Commit Graph

5529 Commits

Author SHA1 Message Date
David Benjamin
f84c0dad7a Use newly-sharded ECDH tests.
Also remove some transition step for a recent format change. Together, this
removes the curve hacks in the converter, which can now be purely syntactic.
The RSA ones are still a bit all over the place in terms of sharded vs
combined, so leaving that alone for now.

Change-Id: I721d6b0de388a53a39543725e366dc5b52e83561
Reviewed-on: https://boringssl-review.googlesource.com/30845
Reviewed-by: Adam Langley <agl@google.com>
2018-08-10 18:25:51 +00:00
David Benjamin
367115b056 Fix SSL_CTX_set1_sigalgs fuzzer and make them all more type-safe.
The size of an int is 4, not 2. To avoid worrying about this, add a GetVector
counterpart to GetString that handles all this. Apply this uniformly to avoid
all the pointer casts. This is less important for vector<uint8_t>, but even
then we'll now notice a 1-byte OOB read since std::string is NUL-terminated.
Also it's shorter.

Change-Id: Ie96591cb8d8d52742f5fd30d70b6af0511109585
Reviewed-on: https://boringssl-review.googlesource.com/30864
Reviewed-by: Adam Langley <agl@google.com>
2018-08-10 18:24:36 +00:00
David Benjamin
a711b53e0b Update Wycheproof test vectors.
This only updates the repository. We'll catch up with the new tests in a
subsequent commit.

Change-Id: I074a041479159ce1141af3241e7158599b648365
Reviewed-on: https://boringssl-review.googlesource.com/30844
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2018-08-10 17:56:29 +00:00
David Benjamin
ad040c593f "Update" clang.
Chromium ended up reverting their most recent roll, so match that.

Change-Id: I54b6351591d9169651f450ec3e800c7c9c28735c
Reviewed-on: https://boringssl-review.googlesource.com/30806
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-10 16:39:23 +00:00
David Benjamin
e6fd125d31 Align on a single CMake style.
We currently write a mix of "if (FOO)" and "if(FOO)". While the former looks
more like a usual language, CMake believes everything, even "if" and "else", is
just a really really funny function call (a "command").

We should pick something for consistency. Upstream CMake writes "if(FOO)", so
go with that one.

Change-Id: I67e0eb650a52670110b417312a362c9f161c8721
Reviewed-on: https://boringssl-review.googlesource.com/30807
Reviewed-by: Adam Langley <agl@google.com>
2018-08-10 16:22:31 +00:00
David Benjamin
ddedf6d455 Fix SSL_CTX_set1_sigalgs_list fuzzer.
SSL_CTX_set1_sigalgs_list wants a NUL-terminated string, so we need to use
GetString to give it one.

Bug: oss-fuzz:9808
Change-Id: Id7f676aa514c36de9dea900763db3cbbf5c79a4c
Reviewed-on: https://boringssl-review.googlesource.com/30804
Reviewed-by: Adam Langley <agl@google.com>
2018-08-10 14:44:43 +00:00
David Benjamin
17dc94e874 Add -handshaker-path to run_test.
Otherwise ninja run_tests doesn't work right build directories named something
other than "build" on Linux.

Change-Id: I4d7ff319aed338870f5ac071e875fda549bbbd06
Reviewed-on: https://boringssl-review.googlesource.com/30824
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
2018-08-10 14:31:47 +00:00
David Benjamin
678c841cbe Use -flto=thin in the CFI bot.
The CFI bot is currently failing on a mysterious error message, coming from the
recent clang roll.

  Called function is not the same type as the call!
    call void @EVP_MD_CTX_init(%struct.env_md_ctx_st* %8), !dbg !72123
  LLVM ERROR: Broken function found, compilation aborted!

Chromium actually passes -flto=thin, which seems to avoid the error, testing
locally. Why it does, I haven't the slightest clue. The offending calls to
EVP_MD_CTX_init (and EVP_MD_CTX_cleanup) are those buried in
bssl::ScopedEVP_MD_CTX. However, not all calls are problematic, only the one in
test_config.cc. What's more, if I add a call in async_bio.cc, linked into all
the same targets, the copy in test_config.cc is suddenly fine!?

Maybe there's just a bug in the LTO logic that ThinLTO avoids...

Change-Id: I5266eec75edea2a38dee8ad5591db8d65d3bdede
Reviewed-on: https://boringssl-review.googlesource.com/30805
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-10 14:18:28 +00:00
David Benjamin
4e446f27d0 Update citations to RFC 8410.
Confirmed the section numbers and sample key still match.

Change-Id: I6901154a54972a18e8a582a25d902c4fe760a0fc
Reviewed-on: https://boringssl-review.googlesource.com/30464
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-10 14:14:38 +00:00
David Benjamin
8625ec4b43 No-op commit to kick the bots.
Let's see if the TSan bot is working now.

Change-Id: Id86532f4cd2c4e216a0389c5030448afd707fdb7
Reviewed-on: https://boringssl-review.googlesource.com/30764
Reviewed-by: David Benjamin <davidben@google.com>
2018-08-09 23:09:23 +00:00
David Benjamin
69e91902f7 Work around missing MSan interceptor for posix_spawn.
Change-Id: I910dbfd0f6b0b4ef5a0c5155ee45a1658e1f4e70
Reviewed-on: https://boringssl-review.googlesource.com/30704
Reviewed-by: Adam Langley <agl@google.com>
2018-08-09 22:09:48 +00:00
David Benjamin
e9ae99bba2 Add an option to statically link a custom libc++.
MSan and TSan both require instrumenting everything. Add some machinery so we
can do this on the bots.

Change-Id: I7d2106bc852ee976455d18787d3a20a35373a9e7
Reviewed-on: https://boringssl-review.googlesource.com/30644
Reviewed-by: Adam Langley <agl@google.com>
2018-08-09 21:37:04 +00:00
David Benjamin
1f0d54b8a1 Don't assert on uninitialized memory in tests.
ExpectTicketKeyChanged treats its input as an in/out parameter, but the first
time around there isn't a previous key. We could just call
SSL_CTX_get_tlsext_ticket_keys directly, but running it with the "previous"
keys as all zeros seems prudent; the ticket key rotation logic lazily
initializes keys and, were we to accidentally forget to initialize a key, the
zero key seems the most likely culprit.

Change-Id: I7167bef78e0bfcdb178195230ad84597f26d825c
Reviewed-on: https://boringssl-review.googlesource.com/30684
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2018-08-09 21:36:50 +00:00
David Benjamin
1beddac9ce Update tools.
Change-Id: Idb6818ad9b6af2b1cb604e71d936aaca7210aa57
Reviewed-on: https://boringssl-review.googlesource.com/30624
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-09 19:31:22 +00:00
Adam Langley
7c1f21a1d1 Add XChaCha20-Poly1305 AEAD.
This is a version of ChaCha20-Poly1305 that takes a 24-byte nonce,
making the nonce suitable for random generation. It's compatible with
the AEAD of the same name in libsodium.

Change-Id: Ie8b20ba551e5a290b390d362e487f06377166f4c
Reviewed-on: https://boringssl-review.googlesource.com/30384
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2018-08-09 18:49:09 +00:00
David Benjamin
a3202d7bc1 Add EVP_CTRL_AEAD_* constants.
Upstream generalized most of the EVP_CTRL_GCM_* constants to be their general
AEAD API in 1.1.0. Define them for better compatibility with code that targets
OpenSSL 1.1.0.

Change-Id: Ieaed8379eebde3718e3048f6290c21cdeac01efd
Reviewed-on: https://boringssl-review.googlesource.com/30604
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-09 17:08:15 +00:00
Adam Langley
826ce15092 Support OpenSSL APIs SSL[_CTX]_set1_sigalgs[_list].
These functions can be used to configure the signature algorithms. One
of them is a string mini-languaging parsing function, which we generally
dislike because it defeats static analysis. However, some dependent
projects (in this case TensorFlow) need it and we also dislike making
people patch.

Change-Id: I13f990c896a7f7332d78b1c351357d418ade8d11
Reviewed-on: https://boringssl-review.googlesource.com/30304
Reviewed-by: Steven Valdez <svaldez@google.com>
2018-08-09 16:57:09 +00:00
David Benjamin
e3ffaae0a3 Remove apparently unused cq_name field.
I got an automated email from the previous config update to remove this.

Change-Id: I45586d3bda3241a513bf2f6a8ec3b2a87fc4f2f9
Reviewed-on: https://boringssl-review.googlesource.com/30584
Reviewed-by: Ryan Tseng <hinoka@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 20:55:50 +00:00
David Benjamin
ad8e29b00d Add linux_fuzz to the CQ.
We keep tripping it due to weird quirks in fuzzer mode.

Change-Id: Ie09113d42b24070b1749d38f56253bb7d9147f3f
Reviewed-on: https://boringssl-review.googlesource.com/30564
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 20:28:14 +00:00
Adam Langley
3314d1570c Escape backslashes in crypto test data.
embed_test_data.go assumes that it's working with 8KB chunks. However,
if the input file contains a '\' then the Go code thinks that it counts
as a byte, but the C compiler will probably merge it with the following
char and thus that string will be slightly too short. ASAN will detect
the out-of-bounds read when 8192 bytes are copied from the string.

Change-Id: If40ccfd39ea013bd6935fcc313cfe188fe985f67
Reviewed-on: https://boringssl-review.googlesource.com/30444
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 18:36:11 +00:00
Adam Langley
04e149f840 Set the fuzzer PBKDF2 limit to 2048.
Our test data uses values to up 2048 so the 1024 limit was causing tests
to fail in fuzzing mode.

Change-Id: I71b97be26376a04c13d1f438e5e36a5ffff1c1a4
Reviewed-on: https://boringssl-review.googlesource.com/30484
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 18:33:00 +00:00
Adam Langley
c81965a8ad Set PBKDF2 limit in PKCS#12 to 100M.
The previous limit was |UINT_MAX|. Windows limits to 600K, but that's
already causing issues. This seems like a balance between being
completely crazy and still large enough not to have to worry for a long
time. It's still probably too large for backend systems wanting to
process arbitrary PKCS#12, but I don't think any fixed value will
satisfy all desires.

Change-Id: I01a3f78d5f2df086f8dbc0e8bacfb95153738f55
Reviewed-on: https://boringssl-review.googlesource.com/30424
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 17:09:36 +00:00
Adam Langley
2bcb315138 Limit the number of PBKDF2 iterations when fuzzing.
(Otherwise the fuzzer will discover that it can trigger extremely large
amounts of computation and start timing out.)

BUG=oss-fuzz:9767

Change-Id: Ibc1da5a90da169c7caf522f792530d1020f8cb54
Reviewed-on: https://boringssl-review.googlesource.com/30404
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-08 16:12:50 +00:00
Adam Langley
6410e18e91 Update several assembly files from upstream.
This change syncs several assembly files from upstream. The only meanful
additions are more CFI directives.

Change-Id: I6aec50b6fddbea297b79bae22cfd68d5c115220f
Reviewed-on: https://boringssl-review.googlesource.com/30364
Reviewed-by: Adam Langley <agl@google.com>
2018-08-07 18:57:17 +00:00
Adam Langley
e27793940e Don't accept “SSL client” as a substitute for S/MIME in the Netscape cert type extension.
I believe that case was the only way that X509_check_purpose could
return anything other than zero or one. Thus eliminate the last use of
X509_V_FLAG_X509_STRICT.

Change-Id: If2f071dfa934b924491db2b615ec17390564e7de
Reviewed-on: https://boringssl-review.googlesource.com/30344
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Matt Braithwaite <mab@google.com>
2018-08-06 21:52:28 +00:00
Matthew Braithwaite
e833a6dfa2 handshaker: kick PRNG when resuming in UNSAFE_DETERMINISTIC_MODE.
In fuzzing builds, session resumptions fail if the PRNG behaves the
same as in the initial session.  Not sure of the reason, but a kick to
the PRNG fixes the problem and doesn't compromise determinism, so
... *shrug*?

Change-Id: I8181d98fdff16ae82255e9cda33ce5c4c40b5399
Reviewed-on: https://boringssl-review.googlesource.com/30284
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-08-03 23:11:46 +00:00
Steven Valdez
74bfa0c082 Fix header include for handshake.
This should hopefully fix a build failure on the fuzzers.

Change-Id: If8db8dee768a83538cf37a65ec23c3f68f2be6a2
Reviewed-on: https://boringssl-review.googlesource.com/30264
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-02 13:55:01 +00:00
Steven Valdez
e5388e097a Add handshaker as run_tests dependency.
Change-Id: I545a61794d6dbb187d973351da6d54e33a608d0d
Reviewed-on: https://boringssl-review.googlesource.com/30244
Reviewed-by: Matt Braithwaite <mab@google.com>
2018-08-01 23:47:11 +00:00
Adam Langley
8bd1d07535 Require basicConstraints cA flag in intermediate certs.
OpenSSL 1.0.2 (and thus BoringSSL) accepts keyUsage certSign or a
Netscape CA certificate-type in lieu of basicConstraints in an
intermediate certificate (unless X509_V_FLAG_X509_STRICT) is set.

Update-Note: This change tightens the code so that basicConstraints is required for intermediate certificates when verifying chains. This was previously only enabled if X509_V_FLAG_X509_STRICT was set, but that flag also has other effects.

Change-Id: I9e41f4c567084cf30ed08f015a744959982940af
Reviewed-on: https://boringssl-review.googlesource.com/30185
Reviewed-by: Matt Braithwaite <mab@google.com>
2018-08-01 19:10:19 +00:00
Adam Langley
0224a3294a Add X509_V_FLAG_REQUIRE_CA_BASIC_CONSTRAINTS.
This change adds a new flag, X509_V_FLAG_REQUIRE_CA_BASIC_CONSTRAINTS,
which causes basicConstraints with isCA to be required for intermediate
CA certificates. Without this, intermediates are also acceptable if
they're missing basicConstraints, but include either a certSign
keyUsage, or a CA Netscape certificate type.

This is a short-term change for patching. I'll undo a lot of it and make
this the default in the next change.

Change-Id: I7f42ffd76c57de3037f054108951e230c1b4e415
Reviewed-on: https://boringssl-review.googlesource.com/30184
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Matt Braithwaite <mab@google.com>
2018-08-01 18:55:50 +00:00
Adam Langley
e7b78770ec Ask shim whether it supports split handshakes.
The runner currently expects split handshake tests to work is GOOS is
"linux", but that includes Android, which the shim doesn't support.

Rather than try to align these two conditions, have the runner ask the
shim whether it supports split handshakes or not.

Change-Id: I7bea0d94142c4b6ee42b8f54c67b8611da93feb3
Reviewed-on: https://boringssl-review.googlesource.com/30204
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-08-01 17:14:58 +00:00
Matthew Braithwaite
548c27646a shim: perform split handshakes in a separate binary.
The new binary, called |handshaker|, allows split-handshakes to be
tested using shim and handshaker binaries built at different
revisions.

The shim now proxies traffic to the handshaker during the split
handshake.  The handoff and handback steps serialize additional state
about the test being performed, and its results.

The proxy and handshaker make heavy use of Unix-isms, and so
split-handshake tests are now restricted to Linux.

Change-Id: I048f0540c3978a31b3e573e00da17caf41a8059e
Reviewed-on: https://boringssl-review.googlesource.com/29348
Reviewed-by: Adam Langley <agl@google.com>
2018-08-01 01:44:53 +00:00
Adam Langley
c448f1759a Fix the build with FIPS + NO_ASM.
Setting OPENSSL_NO_ASM skips enabling the “ASM” language in CMake.
However, the FIPS module fundamentally needs to build asm because
delocate works via textual assembly. Thus this combination is currently
broken with CMake.

This change ensures that support for building asm is enabled in CMake
for this combination.

Change-Id: I4516cf3a6f579ee7c72f04ac25d15785926cf125
Reviewed-on: https://boringssl-review.googlesource.com/29884
Reviewed-by: Adam Langley <agl@google.com>
2018-07-30 22:43:25 +00:00
Adam Langley
fadd8b4244 Add script for showing FIPS self-test failures.
Change-Id: I6e98a518ea9a29d9de7691a430fbbbd2a504c08d
Reviewed-on: https://boringssl-review.googlesource.com/30124
Reviewed-by: Adam Langley <agl@google.com>
2018-07-30 22:41:04 +00:00
Adam Langley
4732c544f7 Add ECDH_compute_key_fips inside the module.
This change adds a function so that an ECDH and the hashing of the
resulting 'x' coordinate can occur inside the FIPS boundary.

Change-Id: If93c20a70dc9dcbca49056f10915d3ce064f641f
Reviewed-on: https://boringssl-review.googlesource.com/30104
Reviewed-by: Adam Langley <agl@google.com>
2018-07-30 22:40:31 +00:00
Michał Janiszewski
c4f3b8a22a Add a compile time verification ciphers are sorted for bsearch()
Change-Id: Ibdf5b5194087a44088563141f1de2801cade231b
Reviewed-on: https://boringssl-review.googlesource.com/30144
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-07-30 22:17:31 +00:00
Adam Langley
23e9aec99b Support Wycheproof vectors with the curve given in the group.
Future versions of the Wycheproof vectors will specify the curve for a
group of tests, rather than for each test. This change works with both
the old and new style.

Change-Id: I0d9a503c8357eb4c617544e727d8f4a703c2c2b0
Reviewed-on: https://boringssl-review.googlesource.com/30084
Reviewed-by: Adam Langley <agl@google.com>
2018-07-27 16:45:12 +00:00
Ryan Tseng
f3bfab0035 Comment change in codereview.settings
gcl is long deprecated, "git cl" is what this is used for now.

TBR: davidben
Change-Id: I5980b8ff3a7c384f4650e195eb6e4daf52da5ae2
Reviewed-on: https://boringssl-review.googlesource.com/30064
Reviewed-by: Ryan Tseng <hinoka@google.com>
2018-07-26 00:23:04 +00:00
David Benjamin
ed09f2d5cd Move the MSan sanity check to a source file.
OSS-Fuzz builds fuzz/*.c without matching config, which pulls in
crypto/internal.h. See
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9583.

Change-Id: I4bd16f8741816ebef00d8102fd1f79b0cb16f6a3
Reviewed-on: https://boringssl-review.googlesource.com/30024
Reviewed-by: Adam Langley <agl@google.com>
2018-07-25 15:15:19 +00:00
Daniel Hirche
9af1edbe22 Don't build test/malloc.cc with TSAN.
Change-Id: I33c5259f066693c912ba751dff0205ae240f4a92
Reviewed-on: https://boringssl-review.googlesource.com/29964
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-07-24 15:38:09 +00:00
David Benjamin
22ac2d9b25 Fail the build if MSan is built with assembly.
MSan works by instrumenting memory accesses in the compiler. Accesses from
uninstrumented code, such as assembly, are invisible to it. MSan will
incorrectly report reads from assembly-initialized memory as uninitialized.

To avoid confusing downstream consumers with false positives, catch this at
compile-time with a more useful error.

Update-Note: BoringSSL with MSan and assembly doesn't work, but now rather than
crashing at runtime, it will fail to build altogether. It's possible someone
was building BoringSSL with MSan and either not running it at all or just not
exercising the codepaths that break.

Bug: 252
Change-Id: I0c8b0fa3c2d1e584b3f40d532a668a8c9be06cb7
Reviewed-on: https://boringssl-review.googlesource.com/29928
Reviewed-by: Adam Langley <agl@google.com>
2018-07-23 19:07:41 +00:00
David Benjamin
fc04cb217d Add some TSan coverage of CRYPTO_BUFFER.
There were some subtleties in this one. I'm not sure if TSan covers it all, but
it's better than nothing.

Change-Id: I239e3aee2fea84caa2e48f555d08c6d89f430402
Reviewed-on: https://boringssl-review.googlesource.com/29927
Reviewed-by: Adam Langley <agl@google.com>
2018-07-23 19:04:44 +00:00
David Benjamin
6c04bd1114 Add some basic SSL_CTX threading tests.
This covers some of the session cache bits and the SSL_CTX_get0_certificate
quirk.

Change-Id: Ia2a5e93075de43aaf5fce086e376954f58671536
Reviewed-on: https://boringssl-review.googlesource.com/29926
Reviewed-by: Adam Langley <agl@google.com>
2018-07-23 19:02:38 +00:00
David Benjamin
c5f680ec36 Add a thread test for RSA.
The business with cached Montgomery contexts is not trivial.

Change-Id: I60d34ed5f55509372c82534d1c2233a4ad67ab34
Reviewed-on: https://boringssl-review.googlesource.com/29925
Reviewed-by: Adam Langley <agl@google.com>
2018-07-23 19:00:03 +00:00
David Benjamin
5852cfccbc Add a basic TSan test for ref-counts.
Confirmed that, if the locks are commented out, TSan catches the threading
error.

Change-Id: I3e4ef9a7ca85fdbacf8c8b13694a5a54c6d5f99b
Reviewed-on: https://boringssl-review.googlesource.com/29924
Reviewed-by: Adam Langley <agl@google.com>
2018-07-23 18:57:19 +00:00
David Benjamin
20b6a4e2a1 Clear r->neg in bn_mod_{add,sub}_consttime.
Otherwise, if the output BIGNUM was previously negative, we'd incorrectly give
a negative result. Thanks to Guide Vranken for reporting this issue!

Fortunately, this does not appear to come up in any existing caller. This isn't
all that surprising as negative numbers never really come up in cryptography.
Were it not for OpenSSL historically designing a calculator API, we'd just
delete the bit altogether. :-(

Bug: chromium:865924
Change-Id: I28fdc986dfaba3e38435b14ebf07453d537cc60a
Reviewed-on: https://boringssl-review.googlesource.com/29944
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-07-20 23:45:06 +00:00
Matthew Braithwaite
d154c7ccbc shim: call SSL_CTX_set_tlsext_ticket_keys() only once.
rather than twice, with the second call overriding the first.

Change-Id: Ieb139928edcbe75f1d2e7c2c52c46950d6343a6c
Reviewed-on: https://boringssl-review.googlesource.com/29904
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-07-19 21:33:31 +00:00
Matthew Braithwaite
6d597a34b6 shim: rewrite MoveTestState() to use a serialized representation.
This helps with creating a separate binary to perform split
handshakes, in that the test state must be communicated to, and
retrieved from, the handshaker binary using a socket.

Change-Id: I9d70a9bb3d97dd339aab4f51c6de75f71e4fe72d
Reviewed-on: https://boringssl-review.googlesource.com/29704
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-07-19 21:20:01 +00:00
David Benjamin
0cbb1af41f Don't mint TLS 1.3 tickets if SSL_OP_NO_TICKETS is set.
Change-Id: I03e05acb024e34beaeaf2f02860da1763e08a093
Reviewed-on: https://boringssl-review.googlesource.com/29844
Reviewed-by: Adam Langley <agl@google.com>
2018-07-18 23:47:36 +00:00
David Benjamin
5869eb3951 Test cert_cb and certificate verify ordering.
In particular, although CertificateRequest comes before Certificate and
CertificateVerify in TLS 1.3, we must not resolve the CertificateRequest until
afterwards. (This is rather annoying ordering, but does mean the
CertificateRequest is covered in the signature, which is nice to have.)

Change-Id: Iab95813de5efd674aa8e2459cfc7456b146ee754
Reviewed-on: https://boringssl-review.googlesource.com/29826
Reviewed-by: Jesse Selover <jselover@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2018-07-17 20:40:35 +00:00