Commit Graph

1539 Commits

Author SHA1 Message Date
Adam Langley
be9eda4a88 Fix Renegotiate-Client-NoExt test.
This test shouldn't trigger a renegotiation: the test is trying to
assert that without the legacy-server flag set, a server that doesn't
echo the renegotiation extension can't be connected to.

Change-Id: I1368d15ebc8f296f3ff07040c0e6c48fdb49e56f
Reviewed-on: https://boringssl-review.googlesource.com/5141
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 17:56:19 +00:00
David Benjamin
705076ac91 Handle EINTR in open and dup calls in urandom.c.
Per review comment in
https://boringssl-review.googlesource.com/#/c/5302/7/crypto/rand/urandom.c

Change-Id: I9c279524a452cb97c60354213cbc6e2aeabe0bfa
Reviewed-on: https://boringssl-review.googlesource.com/5311
Reviewed-by: Adam Langley <agl@google.com>
2015-07-01 00:50:05 +00:00
David Benjamin
de24aadc5b Add RAND_set_urandom_fd.
Chromium uses a zygote process and a sandbox on Linux. In order for RAND_bytes
to be functional and guaranteed fork-safe inside the renderers, /dev/urandom
must be prewarmed. Calling RAND_bytes initializes a thread-local ChaCha20 key
when rdrand is available. So that key is fork-safe and to avoid tempting any
dragons by touching pthreads APIs before a non-exec fork, add a
RAND_set_urandom_fd API. It allows the consumer to supply the /dev/urandom fd
and promises to be fork-safe, both in initializing key material and use of
pthreads.

This doesn't affect any current shipping versions of Chrome.

BUG=462040

Change-Id: I1037e21e525918971380e4ea1371703c8237a0b0
Reviewed-on: https://boringssl-review.googlesource.com/5302
Reviewed-by: Adam Langley <agl@google.com>
2015-06-30 21:41:42 +00:00
David Benjamin
daeafc22c6 Move the session ticket functions to ssl.h.
Having them spread between ssl.h and tls1.h isn't terribly enlightening.

Change-Id: I5fec4b8e5260312b22bcef21bd4db7a8a8149ad8
Reviewed-on: https://boringssl-review.googlesource.com/5234
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:40:38 +00:00
David Benjamin
6cacac033b Promote SSL_CTX_[gs]et_tlsext_ticket_keys to functions.
BUG=404754

Change-Id: Iae75a7ab24d4aa3b30edf578cbfc1058aeadd863
Reviewed-on: https://boringssl-review.googlesource.com/5233
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:39:36 +00:00
David Benjamin
cb3872f546 Sort the preprocessor compatibility section.
Using the original numerical order made more sense before they were changed to
doesnt_exist.

BUG=404754

Change-Id: I2971eff7c6fbe7c5d340b103de71bbfa180f1f96
Reviewed-on: https://boringssl-review.googlesource.com/5232
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:36:37 +00:00
David Benjamin
bed63548d1 Increment the reference count of sessions inside the lock.
Otherwise another thread may cause the session to be destroyed first.

Change-Id: I2084a28ece11540e1b8f289553161d99395e2d1f
Reviewed-on: https://boringssl-review.googlesource.com/5231
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:35:51 +00:00
David Benjamin
d98452d2db Add a test for the ticket callback.
Change-Id: I7b2a4f617bd8d49c86fdaaf45bf67e0170bbd44f
Reviewed-on: https://boringssl-review.googlesource.com/5230
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 22:34:11 +00:00
David Benjamin
65ee9b7ce9 Remove EVP_PKEY_HMAC.
This removes EVP_PKEY_HMAC and all the support code around it. EVP_MD requires
a lot of extra glue to support HMAC. This lets us prune it all away.

As a bonus, it removes a (minor) dependency from EVP to the legacy ASN.1 stack.

Change-Id: I5a9e3e39f518429828dbf13d14647fb37d9dc35a
Reviewed-on: https://boringssl-review.googlesource.com/5120
Reviewed-by: Adam Langley <agl@google.com>
2015-06-25 00:03:02 +00:00
Adam Langley
a59347eb4c RAND_set_rand_method takes a const parameter.
Change-Id: I37e7c00deeb74aa0b71ee0d3a242d33d4d413cf0
2015-06-24 17:02:15 -07:00
Matt Braithwaite
3e5e99d834 Dummy |RAND_set_rand_method|, |RAND_egd|, and |RAND_SSLeay|.
Change-Id: Ide555c77748b4ba8106f69b037e5ff78d81a56dc
Reviewed-on: https://boringssl-review.googlesource.com/5220
Reviewed-by: Adam Langley <agl@google.com>
2015-06-24 23:53:29 +00:00
Matt Braithwaite
50365f25ba Restore |DES_ede3_cfb_encrypt| and |DES_ede3_cfb64_encrypt| from OpenSSL at ce7e647b.
Change-Id: I7ab7ea3cdabc697b2945a50c8d8f349d6b408848
Reviewed-on: https://boringssl-review.googlesource.com/5211
Reviewed-by: Adam Langley <agl@google.com>
2015-06-24 01:33:31 +00:00
Adam Langley
b3cda6565a Fix signed/unsigned warnings for MSVC.
c0fe12cd broke the Windows build because of signed/unsigned compares.

Change-Id: Ie63246a60d51a8ccab17d4e2af8d155ed31b7b0a
2015-06-23 15:46:00 -07:00
Matt Braithwaite
c0fe12cdf7 Restore |X509_REQ_print| and friends, from OpenSSL at ce7e647b.
Change-Id: Id388510834ac30b0dbccfef0b8276f57656f1dfd
Reviewed-on: https://boringssl-review.googlesource.com/5210
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 22:36:52 +00:00
Adam Langley
248abbd71f Add missing comma in .type pragma for rdrand code.
This tripped up some version of GCC or Clang.

Change-Id: I925423558f188ce39b65b2e2ecd01bf009fab071
2015-06-23 15:01:45 -07:00
Matt Braithwaite
4cd4edfc34 Restore |ERR_print_errors()|.
Change-Id: If289c4aa2804727d6c5e8386b5a2b559cf006415
Reviewed-on: https://boringssl-review.googlesource.com/5152
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:41:24 +00:00
Matt Braithwaite
1cb49cd2ac Restore |RSA_generate_key()| from OpenSSL at b4f0d1a.
The callback arguments are required to be NULL.

Change-Id: I266ec46efdaca411a7f0c2b645883b2c5bec1c96
Reviewed-on: https://boringssl-review.googlesource.com/5160
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:37:49 +00:00
Matt Braithwaite
e17d45f069 Restore |BIO_f_base64| from OpenSSL at b4f0d1a, modulo style fixes.
Change-Id: Ia7f4f4f6d063d882cf3d3ac0f5f33ad8d8cd9875
Reviewed-on: https://boringssl-review.googlesource.com/5151
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:20:04 +00:00
Adam Langley
9eaf07d460 Emit #if guards for ARM assembly files.
This change causes the generated assembly files for ARM and AArch64 to
have #if guards for __arm__ and __aarch64__, respectively. Since
building on ARM is only supported for Linux, we only have to worry about
GCC/Clang's predefines.

Change-Id: I7198eab6230bcfc26257f0fb6a0cc3166df0bb29
Reviewed-on: https://boringssl-review.googlesource.com/5173
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 21:00:32 +00:00
Adam Langley
2cac3506fa Handle RDRAND failures.
I mistakenly believed that only RDSEED could fail. However, the Intel
manuals state that RDRAND can fail too.

I can't actually observe it failing, even with all cores running RDRAND in a
tight loop. In any case, the ChaCha20 masking means that it wouldn't be
a big deal anyway.

Still, this change tests the carry flag after RDRAND and the code falls
back to |CRYPTO_sysrand| if RDRAND has a hiccup. (The Intel manuals
suggest[1] calling RDRAND in a loop, ten times, before considering it to
have failed. But a single failure appears to be such a rare event that
the complexity in the asm code doesn't seem worth it.)

This change also adds an asm function to fill a buffer with random data.
Otherwise the overhead of calling |CRYPTO_rdrand|, and bouncing the data
in and out of memory starts to add up.

Thanks to W. Mark Kubacki, who may have reported this. (There's some
confusion in the bug report.)

Before:

Did 6148000 RNG (16 bytes) operations in 1000080us: 98.4 MB/s
Did 649000 RNG (256 bytes) operations in 1000281us: 166.1 MB/s
Did 22000 RNG (8192 bytes) operations in 1033538us: 174.4 MB/s

After:

Did 6573000 RNG (16 bytes) operations in 1000002us: 105.2 MB/s
Did 693000 RNG (256 bytes) operations in 1000127us: 177.4 MB/s
Did 24000 RNG (8192 bytes) operations in 1028466us: 191.2 MB/s

[1] Intel Reference Manual, section 7.3.17.1.

Change-Id: Iba7f82e844ebacef535472a31f2dd749aad1190a
Reviewed-on: https://boringssl-review.googlesource.com/5180
Reviewed-by: Adam Langley <agl@google.com>
2015-06-23 20:56:33 +00:00
David Benjamin
50f54e2a5f AEADs don't go through ENGINE.
They'll probably stay that way too, so document it as being an ignored
parameter.

Change-Id: Iff385715f5413290a7186c38ea9ef2dd4fce9b38
Reviewed-on: https://boringssl-review.googlesource.com/5175
Reviewed-by: Adam Langley <agl@google.com>
2015-06-22 23:59:40 +00:00
Matt Braithwaite
e65886a520 dsa_pub_encode: Write out DSA parameters (p, q, g) in addition to key.
Change-Id: Id5ea49fc43aacfd1d348b2a230c9745484bed852
Reviewed-on: https://boringssl-review.googlesource.com/5174
Reviewed-by: Adam Langley <agl@google.com>
2015-06-22 23:58:26 +00:00
William Hesse
c618c402a5 Give generated assembly files different names for arm and aarch64.
Change-Id: I843e43ec56e14a2697bbdd5d6093fdb4d7cf15c2
Reviewed-on: https://boringssl-review.googlesource.com/5200
Reviewed-by: Adam Langley <agl@google.com>
2015-06-22 23:29:45 +00:00
Adam Langley
bc94929290 bssl_shim: move large buffer to heap.
This change reduces the amount of stack needed by bssl_shim by moving a
large buffer to the heap.

Change-Id: I3a4bcf119218d98046ff15320433a1012be1615d
2015-06-18 21:32:44 -07:00
Adam Langley
8de7aef05e Add a GCM test with non-standard nonce length.
AES-GCM should have a 12-byte nonce. However, non-standard nonce sizes
are defined by NIST and, although they are a bad idea, people have used
them because they've confused an IV with an nonce and passed in a
16-byte nonce.

This change adds a test for this.

Change-Id: If1efa1aaa19f0119ad4cab9a02a6417c040f45b2
2015-06-18 17:35:59 -07:00
Adam Langley
5148c67e43 Suggest building at Android API level 16.
Android >= L requires that binaries be position independent. However,
this is only enabled with API level 16 or above. Since developers are
likely to have modern Android versions, suggest API level 16 in the
BUILDING file to save someone in the future having to figure this out.

Change-Id: I66db7228e3d6fef0aa8dcfcfff67a71cb630a2b9
2015-06-18 17:32:29 -07:00
Matt Braithwaite
7e8f2baeb7 Restore implementation of |NETSCAPE_SPKI_verify|.
Change-Id: I42c185a47af7e96e000ec1704e046b33a8571d1e
Reviewed-on: https://boringssl-review.googlesource.com/5153
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 23:41:42 +00:00
David Benjamin
ba4594aee6 Don't put sessions from renegotiations in the cache.
Rather than rely on Chromium to query SSL_initial_handshake_complete in the
callback (which didn't work anyway because the callback is called afterwards),
move the logic into BoringSSL. BoringSSL already enforces that clients never
offer resumptions on renegotiation (it wouldn't work well anyway as client
session cache lookup is external), so it's reasonable to also implement
in-library that sessions established on a renegotiation are not cached.

Add a bunch of tests that new_session_cb is called when expected.

BUG=501418

Change-Id: I42d44c82b043af72b60a0f8fdb57799e20f13ed5
Reviewed-on: https://boringssl-review.googlesource.com/5171
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 23:40:51 +00:00
David Benjamin
91eab5c9df Move all the bssl_shim handshake checks to their own function.
DoExchange is getting unwieldy.

Change-Id: I4eae6eb7471d1bb53b5305191dd9c52bb097a24f
Reviewed-on: https://boringssl-review.googlesource.com/5172
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 23:34:59 +00:00
Adam Langley
288d8d5ada runner: prepend the resource directory for async-signing tests.
b4d65fda70 was written concurrently with
my updating runner to handle -resource-dir (in
7c803a65d5) and thus it didn't include the
needed change for the test that it added to handle it.

This change fixes that added test so that it can run with -resource-dir.

Change-Id: I06b0adfb3fcf3f11c061fe1c8332a45cd7cd2dbc
2015-06-18 16:24:31 -07:00
Adam Langley
6b40394638 Revert "Restore ocsp.h, with (just) the CRLReason enum from RFC 2459."
This reverts commit d213885c04.

It's in x509v3.h under the name |CRL_REASON_*|.
2015-06-18 16:16:05 -07:00
Matt Braithwaite
d213885c04 Restore ocsp.h, with (just) the CRLReason enum from RFC 2459.
Change-Id: If4e53858b5c6ab4467da50fb24f1fad6974b49f3
Reviewed-on: https://boringssl-review.googlesource.com/5154
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 23:07:38 +00:00
Matt Braithwaite
979c87add8 pem_lib: make |cipher_by_name| recognize some more ciphers.
Change-Id: I3130eec5d902ad22d1af185556955ff806b05097
Reviewed-on: https://boringssl-review.googlesource.com/5150
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 23:04:46 +00:00
David Benjamin
7244fa46f7 Expose ECDSA_SIG_max_len to size a DER ECDSA-Sig-Value.
Also implement it without reference to crypto/asn1 or fake ASN1_INTEGERs and
add a test. Some platform crypto APIs only give back the key size, and not the
encoded signature length. No sense in implementing it twice.

BUG=347404,499653

Change-Id: I9aa27d52674375f8b036e57bb5850f091c9b25dd
Reviewed-on: https://boringssl-review.googlesource.com/5080
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 22:23:12 +00:00
David Benjamin
b4d65fda70 Implement asynchronous private key operations for client auth.
This adds a new API, SSL_set_private_key_method, which allows the consumer to
customize private key operations. For simplicity, it is incompatible with the
multiple slots feature (which will hopefully go away) but does not, for now,
break it.

The new method is only routed up for the client for now. The server will
require a decrypt hook as well for the plain RSA key exchange.

BUG=347404

Change-Id: I35d69095c29134c34c2af88c613ad557d6957614
Reviewed-on: https://boringssl-review.googlesource.com/5049
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 22:14:51 +00:00
David Benjamin
680ca961f9 Preserve session->sess_cert on ticket renewal.
Turns out the safer/simpler method still wasn't quite right. :-)
session->sess_cert isn't serialized and deserialized, which is poor. Duplicate
it manually for now. Leave a TODO to get rid of that field altogether as it's
not especially helpful. The certificate-related fields should be in the
session. The others probably have no reason to be preserved on resumptions at
all.

Test by making bssl_shim.cc assert the peer cert chain is there or not as
expected.

BUG=501220

Change-Id: I44034167629720d6e2b7b0b938d58bcab3ab0abe
Reviewed-on: https://boringssl-review.googlesource.com/5170
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 17:53:57 +00:00
David Benjamin
d65bb78c6c Add SSL_initial_handshake_complete.
To account for the changes in ticket renewal, Chromium will need to listen for
new_session_cb to determine whether the handshake produced a new session.
Chromium currently never caches sessions produced on a renegotiation. To retain
that behavior, it'll need to know whether new_session_cb is initial or not.
Rather than maintain duplicate state and listen for SSL_HANDSHAKE_DONE, it's
simpler to just let it query ssl->s3->initial_handshake_complete.

BUG=501418

Change-Id: Ib2f2541460bd09cf16106388e9cfdf3662e02681
Reviewed-on: https://boringssl-review.googlesource.com/5126
Reviewed-by: Adam Langley <agl@google.com>
2015-06-18 17:46:33 +00:00
David Benjamin
b0acb7743f Export pkcs1_prefixed_msg as RSA_add_pkcs1_prefix.
Platform crypto APIs for PKCS#1 RSA signatures vary between expecting the
caller to prepend the DigestInfo prefix (RSA_sign_raw) and prepending it
internally (RSA_sign). Currently, Chromium implements sign or sign_raw as
appropriate. To avoid needing both variants, the new asynchronous methods will
only expose the higher-level one, sign.

To satisfy ports which previously implemented sign_raw, expose the DigestInfo
prefix as a utility function.

BUG=347404

Change-Id: I04c397b5e9502b2942f6698ecf81662a3c9282e6
Reviewed-on: https://boringssl-review.googlesource.com/4940
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 19:09:45 +00:00
David Benjamin
d87021d246 Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

(Imported from upstream's 9bc3665ac9e3c36f7762acd3691e1115d250b030)

Change-Id: I2091b2d1b691c177d58dc7960e2e7eb4c97b1f69
Reviewed-on: https://boringssl-review.googlesource.com/5124
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 19:07:15 +00:00
David Benjamin
184494dfcc Raise SIGTRAP rather than abort on failure.
If gdb is attached, it's convenient to be able to continue running.

Change-Id: I3bbb2634d05a08f6bad5425f71da2210dbb80cfe
Reviewed-on: https://boringssl-review.googlesource.com/5125
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:25:30 +00:00
Adam Langley
7c803a65d5 Allow runner to run from anywhere.
This change adds flags to runner to allow it to be sufficiently
configured that it can run from any directory.

Change-Id: I82c08da4ffd26c5b11637480b0a79eaba0904d38
Reviewed-on: https://boringssl-review.googlesource.com/5130
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:24:36 +00:00
David Benjamin
11fc66a04c DTLS fragments may not be split across two records.
See also upstream's 9dcab127e14467733523ff7626da8906e67eedd6. The root problem
is dtls1_read_bytes is wrong, but we can get the right behavior now and add a
regression test for it before cleaning it up.

Change-Id: I4e5c39ab254a872d9f64242c9b77b020bdded6e6
Reviewed-on: https://boringssl-review.googlesource.com/5123
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:20:56 +00:00
David Benjamin
95d3182576 Duplicate SSL_SESSIONs when renewing them.
See also upstream's 27c76b9b8010b536687318739c6f631ce4194688, CVE-2015-1791.
Rather than write a dup function, serializing and deserializing the object is
simpler. It also fixes a bug in the original fix where it never calls
new_session_cb to store the new session (for clients which use that callback;
how clients should handle the session cache is much less clear).

The old session isn't pruned as we haven't processed the Finished message yet.
RFC 5077 says:

   The server MUST NOT assume that the client actually received the updated
   ticket until it successfully verifies the client's Finished message.

Moreover, because network messages are asynchronous, a new SSL connection may
have began just before the client received the new ticket, so any such servers
are broken regardless.

Change-Id: I13b3dc986dc58ea2ce66659dbb29e14cd02a641b
Reviewed-on: https://boringssl-review.googlesource.com/5122
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:15:12 +00:00
David Benjamin
fd67aa8c95 Add SSL_SESSION_from_bytes.
Mirrors SSL_SESSION_to_bytes. It avoids having to deal with object-reuse, the
non-size_t length parameter, and trailing data. Both it and the object-reuse
variant back onto an unexposed SSL_SESSION_parse which reads a CBS.

Note that this changes the object reuse story slightly. It's now merely an
optional output pointer that frees its old contents. No d2i_SSL_SESSION
consumer in Google that's built does reuse, much less reuse with the assumption
that the top-level object won't be overridden.

Change-Id: I5cb8522f96909bb222cab0f342423f2dd7814282
Reviewed-on: https://boringssl-review.googlesource.com/5121
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:12:39 +00:00
Adam Langley
cc7e11f2af Define OPENSSL_64_BIT for PowerPC chips.
We had aarch64 handled twice, which was a mistake.

Change-Id: Id27fc86cb701a87c11c54b98534108f87e49262d
Reviewed-on: https://boringssl-review.googlesource.com/5131
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:09:33 +00:00
Adam Langley
9c164b26bf Output test configs for Bazel builds.
This change amends generate_build_files.py so that Bazel output includes
rules for the (no-Go) tests.

Change-Id: I0c8dca599d6f828191eb665332af3193c650bc1a
Reviewed-on: https://boringssl-review.googlesource.com/5102
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:07:58 +00:00
Adam Langley
117da41b7f Move test configuration into a separate file.
Change-Id: I4e84a5fa1c73ed3da06d5a277df4eb2a85a6534a
Reviewed-on: https://boringssl-review.googlesource.com/5100
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:07:42 +00:00
Adam Langley
a89fac585f Rename tabtest.c and v3nametest.c
The binaries for these already have underscores in, best to have the
source files match.

Change-Id: I32a419f32ec7786fe2537d061eb0706a7bc73f4a
Reviewed-on: https://boringssl-review.googlesource.com/5101
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:07:27 +00:00
Adam Langley
049ef415c5 Updates to the build-file generation script.
This change adds ‘android-standalone’ and ‘bazel’ targets to the
build-file generation script. It also allows multiple build outputs to
be written in one invocation, which saves the cost of Perl to build all
the assembly files multiple times.

Note that this will require changes to the Chromium GYP files when its
rolled out because “boringssl_lib_sources” has been broken into
“boringssl_crypto_sources” and “boringssl_ssl_sources”.

Change-Id: Icfe9678d08fba74fd215cf92521831e9cdc265da
Reviewed-on: https://boringssl-review.googlesource.com/5070
Reviewed-by: Adam Langley <agl@google.com>
2015-06-16 18:07:12 +00:00
David Benjamin
2b2b0f909d Set errno to ENOMEM when simulating a malloc failure.
Per malloc(3):

    The  UNIX  98  standard requires malloc(), calloc(), and realloc() to set
    errno to ENOMEM upon failure.  Glibc assumes that this is done (and the
    glibc versions of these routines do this); if you use a private malloc
    implementation that does not set errno, then certain library routines may
    fail without having a reason in errno.

Notably, thread_test otherwise fails an assertion deep in glibc.

Change-Id: Ia2c0ab306987476e7d6570d4bbf04a2641398925
Reviewed-on: https://boringssl-review.googlesource.com/5111
Reviewed-by: Adam Langley <agl@google.com>
2015-06-15 17:53:08 +00:00