The old logic was quite messy and grew a number of no-ops over the
years. It was also unreasonably fond of the variable name |i|.
The current logic wasn't even correct. It's overly fond of sending no
certificate, even when it pushes errors on the error queue for a fatal
error.
Change-Id: Ie5b2b38dd309f535af1d17fa261da7dc23185866
Reviewed-on: https://boringssl-review.googlesource.com/7418
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
In TLS, you never skip the Certificate message. It may be empty, but its
presence is determined by CertificateRequest. (This is sensible.)
In SSL 3.0, the client omits the Certificate message. This means you need to
probe and may receive either Certificate or ClientKeyExchange (thankfully,
ClientKeyExchange is not optional, or we'd have to probe at ChangeCipherSpec).
We didn't have test coverage for this, despite some of this logic being a
little subtle asynchronously. Fix this.
Change-Id: I149490ae5506f02fa0136cb41f8fea381637bf45
Reviewed-on: https://boringssl-review.googlesource.com/7419
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
We never heap-allocate a GCM128_CONTEXT.
Change-Id: I7e89419ce4d81c1598a4b3a214c44dbbcd709651
Reviewed-on: https://boringssl-review.googlesource.com/7430
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Also add no-certificate cases to the state machine coverage tests.
Change-Id: I88a80df6f3ea69aabc978dd356abcb9e309e156f
Reviewed-on: https://boringssl-review.googlesource.com/7417
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Change-Id: I5b38e2938811520f52ece6055245248c80308b4d
Reviewed-on: https://boringssl-review.googlesource.com/7416
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Although exactly one iteration of cmov_cached will always initialize selected,
it ends up messing with uninitialized memory. Initialize |selected| before the
loop.
BUG=593540
Change-Id: I5921843f68c6dd1dc7f752538825bc43ba75df4a
Reviewed-on: https://boringssl-review.googlesource.com/7415
Reviewed-by: Arnar Birgisson <arnarb@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
This makes building OpenLDAP easier.
Change-Id: Id64699f95477fb8fb98957027c97070ebf41f4b1
Reviewed-on: https://boringssl-review.googlesource.com/7407
Reviewed-by: David Benjamin <davidben@google.com>
This makes building OpenLDAP easier.
Change-Id: Ic1c5bcb2ec35c61c048e780ebc56db033d8382d8
Reviewed-on: https://boringssl-review.googlesource.com/7406
Reviewed-by: David Benjamin <davidben@google.com>
Built from:
92c83ad8a4fd6224cf6319a60b399854f55b38ebe9d297c942408b792b1a9efa cmake-3.5.0.tar.gz
Update instructions in the UPDATING file.
Change-Id: I49d3f5ef353347c446a04797719227e9793e3e0d
Reviewed-on: https://boringssl-review.googlesource.com/7414
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
See 0d5e080ab9 for the previous version. Include
instructions on where to get the tools used.
807f96230c889b10f2957a47585426af4cdb116a8a77f1caecca83b7d7ab862b cmake-3.5.0-win32-x86.zip
e6bb5c3e4d936bb1067560a58a21260693a0fbe34e55afb0111fe14f7eebc92c strawberry-perl-5.22.1.2-32bit-portable.zip
Change-Id: I504cf779abce26087d09c0c974fb481886c9c459
Reviewed-on: https://boringssl-review.googlesource.com/7413
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Update the easy ones here. Also include instructions on how to do this. The
.sha1 files will be updated separately with instructions.
Change-Id: I2a3aba43b8ffbdf930b8a2602dc1460077f6d0e7
Reviewed-on: https://boringssl-review.googlesource.com/7412
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
libdecrepit wants some symbols visible. Also a build file typo.
Change-Id: I670d2324ab9048f84e7f80afdefc98cbab80335d
Reviewed-on: https://boringssl-review.googlesource.com/7411
Reviewed-by: Adam Langley <agl@google.com>
Interestingly, Windows caught this with:
..\decrepit\obj\obj_decrepit.c(33) : warning C4090: 'function' : different 'const' qualifiers
However, the value of |name| isn't const, only the thing that it points
to. So this seems like a bug in MSVC, but I'm ok with it this time.
Change-Id: I076f98339cb0b669a4f592fba89aafc0a580efc4
Reviewed-on: https://boringssl-review.googlesource.com/7404
Reviewed-by: David Benjamin <davidben@google.com>
The points are only converted to affine form when there are at least
three points being multiplied (in addition to the generator), but there
never is more than one point, so this is all dead code.
Also, I doubt that the comments "...point at infinity (which normally
shouldn't happen)" in the deleted code are accurate. And, the
projective->affine conversions that were removed from p224-64.c and
p256-64.c didn't seem to properly account for the possibility that any of
those points were at infinity.
Change-Id: I611d42d36dcb7515eabf3abf1857e52ff3b45c92
Reviewed-on: https://boringssl-review.googlesource.com/7100
Reviewed-by: David Benjamin <davidben@google.com>
This another of those functions that tries to turn C into Python. In
this case, implement it in terms of the similar functions in EVP so that
at least we only have one list of things.
This makes life with nmap easier.
Change-Id: I6d01c43f062748d4ba7d7020587c286322e610bb
Reviewed-on: https://boringssl-review.googlesource.com/7403
Reviewed-by: David Benjamin <davidben@google.com>
This version is taken from OpenSSL 1.0.2 with tweaks to support the
changes that we have made to md32_common.h. None of the assembly
implementations have been imported.
This makes supporting nmap easier.
Change-Id: Iae9241abdbc9021cc6bc35a65b40c3d739011ccc
Reviewed-on: https://boringssl-review.googlesource.com/7402
Reviewed-by: David Benjamin <davidben@google.com>
If the function returns early due to an error, then the coordinates of the
result will have their |top| value set to a value beyond what has actually
been been written. Fix that, and make it easier to avoid such issues in the
future by refactoring the code.
As a bonus, avoid a false positive MSVC 64-bit opt build "potentially
uninitialized value used" warning.
Change-Id: I8c48deb63163a27f739c8797962414f8ca2588cd
Reviewed-on: https://boringssl-review.googlesource.com/6579
Reviewed-by: David Benjamin <davidben@google.com>
Having |Z_is_one| be out of sync with |Z| could potentially be a very
bad thing, and in the past there have been multiple bugs of this sort,
including one currently in p256-x86_64.c (type confusion: Montgomery-
encoded vs unencoded). Avoid the issue entirely by getting rid of
|Z_is_one|.
Change-Id: Icb5aa0342df41d6bc443f15f952734295d0ee4ba
Reviewed-on: https://boringssl-review.googlesource.com/6576
Reviewed-by: David Benjamin <davidben@google.com>
I've no idea who thought that this function was a good idea in the first
place, but including it in decrepit makes supporting nmap easier.
Change-Id: I7433cda6a6ddf1cc545126edf779625e9fc70ada
Reviewed-on: https://boringssl-review.googlesource.com/7401
Reviewed-by: David Benjamin <davidben@google.com>
This could live in decrepit, but it's tiny and having it makes the
interface more uniform that what we have for MD5 so I put it in the main
code. This is to more easily support nmap.
Change-Id: Ia098cc7ef6e00a90d2f3f56ee7deba8329c9a82e
Reviewed-on: https://boringssl-review.googlesource.com/7400
Reviewed-by: David Benjamin <davidben@google.com>
This reverts commit b944882f26.
Recent Chrome canaries show a visible jump in ERR_SSL_PROTOCOL_ERROR which
coincided with a DEPS roll that included this change. Speculatively revert it
to see if they go back down afterwards.
Change-Id: I067798db144c348d666985986dfb9720d1153b7a
Reviewed-on: https://boringssl-review.googlesource.com/7391
Reviewed-by: David Benjamin <davidben@google.com>
This removes a hard dependency on |BN_mod_exp|, which will allow the
linker to drop it in programs that don't use other features that
require it.
Also, remove the |mont| member of |bn_blinding_st| in favor of having
callers pass it when necssaary. The |mont| member was a weak reference,
and weak references tend to be error-prone.
Finally, reduce the scope of some parts of the blinding code to
|static|.
Change-Id: I16d8ccc2d6d950c1bb40377988daf1a377a21fe6
Reviewed-on: https://boringssl-review.googlesource.com/7111
Reviewed-by: David Benjamin <davidben@google.com>
If a Read or Write blocks for too long, time out the operation. Otherwise, some
kinds of test failures result in hangs, which prevent the test harness from
progressing. (Notably, OpenSSL currently has a lot of those failure modes and
upstream expressed interest in being able to run the tests to completion.)
Go's APIs want you to send an absolute timeout, to avoid problems when a Read
is split into lots of little Reads. But we actively want the timer to reset in
that case, so this needs a trivial adapter.
The default timeout is set at 15 seconds for now. If this becomes a problem, we
can extend it or build a more robust deadlock detector given an out-of-band
channel (shim tells runner when it's waiting on data, abort if we're also
waiting on data at the same time). But I don't think we'll need that
complexity. 15 seconds appears fine for both valgrind and running tests on a
Nexus 4.
BUG=460189
Change-Id: I6463fd36058427d883b526044da1bbefba851785
Reviewed-on: https://boringssl-review.googlesource.com/7380
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
See also 1b0c438e1a.
Change-Id: Ifcfe15caa4d0db8ef725f8dacd0e8c5c94b00a09
Reviewed-on: https://boringssl-review.googlesource.com/7390
Reviewed-by: Emily Stark (Dunn) <estark@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
The bots will likely use different infrastructure (I expect I'll need to write
an isolate file and such). In the meantime, make it easier to run tests
manually.
BUG=487432
Change-Id: I0e10b23e5f3eb1c5cd60fb88f21ba4a8385b979e
Reviewed-on: https://boringssl-review.googlesource.com/7334
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Now that we have a GitHub mirror, set up a PULL_REQUEST_TEMPLATE so people know
not to file pull requests against us. Text borrowed from Go's version of this
file.
Change-Id: I7da127fbf36eb3a7cb68e3a91cc9dfbb7fc92155
Reviewed-on: https://boringssl-review.googlesource.com/7370
Reviewed-by: Adam Langley <agl@google.com>
This function is a deprecated version of |X509_EXT_nconf_nid| that takes
a hash of |CONF_VALUE|s directly rather than a |CONF|.
Change-Id: I5fd1025b31d73b988d9298b2624453017dd34ff4
Reviewed-on: https://boringssl-review.googlesource.com/7363
Reviewed-by: David Benjamin <davidben@google.com>
These functions are just like the _mgf1 versions but omit one of the
parameters. It's easier to add them than to patch the callers in some
cases.
Change-Id: Idee5b81374bf15f2ea89b7e0c06400c2badbb275
Reviewed-on: https://boringssl-review.googlesource.com/7362
Reviewed-by: David Benjamin <davidben@google.com>
We shouldn't really have to do this, but there's a lot of code that
doesn't always include what it uses. In this case, since bio.h
references |BUF_MEM| in function signatures, it seems a little less
distasteful.
Change-Id: Ifb50f8bce40639f977b4447404597168a68c8388
Reviewed-on: https://boringssl-review.googlesource.com/7361
Reviewed-by: David Benjamin <davidben@google.com>
This function was deprecated by OpenSSL in 0.9.8 but code that uses it
still exists. This change adds an implementation of this function to
decreipt/ to support these programs.
Change-Id: Ie99cd00ff8b0ab2675f2b1c821c3d664b9811f16
Reviewed-on: https://boringssl-review.googlesource.com/7360
Reviewed-by: David Benjamin <davidben@google.com>
In OpenSSL, they create socket BIOs. The distinction isn't important on UNIX.
On Windows, file descriptors are provided by the C runtime, while sockets must
use separate recv and send APIs. Document how these APIs are intended to work.
Also add a TODO to resolve the SOCKET vs int thing. This code assumes that
Windows HANDLEs only use the bottom 32 bits of precision. (Which is currently
true and probably will continue to be true for the foreseeable future[*], but
it'd be nice to do this right.)
Thanks to Gisle Vanem and Daniel Stenberg for reporting the bug.
[*] Both so Windows can continue to run 32-bit programs and because of all the
random UNIX software, like OpenSSL and ourselves, out there which happily
assumes sockets are ints.
Change-Id: I67408c218572228cb1a7d269892513cda4261c82
Reviewed-on: https://boringssl-review.googlesource.com/7333
Reviewed-by: David Benjamin <davidben@google.com>
This change adds a |SSL_CTX_set_private_key_method| method that sets key_method on a SSL_CTX's cert.
It allows the private key method to be set once and inherited.
A copy of key_method (from SSL_CTX's cert to SSL's cert) is added in |ssl_cert_dup|.
Change-Id: Icb62e9055e689cfe2d5caa3a638797120634b63f
Reviewed-on: https://boringssl-review.googlesource.com/7340
Reviewed-by: David Benjamin <davidben@google.com>
Instead of crashing when an empty key is passed to
EVP_marshal_public_key(), return with an
EVP_R_UNSUPPORTED_ALGORITHM_ERROR. This brings e.g. X509_PUBKEY_set()
closer to how it behaved before 68772b31 (previously, it returned an
error on an empty public key rather than dereferencing pkey->ameth).
Change-Id: Ieac368725adb7f22329c035d9d0685b44b885888
Reviewed-on: https://boringssl-review.googlesource.com/7351
Reviewed-by: David Benjamin <davidben@google.com>
I went with NID_x25519 to match NID_sha1 and friends in being lowercase.
However, upstream seems to have since chosen NID_X25519. Match their
name.
Change-Id: Icc7b183a2e2dfbe42c88e08e538fcbd242478ac3
Reviewed-on: https://boringssl-review.googlesource.com/7331
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Change-Id: I9540c931b6cdd4d65fa9ebfc52e1770d2174abd2
Reviewed-on: https://boringssl-review.googlesource.com/7330
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
C is still kind of unsure about the whole two's complement thing and leaves
left-shifting of negative numbers undefined. Sadly, some sanitizers believe in
teaching the controversy and complain when code relies on the theory of two's
complement.
Shushing these sanitizers in this case is easier than fighting with build
configuration, so replace the shifts with masks. (This is equivalent as the
left-shift was of a value right-shifted by the same amount. Instead, we store
the unshifted value in carry0, etc., and mask off the bottom bits.) A few other
places get casts to unsigned types which, by some miracle, C compilers are
forbidden from miscompiling.
This is imported from upstream's b95779846dc876cf959ccf96c49d4c0a48ea3082 and
5b7af0dd6c9315ca76fba16813b66f5792c7fe6e.
Change-Id: I6bf8156ba692165940c0c4ea1edd5b3e88ca263e
Reviewed-on: https://boringssl-review.googlesource.com/7320
Reviewed-by: Adam Langley <agl@google.com>
Now that client.cc and server.cc run through application data, regenerate the
corpus.
Change-Id: I8278ebfe47fd2ba74f67db6f9b545aabf9fd1f84
Reviewed-on: https://boringssl-review.googlesource.com/7301
Reviewed-by: Adam Langley <agl@google.com>
As long as the HTTP/1.1 client auth hack forces use to support renego, having
it on seems much more useful than having it off for fuzzing purposes. Also read
app data to exercise that code and, on the client, trigger renegotiations as
needed.
Change-Id: I1941ded6ec9bd764abd199d1518420a1075ed1b2
Reviewed-on: https://boringssl-review.googlesource.com/7291
Reviewed-by: Adam Langley <agl@google.com>
Also pass set -e instead of chaining things with &&. (One line was missing the
&&.)
Change-Id: Ia04e7f40f46688c9664101efefef1d1ea069de71
Reviewed-on: https://boringssl-review.googlesource.com/7300
Reviewed-by: Adam Langley <agl@google.com>
The coverage tool revealed that we weren't testing all codepaths of the ChaCha
assembly. Add a standalone test as it's much easier to iterate over all lengths
when there isn't the entire AEAD in the way.
I wasn't able to find a really long test vector, so I generated a random one
with the Go implementation we have in runner.
This test gives us full coverage on the ChaCha20_ssse3 variant. (We'll see how
it fares on the other codepaths when the multi-variant test harnesses get in. I
certainly hope there isn't a more novel way to call ChaCha20 than this...)
Change-Id: I087e421c7351f46ea65dacdc7127e4fbf5f4c0aa
Reviewed-on: https://boringssl-review.googlesource.com/7299
Reviewed-by: Adam Langley <agl@google.com>
This is in preparation for adding AES_256_GCM in Chromium below AES_128_GCM.
For now, AES_128_GCM is preferable over AES_256_GCM for performance reasons.
While I'm here, swap the order of 3DES and RC4. Chromium has already disabled
RC4, but the default order should probably reflect that until we can delete it
altogether.
BUG=591516
Change-Id: I1b4df0c0b7897930be726fb8321cee59b5d93a6d
Reviewed-on: https://boringssl-review.googlesource.com/7296
Reviewed-by: Adam Langley <agl@google.com>
Only the 32-bit AVX2 code path needs this, but upstream choose to harmonize all
vector code paths.
RT#4346
(Imported from 1ea8ae5090f557fea2e5b4d5758b10566825d74b.)
Tested the new code manually on arm and aarch64, NEON and non-NEON. Steven
reports that all variants pass on x86 and x86-64 too.
I've left the 32-bit x86 AVX2 code disabled since valgrind can't measure the
code coverage, but this avoids diff with upstream. We can enable it if we ever
end up caring.
Change-Id: Id9becc2adfbe44b84764f8e9c1fb5e8349c4d5a8
Reviewed-on: https://boringssl-review.googlesource.com/7295
Reviewed-by: Adam Langley <agl@google.com>
Uses LCOV for C(++) line coverage and Valgrind's Callgrind tool to
generate assembly-level line coverage for the generated assembly
code.
BUG=590332
Change-Id: Ic70300a272c38f4fa6dd615747db568aa0853584
Reviewed-on: https://boringssl-review.googlesource.com/7251
Reviewed-by: David Benjamin <davidben@google.com>
This results from running the fuzzers for a little while with both the
8bit-counters change and after taking the transcripts from the runner
tests as seeds for the `client` and `server` fuzzers.
Change-Id: I545a89d8dccd7ef69dd97546ed61610eea4a27a3
Reviewed-on: https://boringssl-review.googlesource.com/7276
Reviewed-by: David Benjamin <davidben@google.com>
EC point format negotiation is dead and gone.
Change-Id: If13ed7c5f31b64df2bbe90c018b2683b6371a980
Reviewed-on: https://boringssl-review.googlesource.com/7293
Reviewed-by: Adam Langley <agl@google.com>