Once passed to the outside world, an SSL_SESSION is immutable. It is not
thread-safe to set not_resumable. In most cases, the session is already
expired anyway. In other cases, making all this remove session be unlink rather than
destroy is sound and consistent with how we treat sessions elsewhere.

In particular, SSL_CTX_free calls SSL_CTX_flush_sessions(0), and
bulk-invalidating everything like this is interfering with some
follow-up changes to improve the fuzzer.

Change-Id: I2a19b8ce32d9effc1efaa72e934e015ebbbfbf9a
Reviewed-on: https://boringssl-review.googlesource.com/17530
Reviewed-by: David Benjamin <davidben@google.com>
2017-07-05 20:32:47 +00:00
Steven Valdez
c94998ae95 Revise version negotiation on the Go half.
This is in preparation for supporting multiple TLS 1.3 variants.

Change-Id: Ia2caf984f576f1b9e5915bdaf6ff952c8be10417
Reviewed-on: https://boringssl-review.googlesource.com/17526
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
2017-07-05 20:18:09 +00:00
David Benjamin
353577cdc7 Fix SSL_set_{min,max}_proto_version APIs in invalid versions.
SSL_set_max_proto_version(TLS1_3_DRAFT_VERSION) worked unintentionally.
Fix that. Also add an error when it fails.

Change-Id: I1048fede7b163e1c170e17bf4370b468221a7077
Reviewed-on: https://boringssl-review.googlesource.com/17525
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-05 19:43:26 +00:00
Steven Valdez
8f36c51f98 Revise version negotiation logic on the C side.
This is in preparation for upcoming experiments which will require
supporting multiple experimental versions of TLS 1.3 with, on the
server, the ability to enable multiple variants at once. This means the
version <-> wire bijection no longer exists, even when limiting to a
single SSL*.  Thus version_to_wire is removed and instead we treat the
wire version as the canonical version value.

There is a mapping from valid wire versions to protocol versions which
describe the high-level handshake protocol in use. This mapping is not
injective, so uses of version_from_wire are rewritten differently.

All the version-munging logic is moved to ssl_versions.c with a master
preference list of all TLS and DTLS versions. The legacy version
negotiation is converted to the new scheme. The version lists and
negotiation are driven by the preference lists and a
ssl_supports_version API.

To simplify the mess around SSL_SESSION and versions, version_from_wire
is now DTLS/TLS-agnostic, with any filtering being done by
ssl_supports_version. This is screwy but allows parsing SSL_SESSIONs to
sanity-check it and reject all bogus versions in SSL_SESSION. This
reduces a mess of error cases.

As part of this, the weird logic where ssl->version is set early when
sending the ClientHello is removed. The one place where we were relying
on this behavior is tweaked to query hs->max_version instead.

Change-Id: Ic91b348481ceba94d9ae06d6781187c11adc15b0
Reviewed-on: https://boringssl-review.googlesource.com/17524
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
2017-07-05 19:13:17 +00:00
Piotr Sikora
06a6ed0170 Clarify use of |SSL_VERIFY_FAIL_IF_NO_PEER_CERT| flag.
Change-Id: I819a5b565e4380f3d816a2e4a68572935c612eae
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/17564
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-07-05 16:05:03 +00:00
David Benjamin
a93bc1124c Update other bot tools.
Also document what versions of everything we're using as the .sha1 files
don't say.

Change-Id: I2d496c86761f6df6acd20e1af62094b7d89e5c1d
Reviewed-on: https://boringssl-review.googlesource.com/17485
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
2017-06-29 20:12:53 +00:00
David Benjamin
97ca762b2a Update to the latest Intel SDE.
efa4339adde7e627370ed7c46ed00fed5d23310007ef0334ae17510d00e22b8d sde-external-8.5.0-2017-06-08-lin.tar.bz2

Change-Id: I201ca78cbbb3c769ed45705f87b6013758b68349
Reviewed-on: https://boringssl-review.googlesource.com/17484
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
2017-06-29 19:36:23 +00:00
David Benjamin
2b0444e01d Keep the same listening socket in bssl server -loop.
When testing against a browser, multiple connections will be made in
parallel. Keeping the same listening socket lets the other connections
queue up at least rather than fail with ECONNREFUSED. Of course, this is
still far from a realistic server.

Change-Id: I984fb29da4bf8808eb40938b12782dc1730f2e19
Reviewed-on: https://boringssl-review.googlesource.com/17405
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-29 19:04:29 +00:00
David Benjamin
0cf201e917 Empty commit to kick the bots.
Change-Id: I497df3c92da808f5636cc46efd989ac32485aa54
2017-06-29 14:55:36 -04:00
David Benjamin
3c9729212b Fix chacha-armv4.pl with clang -fno-integrated-as.
The __clang__-guarded #defines cause gas to complain if clang is passed
-fno-integrated-as. Emitting .syntax unified when those are used fixes
this. This matches the change made to ghash-armv4.pl in upstream's
6cf412c473d8145562b76219ce3da73b201b3255.

See also https://github.com/openssl/openssl/pull/3694. This fixes the
build with the latest Android NDK (use the NDK-supplied toolchain file)
with the armeabi ABI.

Bug: chromium:732066
Change-Id: Ic6ca633a58edbe8ae8c7d501bd9515c2476fd7c2
Reviewed-on: https://boringssl-review.googlesource.com/17404
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-28 13:35:29 +00:00
Martin Kreichgauer
d977eaa125 Make AES-GCM AEADs support the optional second input argument to seal_scatter.
Change-Id: I8cf7c7ef9c3fdcc2cd1bf6669fbcd616f4c0e0ef
Reviewed-on: https://boringssl-review.googlesource.com/17364
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-06-27 23:39:48 +00:00
Martin Kreichgauer
74bce29965 Change EVP_AEAD_CTX_seal_scatter to support an additional plaintext input.
Change-Id: I7e2fc8588d799d01d94cb5d94e49b53b367380ab
Reviewed-on: https://boringssl-review.googlesource.com/17344
Reviewed-by: Adam Langley <agl@google.com>
2017-06-27 23:09:31 +00:00
Adam Langley
946dd62ac0 AES-GCM shouldn't keep its own version of the tag length.
There's a |tag_len| in the generic AEAD context now so keeping a second
copy only invites confusion.

Change-Id: I029d8a8ee366e3af7f61408177c950d5b1a740a9
Reviewed-on: https://boringssl-review.googlesource.com/17424
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2017-06-27 23:09:16 +00:00
David Benjamin
3120950b1e Size TLS read buffers based on the size requested.
Like the write half, rather than allocating the maximum size needed and
relying on the malloc implementation to pool this sanely, allocate the
size the TLS record-layer code believes it needs.

As currently arranged, this will cause us to alternate from a small
allocation (for the record header) and then an allocation sized to the
record itself. Windows is reportedly bad at pooling large allocations,
so, *if the server sends us smaller records*, this will avoid hitting
the problem cases.

If the server sends us size 16k records, the maximum allowed by ther
protocol, we simply must buffer up to that amount and will continue to
allocate similar sizes as before (although slightly smaller; this CL
also fixes small double-counting we did on the allocation sizes).

Separately, we'll gather some metrics in Chromium to see what common
record sizes are to determine if this optimization is sufficient. This
is intended as an easy optimization we can do now, in advance of ongoing
work to fix the extra layer of buffering between Chromium and BoringSSL
with an in-place decrypt API.

Bug: chromium:524258
Change-Id: I233df29df1212154c49fee4285ccc37be12f81dc
Reviewed-on: https://boringssl-review.googlesource.com/17329
Reviewed-by: Adam Langley <agl@google.com>
2017-06-23 23:08:35 +00:00
David Benjamin
5df5be1a4b Fix record header callback on writes.
These broke at some point. Add a test for them.

Change-Id: Ie45869e07d9615ae33aae4613f6d9b996af39528
Reviewed-on: https://boringssl-review.googlesource.com/17330
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-23 23:01:36 +00:00
David Benjamin
5aaaa98f8c Detect WatchGuard's TLS 1.3 interference failure mode.
WatchGuard's bug is very distinctive. Report a dedicated error code out
of BoringSSL so we can better track this.

Bug: chromium:733223
Change-Id: Ia42abd8654e7987b1d43c63a4f454f35f6aa873b
Reviewed-on: https://boringssl-review.googlesource.com/17328
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-22 19:49:23 +00:00
David Benjamin
bfd94db72c Trim RSA_METHOD and ECDSA_METHOD.
Consumers should now all be using a pattern that allows us to remove
unset fields from the struct.

Change-Id: Ia3cf4941589d624cf25c5173501bedeab73fb7b8
Reviewed-on: https://boringssl-review.googlesource.com/17326
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-22 19:06:29 +00:00
David Benjamin
e55b32ddff Don't crash when decrypting with public keys.
Public and private RSA keys have the same type in OpenSSL, so it's
probably prudent for us to catch this case with an error rather than
crash. (As we do if you, say, configure RSA-PSS parameters on an Ed25519
EVP_PKEY.) Bindings libraries, in particular, tend to hit this sort of
then when their callers do silly things.

Change-Id: I2555e9bfe716a9f15273abd887a8459c682432dd
Reviewed-on: https://boringssl-review.googlesource.com/17325
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-22 15:20:15 +00:00
David Benjamin
6fff386492 Support standard RFC cipher suite names alongside OpenSSL ones.
Both Conscrypt and Netty have a lot of logic to map between the two
kinds of names. WebRTC needed an SSL_CIPHER_get_rfc_name for something.
Just have both in the library. Also deprecate SSL_CIPHER_get_rfc_name
in favor of SSL_CIPHER_standard_name, which matches upstream if built
with enable-ssl-trace. And, unlike SSL_CIPHER_get_rfc_name, this does
not require dealing with the malloc.

(Strangely this decreases bssl's binary size, even though we're carrying
more strings around. It seems the old SSL_CIPHER_get_rfc_name was
somewhat large in comparison. Regardless, a consumer that disliked 30
short strings probably also disliked the OpenSSL names. That would be
better solved by opaquifying SSL_CIPHER and adding a less stringy API
for configuring cipher lists. That's something we can explore later if
needed.)

I also made the command-line tool print out the standard names since
they're more standard. May as well push folks towards those going
forward.

Change-Id: Ieeb3d63e67ef4da87458e68d130166a4c1090596
Reviewed-on: https://boringssl-review.googlesource.com/17324
Reviewed-by: Robert Sloan <varomodt@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-22 02:45:37 +00:00
David Benjamin
cd60bf0e0a Fix PPC redirectors.
Our old redirectors were emitting code to call their target functions normally.
However, the PPC ABI expects callers to set up parameter save areas for their
callees, notably if the target is a varargs function.

Instead, mimic the pattern used when calling an external function or function
pointer and avoid touching the stack.

Change-Id: Ia28c9d2b82fcd99c4a2f70f5f587d0e0463a6f0e
Reviewed-on: https://boringssl-review.googlesource.com/17284
Reviewed-by: Adam Langley <agl@google.com>
2017-06-22 02:37:19 +00:00
David Benjamin
05d4c9727f Simplify SSL_get0_next_proto_negotiated.
The pointer and length fields should always be kept in sync. Other code
already assumes this anyway.

Change-Id: I62bc77b805cd4d81f2caa4aa49ad3e9d96faa25e
Reviewed-on: https://boringssl-review.googlesource.com/17306
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-22 00:00:44 +00:00
David Benjamin
44c0772c80 Remove some unnecessary indirections.
Embedding curve_data into built_in_curve simplifies things a bit.

Change-Id: Ibd364df7bb39a04c257df30ad28f26223c25c196
Reviewed-on: https://boringssl-review.googlesource.com/17304
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-06-21 21:29:38 +00:00