Commit Graph

1614 Commits

Author SHA1 Message Date
David Benjamin
396a441421 ssl3_cert_verify_hash should take the EVP_PKEY type.
After the custom key method support, the EVP_PKEY parameter is somewhat
confusing (to be resolved with the certificate slots removal) as it must
always refer to a private key. ssl3_cert_verify_hash is sometimes used
with the peer's public key. If custom keys were supported on the server,
this would break.

Fix this by passing a pkey_type parameter and letting the caller decide
whether this uses SSL_PRIVATE_KEY_METHOD or not.

Change-Id: I673b92579a84b4561f28026ec0b1c78a6bfee440
Reviewed-on: https://boringssl-review.googlesource.com/5341
Reviewed-by: Adam Langley <agl@google.com>
2015-07-07 01:10:35 +00:00
David Benjamin
67dc83851b Fix ssl3_send_client_certificate state machine.
If ssl_do_write takes more than one iteration, ssl3_output_cert_chain
would be called an extra time. This is very unlikely in practice because
of the buffer BIO.

Change-Id: Ic1ae9752a8837bb404429fc60306c659208c6185
Reviewed-on: https://boringssl-review.googlesource.com/5340
Reviewed-by: Adam Langley <agl@google.com>
2015-07-07 01:09:45 +00:00
David Benjamin
b9c579db6d Add crypto/bytestring-based BIGNUM DER functions.
RSA and ECDSA will both require being able to convert ASN.1 INTEGERs to
and from DER. Don't bother handling negative BIGNUMs for now. It doesn't
seem necessary and saves bothering with two's-complement vs
sign-and-magnitude.

BUG=499653

Change-Id: I1e80052067ed528809493af73b04f82539d564ff
Reviewed-on: https://boringssl-review.googlesource.com/5268
Reviewed-by: Adam Langley <agl@google.com>
2015-07-07 00:47:39 +00:00
Khem Raj
241364c6f4 Demand for newer POSIX macro
Reason for change: Define _POSIX_C_SOURCE such that it demands correct
posix interfaces, netdb.h declares interfaces such as
getaddrinfo if __USE_POSIX, i.e. POSIX.1:1990 or later.
However, these interfaces were new in the 2001 edition of POSIX
therefore ask for Extension from POSIX.1:2001 since we use addrinfo
structure here.

Change-Id: Icb1c92745d1a0ca958108ae80c270c630628729e
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Reviewed-on: https://boringssl-review.googlesource.com/5253
Reviewed-by: Adam Langley <agl@google.com>
2015-07-06 22:41:16 +00:00
David Benjamin
dfa4069a16 Fix MSVC build some more.
Missed that there were two of them.

Change-Id: Ibab169ef1f75be9c5ad1ffa0f232629e76a4512d
Reviewed-on: https://boringssl-review.googlesource.com/5332
Reviewed-by: Adam Langley <agl@google.com>
2015-07-02 00:02:27 +00:00
David Benjamin
3e536334be Fix Windows build.
It (incorrectly) thinks some variables are uninitialized. It also gets confused
about some const parameters.

Change-Id: Ie2b3a5336692e7293cf03d6a4cd5345d30b628b3
Reviewed-on: https://boringssl-review.googlesource.com/5330
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 23:01:05 +00:00
Matt Braithwaite
6a1275b627 typedef |COMP_METHOD| to void, for compatibility.
Change-Id: I2965c0d698e25f4eb08ddd9fc000b0e4adf6f2c0
Reviewed-on: https://boringssl-review.googlesource.com/5240
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 21:49:06 +00:00
David Benjamin
fd5603666c Call ERR_clear_error after functions that are expected to fail.
Otherwise we leave stuff in the error queue for the next test.

Change-Id: I167b7420b9d3fada69d1d35ac8132dd21a04797c
Reviewed-on: https://boringssl-review.googlesource.com/5310
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 21:47:44 +00:00
Håvard Molland
047d6f0f4d Remove ssl2.h and ssl23.h.
The SSL23_ST_foo macros are only used in ssl_stat.c.
However, these states are never set and can be removed.

Move the two remaining SSLv2 client hello record macros to ssl3.h

Change-Id: I76055405a9050cf873b4d1cbc689e54dd3490b8a
Reviewed-on: https://boringssl-review.googlesource.com/4160
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 21:47:01 +00:00
David Benjamin
cce5a98efb Remove EVP_PKEY_dup.
All callers have been moved to EVP_PKEY_up_ref. (Neither spelling exists
upstream so we only had our own callers to move.)

Change-Id: I267f14054780fe3d6dc1170b7b6ae3811a0d1a9a
Reviewed-on: https://boringssl-review.googlesource.com/5291
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 21:38:39 +00:00
David Benjamin
76e9a2ab97 Add tests for low-level AES functions.
May as well. Depending on the implementation chosen in cipher/e_aes.c,
AES_encrypt may or may not be hit, so test this entry point explicitly.

Change-Id: Icb02bf3f4b6e5ecbb9e5111f44fbb1b267ead6c3
Reviewed-on: https://boringssl-review.googlesource.com/5312
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 21:37:57 +00:00
David Benjamin
f078639d5a Test both streaming and single-shot EVP_CIPHER operations.
Run a variant of every test which feeds the input in one byte at a time.

Change-Id: I2a05372ea0fbb20484493fd14e9f3c23fbb8d875
Reviewed-on: https://boringssl-review.googlesource.com/5301
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 21:36:43 +00:00
David Benjamin
deedad1238 Fix documentation typo.
Change-Id: Iaa05acf1f775b0b35cc99e5f2c048f4e70f0a899
Reviewed-on: https://boringssl-review.googlesource.com/5300
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 21:33:29 +00:00
David Benjamin
a8653208ec Add CBB_zero to set a CBB to the zero state.
One tedious thing about using CBB is that you can't safely CBB_cleanup
until CBB_init is successful, which breaks the general 'goto err' style
of cleanup. This makes it possible:

  CBB_zero ~ EVP_MD_CTX_init
  CBB_init ~ EVP_DigestInit
  CBB_cleanup ~ EVP_MD_CTX_cleanup

Change-Id: I085ecc4405715368886dc4de02285a47e7fc4c52
Reviewed-on: https://boringssl-review.googlesource.com/5267
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:45:43 +00:00
David Benjamin
d63307199a Re-wrap kOAEPCipherText from rsa_test.
While I'm here, make them consistent with the keys.

Change-Id: Ib2804dd4f18bbb3b3735fb7772fca590e0d6d624
Reviewed-on: https://boringssl-review.googlesource.com/5266
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:40:22 +00:00
David Benjamin
cb41d77029 Fix kTwoPrimeKey and kSixPrimeKey samples in rsa_test.
They weren't valid DER. Some lengths were encoded with one more byte
than necessary.

Change-Id: I94c8c525ade835fdeca115af98ab7e5910d2aeb2
Reviewed-on: https://boringssl-review.googlesource.com/5265
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:40:04 +00:00
David Benjamin
d13a5e15d4 Fix crypto/bytestring test for too long lengths.
kData5 was meant to test lengths that are too long, but the input
gets rejected earlier for not using short-form encoding. Switch it to
testing a badly encoded element of length 128, the shortest element that
uses long-form encoding.

Change-Id: I35f4df89bfa7a681698eda569c525b5871288487
Reviewed-on: https://boringssl-review.googlesource.com/5264
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:39:16 +00:00
David Benjamin
961ad6ad2c Sign channel IDs with ECDSA_do_sign.
Rather than parse with d2i_ECDSA_SIG and reserialize, this is cleaner.
It's also clearer that i2d_PublicKey isn't being used for DER.

Change-Id: Iac57fb6badd1dfed1e66984e95a31f609b1538a4
Reviewed-on: https://boringssl-review.googlesource.com/5263
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:38:04 +00:00
David Benjamin
1db476e7a5 Include openssl/chacha.h rather than duplicate the prototype.
Less chance of problems should the prototype ever change. This doesn't
make it any more or less a circular dependency. (It actually isn't;
crypto/chacha doesn't use crypto/rand and CMakeLists.txt actually puts
rand above chacha anyway.)

Change-Id: Ia80289f801f76551737233f158755aac99ddd74a
Reviewed-on: https://boringssl-review.googlesource.com/5262
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:35:56 +00:00
David Benjamin
7e5f5944c8 Document i2d_PublicKey better.
The name is confusing. EC keys aren't serialized to DER.

DSA keys are also weird, but left alone for now. i2d_DSAPublicKey either
serializes to a DSAPublicKey per RFC 3279 if write_params is 0 or what
seems to be an OpenSSL-specific format that includes the group if
write_params is 1. See upstream's
ea6b07b54c1f8fc2275a121cdda071e2df7bd6c1.

Change-Id: I0d15140acc2d688a563b615fc6a9e3abec929753
Reviewed-on: https://boringssl-review.googlesource.com/5261
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:35:26 +00:00
David Benjamin
507b819304 Use typedef names in evp.h.
They're all forward-declared. There's no need to use the struct names.

Change-Id: I435ae2f5971128f08c730317ca644d97239f3b54
Reviewed-on: https://boringssl-review.googlesource.com/5260
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:33:44 +00:00
David Benjamin
e3aa1d9dd4 Cleanup ticket processing and session lookup.
Use more sensible variable names. Also move some work between the helpers and
s3_srvr.c a little; the session lookup functions now only return a new session.
Whether to send a ticket is now an additional output to avoid the enum
explosion around renewal. The actual SSL state is not modified.

This is somewhat cleaner as s3_srvr.c may still reject a session for other
reasons, so we avoid setting ssl->session and ssl->verify_result to a session
that wouldn't be used. (They get fixed up in ssl_get_new_session, so it didn't
actually matter.)

Change-Id: Ib52fabbe993b5e2b7408395a02cdea3dee66df7b
Reviewed-on: https://boringssl-review.googlesource.com/5235
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:33:23 +00:00
Adam Langley
5021b223d8 Convert the renegotiation extension to the new system.
This change also switches the behaviour of the client. Previously the
client would send the SCSV rather than the extension, but now it'll only
do that for SSLv3 connections.

Change-Id: I67a04b8abbef2234747c0dac450458deb6b0cd0a
Reviewed-on: https://boringssl-review.googlesource.com/5143
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 19:30:53 +00:00
Adam Langley
4cfa96bd26 Move compile-time asserts to the top-level.
It's still the case that we have many old compilers that can't cope with
anything else ☹.

Change-Id: Ie5a1987cd5164bdbde0c17effaa62aecb7d12352
Reviewed-on: https://boringssl-review.googlesource.com/5320
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 18:57:57 +00:00
Adam Langley
614c66a2f8 Add infrastructure for better extension handling.
Rather than four massive functions that handle every extension,
organise the code by extension with four smaller functions for each.

Change-Id: I876b31dacb05aca9884ed3ae7c48462e6ffe3b49
Reviewed-on: https://boringssl-review.googlesource.com/5142
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 18:25:28 +00:00
Adam Langley
be9eda4a88 Fix Renegotiate-Client-NoExt test.
This test shouldn't trigger a renegotiation: the test is trying to
assert that without the legacy-server flag set, a server that doesn't
echo the renegotiation extension can't be connected to.

Change-Id: I1368d15ebc8f296f3ff07040c0e6c48fdb49e56f
Reviewed-on: https://boringssl-review.googlesource.com/5141
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 17:56:19 +00:00
David Benjamin
705076ac91 Handle EINTR in open and dup calls in urandom.c.
Per review comment in
https://boringssl-review.googlesource.com/#/c/5302/7/crypto/rand/urandom.c

Change-Id: I9c279524a452cb97c60354213cbc6e2aeabe0bfa
Reviewed-on: https://boringssl-review.googlesource.com/5311
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 00:50:05 +00:00
David Benjamin
de24aadc5b Add RAND_set_urandom_fd.
Chromium uses a zygote process and a sandbox on Linux. In order for RAND_bytes
to be functional and guaranteed fork-safe inside the renderers, /dev/urandom
must be prewarmed. Calling RAND_bytes initializes a thread-local ChaCha20 key
when rdrand is available. So that key is fork-safe and to avoid tempting any
dragons by touching pthreads APIs before a non-exec fork, add a
RAND_set_urandom_fd API. It allows the consumer to supply the /dev/urandom fd
and promises to be fork-safe, both in initializing key material and use of
pthreads.

This doesn't affect any current shipping versions of Chrome.

BUG=462040

Change-Id: I1037e21e525918971380e4ea1371703c8237a0b0
Reviewed-on: https://boringssl-review.googlesource.com/5302
Reviewed-by: Adam Langley <agl@google.com>
2015-06-30 21:41:42 +00:00
David Benjamin
daeafc22c6 Move the session ticket functions to ssl.h.
Having them spread between ssl.h and tls1.h isn't terribly enlightening.

Change-Id: I5fec4b8e5260312b22bcef21bd4db7a8a8149ad8
Reviewed-on: https://boringssl-review.googlesource.com/5234
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:40:38 +00:00
David Benjamin
6cacac033b Promote SSL_CTX_[gs]et_tlsext_ticket_keys to functions.
BUG=404754

Change-Id: Iae75a7ab24d4aa3b30edf578cbfc1058aeadd863
Reviewed-on: https://boringssl-review.googlesource.com/5233
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:39:36 +00:00
David Benjamin
cb3872f546 Sort the preprocessor compatibility section.
Using the original numerical order made more sense before they were changed to
doesnt_exist.

BUG=404754

Change-Id: I2971eff7c6fbe7c5d340b103de71bbfa180f1f96
Reviewed-on: https://boringssl-review.googlesource.com/5232
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:36:37 +00:00
David Benjamin
bed63548d1 Increment the reference count of sessions inside the lock.
Otherwise another thread may cause the session to be destroyed first.

Change-Id: I2084a28ece11540e1b8f289553161d99395e2d1f
Reviewed-on: https://boringssl-review.googlesource.com/5231
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:35:51 +00:00
David Benjamin
d98452d2db Add a test for the ticket callback.
Change-Id: I7b2a4f617bd8d49c86fdaaf45bf67e0170bbd44f
Reviewed-on: https://boringssl-review.googlesource.com/5230
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:34:11 +00:00
David Benjamin
65ee9b7ce9 Remove EVP_PKEY_HMAC.
This removes EVP_PKEY_HMAC and all the support code around it. EVP_MD requires
a lot of extra glue to support HMAC. This lets us prune it all away.

As a bonus, it removes a (minor) dependency from EVP to the legacy ASN.1 stack.

Change-Id: I5a9e3e39f518429828dbf13d14647fb37d9dc35a
Reviewed-on: https://boringssl-review.googlesource.com/5120
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 00:03:02 +00:00
Adam Langley
a59347eb4c RAND_set_rand_method takes a const parameter.
Change-Id: I37e7c00deeb74aa0b71ee0d3a242d33d4d413cf0
2015-06-24 17:02:15 -07:00
Matt Braithwaite
3e5e99d834 Dummy |RAND_set_rand_method|, |RAND_egd|, and |RAND_SSLeay|.
Change-Id: Ide555c77748b4ba8106f69b037e5ff78d81a56dc
Reviewed-on: https://boringssl-review.googlesource.com/5220
Reviewed-by: Adam Langley <agl@google.com>
2015-06-24 23:53:29 +00:00
Matt Braithwaite
50365f25ba Restore |DES_ede3_cfb_encrypt| and |DES_ede3_cfb64_encrypt| from OpenSSL at ce7e647b.
Change-Id: I7ab7ea3cdabc697b2945a50c8d8f349d6b408848
Reviewed-on: https://boringssl-review.googlesource.com/5211
Reviewed-by: Adam Langley <agl@google.com>
2015-06-24 01:33:31 +00:00
Adam Langley
b3cda6565a Fix signed/unsigned warnings for MSVC.
c0fe12cd broke the Windows build because of signed/unsigned compares.

Change-Id: Ie63246a60d51a8ccab17d4e2af8d155ed31b7b0a
2015-06-23 15:46:00 -07:00
Matt Braithwaite
c0fe12cdf7 Restore |X509_REQ_print| and friends, from OpenSSL at ce7e647b.
Change-Id: Id388510834ac30b0dbccfef0b8276f57656f1dfd
Reviewed-on: https://boringssl-review.googlesource.com/5210
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 22:36:52 +00:00
Adam Langley
248abbd71f Add missing comma in .type pragma for rdrand code.
This tripped up some version of GCC or Clang.

Change-Id: I925423558f188ce39b65b2e2ecd01bf009fab071
2015-06-23 15:01:45 -07:00
Matt Braithwaite
4cd4edfc34 Restore |ERR_print_errors()|.
Change-Id: If289c4aa2804727d6c5e8386b5a2b559cf006415
Reviewed-on: https://boringssl-review.googlesource.com/5152
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:41:24 +00:00
Matt Braithwaite
1cb49cd2ac Restore |RSA_generate_key()| from OpenSSL at b4f0d1a.
The callback arguments are required to be NULL.

Change-Id: I266ec46efdaca411a7f0c2b645883b2c5bec1c96
Reviewed-on: https://boringssl-review.googlesource.com/5160
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:37:49 +00:00
Matt Braithwaite
e17d45f069 Restore |BIO_f_base64| from OpenSSL at b4f0d1a, modulo style fixes.
Change-Id: Ia7f4f4f6d063d882cf3d3ac0f5f33ad8d8cd9875
Reviewed-on: https://boringssl-review.googlesource.com/5151
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:20:04 +00:00
Adam Langley
9eaf07d460 Emit #if guards for ARM assembly files.
This change causes the generated assembly files for ARM and AArch64 to
have #if guards for __arm__ and __aarch64__, respectively. Since
building on ARM is only supported for Linux, we only have to worry about
GCC/Clang's predefines.

Change-Id: I7198eab6230bcfc26257f0fb6a0cc3166df0bb29
Reviewed-on: https://boringssl-review.googlesource.com/5173
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:00:32 +00:00
Adam Langley
2cac3506fa Handle RDRAND failures.
I mistakenly believed that only RDSEED could fail. However, the Intel
manuals state that RDRAND can fail too.

I can't actually observe it failing, even with all cores running RDRAND in a
tight loop. In any case, the ChaCha20 masking means that it wouldn't be
a big deal anyway.

Still, this change tests the carry flag after RDRAND and the code falls
back to |CRYPTO_sysrand| if RDRAND has a hiccup. (The Intel manuals
suggest[1] calling RDRAND in a loop, ten times, before considering it to
have failed. But a single failure appears to be such a rare event that
the complexity in the asm code doesn't seem worth it.)

This change also adds an asm function to fill a buffer with random data.
Otherwise the overhead of calling |CRYPTO_rdrand|, and bouncing the data
in and out of memory starts to add up.

Thanks to W. Mark Kubacki, who may have reported this. (There's some
confusion in the bug report.)

Before:

Did 6148000 RNG (16 bytes) operations in 1000080us: 98.4 MB/s
Did 649000 RNG (256 bytes) operations in 1000281us: 166.1 MB/s
Did 22000 RNG (8192 bytes) operations in 1033538us: 174.4 MB/s

After:

Did 6573000 RNG (16 bytes) operations in 1000002us: 105.2 MB/s
Did 693000 RNG (256 bytes) operations in 1000127us: 177.4 MB/s
Did 24000 RNG (8192 bytes) operations in 1028466us: 191.2 MB/s

[1] Intel Reference Manual, section 7.3.17.1.

Change-Id: Iba7f82e844ebacef535472a31f2dd749aad1190a
Reviewed-on: https://boringssl-review.googlesource.com/5180
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 20:56:33 +00:00
David Benjamin
50f54e2a5f AEADs don't go through ENGINE.
They'll probably stay that way too, so document it as being an ignored
parameter.

Change-Id: Iff385715f5413290a7186c38ea9ef2dd4fce9b38
Reviewed-on: https://boringssl-review.googlesource.com/5175
Reviewed-by: Adam Langley <agl@google.com>
2015-06-22 23:59:40 +00:00
Matt Braithwaite
e65886a520 dsa_pub_encode: Write out DSA parameters (p, q, g) in addition to key.
Change-Id: Id5ea49fc43aacfd1d348b2a230c9745484bed852
Reviewed-on: https://boringssl-review.googlesource.com/5174
Reviewed-by: Adam Langley <agl@google.com>
2015-06-22 23:58:26 +00:00
William Hesse
c618c402a5 Give generated assembly files different names for arm and aarch64.
Change-Id: I843e43ec56e14a2697bbdd5d6093fdb4d7cf15c2
Reviewed-on: https://boringssl-review.googlesource.com/5200
Reviewed-by: Adam Langley <agl@google.com>
2015-06-22 23:29:45 +00:00
Adam Langley
bc94929290 bssl_shim: move large buffer to heap.
This change reduces the amount of stack needed by bssl_shim by moving a
large buffer to the heap.

Change-Id: I3a4bcf119218d98046ff15320433a1012be1615d
2015-06-18 21:32:44 -07:00
Adam Langley
8de7aef05e Add a GCM test with non-standard nonce length.
AES-GCM should have a 12-byte nonce. However, non-standard nonce sizes
are defined by NIST and, although they are a bad idea, people have used
them because they've confused an IV with an nonce and passed in a
16-byte nonce.

This change adds a test for this.

Change-Id: If1efa1aaa19f0119ad4cab9a02a6417c040f45b2
2015-06-18 17:35:59 -07:00