Commit Graph

2635 Commits

Author SHA1 Message Date
David Benjamin
9158637142 Make SHA256_Final actually only return one.
As with SHA512_Final, use the different APIs rather than store md_len.

Change-Id: Ie1150de6fefa96f283d47aa03de0f18de38c93eb
Reviewed-on: https://boringssl-review.googlesource.com/7722
Reviewed-by: Adam Langley <agl@google.com>
2016-04-27 18:46:17 +00:00
David Benjamin
a90aa64302 Pull HASH_MAKE_STRING out of md32_common.h.
This is in preparation for taking md_len out of SHA256_CTX by allowing us to do
something similar to SHA512_CTX. md32_common.h now emits a static "finish"
function which Final composes with the extraction step.

Change-Id: I314fb31e2482af642fd280500cc0e4716aef1ac6
Reviewed-on: https://boringssl-review.googlesource.com/7721
Reviewed-by: Adam Langley <agl@google.com>
2016-04-27 18:45:12 +00:00
David Benjamin
e3118b8dc4 Fix Windows build.
Change-Id: Ie35b8d0e2da0f7d2588c4a436fc4b2b2596aaf18
Reviewed-on: https://boringssl-review.googlesource.com/7791
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-27 18:44:58 +00:00
David Benjamin
c0d8b83b44 Make SHA512_Final actually only return one.
Rather than store md_len, factor out the common parts of SHA384_Final and
SHA512_Final and then extract the right state. Also add a missing
SHA384_Transform and be consistent about "1" vs "one" in comments.

This also removes the NULL output special-case which no other hash function
had.

Change-Id: If60008bae7d7d5b123046a46d8fd64139156a7c5
Reviewed-on: https://boringssl-review.googlesource.com/7720
Reviewed-by: Adam Langley <agl@google.com>
2016-04-27 18:42:37 +00:00
David Benjamin
3baee2a495 Banish SSL_add_dir_cert_subjects_to_stack and OPENSSL_DIR_CTX to decrepit.
There was only one function that required BoringSSL to know how to read
directories. Unfortunately, it does have some callers and it's not immediately
obvious whether the code is unreachable. Rather than worry about that, just
toss it all into decrepit.

In doing so, do away with the Windows and PNaCl codepaths. Only implement
OPENSSL_DIR_CTX on Linux.

Change-Id: Ie64d20254f2f632fadc3f248bbf5a8293ab2b451
Reviewed-on: https://boringssl-review.googlesource.com/7661
Reviewed-by: Adam Langley <agl@google.com>
2016-04-27 18:40:25 +00:00
Adam Langley
724dcbf5e2 Correct markdown misinterpretation.
The term “#define”, when the line breaking happens to put at the
beginning of a line, confuses markdown. This change escapes the '#'.

Change-Id: I8300324f9e8c7561f32aba6fa29c0132a188a58b
2016-04-27 11:09:31 -07:00
Adam Langley
a081423809 Add document about incorporating BoringSSL into a project.
Change-Id: Ia825300bae236e3133dd9a19313b7f5450f0c8e2
Reviewed-on: https://boringssl-review.googlesource.com/7781
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-27 18:04:37 +00:00
David Benjamin
a9959f2f50 Work around Android mingw issues.
The copy of mingw-w64 used by Android isn't new enough and is missing half of
the INIT_ONCE definitions. (But not the other half, strangely.) Work around
this for now.

Change-Id: I5c7e89db481f932e03477e50cfb3cbacaeb630e6
Reviewed-on: https://boringssl-review.googlesource.com/7790
Reviewed-by: Adam Langley <agl@google.com>
2016-04-27 14:36:23 +00:00
Adam Langley
7909aa7c23 Pass array by reference in newhope speed test.
This is another thing that MSVC can't cope with:

..\tool\speed.cc(537) : error C2536: 'SpeedNewHope::<⋯>::SpeedNewHope::<⋯>::clientmsg' : cannot specify explicit initializer for arrays

Change-Id: I6b4cb430895f7794e9cef1b1c12b57ba5d537c64
2016-04-26 16:31:38 -07:00
Adam Langley
e75f0530a0 More fixes for MSVC.
Change-Id: I2cde4d99974a28126452bb66c6e176b92b7f0bc9
2016-04-26 16:25:31 -07:00
Adam Langley
bc57d55c9f Corrupt the newhope secret key directly.
Rather than use an internal function in a test (which would need an
OPENSSL_EXPORT to work in a shared-library build), this change corrupts
the secret key directly.

Change-Id: Iee501910b23a0affaa0639dcc773d6ea2d0c5a82
Reviewed-on: https://boringssl-review.googlesource.com/7780
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2016-04-26 23:20:47 +00:00
Matt Braithwaite
945cf9a131 newhope: MSVC can't size array using static size_t
Change-Id: I5060b1a3e800db21d2205f11951b4ad8a5986133
Reviewed-on: https://boringssl-review.googlesource.com/7770
Reviewed-by: Adam Langley <agl@google.com>
2016-04-26 23:07:16 +00:00
Matt Braithwaite
045a0ffe35 Import `newhope' (post-quantum key exchange).
This derives from the reference implementation:

Source: https://github.com/tpoeppelmann/newhope/tree/master/ref at bc06c1ac
Paper: https://eprint.iacr.org/2015/1092

However, it does not interoperate, due to the replacement of SHAKE-128
with AES-CTR (for polynomial generation) and the replacement of SHA-3
with SHA-256 (for key whitening).

Change-Id: I6a55507aea85331245e2fbd41bae5cc049fdca3c
Reviewed-on: https://boringssl-review.googlesource.com/7690
Reviewed-by: Adam Langley <agl@google.com>
2016-04-26 22:53:59 +00:00
David Benjamin
c25d2e6379 Resolve -Wextern-c-compat warnings with OPENSSL_NO_THREADS.
C and C++ disagree on the sizes of empty structs, which can be rather bad for
structs embedded in public headers. Stick a char in them to avoid issues. (It
doesn't really matter for CRYPTO_STATIC_MUTEX, but it's easier to add a char in
there too.)

Thanks to Andrew Chi for reporting this issue.

Change-Id: Ic54fff710b688decaa94848e9c7e1e73f0c58fd3
Reviewed-on: https://boringssl-review.googlesource.com/7760
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-26 22:19:51 +00:00
Steven Valdez
ede2e2c5ce Fix buffer overrun in ASN1_parse() and signed/unsigned warning.
(Imported from upstream's 2442382e11c022aaab4fdc6975bd15d5a75c4db2 and
0ca67644ddedfd656d43a6639d89a6236ff64652)

Change-Id: I601ef07e39f936e8f3e30412fd90cd339d712dc4
Reviewed-on: https://boringssl-review.googlesource.com/7742
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-26 18:49:09 +00:00
Steven Valdez
b32a9151da Ensure we check i2d_X509 return val
The i2d_X509() function can return a negative value on error. Therefore
we should make sure we check it.

Issue reported by Yuan Jochen Kang.

(Imported from upstream's 8f43c80bfac15544820739bf035df946eeb603e8)

Change-Id: If247d5bf1d792eb7c6dc179b606ed21ea0ccdbb8
Reviewed-on: https://boringssl-review.googlesource.com/7743
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-26 17:12:01 +00:00
Steven Valdez
14b07a02a6 Harden ASN.1 BIO handling of large amounts of data.
If the ASN.1 BIO is presented with a large length field read it in
chunks of increasing size checking for EOF on each read. This prevents
small files allocating excessive amounts of data.

CVE-2016-2109

Thanks to Brian Carpenter for reporting this issue.

(Imported from upstream's f32774087f7b3db1f789688368d16d917757421e)

Change-Id: Id1b0d4436c4879d0ba7d3b7482b937cafffa28f7
Reviewed-on: https://boringssl-review.googlesource.com/7741
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-26 17:06:16 +00:00
David Benjamin
f040d3c7e1 Fix build.
Forgot to mark something static.

Change-Id: I497075d0ad27e2062f84528fb568b333e72a7d3b
Reviewed-on: https://boringssl-review.googlesource.com/7753
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-26 15:53:09 +00:00
David Benjamin
dc9194f78b Fix a bug in obj_dat.pl and add basic crypto/obj tests.
It's not possible to encode an OID with only one component, so some of
the NIDs do not have encodings. The logic to actually encode OIDs checks
for this (before calling der_it), but not the logic to compute the
sorted OID list.

Without this, OBJ_obj2nid, when given an empty OID, returns something
arbitrary based on the binary search implementation instead of
NID_undef.

Change-Id: Ib68bae349f66eff3d193616eb26491b6668d4b0a
Reviewed-on: https://boringssl-review.googlesource.com/7752
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-26 15:19:26 +00:00
David Benjamin
f13444a5ad Use different bit tricks to extend the LSB.
C gets grumpy when you shift into a sign bit. Replace it with a different bit
trick.

BUG=chromium:603502

Change-Id: Ia4cc2e2d68675528b7c0155882ff4d6230df482b
Reviewed-on: https://boringssl-review.googlesource.com/7740
Reviewed-by: Adam Langley <agl@google.com>
2016-04-25 23:05:20 +00:00
David Benjamin
1fc7564ba7 Add standalone PKCS#8 and SPKI fuzzers.
We already had coverage for our new EVP_PKEY parsers, but it's good to have
some that cover them directly. The initial corpus was generated manually with
der-ascii and should cover most of the insanity around EC key serialization.

BUG=15

Change-Id: I7aaf56876680bfd5a89f5e365c5052eee03ba862
Reviewed-on: https://boringssl-review.googlesource.com/7728
Reviewed-by: Adam Langley <agl@google.com>
2016-04-25 21:57:28 +00:00
David Benjamin
af18cdd733 Add a copyright header to run_android_tests.go.
Change-Id: Ifd60964e4074fa7900e9ebfbb669864bae0821dd
Reviewed-on: https://boringssl-review.googlesource.com/7729
Reviewed-by: Adam Langley <agl@google.com>
2016-04-25 21:55:36 +00:00
David Benjamin
6e96d2be3d Remove stale wpa_supplicant hacks.
aosp-master has been updated past the point that this is necessary. Sadly, all
the other hacks still are. I'll try to get things rolling so we can ditch the
others in time.

Change-Id: If7b3aad271141fb26108a53972d2d3273f956e8d
Reviewed-on: https://boringssl-review.googlesource.com/7751
Reviewed-by: Adam Langley <agl@google.com>
2016-04-25 21:19:12 +00:00
David Benjamin
1be6a7e442 Add another temporary hack for wpa_supplicant.
Due to Android's complex branching scheme, we have to keep building against a
snapshotted version of wpa_supplicant. wpa_supplicant, in preparation for
OpenSSL 1.1.0, added compatibility versions of some accessors that we, in
working towards opaquification, have imported. This causes a conflict (C does
not like having static and non-static functions share a name).

Add a hack in the headers to suppress the conflicting accessors when
BORINGSSL_SUPPRESS_ACCESSORS is defined. Android releases which include an
updated BoringSSL will also locally carry this #define in wpa_supplicant build
files. Once we can be sure releases of BoringSSL will only see a new enough
wpa_supplicant (one which includes a to-be-submitted patch), we can ditch this.

Change-Id: I3e27fde86bac1e59077498ee5cbd916cd880821e
Reviewed-on: https://boringssl-review.googlesource.com/7750
Reviewed-by: Adam Langley <agl@google.com>
2016-04-25 21:18:37 +00:00
Adam Langley
b70cd92c82 Add licenses to fuzz tests.
These source files previously didn't have the ISC license on them.

Change-Id: Ic0a2047d23b28d9d7f0a85b2fedb67574bdcab25
Reviewed-on: https://boringssl-review.googlesource.com/7735
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-25 20:15:27 +00:00
Adam Langley
3d907ed964 Remove RC4_options from rc4-586.pl.
The x86-64 version of this assembly doesn't include this function. It's
in decrepit/rc4 as a compatibility backfill but that means that 32-bit
builds end up with two definitions of this symbol.

Change-Id: Ib6da6b91aded8efc679ebbae6d60c96a78f3dc4e
Reviewed-on: https://boringssl-review.googlesource.com/7734
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-22 21:14:11 +00:00
David Benjamin
38d01c6b95 Improve generate_build_files.py gn support.
Split gn and gyp generators apart. Since we're pre-generating files, there's no
need to make BoringSSL's build depend on the gypi_to_gn.py script. Also emit
the tests and a list of fuzzers so we don't need to manually update BUILD.gn
each time.

The new gn generator is based on the bazel one since they're fairly similar.

BUG=chromium:429246

Change-Id: I5a819a964d6ac6e56e9251bb3fd3de1db08214a4
Reviewed-on: https://boringssl-review.googlesource.com/7726
Reviewed-by: Adam Langley <agl@google.com>
2016-04-22 18:56:55 +00:00
David Benjamin
818aff01fb Add SSL_SESSION_get_master_key.
Opaquifying SSL_SESSION is less important than the other structs, but this will
cause less turbulence in wpa_supplicant if we add this API too. Semantics and
name taken from OpenSSL 1.1.0 to match.

BUG=6

Change-Id: Ic39f58d74640fa19a60aafb434dd2c4cb43cdea9
Reviewed-on: https://boringssl-review.googlesource.com/7725
Reviewed-by: Adam Langley <agl@google.com>
2016-04-21 21:14:36 +00:00
David Benjamin
7fadfc6135 Move TLS-specific "AEAD" functions to the bottom of aead.h.
Probably better to keep it out of the way for someone just trying to figure out
how to use the library. Notably, we don't really want people to think they need
to use the directioned init function.

Change-Id: Icacc2061071581abf46e38eb1d7a52e7b1f8361b
Reviewed-on: https://boringssl-review.googlesource.com/7724
Reviewed-by: Adam Langley <agl@google.com>
2016-04-21 20:34:41 +00:00
David Benjamin
325664eec4 Add hkdf.h to doc.config.
It has all of one function in there.

Change-Id: I86f0fbb76d267389c62b63ac01df685acb70535e
Reviewed-on: https://boringssl-review.googlesource.com/7723
Reviewed-by: Adam Langley <agl@google.com>
2016-04-21 20:25:15 +00:00
Brian Smith
f01fb5dc0e Avoid minor waste in |ec_GFp_nistp256_point_get_affine_coordinates|.
Avoid calculating the affine Y coordinate when the caller didn't ask
for it, as occurs, for example, in ECDH.

For symmetry and clarity, avoid calculating the affine X coordinate in
the hypothetical case where the caller only asked for the Y coordinate.

Change-Id: I69f5993fa0dfac8b010c38e695b136cefc277fed
Reviewed-on: https://boringssl-review.googlesource.com/7590
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 23:00:27 +00:00
Brian Smith
3f3358ac15 Save one call to |ecp_nistz256_from_mont| in |ecp_nistz256_get_affine|.
Change-Id: I38faa5c4e9101c100614ebadf421bde0a05af360
Reviewed-on: https://boringssl-review.googlesource.com/7589
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 22:58:36 +00:00
Brian Smith
a7aa2bb8f8 Avoid a multiplication in |ecp_nistz256_get_affine| when |x| is NULL.
This is purely hypothetical, as in real life nobody cares about the
|y| component without also caring about the |x| component, but it
clarifies the code and makes a future change clearer.

Change-Id: Icaa4de83c87b82a8e68cd2942779a06e5db300c3
Reviewed-on: https://boringssl-review.googlesource.com/7588
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 22:53:46 +00:00
Brian Smith
d860b7b1cd Set output coordinates' |neg| field in |ecp_nistz256_get_affine|.
The result would not be correct if, on input, |x->neg != 0| or
|y->neg != 0|.

Change-Id: I645566a78c2e18e42492fbfca1df17baa05240f7
Reviewed-on: https://boringssl-review.googlesource.com/7587
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 22:52:45 +00:00
Brian Smith
97770d17d8 Use only Montgomery math in |ec_GFp_mont_point_get_affine_coordinates|.
Use only Montgomery math in |ec_GFp_mont_point_get_affine_coordinates|.
In particular, avoid |BN_mod_sqr| and |BN_mod_mul|.

Change-Id: I05c8f831d2865d1b105cda3871e9ae67083f8399
Reviewed-on: https://boringssl-review.googlesource.com/7586
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-20 22:51:34 +00:00
David Benjamin
f3835839b1 Use nanosleep instead of usleep.
usleep is guarded by feature macro insanity. Use nanosleep which looks to be
less unfriendly.

Change-Id: I75cb2284f26cdedabb19871610761ec7440b6ad3
Reviewed-on: https://boringssl-review.googlesource.com/7710
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-19 21:54:26 +00:00
David Benjamin
9dadc3b6e1 Replace CRYPTO_once_t on Windows with INIT_ONCE.
Now that we no longer support Windows XP, this function is available. In doing
so, remove the odd run_once_arg_t union and pass in a pointer to a function
pointer which is cleaner and still avoids C's silly rule where function
pointers can't be placed in a void*.

BUG=37

Change-Id: I44888bb3779dacdb660706debd33888ca389ebd5
Reviewed-on: https://boringssl-review.googlesource.com/7613
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-19 21:34:20 +00:00
David Benjamin
3ed24f0502 Test CRYPTO_once_t collisions.
The existing tests never actually tested this case.

Change-Id: Idb9cf0cbbe32fdf5cd353656a95fbedbaac09376
Reviewed-on: https://boringssl-review.googlesource.com/7612
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-19 21:33:59 +00:00
David Benjamin
582d2847ed Reimplement PKCS#12 key derivation.
This is avoids pulling in BIGNUM for doing a straight-forward addition on a
block-sized value, and avoids a ton of mallocs. It's also -Wconversion-clean,
unlike the old one.

In doing so, this replaces the HMAC_MAX_MD_CBLOCK with EVP_MAX_MD_BLOCK_SIZE.
By having the maximum block size available, most of the temporary values in the
key derivation don't need to be malloc'd.

BUG=22

Change-Id: I940a62bba4ea32bf82b1190098f3bf185d4cc7fe
Reviewed-on: https://boringssl-review.googlesource.com/7688
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-19 18:16:38 +00:00
David Benjamin
0e21f41fe8 Switch all 'num' parameters in crypto/modes to unsigned.
Also switch the EVP_CIPHER copy to cut down on how frequently we need to cast
back and forth.

BUG=22

Change-Id: I9af1e586ca27793a4ee6193bbb348cf2b28a126e
Reviewed-on: https://boringssl-review.googlesource.com/7689
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-19 17:56:25 +00:00
David Benjamin
1a0a8b6760 Make EVP_MD_CTX size functions return size_t.
The EVP_MD versions do, so the types should bubble up.

BUG=22

Change-Id: Ibccbc9ff35bbfd3d164fc28bcdd53ed97c0ab338
Reviewed-on: https://boringssl-review.googlesource.com/7687
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-19 15:12:41 +00:00
Brian Smith
86361a3910 Require the public exponent to be available in RSA blinding.
Require the public exponent to be available unless
|RSA_FLAG_NO_BLINDING| is set on the key. Also, document this.

If the public exponent |e| is not available, then we could compute it
from |p|, |q|, and |d|. However, there's no reasonable situation in
which we'd have |p| or |q| but not |e|; either we have all the CRT
parameters, or we have (e, d, n), or we have only (d, n). The
calculation to compute |e| exposes the private key to risk of side
channel attacks.

Also, it was particularly wasteful to compute |e| for each
|BN_BLINDING| created, instead of just once before the first
|BN_BLINDING| was created.

|BN_BLINDING| now no longer needs to contain a duplicate copy of |e|,
so it is now more space-efficient.

Note that the condition |b->e != NULL| in |bn_blinding_update| was
always true since commit cbf56a5683.

Change-Id: Ic2fd6980e0d359dcd53772a7c31bdd0267e316b4
Reviewed-on: https://boringssl-review.googlesource.com/7594
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 23:34:46 +00:00
Brian Smith
d035730ac7 Make return value of |BN_MONT_CTX_set_locked| int.
This reduces the chance of double-frees.

BUG=10

Change-Id: I11a240e2ea5572effeddc05acb94db08c54a2e0b
Reviewed-on: https://boringssl-review.googlesource.com/7583
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 23:19:08 +00:00
Brian Smith
51b0d5b1e8 Do not use the CRT when |rsa->e == NULL|.
When |rsa->e == NULL| we cannot verify the result, so using the CRT
would leave the key too vulnerable to fault attacks.

Change-Id: I154622cf6205ba4d5fb219143db6072a787c2d1f
Reviewed-on: https://boringssl-review.googlesource.com/7581
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 22:50:24 +00:00
Brian Smith
69f0532c85 Use |memcmp| instead of |CRYPTO_memcmp| in |RSA_verify|.
|CRYPTO_memcmp| isn't necessary because there is no secret data being
acted on here.

Change-Id: Ib678d5d4fc16958aca409a93df139bdff8cb73fb
Reviewed-on: https://boringssl-review.googlesource.com/7465
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 20:42:22 +00:00
Brian Smith
2a92031bb4 Clarify |RSA_verify_raw| error handling & cleanup.
Use the common pattern of returning early instead of |goto err;| when
there's no cleanup to do yet. Also, move the error checking of
|BN_CTX_get| failure closer to the the calls to |BN_CTX_get|. Avoid
calling |OPENSSL_cleanse| on public data. Clarify when/why |buf| is not
freed.

Change-Id: I9df833db7eb7041c5af9349c461297372b988f98
Reviewed-on: https://boringssl-review.googlesource.com/7464
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 20:42:15 +00:00
Brian Smith
9902262af6 Remove redundant check of |sig_len| in |RSA_verify|.
The same check is already done in |RSA_verify_raw|, so |RSA_verify|
doesn't need to do it.

Also, move the |RSA_verify_raw| check earlier.

Change-Id: I15f7db0aad386c0f764bba53e77dfc46574f7635
Reviewed-on: https://boringssl-review.googlesource.com/7463
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 20:40:41 +00:00
Brian Smith
c0b196d4eb Drop support for engines-provided signature verification.
We do not need to support engine-provided verification methods.

Change-Id: Iaad8369d403082b728c831167cc386fdcabfb067
Reviewed-on: https://boringssl-review.googlesource.com/7311
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 20:40:17 +00:00
David Benjamin
9b611e28e4 Simplify server_name extension parsing.
Although the server_name extension was intended to be extensible to new name
types, OpenSSL 1.0.x had a bug which meant different name types will cause an
error. Further, RFC 4366 originally defined syntax inextensibly. RFC 6066
corrected this mistake, but adding new name types is no longer feasible.

Act as if the extensibility does not exist to simplify parsing. This also
aligns with OpenSSL 1.1.x's behavior. See upstream's
062178678f5374b09f00d70796f6e692e8775aca and
https://www.ietf.org/mail-archive/web/tls/current/msg19425.html

Change-Id: I5af26516e8f777ddc1dab5581ff552daf2ea59b5
Reviewed-on: https://boringssl-review.googlesource.com/7294
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 20:33:35 +00:00
David Benjamin
4c5ddb8047 Set rwstate consistently.
We reset it to SSL_NOTHING at the start of ever SSL_get_error-using operation.
Then we only set it to a non-NOTHING value in the rest of the stack on error
paths.

Currently, ssl->rwstate is set all over the place. Sometimes the pattern is:

  ssl->rwstate = SSL_WRITING;
  if (BIO_write(...) <= 0) {
    goto err;
  }
  ssl->rwstate = SSL_NOTHING;

Sometimes we only set it to the non-NOTHING value on error.

  if (BIO_write(...) <= 0) {
    ssl->rwstate = SSL_WRITING;
  }
  ssl->rwstate = SSL_NOTHING;

Sometimes we just set it to SSL_NOTHING far from any callback in random places.

The third case is arbitrary and clearly should be removed.

But, in the second case, we sometimes forget to undo it afterwards. This is
largely harmless since an error in the error queue overrides rwstate, but we
don't always put something in the error queue (falling back to
SSL_ERROR_SYSCALL for "I'm not sure why it failed. Perhaps it was one of your
callbacks? Check your errno equivalent."), but in that case a stray rwstate
value will cause it to be wrong.

We could fix the cases where we fail to set SSL_NOTHING on success cases, but
this doesn't account for there being multiple SSL_get_error operations. The
consumer may have an SSL_read and an SSL_write running concurrently. Instead,
it seems the best option is to lift the SSL_NOTHING reset to the operations and
set SSL_WRITING and friends as in the second case.

(Someday hopefully we can fix this to just be an enum that is internally
returned. It can convert to something stateful at the API layer.)

Change-Id: I54665ec066a64eb0e48a06e2fcd0d2681a42df7f
Reviewed-on: https://boringssl-review.googlesource.com/7453
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-18 20:30:32 +00:00