Commit Graph

1844 Commits

Author SHA1 Message Date
Matt Braithwaite
cd6f54b193 Add method to query Extended Master Secret support
Change-Id: I4c285f4b3dd77f8fc7249c7504b5e4eb9b62959f
Reviewed-on: https://boringssl-review.googlesource.com/5920
Reviewed-by: Adam Langley <agl@google.com>
2015-09-17 21:18:28 +00:00
Paul Lietar
62be8ac8da Skip the SCT and OCSP extensions in ServerHello when resuming sessions.
SCT and OCSP are part of the session data and as such shouldn't be sent
again to the client when resuming.

Change-Id: Iaee3a3c4c167ea34b91504929e38aadee37da572
Reviewed-on: https://boringssl-review.googlesource.com/5900
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-17 21:15:00 +00:00
David Benjamin
e8814df699 Document PSK functions in ssl.h.
Change-Id: Iac58d28570d429236de1d2bc40b631e252b8e710
Reviewed-on: https://boringssl-review.googlesource.com/5893
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:34:12 +00:00
David Benjamin
9e4e01ee14 Align the SSL stack on #include style.
ssl.h should be first. Also two lines after includes and the rest of the
file.

Change-Id: Icb7586e00a3e64170082c96cf3f8bfbb2b7e1611
Reviewed-on: https://boringssl-review.googlesource.com/5892
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:32:07 +00:00
David Benjamin
1ac08feed6 Fix SSL and SSL_CTX ex_data variable names.
Forgot to fix these when I fixed the headers.

Change-Id: Ie45e624abc993e16e2d5a872ef00dba9029a38df
Reviewed-on: https://boringssl-review.googlesource.com/5891
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:22:07 +00:00
David Benjamin
2079ee70c6 Fix minor documentation mistake.
Change-Id: Ia31c0c04c0dbb00cf55db7fdf2c4641a2287f012
Reviewed-on: https://boringssl-review.googlesource.com/5890
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:19:57 +00:00
Brian Smith
1f5e9456a9 Remove superfluous SHA-1 dependency from EVP ECDSA code.
The documentation for |ECDSA_sign| and |ECDSA_verify| says that the
|type| parameter should be zero.

Change-Id: I875d3405455c5443f5a5a5c2960a9a9f486ca5bb
Reviewed-on: https://boringssl-review.googlesource.com/5832
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 23:18:44 +00:00
David Benjamin
231cb82145 Work around broken Estonian smart cards. Again.
Estonian IDs issued between September 2014 to September 2015 are broken and use
negative moduli. They last five years and are common enough that we need to
work around this bug.

Add parallel "buggy" versions of BN_cbs2unsigned and RSA_parse_public_key which
tolerate this mistake, to align with OpenSSL's previous behavior. This code is
currently hooked up to rsa_pub_decode in RSA_ASN1_METHOD so that d2i_X509 is
tolerant. (This isn't a huge deal as the rest of that stack still uses the
legacy ASN.1 code which is overly lenient in many other ways.)

In future, when Chromium isn't using crypto/x509 and has more unified
certificate handling code, we can put client certificates under a slightly
different codepath, so this needn't hold for all certificates forever. Then in
September 2019, when the broken Estonian certificates all expire, we can purge
this codepath altogether.

BUG=532048

Change-Id: Iadb245048c71dba2eec45dd066c4a6e077140751
Reviewed-on: https://boringssl-review.googlesource.com/5894
Reviewed-by: Adam Langley <agl@google.com>
2015-09-15 21:18:15 +00:00
David Benjamin
cfd65b60a6 Fold srtp.h into ssl.h.
This gets the documentation into the ssl.h documentation, and removes
one of the circularly-dependent headers hanging off ssl.h. Also fixes
some typos; there were a few instances of "SSL *ctx".

Change-Id: I2a41c6f518f4780af84d468ed220fe7b0b8eb0d3
Reviewed-on: https://boringssl-review.googlesource.com/5883
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:59:37 +00:00
David Benjamin
dafbdd49c7 Document session cache functions.
Also switch to the new variable names (SSL_CTX *ctx, SSL *ssl,
SSL_SESSION *session) for all documented functions.

Change-Id: I15e15a703b96af1727601108223c7ce3b0691f1d
Reviewed-on: https://boringssl-review.googlesource.com/5882
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:58:48 +00:00
David Benjamin
14e2b5070b const-correct a few SSL_SESSION functions.
Change-Id: I64d1e29d1e414add4ae522fd9603c550d426a557
Reviewed-on: https://boringssl-review.googlesource.com/5881
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:41:36 +00:00
David Benjamin
abb6c1c191 Reorder ssl_session.c slightly to match the header.
Change-Id: I43138057689a479ff7aba1543118af4b52bb821b
Reviewed-on: https://boringssl-review.googlesource.com/5880
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:40:55 +00:00
David Benjamin
190ab7f179 Move ex_data functions in ssl.h to a section.
Change-Id: Ie3b7c1956cc9d62091f649d0e621d84fce1d26ec
Reviewed-on: https://boringssl-review.googlesource.com/5879
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:40:34 +00:00
David Benjamin
8f3cc26812 Rename ssl_sess.c to ssl_session.c.
Change-Id: Ib730ffe49b30c79b3f30acae4070f6055081a0a3
Reviewed-on: https://boringssl-review.googlesource.com/5878
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:37:52 +00:00
David Benjamin
a6b8cdfbe9 Document functions acting on an SSL_SESSION.
Change-Id: I0b4386d1972af0ac10db397716de8161810a87f4
Reviewed-on: https://boringssl-review.googlesource.com/5877
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:37:42 +00:00
David Benjamin
79c117a4ac Move structs to a 'Private structures' section in ssl.h.
To be consistent with some of the other headers and because SSL_METHOD
no longer has a place to anchor documentation, move the type
documentation up to the corresponding section headers, rather than
attached to a convenient function.

Also document thread-safety properties of SSL and SSL_CTX.

Change-Id: I7109d704d28dda3f5d83c72d86fe31bc302b816e
Reviewed-on: https://boringssl-review.googlesource.com/5876
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:35:18 +00:00
David Benjamin
361ecc0236 Replace skipPast with strings.TrimPrefix.
There was a bug in skipPast; it was skipping to the start of the string,
rather than the end of it. But more of an issue is that it would skip if
it was in the middle of the string, which caused problems when
STACK_OF(FOO) was used as a parameter.

At some point, we'll probably need to give this a real C declaration
parser. We still have declarations (like those that return function
pointers) which we can't parse. But for now let's clear the low-hanging
fruit.

Change-Id: Ic2cee452cc8cf6887a6ff1b00cea353cec361955
Reviewed-on: https://boringssl-review.googlesource.com/5875
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:31:43 +00:00
David Benjamin
ee0c82789a Move SSL_get_peer_* to Connection information.
This is arguably more commonly queried connection information than the
tls-unique.

Change-Id: I1f080536153ba9f178af8e92cb43b03df37110b5
Reviewed-on: https://boringssl-review.googlesource.com/5874
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:30:54 +00:00
David Benjamin
27bbae4682 Reorder functions in ssl_lib.c to match ssl.h.
Just the stuff that has been pulled out into sections already.

Change-Id: I3da6bc61d79ccfe2b18d888075dc32026a656464
Reviewed-on: https://boringssl-review.googlesource.com/5873
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:30:23 +00:00
David Benjamin
3c1ccc017c Document a bunch of core functions in ssl.h.
Unfortunately, these are also some of the worst APIs in the SSL stack.
I've tried to capture all the things they expose to the caller. 0 vs -1
is intentionally left unexpanded on for now. Upstream's documentation
says 0 means transport EOF, which is a nice idea but isn't true. (A lot
of random functions return 0 on error and pass it up to the caller.)
https://crbug.com/466303 tracks fixing that.

SSL_set_bio is intentionally documented to NOT be usable when they're
already configured. The function tries to behave in this case and even
with additional cases when |rbio| and/or |wbio| are unchanged, but this
is buggy. For instance, this will explode:

     SSL_set_bio(ssl, bio1, bio1);
     SSL_set_bio(ssl, bio2, SSL_get_wbio(ssl));

As will this, though it's less clear this is part of the API contract
due to SSL taking ownership.

     SSL_set_bio(ssl, bio1, bio2);
     SSL_set_bio(ssl, bio2, bio1);

It also tries to handle ssl->bbio already existing, but I doubt it quite
works. Hopefully we can drop ssl->bbio eventually. (Why is this so
complicated...)

Change-Id: I5f9f3043915bffc67e2ebd282813e04afbe076e6
Reviewed-on: https://boringssl-review.googlesource.com/5872
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 23:29:18 +00:00
David Benjamin
72d8693ef2 No-op change to kick the documentation bot.
Change-Id: I8300ab8c4adda2ef4fb0f8b01d73469be6b8851a
2015-09-14 19:15:09 -04:00
David Benjamin
c0577626cb Run go fmt over runner.
Last set of changes didn't do that.

Change-Id: Iae24e75103529ce4d50099c5cbfbcef0e10ba663
Reviewed-on: https://boringssl-review.googlesource.com/5871
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 22:26:06 +00:00
David Benjamin
c99807d843 Tidy up dtls1_hm_fragment_new and fix (unreachable) memory leak.
clang scan-build found a memory leak if the overflow codepath in
dtls1_hm_fragment is hit. Along the way, tidy up that function.

Change-Id: I3c4b88916ee56ab3ab63f93d4a967ceae381d187
Reviewed-on: https://boringssl-review.googlesource.com/5870
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 22:25:17 +00:00
Adam Langley
626c68601c Initialise |supports_digest|.
We were getting this because of C's defaults, but it's fragile to leave
it like this because someone may add another field at the end in the
future.

Change-Id: I8b2dcbbc7cee8062915d15101f99f5a1aae6ad87
Reviewed-on: https://boringssl-review.googlesource.com/5860
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-14 21:51:18 +00:00
David Benjamin
1d128f369c Make SSL_get_client_CA_list slightly more OpenSSL-compatible.
SSL_get_client_CA_list is one of those dreaded functions which may query either
configuration state or handshake state. Moreover, it does so based on
|ssl->server|, which may not be configured until later. Also check
|ssl->handshake_func| to make sure |ssl| is not in an indeterminate state.

This also fixes a bug where SSL_get_client_CA_list wouldn't work in DTLS due to
the incorrect |ssl->version| check.

Change-Id: Ie564dbfeecd2c8257fd6bcb148bc5db827390c77
Reviewed-on: https://boringssl-review.googlesource.com/5827
Reviewed-by: Adam Langley <agl@google.com>
2015-09-11 22:30:55 +00:00
Matt Braithwaite
af096751e8 Restore the NULL-SHA ciphersuite. (Alas.)
Change-Id: Ia5398f3b86a13fb20dba053f730b51a0e57b9aa4
Reviewed-on: https://boringssl-review.googlesource.com/5791
Reviewed-by: Adam Langley <agl@google.com>
2015-09-11 22:18:08 +00:00
Paul Lietar
4fac72e638 Add server-side support for Signed Certificate Timestamps.
Change-Id: Ifa44fef160fc9d67771eed165f8fc277f28a0222
Reviewed-on: https://boringssl-review.googlesource.com/5840
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-11 21:52:26 +00:00
David Benjamin
1bfce80b44 Generate stable URL fragments.
Using numbers is sensitive to moving things around. Instead, use the
names and enforce, for sections, that they are unique. Names would be
enforced too, but there's a table-of-contents bug around #ifdefs to
resolve first.

Change-Id: I8822e8ba8da9ed3ee4984365b8a64932d16d5baf
Reviewed-on: https://boringssl-review.googlesource.com/5826
Reviewed-by: Adam Langley <agl@google.com>
2015-09-11 21:03:50 +00:00
David Benjamin
7e40d4e584 Deprecated functions get their own sections.
A small handful of functions got a 'Deprecated:' prefix instead in
documentation.

Change-Id: Ic151fb7d797514add66bc6465b6851b666a471bc
Reviewed-on: https://boringssl-review.googlesource.com/5825
Reviewed-by: Adam Langley <agl@google.com>
2015-09-11 20:57:36 +00:00
David Benjamin
6fad7bc586 Some documentation fixes.
We had a few duplicate section names.

Change-Id: I0c9b2a1669ac14392fd577097d5ee8dd80f7c73c
Reviewed-on: https://boringssl-review.googlesource.com/5824
Reviewed-by: Adam Langley <agl@google.com>
2015-09-11 20:56:53 +00:00
David Benjamin
c0125ef8f3 Fix SSL_CIPHER_is_AESGCM.
It was checking algorithm_mac rather than algorithm_enc.
(Coincidentally, it gave the right answer if you compiled out the
ChaCha20 ciphers since SSL_AES128GCM and SSL_AEAD shared a value.)

Change-Id: I17047425ef7fabb98969144965d8db9528ef8497
Reviewed-on: https://boringssl-review.googlesource.com/5850
Reviewed-by: Adam Langley <agl@google.com>
2015-09-09 17:56:59 +00:00
Adam Langley
a0a8dc208f Move large stack buffer in bssl_shim to heap.
The size of the stack caused by this object is problematic for systems
that have smaller stacks because they expect many threads.

Change-Id: Ib8f03741f9dd96bf474126f001947f879e50a781
Reviewed-on: https://boringssl-review.googlesource.com/5831
Reviewed-by: Matt Braithwaite <mab@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-09 17:54:24 +00:00
Adam Langley
f673831272 Drop urandom_test.
It didn't do too much and I didn't notice that CRYPTO_sysrand wasn't
OPENSSL_EXPORTed, which makes the test impossible on shared-library
builds.

Change-Id: I38986572aa34fa9c0f30075d562b8ee4e1a0c8b8
2015-09-08 18:10:15 -07:00
David Benjamin
7c6d09b9e5 Fold ssl_algs.c into ssl_lib.c.
There's not enough in that file to really justify its own file now.

Change-Id: I6130cfce6c40fe9d46aa83dd83e6f38d87fdcf64
Reviewed-on: https://boringssl-review.googlesource.com/5823
Reviewed-by: Adam Langley <agl@google.com>
2015-09-09 01:05:25 +00:00
Matt Braithwaite
cc2c7aa91c Buffer reads of urandom, if you promise no forking.
Callers that lack hardware random may obtain a speed improvement by
calling |RAND_enable_fork_unsafe_buffering|, which enables a
thread-local buffer around reads from /dev/urandom.

Change-Id: I46e675d1679b20434dd520c58ece0f888f38a241
Reviewed-on: https://boringssl-review.googlesource.com/5792
Reviewed-by: Adam Langley <agl@google.com>
2015-09-09 01:02:54 +00:00
David Benjamin
443a1f65e2 Toss file-related convenience bits of ssl/ into a corner.
Quite a lot of consumers of the SSL stack will never need to touch files from
the SSL stack, but enough do that we can't just ditch them. Toss that all into
their own file so a static linker can drop it.

Change-Id: Ia07de939889eb09e3ab16aebcc1b6869ca8b75a0
Reviewed-on: https://boringssl-review.googlesource.com/5820
Reviewed-by: Adam Langley <agl@google.com>
2015-09-08 23:34:40 +00:00
Adam Langley
06fa67c8d3 Stop using |ERR_peek_last_error| in RSA blinding.
History has shown there are bugs in not setting the error code
appropriately, which makes any decision making based on
|ERR_peek_last_error|, etc. suspect. Also, this call was interfering
with the link-time optimizer's ability to discard the implementations of
many functions in crypto/err during dead code elimination.

Change-Id: Iba9e553bf0a72a1370ceb17ff275f5a20fca31ec
Reviewed-on: https://boringssl-review.googlesource.com/5748
Reviewed-by: Adam Langley <agl@google.com>
2015-09-08 23:32:48 +00:00
Paul Lietar
8f1c268692 Wait for CertificateStatus message to verify certificate.
Applications may require the stapled OCSP response in order to verify
the certificate within the verification callback.

Change-Id: I8002e527f90c3ce7b6a66e3203c0a68371aac5ec
Reviewed-on: https://boringssl-review.googlesource.com/5730
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-09-08 19:04:43 +00:00
Adam Langley
8748920ca7 Don't forget to free the TLS 1.0 ciphers.
Change-Id: I38517e0b13c9fc75b3964bc980d16daee9aed5b5
2015-09-03 15:52:29 -07:00
Adam Langley
cef7583633 Add cipher suite settings for TLS ≥ 1.0.
This change adds the ability to configure ciphers specifically for
TLS ≥ 1.0. This compliments the existing ability to specify ciphers
for TLS ≥ 1.1.

This is useful because TLS 1.0 is the first version not to suffer from
POODLE. (Assuming that it's implemented correctly[1].) Thus one might
wish to reserve RC4 solely for SSLv3.

[1] https://www.imperialviolet.org/2014/12/08/poodleagain.html

Change-Id: I774d5336fead48f03d8a0a3cf80c369692ee60df
Reviewed-on: https://boringssl-review.googlesource.com/5793
Reviewed-by: Adam Langley <agl@google.com>
2015-09-03 22:44:36 +00:00
Paul Lietar
23b185a3cf Allow out_present to be NULL in CBS_get_optional_asn1
This is useful to skip an optional element, and mirrors the behaviour of
CBS_get_optional_asn1_octet_string.

Change-Id: Icb538c5e99a1d4e46412cae3c438184a94fab339
Reviewed-on: https://boringssl-review.googlesource.com/5800
Reviewed-by: Adam Langley <agl@google.com>
2015-09-03 18:46:17 +00:00
David Benjamin
c9d40ba5b0 Remove unnecessary field initializations.
SSL_CTX gets memset to zero, so many of the values needn't be explicitly
initialized.

Change-Id: I0e707a0dcc052cd6f0a5dc8d037400170bd75594
Reviewed-on: https://boringssl-review.googlesource.com/5812
Reviewed-by: Adam Langley <agl@google.com>
2015-09-03 18:39:54 +00:00
David Benjamin
95aaf4a61c Markdown-ify BUILDING.
Change-Id: Icd3cba6522ce47a4dfe699204982b5b692d3d62e
Reviewed-on: https://boringssl-review.googlesource.com/5811
Reviewed-by: Adam Langley <agl@google.com>
2015-09-03 18:38:21 +00:00
David Benjamin
0e3f1d80f8 Markdown-ify STYLE.
Since we're able to render it fancy, may as well.

Change-Id: Ia1ab4b7ad0cdd78c8ffb75342ee62365843e7d5f
Reviewed-on: https://boringssl-review.googlesource.com/5810
Reviewed-by: Adam Langley <agl@google.com>
2015-09-03 18:37:39 +00:00
David Benjamin
809829ee9f Fix a typo in PORTING.md and mention one more renego restriction.
Change-Id: I59b30882178222000dd90b051856bb2816eeb9fd
Reviewed-on: https://boringssl-review.googlesource.com/5789
Reviewed-by: Adam Langley <agl@google.com>
2015-09-03 18:37:14 +00:00
David Benjamin
65703b45c4 Add a PORTING document which describes some major API differences.
There are a few things that differ in ways that are not source-compatible, so
it's probably worth documenting them.

Change-Id: I4ef26173a9347d9fd517c1b5215e08ced660b79d
Reviewed-on: https://boringssl-review.googlesource.com/5788
Reviewed-by: Adam Langley <agl@google.com>
2015-09-02 21:58:35 +00:00
David Benjamin
ac8302a092 Don't set need_record_splitting until aead_write_ctx is set.
setup_key_block is called when the first CCS resolves, but for resumptions this
is the incoming CCS (see ssl3_do_change_cipher_spec). Rather than set
need_record_splitting there, it should be set in the write case of
tls1_change_cipher_state.

This fixes a crash from the new record layer code in resumption when
record-splitting is enabled. Tweak the record-splitting tests to cover this
case.

This also fixes a bug where renego from a cipher which does require record
splitting to one which doesn't continues splitting. Since version switches are
not allowed, this can only happen after a renego from CBC to RC4.

Change-Id: Ie4e1b91282b10f13887b51d1199f76be4fbf09ad
Reviewed-on: https://boringssl-review.googlesource.com/5787
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 22:30:48 +00:00
David Benjamin
4f75aaf661 Test various cases where plaintexts and ciphertexts are too large.
Note that DTLS treats oversized ciphertexts different from everything else.

Change-Id: I71cba69ebce0debdfc96a7fdeb2666252e8d28ed
Reviewed-on: https://boringssl-review.googlesource.com/5786
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 22:11:39 +00:00
David Benjamin
76c2efc0e9 Forbid a server from negotiating both ALPN and NPN.
If the two extensions select different next protocols (quite possible since one
is server-selected and the other is client-selected), things will break. This
matches the behavior of NSS (Firefox) and Go.

Change-Id: Ie1da97bf062b91a370c85c12bc61423220a22f36
Reviewed-on: https://boringssl-review.googlesource.com/5780
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 20:46:42 +00:00
David Benjamin
2c99d289fd Fix buffer size computation.
The maximum buffer size computation wasn't quite done right in
ssl_buffer.c, so we were failing with BUFFER_TOO_SMALL for sufficiently
large records. Fix this and, as penance, add 103 tests.

(Test that we can receive maximum-size records in all cipher suites.
Also test SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER while I'm here.)

BUG=526998

Change-Id: I714c16dda2ed13f49d8e6cd1b48adc5a8491f43c
Reviewed-on: https://boringssl-review.googlesource.com/5785
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 20:18:21 +00:00