Commit Graph

573 Commits

Author SHA1 Message Date
David Benjamin
eee7306c72 Get bssl tool building on Windows.
This lets us run bssl speed at least. bssl client is currently compiled
out until we clean up our socket story on Windows and get it working.

Change-Id: Ib1dc0d0e0a6eed7544207e7bbe138503731fda67
Reviewed-on: https://boringssl-review.googlesource.com/2103
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 22:02:01 +00:00
David Benjamin
f44aa68a26 Fix standalone Win64 build.
generic.c still needs to include generic implementations in Win64.
Those are currently done with inline assembly and won't work on
MSVC.

Change-Id: Ifeb5470872d8c97b2ccffeae6f3ccb5661051de3
Reviewed-on: https://boringssl-review.googlesource.com/2102
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 22:00:45 +00:00
David Benjamin
e92fc1812d Remove remnant of SRP.
Dead #ifdef.

Change-Id: Ic8fcd56a2ee15dc4f8be485cd784eb1399640365
Reviewed-on: https://boringssl-review.googlesource.com/2101
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 22:00:05 +00:00
David Benjamin
fd617a5030 Port ssl3_{get,send}_server_key_exchange to EVP_Digest{Verify,Sign}*.
Minor change, but they're the users of the old API left within
BoringSSL.

Change-Id: Ic24e0d006c97fa5265abc3373d3f98aa8d2f8b1e
Reviewed-on: https://boringssl-review.googlesource.com/2100
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 21:59:49 +00:00
Adam Langley
e6def376fe Remove ERR_LIB_PKCS12.
This is no longer used but, by retaining it, we might miss cases where
code is still testing against it.

Change-Id: I40ed47e41f903aaf2c5e5354d4348f8890021382
Reviewed-on: https://boringssl-review.googlesource.com/2110
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 18:25:06 +00:00
David Benjamin
03a739d8d2 Build Win32 with Yasm rather than MASM.
Although x86masm.pl exists, upstream's documentation suggest only x86nasm.pl is
supported. Yasm seems to handle it fine with a small change.

Change-Id: Ia77be57c6b743527225924b2b398f2f07a084a7f
Reviewed-on: https://boringssl-review.googlesource.com/2092
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 23:14:11 +00:00
David Benjamin
3e700bb3e8 Get MASM output working on Win32.
We were building the NASM flavor with MASM which is why it didn't work. Get the
MASM output working: cpuid and cmove are not available in MASM unless the file
declares .686. Also work around MASM rejecting a very long line in SHA-256.

The follow-up change will get the NASM flavor working. We should probably use
that one as it's documented as supported upstream. But let's make this one
functional too.

Change-Id: Ica69cc042a7250c7bc9ba9325caab597cd4ce616
Reviewed-on: https://boringssl-review.googlesource.com/2091
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 23:13:20 +00:00
David Benjamin
2a0f3420f7 Fix standalone bio_test and v3name_test on Win64.
Win32 still has assembly issues and bssl wants to select() on both sockets and
stdin (doesn't work on Windows). But this is a start.

Change-Id: Iafc5215be281aed836c5ac2dc8b379399848a2c2
Reviewed-on: https://boringssl-review.googlesource.com/2090
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 21:17:27 +00:00
Adam Langley
5f51c25303 Add -cipher option to bssl client.
Change-Id: I3da1af62de9a94317fa7f14fda00e230b32bf5d5
Reviewed-on: https://boringssl-review.googlesource.com/2081
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:48:23 +00:00
David Benjamin
8f1ef1d554 Fix double-frees on malloc failure in ssl3_get_client_key_exchange.
If generating the master secret or applying the PSK post-processing fails,
we'll double-free all the ECDH state.

Change-Id: Id52931af73bdef5eceb06f7e64d32fdda629521e
Reviewed-on: https://boringssl-review.googlesource.com/2063
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:34:25 +00:00
David Benjamin
93d67d36c5 Refactor ssl3_send_client_key_exchange slightly.
Like ssl3_get_client_key_exchange, it is split into three parts:
- If PSK, query the PSK and write out the PSK identity.
- Compute the base pre-master secret.
- If PSK, compute the final pre-master secret.

This also fixes some double-frees on malloc failures in the ECDHE case. And it
avoids using the handshake output buffer to start the premaster secret.

Change-Id: I8631ee33c1e9c19604b3dcce2c676c83893c308d
Reviewed-on: https://boringssl-review.googlesource.com/2062
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:34:07 +00:00
David Benjamin
2af684fa92 Add tests for ECDHE_PSK.
pskKeyAgreement is now a wrapper over a base key agreement.

Change-Id: Ic18862d3e98f7513476f878b8df5dcd8d36a0eac
Reviewed-on: https://boringssl-review.googlesource.com/2053
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:33:09 +00:00
David Benjamin
491956c866 Fix ECDHE_PSK key exchange.
The current implementation switches the order of other_secret and psk;
other_secret is first. Fix it and rewrite with CBB instead. The server half got
fixed on accident in a prior refactor.

Change-Id: Ib52a756aadd66e4bf22c66794447f71f4772da09
Reviewed-on: https://boringssl-review.googlesource.com/2052
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:32:45 +00:00
David Benjamin
48cae08563 Add tests for PSK cipher suites.
Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will
be in a follow-up.

Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3
Reviewed-on: https://boringssl-review.googlesource.com/2051
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:32:21 +00:00
David Benjamin
b06711ca34 Move the X509_NAME typedef into x509.h.
X509_NAME is one of the symbols that collide with wincrypt.h. Move it to x509.h
so libraries which only use the pure-crypto portions of BoringSSL without X.509
needn't have to resolve the collision.

Change-Id: I057873498e58fe4a4cf264356f9a58d7a15397b7
Reviewed-on: https://boringssl-review.googlesource.com/2080
Reviewed-by: Adam Langley <agl@google.com>
2014-10-28 22:38:38 +00:00
David Benjamin
e167976126 Make EVP_DigestVerifyFinal return only zero or one.
It was already almost there. Just a malloc failure away. now all the
EVP_Digest{Sign,Verify}* functions may be used without worrying about -1 return
values.

Change-Id: I96a9750b300010615979bd5f1522b1d241764665
Reviewed-on: https://boringssl-review.googlesource.com/2064
Reviewed-by: Adam Langley <agl@google.com>
2014-10-28 20:22:46 +00:00
David Benjamin
3cac450af5 Add SSL_SESSION_to_bytes to replace i2d_SSL_SESSION.
Deprecate the old two-pass version of the function. If the ticket is too long,
replace it with a placeholder value but keep the connection working.

Change-Id: Ib9fdea66389b171862143d79b5540ea90a9bd5fb
Reviewed-on: https://boringssl-review.googlesource.com/2011
Reviewed-by: Adam Langley <agl@google.com>
2014-10-28 19:02:59 +00:00
Piotr Sikora
773bb55c6f Fix build (broken by removal of key_arg from SSL_SESSION parsing).
This fixes error reported by clang:
unused variable 'kKeyArgTag' [-Werror,-Wunused-const-variable].

Change-Id: I1d5c9937064bfadd810cbe1b73e0070cc2ead684
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-on: https://boringssl-review.googlesource.com/2070
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 23:00:20 +00:00
David Benjamin
eb380a4632 Fix build on Windows.
This broke in a19fc259f0.

Change-Id: Icbdb6c7ed7f1f4906cc9c948ecbd6cfd5a0d7e73
Reviewed-on: https://boringssl-review.googlesource.com/2061
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 22:10:39 +00:00
David Benjamin
aeb8d00e76 Add less dangerous versions of SRTP functions.
The old ones inverted their return value. Add SSL_(CTX_)set_srtp_profiles which
return success/failure correctly and deprecate the old functions. Also align
srtp.h with the new style since it's very short.

When this rolls through, we can move WebRTC over to the new ones.

Change-Id: Ie55282e8858331910bba6ad330c8bcdd0e38f2f8
Reviewed-on: https://boringssl-review.googlesource.com/2060
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 21:58:09 +00:00
David Benjamin
7001a7fce6 Don't bother accepting key_arg when parsing SSL_SESSION.
Doing some archeaology, since the initial OpenSSL commit, key_arg has been
omitted from the serialization if key_arg_length was 0. Since this is an
SSLv2-only field and resuming an SSLv2 session with SSLv3+ is not possible,
there is no need to support parsing those sessions.

Interestingly, it is actually not the case that key_arg_length was only ever
set in SSLv2, historically. In the initial commit of OpenSSL, SSLeay 0.8.1b,
key_arg was used to store what appears to be the IV. That was then removed in
the next commit, an import of SSLeay 0.9.0b, at which point key_arg was only
ever set in SSLv3. That is old enough that there is certainly no need to
parse pre-SSLeay-0.9.0b sessions...

Change-Id: Ia768a2d97ddbe60309be20e2efe488640c4776d9
Reviewed-on: https://boringssl-review.googlesource.com/2050
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 21:55:26 +00:00
Piotr Sikora
3b73c18fca Fix "integer constant is too large for 'long' type" errors.
Change-Id: I018cdc805e19284b057a57d04c9665f0a35ccc3b
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-on: https://boringssl-review.googlesource.com/2040
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 22:12:49 +00:00
Adam Langley
7571292eac Extended master secret support.
This change implements support for the extended master secret. See
https://tools.ietf.org/html/draft-ietf-tls-session-hash-01
https://secure-resumption.com/

Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93
Reviewed-on: https://boringssl-review.googlesource.com/1930
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 21:19:44 +00:00
David Benjamin
89abaea141 Reimplement i2d_SSL_SESSION using CBB.
No more need for all the macros. For now, this still follows the two-pass i2d_*
API despite paying a now-unnecessary malloc. The follow-on commit will expose a
more reasonable API and deprecate this one.

Change-Id: I50ec63e65afbd455ad3bcd2f1ae3c782d9e8f9d2
Reviewed-on: https://boringssl-review.googlesource.com/2000
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:30:09 +00:00
David Benjamin
83fd6b686f Reimplement d2i_SSL_SESSION with CBS.
Do away with all those unreadable macros. Also fix many many memory leaks in
the SSL_SESSION reuse case. Add a number of helper functions in CBS to help
with parsing optional fields.

Change-Id: I2ce8fd0d5b060a1b56e7f99f7780997fabc5ce41
Reviewed-on: https://boringssl-review.googlesource.com/1998
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:26:41 +00:00
David Benjamin
fbe6f498cd The empty contents are not a valid ASN.1 INTEGER.
Zero is encoded as a single zero octet. Per X.690, 8.3.1:

  The encoding of an integer value shall be primitive. The contents octets
  shall consist of one or more octets.

Change-Id: If4304a2be5117b71446a3a62a2b8a6124f85a202
Reviewed-on: https://boringssl-review.googlesource.com/2010
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:26:11 +00:00
David Benjamin
b5b6854968 Add CBB_add_asn1_uint64.
Companion to CBS_get_asn1_uint64. Also add tests for both the parsing and the
serializing.

Change-Id: Ic5e9a0089c88b300f874712d0e9964cb35a8c40b
Reviewed-on: https://boringssl-review.googlesource.com/1999
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:25:52 +00:00
David Benjamin
9f2c0d7a94 Remove T** parameter to ssl_bytes_to_cipher_list.
There's only one caller and it doesn't use that feature. While I'm here, tidy
that function a little. Don't bother passing FALLBACK_SCSV into
ssl3_get_cipher_by_value.

Change-Id: Ie71298aeaaab6e24401e0a6c2c0d2281caa93ba4
Reviewed-on: https://boringssl-review.googlesource.com/2030
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 02:01:33 +00:00
David Benjamin
2a39eaeec7 Don't condition on another header's #include guard.
This was there since OpenSSL's initial commit and doesn't appear to serve any
purpose anymore. There's also an instance in x509_vfy.h, but this does not
actually appear to be a no-op because the headers include each other.

Change-Id: I6dee04538bdb3fd91a5da3c71c9d0027443b6bbc
Reviewed-on: https://boringssl-review.googlesource.com/2020
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 01:53:43 +00:00
David Benjamin
751e889b1d Add SSL_SESSION serialization and deserialization tests.
Change-Id: Ia59e4accb644c8807b7c4ab6267efa624be95c18
Reviewed-on: https://boringssl-review.googlesource.com/1992
Reviewed-by: Adam Langley <agl@google.com>
2014-10-21 17:56:14 +00:00
David Benjamin
d7a76e72c6 Remove key_arg and key_arg_length from SSL_SESSION.
Remnants of SSLv2 support.

Change-Id: If45035f1727f235e122121418770f75257b18026
Reviewed-on: https://boringssl-review.googlesource.com/1991
Reviewed-by: Adam Langley <agl@google.com>
2014-10-21 17:55:49 +00:00
David Benjamin
a19fc259f0 Move ECC extensions out of SSL_SESSION.
There's no need to store them on the session. They're temporary handshake
state and weren't serialized in d2i_SSL_SESSION anyway.

Change-Id: I830d378ab49aaa4fc6c4c7a6a8c035e2263fb763
Reviewed-on: https://boringssl-review.googlesource.com/1990
Reviewed-by: Adam Langley <agl@google.com>
2014-10-21 17:55:01 +00:00
Adam Langley
4a674152fd Set the IV length for AES-ECB to zero.
This has been wrong since the initial rework of e_aes.c.

Change-Id: I91d92b643c151cd38a272a27f805e5f8ba6dc2df
Reviewed-on: https://boringssl-review.googlesource.com/1981
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 23:51:32 +00:00
David Benjamin
721e6e1500 Don't read past the end of the string in BUF_strndup.
BUF_strlcpy still assumes |src| is a NUL-terminated string and will call strlen
on it to determine the actual length. BUF_strndup's input need not be
NUL-terminated.

Change-Id: I9ca95e92533d12f1b0283412249bda4f8cf92433
Reviewed-on: https://boringssl-review.googlesource.com/1997
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 20:07:02 +00:00
David Benjamin
b698617007 Add CBS_peek_asn1_tag.
Intended to make parsing ASN.1 structures with OPTIONAL elements easier. (Just
attempting to parse the next tag doesn't distinguish between a malformed CBS
which has now been partially advanced and an optional tag mismatch.)

Change-Id: Idceb3dfd6ec028e87e1bc5aaddcec177b0c32150
Reviewed-on: https://boringssl-review.googlesource.com/1995
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:20:26 +00:00
David Benjamin
7f7882f1a8 Remove obsolete TODO
Change-Id: I5b02f57615d4ab01efbf7199474ce4e43c6956b6
Reviewed-on: https://boringssl-review.googlesource.com/1994
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:19:07 +00:00
David Benjamin
a650e05484 Fix pqueue_test.c memory leak.
Change-Id: I0a93900f0ebb22893d86a454cda086be37d4bbad
Reviewed-on: https://boringssl-review.googlesource.com/1993
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:18:53 +00:00
Adam Langley
3831173740 Fix memory leak when decoding corrupt tickets.
This is CVE-2014-3567 from upstream. See
https://www.openssl.org/news/secadv_20141015.txt

Change-Id: I9aad422bf1b8055cb251c7ff9346cf47a448a815
Reviewed-on: https://boringssl-review.googlesource.com/1970
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:05:48 +00:00
Adam Langley
88333ef7d7 Fix switching between AEAD and non-AEAD in a renegotiation.
https://code.google.com/p/chromium/issues/detail?id=423998

Change-Id: I29d67db92b47d6cd303125b44e5ba552d97d54ff
Reviewed-on: https://boringssl-review.googlesource.com/1960
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:05:23 +00:00
David Benjamin
0248889950 Don't mix and match libraries and errors.
The same library code applies for both the error and the function, so modules
cannot easily report errors from each other. Switch evp/algorithm.c's error
codes to the EVP library. Remove the original error codes so it's obvious some
changes are needed.

- X509_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED -> EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
  ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED -> EVP_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED
  (Actually, the X509 version of this error code doesn't exist in OpenSSL. It should
   have been ASN1.)

- ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM -> EVP_R_UNKNOWN_SIGNATURE_ALGORITHM

- ASN1_R_WRONG_PUBLIC_KEY_TYPE -> EVP_R_WRONG_PUBLIC_KEY_TYPE

- ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM -> EVP_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM

Change-Id: I05b1a05b465d800c85f7d63ca74588edf40847b9
Reviewed-on: https://boringssl-review.googlesource.com/1940
Reviewed-by: Adam Langley <agl@google.com>
2014-10-13 22:56:28 +00:00
Adam Langley
7ea848165b Add generic OPERATION_NOT_SUPPORTED error code.
Implementations of ENGINEs often don't want to implement every function.
This change adds an error code for those situations.

Change-Id: Id6b7eace36d06ffad7f347f556d942d447d8a2fd
Reviewed-on: https://boringssl-review.googlesource.com/1920
Reviewed-by: Wan-Teh Chang <wtc@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 23:55:39 +00:00
David Benjamin
bc8d737807 Add tests for AlgorithmIdentifier support in EVP.
Change-Id: I6691c93cfebfb06132e847d7c0bd3dd6bf076cab
Reviewed-on: https://boringssl-review.googlesource.com/1917
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 22:07:32 +00:00
David Benjamin
8f160a680b Add EVP_DigestVerifyInitFromAlgorithm and EVP_DigestSignAlgorithm.
Factor the AlgorithmIdentifier portions of ASN1_item_sign and ASN1_item_verify
out. This makes it possible to initialize a signature context from an
AlgorithmIdentifier without needing the data parsed into an ASN1_ITEM/void*
pair and reserialized.

Change-Id: Idc2e06b1310a3f801aa25de323d39d2b7a44ef50
Reviewed-on: https://boringssl-review.googlesource.com/1916
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:52:52 +00:00
David Benjamin
2e1594dfb5 Remove #if-0'd ASN1_sign.
Verified that nothing uses it.

Change-Id: I1755144129e274f3d1680ddb8cb12273070eb078
Reviewed-on: https://boringssl-review.googlesource.com/1912
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:07:48 +00:00
David Benjamin
75a1dd0dbe Remove EVP_PKEY_CTX case in rsa_pss_to_ctx.
We only ever use the EVP_PKEY case, not the EVP_PKEY_CTX one.

Change-Id: Ibead854f793663da0a9e474599507d9c3ff920cb
Reviewed-on: https://boringssl-review.googlesource.com/1915
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:07:32 +00:00
David Benjamin
f4b4952719 Fix rsa_pss_to_ctx return value.
It should return 0 for failure, not -1; the call site was expecting 0 anyway.

Change-Id: I24ab5d3695b8ac438e40be1a4fd74ecd3b845f5a
Reviewed-on: https://boringssl-review.googlesource.com/1914
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:04:36 +00:00
David Benjamin
5db5d4e2b0 RSA_encrypt and RSA_sign_raw aren't the same.
Change-Id: Ie09ab12baf59b8c1d628396424ce6cadf43bf0e1
Reviewed-on: https://boringssl-review.googlesource.com/1913
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:04:07 +00:00
David Benjamin
a87941ad17 Remove misspelled error code.
One ASN1_R_UNKNOWN_FORMAT got mispelled into ASN1_R_UNKOWN_FORMAT and
duplicated.

Change-Id: If123ef848ffe68afa021f5f3e3fb08eac92c5f94
Reviewed-on: https://boringssl-review.googlesource.com/1911
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:03:42 +00:00
David Benjamin
b1659f597b Fix err_test.
ERR_FLAG_MALLOCED is now masked and isn't returned through
ERR_get_error_line_data.

Change-Id: Ida633bf1a5ca01f563c1323dbdfb2433c2ab5159
Reviewed-on: https://boringssl-review.googlesource.com/1910
Reviewed-by: Adam Langley <agl@google.com>
2014-10-09 21:03:11 +00:00
Adam Langley
57e52f2a63 Fix invariant broken in 5f1374e2.
If to_free is not a valid pointer then it should be NULL.

Change-Id: I6addb2b8e7aa61d3ba47baaf8d0606d10ff2545d
2014-10-06 19:30:44 -07:00