Commit Graph

520 Commits

Author SHA1 Message Date
David Benjamin
129992360a Check EVP_Cipher return values.
PR#1767

(Imported from upstream's fe78f08d1541211566a5656395186bfbdc61b6f8)

Not sure this is reachable (upstream's PR references custom engines), but
better be tidy. Note this is slightly different from upstream's: EVP_Cipher is
documented to return -1 on failure, not 0.

Change-Id: I836f12b73c6912a8ae8cbd37cfd3d33466acbc9e
Reviewed-on: https://boringssl-review.googlesource.com/2478
Reviewed-by: Adam Langley <agl@google.com>
2014-12-05 17:30:13 +00:00
David Benjamin
8278184631 Remove redundant checks in ssl_cert_dup.
PR#3613

(Imported from upstream's fc3968a25ce0c16cab8730ec0d68a59856158029)

We don't care about GOST, but removing redundant code is reasonable. Also
switch that CRYPTO_add to EVP_PKEY_dup. Missed a spot.

Change-Id: I768ec546d987fb3d8bc3decf7ebf1a5590fbb6c2
Reviewed-on: https://boringssl-review.googlesource.com/2477
Reviewed-by: Adam Langley <agl@google.com>
2014-12-05 17:27:23 +00:00
David Benjamin
83abdd6e58 Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask
PR#3608

(Imported from upstream's 8a35dbb6d89a16d792b79b157b3e89443639ec94.)

Change-Id: Iab9d91f9b96793f2275a23770f1275ff4edf0386
Reviewed-on: https://boringssl-review.googlesource.com/2476
Reviewed-by: Adam Langley <agl@google.com>
2014-12-05 17:26:48 +00:00
David Benjamin
e518f65d2c Update references to RFCs.
Some code predated the RFCs themselves, but the RFCs now exist. Also remove
now obsolete comments and some unused #defines.

See upstream's cffeacd91e70712c99c431bf32a655fa1b561482. (Though this predates
it; I just remembered I never uploaded it.)

Change-Id: I5e56f0ab6b7f558820f72e84dfdbc71a8c23cb91
Reviewed-on: https://boringssl-review.googlesource.com/2475
Reviewed-by: Adam Langley <agl@google.com>
2014-12-05 17:26:13 +00:00
Feng Lu
41aa325c6a ClientHello Padding for Fast Radio Opening in 3G.
The ClientHello record is padded to 1024 bytes when
fastradio_padding is enabled. As a result, the 3G cellular radio
is fast forwarded to DCH (high data rate) state. This mechanism
leads to a substantial redunction in terms of TLS handshake
latency, and benefits mobile apps that are running on top of TLS.

Change-Id: I3d55197b6d601761c94c0f22871774b5a3dad614
2014-12-04 14:30:16 -08:00
David Benjamin
d8a3e78223 Shush a MSVC bool/int comparison warning.
MSVC doesn't like it when you compare the two.

Change-Id: I03c5ff2e2668ac2e536de8278e3a7c98a3dfd117
Reviewed-on: https://boringssl-review.googlesource.com/2460
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 00:22:31 +00:00
David Benjamin
90eeb11652 Remove SSL_set_debug.
It just inserts extra flushes everywhere and isn't used.

Change-Id: I082e4bada405611f4986ba852dd5575265854036
Reviewed-on: https://boringssl-review.googlesource.com/2456
Reviewed-by: Adam Langley <agl@google.com>
2014-12-04 00:22:14 +00:00
David Benjamin
00505ec2e1 Add EVP_md5_sha1.
Use it in ssl3_cert_verify_hash so signing a pre-TLS-1.2 handshake hash can go
through RSA_sign and be intercepted via RSA_METHOD appropriately. This avoids
Windows needing to intercept sign_raw. (CAPI keys cannot provide sign_raw,
unless the input size happens to be that of NID_md5_sha1.)

Also use it in processing ServerKeyExchange to avoid special-casing RSA.

BUG=crbug.com/437023

Change-Id: Ia07433f468b75fdf7bfc8fa90c9751639b2478e6
Reviewed-on: https://boringssl-review.googlesource.com/2420
Reviewed-by: David Benjamin <davidben@google.com>
2014-12-02 20:45:07 +00:00
David Benjamin
0105ece171 Fix standalone Windows build.
Don't link with dl, except on Linux where we have malloc tests.

Change-Id: I7b23acc854172e64628a55acecfaa9a661f74f77
Reviewed-on: https://boringssl-review.googlesource.com/2453
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 20:27:57 +00:00
David Benjamin
94d701b7e8 Left-pad a V2ClientHello's random, not right-pad.
The comment has it right, but the rewritten code was wrong.

Change-Id: I450193c39fb62eae32aae090a3834dd83db53421
Reviewed-on: https://boringssl-review.googlesource.com/2444
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:44:12 +00:00
David Benjamin
128dbc30f6 Factor out the client max-version logic into a helper function.
Replace the comment with a clearer one and reimplement it much more tidily. The
mask thing was more complicated than was needed.

This slightly changes behavior on the DTLS_ANY_VERSION side in that, if only
one method is enabled, we no longer short-circuit to the version-locked method
early. This "optimization" seems unnecessary.

Change-Id: I571c8b60ed16bd4357c67d65df0dd1ef9cc5eb57
Reviewed-on: https://boringssl-review.googlesource.com/2451
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:42:39 +00:00
David Benjamin
beb47022b0 Remove redundant s->server assignments in handshake.
It should be set correctly prior to entering the handshake. Don't mask bugs by
assigning it.

Change-Id: Ib9bca8fad68916b3b242aad8819e3760e59e777a
Reviewed-on: https://boringssl-review.googlesource.com/2443
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:35:38 +00:00
David Benjamin
8c6fe45c2f Replace s->first_packet with a s->s3->have_version bit.
first_packet is a temporary connection-global flag set for the duration of some
call and then queried from other code. This kind of logic is too difficult to
reason through. It also incorrectly treats renegotiate ClientHellos as
pre-version-negotiation records. This eliminates the need to query
enc_write_ctx (which wasn't EVP_AEAD-aware anyway).

Instead, take a leaf from Go TLS's book and add a have_version bit. This is
placed on s->s3 as it is connection state; s->s3 automatically gets reset on
SSL_clear while s doesn't.

This new flag will also be used to determine whether to do the V2ClientHello
sniff when the version-locked methods merge into SSLv23_method. It will also
replace needing to condition s->method against a dummy DTLS_ANY_VERSION value
to determine whether DTLS version negotiation has happened yet.

Change-Id: I5c8bc6258b182ba4ab175a48a84eab6d3a001333
Reviewed-on: https://boringssl-review.googlesource.com/2442
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:35:27 +00:00
David Benjamin
cde8abae14 Merge client/server SSL_METHODs into the generic one.
Supporting both schemes seems pointless. Now that s->server and s->state are
set appropriately late and get_ssl_method is gone, the only difference is that
the client/server ones have non-functional ssl_accept or ssl_connect hooks. We
can't lose the generic ones, so let's unify on that.

Note: this means a static linker will no longer drop the client or server
handshake code if unused by a consumer linking statically. However, Chromium
needs the server half anyway for DTLS and WebRTC, so that's probably a lost
cause. Android also exposes server APIs.

Change-Id: I290f5fb4ed558f59fadb5d1f84e9d9c405004c23
Reviewed-on: https://boringssl-review.googlesource.com/2440
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:35:15 +00:00
David Benjamin
f34a009834 Don't set s->state and s->server before the side is known.
If SSL_clear is called before SSL_set_{connect,accept}_state (as SSL_new does
internally), s->state will get set prematurely. Likewise, s->server is set
based on the method's ssl_accept hook, but client SSL's may be initialized from
a generic SSL_METHOD too.

Since we can't easily get rid of the generic SSL_METHODs, defer s->state and
s->server initialization until the side is known.

Change-Id: I0972e17083df22a3c09f6f087011b54c699a22e7
Reviewed-on: https://boringssl-review.googlesource.com/2439
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:34:49 +00:00
David Benjamin
63246e8a99 Remove s->type from SSL.
It's redundant with s->server.

Change-Id: Idb4ca44618477b54f3be5f0630f0295f0708b0f4
Reviewed-on: https://boringssl-review.googlesource.com/2438
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:34:28 +00:00
David Benjamin
e319a2f73a Remove SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
It's unused. Also per the previous commit message, it historically had a bug
anyway.

Change-Id: I5868641e7938ddebbc0ffd72d218c81cd17c7739
Reviewed-on: https://boringssl-review.googlesource.com/2437
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:33:04 +00:00
David Benjamin
533ef7304d Remove SSL_clear calls in handshake functions.
If the state is SSL_ST_BEFORE, the SSL* was just initialized. Otherwise, we
don't want to call SSL_clear. The one case I found where we do is if a
handshake message is received and someone sets
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. This is apparently intended for external
consumers to set, but I see no code in Google that does.

Which is fortunate because it'll trigger SSL_clear. This retains the BIOs but
drops all connection state, including the record. If the client just initiated
renego, that's the ClientHello that's lost. The connection then hangs: the now
reset SSL* wants a ClientHello (under the null cipher because that too's been
dropped) while the peer wants an encrypted ServerHello.

Change-Id: Iddb3e0bb86d39d98155b060f9273a0856f2d1409
Reviewed-on: https://boringssl-review.googlesource.com/2436
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:32:39 +00:00
David Benjamin
8c88153465 Remove a place where SSL_clear cleans up after client/server confusion.
SSL_clear sets s->state and dtls1_clear sets cookie_len on the server. Setting
cookie_len on the server seems to serve no purpose but to let the callback know
how large the buffer is. This can be done just before calling the callback.

It also avoids a bug where the cookie check can be bypassed, should the server
not specify an app_verify_cookie_cb, by supplying a cookie of all zeros of the
maximum size. (Zero is fine because an empty cookie is rejected.)

The goal here is to avoid needing the SSL_clear calls in the handshake
functions. They are currently needed to fix the cookie_len setting when using
the generic method. (They get set wrong and then flipped back.)

Change-Id: I5095891bc0f7df62d83a9c84312fcf0b84826faa
Reviewed-on: https://boringssl-review.googlesource.com/2435
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:31:57 +00:00
David Benjamin
ff42cc1eac Fix FALLBACK_SCSV, Channel ID, OCSP stapling, and SCTs with the generic method.
s->server's value isn't final until SSL_connect or SSL_accept is called when
using the generic SSLv23_method or DTLS_method rather than the version-locked
ones. This makes the tests pass if bssl_shim uses those methods.

It would be nicer if the generic methods were gone and an SSL* could know from
creation which half it's destined for. Unfortunately, there's a lot of code
that uses those generic methods, so we probably can't get rid of them. If they
have to stay, it seems better to standardize on only having those, rather than
support both, even if standardizing on the side-specific ones would be
preferable.

Change-Id: I40e65a8842cd6706da92263a263f664336a7f3b3
Reviewed-on: https://boringssl-review.googlesource.com/2434
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:31:35 +00:00
David Benjamin
e58a71b9b3 Trim impossible state combinations.
SSL_ST_BEFORE is never standalone. As of upstream's
413c4f45ed0508d2242638696b7665f499d68265, SSL_ST_BEFORE is only ever set paired
with SSL_ST_ACCEPT or SSL_ST_CONNECT.

Conversely, SSL_ST_OK is never paired with SSL_ST_ACCEPT or SSL_ST_CONNECT. As
far as I can tell, this combination has never been possible.

Change-Id: Ifbc8f147be821026cf59f3d5038f0dbad3b0a1d2
Reviewed-on: https://boringssl-review.googlesource.com/2433
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:31:00 +00:00
David Benjamin
0b145c29a3 Don't assign handshake_func in the handshake functions.
It should already be assigned, as of upstream's
b31b04d951e9b65bde29657e1ae057b76f0f0a73. I believe these assignments are part
of the reason it used to appear to work. Replace them with assertions. So the
assertions are actually valid, check in SSL_connect / SSL_accept that they are
never called if the socket had been placed in the opposite state. (Or we'd be
in another place where it would have appeared to work with the handshake
functions fixing things afterwards.)

Now the only places handshake_func is set are in SSL_set_{connect,accept}_state
and the method switches.

Change-Id: Ib249212bf4aa889b94c35965a62ca06bdbcf52e1
Reviewed-on: https://boringssl-review.googlesource.com/2432
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:30:49 +00:00
David Benjamin
8c6a295c39 Remove obsolete comment.
This comment is no longer true. It dates from OpenSSL's initial commit, but
stopped being true in upstream's 413c4f45ed0508d2242638696b7665f499d68265.

Change-Id: I47377d992a00e3d57c795fef893e19e109dd6945
Reviewed-on: https://boringssl-review.googlesource.com/2431
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:30:37 +00:00
David Benjamin
9cbd4a809e Remove SSL_(CTX_)get_ssl_method.
We intend to deprecate the version-locked methods and unify them. Don't expose
that there's a method swap. (The existing version-locked methods will merely be
a shorthand for configuring minimum/maximum versions.)

There is one consumer of SSL_get_ssl_method in internal code, but it's just
some logging in test-only code. All it's doing is getting the version as a
string which should be SSL_get_version instead.

While here, also remove dead ssl_bad_method function. Also the bogus
ssl_crock_st forward-declaration. The forward declaration in base.h should be
perfectly sufficient.

Change-Id: I50480808f51022e05b078a285f58ec85d5ad7c8e
Reviewed-on: https://boringssl-review.googlesource.com/2408
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:30:25 +00:00
David Benjamin
c44b1df459 Add test for renego client_version quirk.
In upstream's f4e1169341ad1217e670387db5b0c12d680f95f4, the client_version was
made constant across renegotiations, even if the server negotiated a lower
version. NSS has the same quirk, reportedly for SChannel:

https://code.google.com/p/chromium/codesearch#chromium/src/net/third_party/nss/ssl/ssl3con.c&sq=package:chromium&l=5103

Add a test to ensure we do not regress this.

Change-Id: I214e062463c203b86a9bab00f8503442e1bf74fe
Reviewed-on: https://boringssl-review.googlesource.com/2405
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:29:23 +00:00
David Benjamin
81ea0bf538 Delay creating s->session until resumption is resolved.
When not offering to resume a session, the client populates s->session with a
fresh SSL_SESSION before the ServerHello is processed and, in DTLS_ANY_VERSION,
before the version is even determined. Don't create a fresh SSL_SESSION until
we know we are doing a full handshake.

This brings ssl3_send_client_hello closer to ssl23_client_hello in behavior. It
also fixes ssl_version in the client in DTLS_ANY_VERSION.

SSLv23_client_method is largely unchanged. If no session is offered, s->session
continues to be NULL until the ServerHello is received. The one difference is
that s->session isn't populated until the entire ServerHello is received,
rather than just the first half, in the case of a fragmented ServerHello. Apart
from info_callback, no external hooks get called between those points, so this
shouldn't expose new missing NULL checks.

The other client methods change significantly to match SSLv23_client_method's
behavior. For TLS, any exposed missing NULL checks are also in
SSLv23_client_method (and version-specific methods are already weird), so that
should be safe. For DTLS, I've verified that accesses in d1_*.c either handle
NULL or are after the ServerHello.

Change-Id: Idcae6bd242480e28a57dbba76ce67f1ac1ae1d1d
Reviewed-on: https://boringssl-review.googlesource.com/2404
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:28:18 +00:00
David Benjamin
8b8c006564 Fix DTLS_ANY_VERSION and add tests.
This fixes bugs that kept the tests from working:

- Resolve DTLS version and cookie before the session.

- In DTLS_ANY_VERSION, ServerHello should be read with first_packet = 1. This
  is a regression from f2fedefdca. We'll want to
  do the same for TLS, but first let's change this to a boolean has_version in a
  follow-up.

Things not yet fixed:

- DTLS code is not EVP_AEAD-aware. Those ciphers are disabled for now.

- On the client, DTLS_ANY_VERSION creates SSL_SESSIONs with the wrong
  ssl_version. The tests pass because we no longer enforce the match as of
  e37216f56009fbf48c3a1e733b7a546ca6dfc2af. (In fact, we've gone from the server
  ignoring ssl_version and client enforcing to the client mostly ignoring
  ssl_version and the server enforcing.)

- ssl3_send_client_hello's ssl_version check checks for equality against
  s->version rather than >.

Change-Id: I5a0dde221b2009413df9b9443882b9bf3b29519c
Reviewed-on: https://boringssl-review.googlesource.com/2403
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:27:54 +00:00
David Benjamin
65ea8ff84c Debug resumption connections with -debug too.
Change-Id: Ib33cceed561698310f369d63de602123af146a45
Reviewed-on: https://boringssl-review.googlesource.com/2402
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:27:33 +00:00
David Benjamin
0f1e64bf7f Remove method swap in SSL_set_session.
This is a bit of cleanup that probably should have been done at the same time
as 30ddb434bf.

For now, version negotiation is implemented with a method swap. It also
performs this swap on SSL_set_session, but this was neutered in
30ddb434bf. Rather than hackishly neuter it,
remove it outright.  In addition, remove SSL_set_ssl_method. Now all method
swaps are internal: SSLv23_method switch to a version-specific method and
SSL_clear undoing it.

Note that this does change behavior: if an SSL* is created with one
version-specific method and we SSL_set_session to a session from a /different/
version, we would switch to the /other/ version-specific method. This is
extremely confusing, so it's unlikely anyone was actually expecting it.
Version-specific methods in general don't work well.

Change-Id: I72a5c1f321ca9aeb1b52ebe0317072950ba25092
Reviewed-on: https://boringssl-review.googlesource.com/2390
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:26:30 +00:00
David Benjamin
61f95277d4 Add tests for OCSP stapling and SCT lists.
We forgot to add those when we implemented the features. (Also relevant because
they will provide test coverage later for configuring features when using the
generic method tables rather than *_client_method.)

Change-Id: Ie08b27de893095e01a05a7084775676616459807
Reviewed-on: https://boringssl-review.googlesource.com/2410
Reviewed-by: Adam Langley <agl@google.com>
2014-12-02 19:26:01 +00:00
David Benjamin
bb15e3ddb5 Remove method-switching codepath in SSL_clear.
Although the comment suggests this was added with an s->session check to
account for SSL_set_session switching methods (which we will remove in the next
commit) and to account for SSLv23_method switching methods (which we hope to
remove after a long tower of cleanup), the current codepath never runs and
can't work:

If it is called prior to handshaking or setting a session, no method switch has
happened so that codepath is dead. If it is called after setting a session, the
s->session check will keep it from running. If it is called after a handshake,
we will have established a session so that check will again keep it from
running. (Finally, if it is called during the handshake, the in_handshake check
will stop; that there is an SSL_clear call in the handshake state machine at
all is a bug that will be addressed once more things are disentangled. See
upstream's 979689aa5cfa100ccbc1f25064e9398be4b7b05c.)

Were that code to ever run, the SSL* would be in an inconsistent state. It
switches the method, but not the handshake_func. The handshake_func isn't
switched to NULL, so that will keep the SSL_connect and SSL_accept code from fixing it.

It seems the intent was that the caller would always call
SSL_set_{connect,accept}_state to fix this. But as of upstream's
b31b04d951e9b65bde29657e1ae057b76f0f0a73, this is not necessary and indeed
isn't called by a lot of consumer code.

Change-Id: I710652b1d565b77bc26f913c2066ce749a9025c9
Reviewed-on: https://boringssl-review.googlesource.com/2430
Reviewed-by: Adam Langley <agl@google.com>
2014-12-01 21:43:13 +00:00
David Benjamin
52d699f668 Make OCSP response and SCT list getter const-correct.
The data is owned by the SSL_SESSION, so the caller should not modify it. This
will require changes in Chromium, but they should be trivial.

Change-Id: I314718530c7d810f7c7b8852339b782b4c2dace1
Reviewed-on: https://boringssl-review.googlesource.com/2409
Reviewed-by: Adam Langley <agl@google.com>
2014-12-01 21:20:56 +00:00
David Benjamin
d1681e614f Remove SSL_set_session_secret_cb (EAP-FAST)
This is only used for EAP-FAST which we apparently don't need to support.
Remove it outright. We broke it in 9eaeef81fa by
failing to account for session misses.

If this changes and we need it later, we can resurrect it. Preferably
implemented differently: the current implementation is bolted badly onto the
handshake. Ideally use the supplied callbacks to fabricate an appropriate
SSL_SESSION and resume that with as much of the normal session ticket flow as
possible.

The one difference is that EAP-FAST seems to require the probing mechanism for
session tickets rather than the sane session ID echoing version.  We can
reimplement that by asking the record layer to probe ahead for one byte.

Change-Id: I38304953cc36b2020611556a91e8ac091691edac
Reviewed-on: https://boringssl-review.googlesource.com/2360
Reviewed-by: Adam Langley <agl@google.com>
2014-11-21 21:51:10 +00:00
David Benjamin
fe8eb9a603 Add tests for session-ID-based resumption.
This implements session IDs in client and server in runner.go.

Change-Id: I26655f996b7b44c7eb56340ef6a415d3f2ac3503
Reviewed-on: https://boringssl-review.googlesource.com/2350
Reviewed-by: Adam Langley <agl@google.com>
2014-11-21 21:35:39 +00:00
David Benjamin
ae3e487d51 Fix a couple more malloc test crashes.
The ex_data index may fail to be allocated. Also don't leave a dangling pointer
in handshake_dgst if EVP_DigestInit_ex fails and check a few more init function
failures.

Change-Id: I2e99a89b2171c9d73ccc925a2f35651af34ac5fb
Reviewed-on: https://boringssl-review.googlesource.com/2342
Reviewed-by: Adam Langley <agl@google.com>
2014-11-19 22:17:50 +00:00
Adam Langley
69a01608f3 Add malloc failure tests.
This commit fixes a number of crashes caused by malloc failures. They
were found using the -malloc-test=0 option to runner.go which runs tests
many times, causing a different allocation call to fail in each case.

(This test only works on Linux and only looks for crashes caused by
allocation failures, not memory leaks or other errors.)

This is not the complete set of crashes! More can be found by collecting
core dumps from running with -malloc-test=0.

Change-Id: Ia61d19f51e373bccb7bc604642c51e043a74bd83
Reviewed-on: https://boringssl-review.googlesource.com/2320
Reviewed-by: Adam Langley <agl@google.com>
2014-11-19 01:24:46 +00:00
David Benjamin
000800a306 Add tests for signature algorithm negotiation.
Change-Id: I5a263734560997b774014b5742877aa4b2940664
Reviewed-on: https://boringssl-review.googlesource.com/2289
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:30:03 +00:00
David Benjamin
ec2f27dee1 Account for EVP_PKEY capabilities in selecting hash functions.
tls1_process_sigalgs now only determines the intersection between the peer
algorithms and those configured locally. That list is queried later to
determine the hash algorithm to use when signing CertificateVerify or
ServerKeyExchange.

This is needed to support client auth on Windows where smartcards or CAPI may
not support all hash functions.

As a bonus, this does away with more connection-global state. This avoids the
current situation where digests are chosen before keys are known (for
CertificateVerify) or for slots that don't exist.

Change-Id: Iec3619a103d691291d8ebe08ef77d574f2faf0e8
Reviewed-on: https://boringssl-review.googlesource.com/2280
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:22:33 +00:00
David Benjamin
033e5f47d1 Remove CERT_PKEY::valid_flags.
CERT_PKEY_SIGN isn't meaningful since, without strict mode, we always fall back
to SHA-1 anyway. So the digest is never NULL when CERT_PKEY_SIGN is computed.
The entire valid_flags is now back to it's pre-1.0.2 check of seeing if the
certificate and key are configured.

This finally removes the sensitivity between valid_flags and selecting the
digest, so we can defer choosing the digest all we like.

Change-Id: I9f9952498f512d7f0cc799497f7c5b52145a48af
Reviewed-on: https://boringssl-review.googlesource.com/2288
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:22:23 +00:00
David Benjamin
f31e681acf Clean up ssl_set_cert_masks.
It doesn't depend on the cipher now that export ciphers are gone. It need only
be called once. Also remove the valid bit; nothing ever reads it. Its output is
also only used within a function, so make mask_k and mask_a local variables.

So all the configuration-based checks are in one place, change the input
parameter from CERT to SSL and move the PSK and ECDHE checks to the mask
computation. This avoids having to evaluate the temporary EC key for each
cipher.

The remaining uses are on the client which uses them differently (disabled
features rather than enabled ones). Those too may as well be local variables,
so leave a TODO.

Change-Id: Ibcb574341795d4016ea749f0290a793eed798874
Reviewed-on: https://boringssl-review.googlesource.com/2287
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:21:52 +00:00
David Benjamin
6a8d70c528 Trim tls1_check_chain and CERT_PKEY flags.
Many are now unused. Only two are currently considered in cipher selection:
CERT_PKEY_VALID and CERT_PKEY_SIGN. (As per previous commits, this is either
bizarre due to limited slots or redundant with ssl_early_callback_ctx. We can
probably prune this too.)

This also fixes a bug where DTLS 1.0 went through a TLS 1.2 codepath. As the
DTLS code is currently arranged, all version comparisons must be done via
macros like SSL_USE_SIGALGS. (Probably we should add functions to map from DTLS
to TLS versions and slowly move the library to using the TLS version as
in-memory representation.)

Change-Id: I89bcf5b7b9ea5cdecf54f4445156586377328fe0
Reviewed-on: https://boringssl-review.googlesource.com/2286
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:20:53 +00:00
David Benjamin
253b3e76dc Remove TLS strict mode.
It's new in OpenSSL 1.0.2 so it's never set by existing code. This removes gobs
and gobs of complexity from tls1_check_chain. It only checks the local
certificate, not the peer certificate. The uses appear to be:

- Sanity-check configuration. Not worth the complexity.

- Guide in selecting ciphers based on ClientHello parameters and which
  certificates in the CERT_PKEY are compatible. This isn't very useful one its
  own since the CERT_PKEY array only stores one slot per type (e.g. you cannot
  configure RSA/SHA-1 and RSA/SHA-256).

- For the (currently removed) SSL_check_chain to return more information based
  on ClientHello parameters and guide selecting a certificate. This is
  potentially useful but, as noted in the commit which removed it, redundant
  with ssl_early_callback_ctx.

This CL is largely mechanical removing of dead codepaths. The follow-up will
clean up the now unnecessary parts of this function.

Change-Id: I2ebfa17e4f73e59aa1ee9e4ae7f615af2c6cf590
Reviewed-on: https://boringssl-review.googlesource.com/2285
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:20:33 +00:00
David Benjamin
1ad868176d check_flags is always 0.
Get rid of now dead codepaths.

Change-Id: I3b5d49097cba70c5698a230cc6c1d79bdd0f0880
Reviewed-on: https://boringssl-review.googlesource.com/2284
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:20:10 +00:00
David Benjamin
b398d16c1d Remove SSL_check_chain and unexport CERT_PKEY flags.
Both of these are newly-exported in OpenSSL 1.0.2, so they cannot be used by
current consumers.

This was added in upstream's 18d7158809c9722f4c6d2a8af7513577274f9b56 to
support custom selection of certificates. The intent seems to be that you
listen to cert_cb and use SSL_check_chain to lean on OpenSSL to process
signature algorithms list for you.

Unfortunately, the implementation is slightly suspect: it uses the same
function as the codepath which mutates and refers to the CERT_PKEY of the
matching type.  Some access was guarded by check_flags, but this is too
complex. Part of it is also because the matching digest is selected early and
we intend to connect this to EVP_PKEY_supports_digest so it is no longer a
property of just the key type.

Let's remove the hook for now, to unblock removing a lot of complexity. After
cleaning up this area, a function like this could be cleaner to support, but
we already have a version of this: select_certificate_cb and
ssl_early_callback_ctx.

Change-Id: I3add425b3996e5e32d4a88e14cc607b4fdaa5aec
Reviewed-on: https://boringssl-review.googlesource.com/2283
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:19:24 +00:00
David Benjamin
675227e0d2 Remove CERT_PKEY_EXPLICIT_SIGN flag.
This is maintained just to distinguish whether the digest was negotiated or we
simply fell back to assuming SHA-1 support. No code is sensitive to this flag
and it adds complexity because it is set at a different time, for now, from the
rest of valid_flags.

The flag is new in OpenSSL 1.0.2, so nothing external could be sensitive to it.

Change-Id: I9304e358d56f44d912d78beabf14316d456bf389
Reviewed-on: https://boringssl-review.googlesource.com/2282
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:19:06 +00:00
David Benjamin
248f350ed8 Remove SSL_get_peer_signature_nid and don't compute digests for peer_key.
This is new in OpenSSL 1.0.2 so it isn't used anywhere. Cuts down slightly on
connection-global state associated with signature algorithm processing.
Repurposing the digest field to mean both "the digest we choose to sign with
this key" and "the digest the last signature we saw happened to use" is
confusing.

Change-Id: Iec4d5078c33e271c8c7b0ab221c356ee8480b89d
Reviewed-on: https://boringssl-review.googlesource.com/2281
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:18:54 +00:00
David Benjamin
ca6c82643a Add DTLS-SRTP tests.
Just the negotiation portion as everything else is external. This feature is
used in WebRTC.

Change-Id: Iccc3983ea99e7d054b59010182f9a56a8099e116
Reviewed-on: https://boringssl-review.googlesource.com/2310
Reviewed-by: Adam Langley <agl@google.com>
2014-11-18 22:16:53 +00:00
David Benjamin
5e4f6e9247 Remove some remnants of SSLv2.
Change-Id: Id294821162c4c9ea6f2fce2a0be65bafcb616068
Reviewed-on: https://boringssl-review.googlesource.com/2311
Reviewed-by: Adam Langley <agl@google.com>
2014-11-17 20:27:13 +00:00
Alex Chernyakhovsky
4cd8c43e73 Remove support for processing fragmented alerts
Prior to this change, BoringSSL maintained a 2-byte buffer for alerts,
and would support reassembly of fragmented alerts.

NSS does not support fragmented alerts, nor would any reasonable
implementation produce them. Remove fragmented alert handling and
produce an error if a fragmented alert has ever been encountered.

Change-Id: I31530ac372e8a90b47cf89404630c1c207cfb048
Reviewed-on: https://boringssl-review.googlesource.com/2125
Reviewed-by: Adam Langley <agl@google.com>
2014-11-13 22:58:30 +00:00
David Benjamin
bdf5e72f50 Don't resume sessions if the negotiated version doesn't match.
All of NSS, upstream OpenSSL, SChannel, and Secure Transport require, on the
client, that the ServerHello version match the session's version on resumption.
OpenSSL's current behavior is incompatible with all of these. Fall back to a
full handshake on the server instead of mismatch.

Add a comment on the client for why we are, as of
30ddb434bf, not currently enforcing the same in
the client.

Change-Id: I60aec972d81368c4ec30e2fd515dabd69401d175
Reviewed-on: https://boringssl-review.googlesource.com/2244
Reviewed-by: Adam Langley <agl@google.com>
2014-11-13 22:05:12 +00:00
David Benjamin
e18d821dfc runner: Refuse to resume sessions on mismatching versions.
Clients all consistently reject mismatches. If a different version was
negotiated, a server should ignore the resumption. This doesn't actually affect
current tests.  We really want to be making this change in BoringSSL (and then
upstream), but get the Go half into shape first.

Change-Id: Ieee7e141331d9e08573592e661889bd756dccfa9
Reviewed-on: https://boringssl-review.googlesource.com/2243
Reviewed-by: Adam Langley <agl@google.com>
2014-11-11 18:25:28 +00:00
David Benjamin
d0297db108 Remove TODO about DTLS cookie lengths.
The limit increased from 32 to 255 between DTLS 1.0 and DTLS 1.2.

Change-Id: I329a59f9ba2bccc70282e2b47679c57b67e5ed43
Reviewed-on: https://boringssl-review.googlesource.com/2242
Reviewed-by: Adam Langley <agl@google.com>
2014-11-11 18:24:23 +00:00
David Benjamin
ca6554b133 Add tests for client-initiated renegotiation.
These'll get removed once most of renego support is gone, but this is to prove
removing the warning alert from the previous commit still prevents legacy
renegotiations.

Change-Id: I7d9d95e1d4c5d23d3b6d170938a5499a65f2d5ea
Reviewed-on: https://boringssl-review.googlesource.com/2236
Reviewed-by: Adam Langley <agl@google.com>
2014-11-11 00:00:49 +00:00
David Benjamin
9114fae39e Add a test for RSA ServerKeyExchange.
Ensure that the client rejects it with UNEXPECTED_MESSAGE, not by attempting to
decode it.

Change-Id: Ifc5613cf1152e0f7dcbee73e05df1ef367dfbfd5
Reviewed-on: https://boringssl-review.googlesource.com/2232
Reviewed-by: Adam Langley <agl@google.com>
2014-11-11 00:00:39 +00:00
David Benjamin
688d8dfe48 Remove psk_identity_hint from SSL_SESSION.
There's not much point in retaining the identity hint in the SSL_SESSION. This
avoids the complexity around setting psk_identity hint on either the SSL or the
SSL_SESSION. Introduce a peer_psk_identity_hint for the client to store the one
received from the server.

This changes the semantics of SSL_get_psk_identity_hint; it now only returns
the value configured for the server. The client learns the hint through the
callback. This is compatible with the one use of this API in conscrypt (it
pulls the hint back out to pass to a callback).

Change-Id: I6d9131636b47f13ac5800b4451436a057021054a
Reviewed-on: https://boringssl-review.googlesource.com/2213
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:59:47 +00:00
David Benjamin
e1b20a0136 Remove SSL3_FLAGS_POP_BUFFER.
This is an experimental flag that dates back to SSLeay 0.8.1b or earlier. It's
never set internally and never set in consumers.

Change-Id: I922583635c9f3d8d93f08f1707531ad22a26ae6a
Reviewed-on: https://boringssl-review.googlesource.com/2214
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:59:13 +00:00
David Benjamin
5e961c1ff1 Add DTLS replay tests.
At the record layer, DTLS maintains a window of seen sequence numbers to detect
replays. Add tests to cover that case. Test both repeated sequence numbers
within the window and sequence numbers past the window's left edge. Also test
receiving sequence numbers far past the window's right edge.

Change-Id: If6a7a24869db37fdd8fb3c4b3521b730e31f8f86
Reviewed-on: https://boringssl-review.googlesource.com/2221
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:58:56 +00:00
David Benjamin
1f10d9c8e1 Remove redundant PSK length check.
If psk_len were 0, it would already have been an error earlier. The PSK cipher
suites don't lose the other_secret || psk construction if the PSK happens to be
empty.

Change-Id: I1917236720d0862658562bc8f014cb827ee9aed5
Reviewed-on: https://boringssl-review.googlesource.com/2233
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:02:11 +00:00
David Benjamin
1df112448b Fix memory leak in ssl3_send_client_key_exchange error handling.
Change-Id: I0f0d7a3d4cb6448582ae4945e732611bb9bf5d9f
Reviewed-on: https://boringssl-review.googlesource.com/2231
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:01:07 +00:00
David Benjamin
525a0fe315 Remove client-side support for ServerKeyExchange in the RSA key exchange.
Server-side support was removed in 77a942b7fe,
but client-side support was retained as it appeared NSS supported this.
However, this is not the case: ssl3_HandleServerKeyExchange only allows a
ServerKeyExchange message if hs.ws is in an appropriate state.
ssl3_AuthCertificate only sets it to allow ServerKeyExchange if it is a key
exchange that normally uses it or if is_limited is set. is_limited is only set
for the export cipher suites.

Thus we can safely remove this without waiting on gathering UMA data.

BUG=chromium:400587

Change-Id: I9aefb742dbb2d99c13340ab48017e1ceee04bc2f
Reviewed-on: https://boringssl-review.googlesource.com/2230
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 23:00:09 +00:00
David Benjamin
b4188f0c9d Don't be lenient if the client attempts unsafe renego.
This was added in upstream's 82e610e2cfbbb5fd29c09785b6909a91e606f347. The
commit message cites draft-ietf-tls-renegotiation which was on
draft-ietf-tls-renegotiation-01 at the time. The text in question (6.2 Server
Considerations) is no longer in RFC 5746. The RFC now recommends terminating
the connection which is much simpler.

It also was wrong anyway as it checked s->ctx->options instead of s->options
for SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION.

Removing that block will result in the connection being terminated in
ssl_scan_clienthello_tlsext.

Change-Id: Ie222c78babd3654c5023ad07ac0d8e0adde68698
Reviewed-on: https://boringssl-review.googlesource.com/2235
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 22:46:17 +00:00
David Benjamin
6867f4854e Remove #if 0'd code documenting an old bug.
It was a bug anyway.

Change-Id: I59d680ce3615a4b24e72a9b6fa16939d83cc15ac
Reviewed-on: https://boringssl-review.googlesource.com/2234
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 22:45:17 +00:00
David Benjamin
d8138e91d0 Keep retransmit window size architecture-independent.
Parameters like these should not change between 32-bit and 64-bit. 64 is also
the value recommended in RFC 6347, section 4.1.2.6. Document those fields while
I'm here.

Change-Id: I8481ee0765ff3d261a96a2e1a53b6ad6695b2d42
Reviewed-on: https://boringssl-review.googlesource.com/2222
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 22:44:56 +00:00
David Benjamin
60e7992764 Remove DTLSv1_listen.
This was added in http://rt.openssl.org/Ticket/Display.html?id=2033 to support
a mode where a DTLS socket would statelessly perform the ClientHello /
HelloVerifyRequest portion of the handshake, to be handed off to a socket
specific to this peer address.

This is not used by WebRTC or other current consumers. If we need to support
something like this, it would be cleaner to do the listen portion (cookieless
ClientHello + HelloVerifyRequest) externally and then spin up an SSL instance
on receipt of a cookied ClientHello. This would require a slightly more complex
BIO to replay the second ClientHello but would avoid peppering the DTLS
handshake state with a special short-circuiting mode.

Change-Id: I7a413932edfb62f8b9368912a9a0621d4155f1aa
Reviewed-on: https://boringssl-review.googlesource.com/2220
Reviewed-by: Adam Langley <agl@google.com>
2014-11-10 22:39:24 +00:00
Adam Langley
af6e45bde5 Simplify constant-time RSA padding check.
(Imported form upstream's 455b65dfab0de51c9f67b3c909311770f2b3f801 and
0d6a11a91f4de238ce533c40bd9507fe5d95f288)

Change-Id: Ia195c7fe753cfa3a7f8c91d2d7b2cd40a547be43
2014-11-10 13:45:33 -08:00
Adam Langley
a952d96656 Add a few more constant-time utility functions.
Imported from upstream's 9bed73adaa6f834177f29e478d9a2247a6577c04.

Upstream's commit appears to have been based on BoringSSL's commits to
improve the constant-time behaviour of RSA padding checks and thus I've
not tried to import those bits of the change.

Change-Id: I0ea5775b0f1e18741bbbc9f792a6af0d3d2a4caf
2014-11-10 13:45:32 -08:00
Adam Langley
b15d8132c7 Constant-time utilities.
Pull constant-time methods out to a separate header, add tests.

(Imported from upstream's 9a9b0c0401cae443f115ff19921d347b20aa396b and
27739e92659d38cdefa21e51b7f52b81a7ac3388)

Change-Id: Id570f5c531aca791112929e6258989f43c8a78d7
2014-11-10 13:45:32 -08:00
David Benjamin
1a8b549098 Fix memory leak in calling SSL_clear.
State hanging off the SSL gets freed in two places.

Change-Id: I41a8d2a7cab35f0098396006e1f6380038ec471a
Reviewed-on: https://boringssl-review.googlesource.com/2212
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 02:03:05 +00:00
David Benjamin
23586e1e0e Test insertion of duplicates in pqueue_test.
Also add a few other assertions.

Change-Id: Iae0c65802f4d05c7585e2790be5295f478e1f614
Reviewed-on: https://boringssl-review.googlesource.com/2210
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:46:57 +00:00
David Benjamin
e2793a7189 Remove redundant s->s3 check.
s->s3 is never NULL if an ssl3_* function is called, and we'll crash later
anyway. (This also makes scan-build stop believing it can be NULL.)

Change-Id: Ibf8433bd4d945f9bf5416d72946102a9e50d2787
Reviewed-on: https://boringssl-review.googlesource.com/2206
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:34:52 +00:00
David Benjamin
f2b32a2de2 Switch ssl3_send_channel_id to BN_bn2bin_padded.
Check the return value while we're here. This avoids some arithmetic and
appease scan-build's dead assignment flagger.

Change-Id: If3615076e091eb44b9e3e9d50cd64f80e645337e
Reviewed-on: https://boringssl-review.googlesource.com/2204
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:32:27 +00:00
David Benjamin
3f383908e2 Properly clean up on ssl_cert_dup failure.
Caught by scan-build.

Change-Id: I7c09b176d6a9e5d4fcd6e4fba184ac0679983cff
Reviewed-on: https://boringssl-review.googlesource.com/2200
Reviewed-by: Adam Langley <agl@google.com>
2014-11-06 01:28:30 +00:00
Adam Langley
0e2a3cf98a Remove KSSL_DEBUG.
As far as I know, this is scar tissue left over from a Solaris feature:
http://www.c0t0d0s0.org/archives/5575-Less-known-Solaris-Features-kssl.html

Change-Id: I9fdc21de225f15d29bf856174bcd42e2592f8d95
Reviewed-on: https://boringssl-review.googlesource.com/2141
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 19:35:38 +00:00
Adam Langley
cf2d4f4033 Test renegotiation with BoringSSL as the client.
This also contains a test for the issue fixed in
88333ef7d7.

Change-Id: Id705a82cee34c018491dc301eba8b5097b9c83d5
Reviewed-on: https://boringssl-review.googlesource.com/2083
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 01:25:31 +00:00
Adam Langley
ec48af40a7 Make SSL_MODE_AUTO_RETRY the default.
Without SSL_MODE_AUTO_RETRY, even blocking mode will return
SSL_ERROR_WANT_{READ|WRITE} in the event of a renegotiation.

The comments in the code speak only of "nasty problems" unless this is
done. The original commit that added SSL_MODE_AUTO_RETRY
(54f10e6adce56eb2e59936e32216162aadc5d050) gives a little more detail:

    The [...] behaviour is needed by applications such as s_client and
    s_server that use select() to determine when to use SSL_read.

Without the -nbio flag, s_client will use select() to find when the
socket is readable and then call SSL_read with a blocking socket.
However, this will still block in the event of an incomplete record, so
the delay is already unbounded. This it's very unclear what the point of
this behaviour ever was.

Perhaps if the read and write paths were different sockets where the
read socket was non-blocking but the write socket was blocking. But that
seems like an implausible situation to worry too much about.

Change-Id: I9d9f2526afc2e0fd0e5440e9a047f419a2d61afa
Reviewed-on: https://boringssl-review.googlesource.com/2140
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 01:25:22 +00:00
David Benjamin
a0ca1b742f DTLS1_AD_MISSING_HANDSHAKE_MESSAGE does not exist.
This code isn't compiled in. It seems there was some half-baked logic for a
7-byte alert that includes more information about handshake messages
retransmit.

No such alert exists, and the code had a FIXME anyway. If it gets resurrected
in DTLS 1.3 or some extension, we can deal with it then.

Change-Id: I8784ea8ee44bb8da4b0fe5d5d507997526557432
Reviewed-on: https://boringssl-review.googlesource.com/2121
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 00:26:01 +00:00
David Benjamin
be700c6328 Remove remnant of MS SGC second ClientHello.
This code was dead as ssl3_get_client_certificate no longer allows a
ClientHello; the hash would be reset, but then the handshake would fail anyway.

Change-Id: Ib98e6a319c048c263d7ee3a27832ea57bdd0e2ad
Reviewed-on: https://boringssl-review.googlesource.com/2120
Reviewed-by: Adam Langley <agl@google.com>
2014-11-04 00:25:13 +00:00
Adam Langley
2ae77d2784 Test server-side renegotiation.
This change adds support to the Go code for renegotiation as a client,
meaning that we can test BoringSSL's renegotiation as a server.

Change-Id: Iaa9fb1a6022c51023bce36c47d4ef7abee74344b
Reviewed-on: https://boringssl-review.googlesource.com/2082
Reviewed-by: Adam Langley <agl@google.com>
2014-11-03 23:18:58 +00:00
David Benjamin
e92fc1812d Remove remnant of SRP.
Dead #ifdef.

Change-Id: Ic8fcd56a2ee15dc4f8be485cd784eb1399640365
Reviewed-on: https://boringssl-review.googlesource.com/2101
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 22:00:05 +00:00
David Benjamin
fd617a5030 Port ssl3_{get,send}_server_key_exchange to EVP_Digest{Verify,Sign}*.
Minor change, but they're the users of the old API left within
BoringSSL.

Change-Id: Ic24e0d006c97fa5265abc3373d3f98aa8d2f8b1e
Reviewed-on: https://boringssl-review.googlesource.com/2100
Reviewed-by: Adam Langley <agl@google.com>
2014-10-31 21:59:49 +00:00
David Benjamin
8f1ef1d554 Fix double-frees on malloc failure in ssl3_get_client_key_exchange.
If generating the master secret or applying the PSK post-processing fails,
we'll double-free all the ECDH state.

Change-Id: Id52931af73bdef5eceb06f7e64d32fdda629521e
Reviewed-on: https://boringssl-review.googlesource.com/2063
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:34:25 +00:00
David Benjamin
93d67d36c5 Refactor ssl3_send_client_key_exchange slightly.
Like ssl3_get_client_key_exchange, it is split into three parts:
- If PSK, query the PSK and write out the PSK identity.
- Compute the base pre-master secret.
- If PSK, compute the final pre-master secret.

This also fixes some double-frees on malloc failures in the ECDHE case. And it
avoids using the handshake output buffer to start the premaster secret.

Change-Id: I8631ee33c1e9c19604b3dcce2c676c83893c308d
Reviewed-on: https://boringssl-review.googlesource.com/2062
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:34:07 +00:00
David Benjamin
2af684fa92 Add tests for ECDHE_PSK.
pskKeyAgreement is now a wrapper over a base key agreement.

Change-Id: Ic18862d3e98f7513476f878b8df5dcd8d36a0eac
Reviewed-on: https://boringssl-review.googlesource.com/2053
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:33:09 +00:00
David Benjamin
491956c866 Fix ECDHE_PSK key exchange.
The current implementation switches the order of other_secret and psk;
other_secret is first. Fix it and rewrite with CBB instead. The server half got
fixed on accident in a prior refactor.

Change-Id: Ib52a756aadd66e4bf22c66794447f71f4772da09
Reviewed-on: https://boringssl-review.googlesource.com/2052
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:32:45 +00:00
David Benjamin
48cae08563 Add tests for PSK cipher suites.
Only the three plain PSK suites for now. ECDHE_PSK_WITH_AES_128_GCM_SHA256 will
be in a follow-up.

Change-Id: Iafc116a5b2798c61d90c139b461cf98897ae23b3
Reviewed-on: https://boringssl-review.googlesource.com/2051
Reviewed-by: Adam Langley <agl@google.com>
2014-10-29 20:32:21 +00:00
David Benjamin
3cac450af5 Add SSL_SESSION_to_bytes to replace i2d_SSL_SESSION.
Deprecate the old two-pass version of the function. If the ticket is too long,
replace it with a placeholder value but keep the connection working.

Change-Id: Ib9fdea66389b171862143d79b5540ea90a9bd5fb
Reviewed-on: https://boringssl-review.googlesource.com/2011
Reviewed-by: Adam Langley <agl@google.com>
2014-10-28 19:02:59 +00:00
Piotr Sikora
773bb55c6f Fix build (broken by removal of key_arg from SSL_SESSION parsing).
This fixes error reported by clang:
unused variable 'kKeyArgTag' [-Werror,-Wunused-const-variable].

Change-Id: I1d5c9937064bfadd810cbe1b73e0070cc2ead684
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-on: https://boringssl-review.googlesource.com/2070
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 23:00:20 +00:00
David Benjamin
eb380a4632 Fix build on Windows.
This broke in a19fc259f0.

Change-Id: Icbdb6c7ed7f1f4906cc9c948ecbd6cfd5a0d7e73
Reviewed-on: https://boringssl-review.googlesource.com/2061
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 22:10:39 +00:00
David Benjamin
aeb8d00e76 Add less dangerous versions of SRTP functions.
The old ones inverted their return value. Add SSL_(CTX_)set_srtp_profiles which
return success/failure correctly and deprecate the old functions. Also align
srtp.h with the new style since it's very short.

When this rolls through, we can move WebRTC over to the new ones.

Change-Id: Ie55282e8858331910bba6ad330c8bcdd0e38f2f8
Reviewed-on: https://boringssl-review.googlesource.com/2060
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 21:58:09 +00:00
David Benjamin
7001a7fce6 Don't bother accepting key_arg when parsing SSL_SESSION.
Doing some archeaology, since the initial OpenSSL commit, key_arg has been
omitted from the serialization if key_arg_length was 0. Since this is an
SSLv2-only field and resuming an SSLv2 session with SSLv3+ is not possible,
there is no need to support parsing those sessions.

Interestingly, it is actually not the case that key_arg_length was only ever
set in SSLv2, historically. In the initial commit of OpenSSL, SSLeay 0.8.1b,
key_arg was used to store what appears to be the IV. That was then removed in
the next commit, an import of SSLeay 0.9.0b, at which point key_arg was only
ever set in SSLv3. That is old enough that there is certainly no need to
parse pre-SSLeay-0.9.0b sessions...

Change-Id: Ia768a2d97ddbe60309be20e2efe488640c4776d9
Reviewed-on: https://boringssl-review.googlesource.com/2050
Reviewed-by: Adam Langley <agl@google.com>
2014-10-27 21:55:26 +00:00
Adam Langley
7571292eac Extended master secret support.
This change implements support for the extended master secret. See
https://tools.ietf.org/html/draft-ietf-tls-session-hash-01
https://secure-resumption.com/

Change-Id: Ifc7327763149ab0894b4f1d48cdc35e0f1093b93
Reviewed-on: https://boringssl-review.googlesource.com/1930
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 21:19:44 +00:00
David Benjamin
89abaea141 Reimplement i2d_SSL_SESSION using CBB.
No more need for all the macros. For now, this still follows the two-pass i2d_*
API despite paying a now-unnecessary malloc. The follow-on commit will expose a
more reasonable API and deprecate this one.

Change-Id: I50ec63e65afbd455ad3bcd2f1ae3c782d9e8f9d2
Reviewed-on: https://boringssl-review.googlesource.com/2000
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:30:09 +00:00
David Benjamin
83fd6b686f Reimplement d2i_SSL_SESSION with CBS.
Do away with all those unreadable macros. Also fix many many memory leaks in
the SSL_SESSION reuse case. Add a number of helper functions in CBS to help
with parsing optional fields.

Change-Id: I2ce8fd0d5b060a1b56e7f99f7780997fabc5ce41
Reviewed-on: https://boringssl-review.googlesource.com/1998
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 18:26:41 +00:00
David Benjamin
9f2c0d7a94 Remove T** parameter to ssl_bytes_to_cipher_list.
There's only one caller and it doesn't use that feature. While I'm here, tidy
that function a little. Don't bother passing FALLBACK_SCSV into
ssl3_get_cipher_by_value.

Change-Id: Ie71298aeaaab6e24401e0a6c2c0d2281caa93ba4
Reviewed-on: https://boringssl-review.googlesource.com/2030
Reviewed-by: Adam Langley <agl@google.com>
2014-10-24 02:01:33 +00:00
David Benjamin
751e889b1d Add SSL_SESSION serialization and deserialization tests.
Change-Id: Ia59e4accb644c8807b7c4ab6267efa624be95c18
Reviewed-on: https://boringssl-review.googlesource.com/1992
Reviewed-by: Adam Langley <agl@google.com>
2014-10-21 17:56:14 +00:00
David Benjamin
d7a76e72c6 Remove key_arg and key_arg_length from SSL_SESSION.
Remnants of SSLv2 support.

Change-Id: If45035f1727f235e122121418770f75257b18026
Reviewed-on: https://boringssl-review.googlesource.com/1991
Reviewed-by: Adam Langley <agl@google.com>
2014-10-21 17:55:49 +00:00
David Benjamin
a19fc259f0 Move ECC extensions out of SSL_SESSION.
There's no need to store them on the session. They're temporary handshake
state and weren't serialized in d2i_SSL_SESSION anyway.

Change-Id: I830d378ab49aaa4fc6c4c7a6a8c035e2263fb763
Reviewed-on: https://boringssl-review.googlesource.com/1990
Reviewed-by: Adam Langley <agl@google.com>
2014-10-21 17:55:01 +00:00
David Benjamin
7f7882f1a8 Remove obsolete TODO
Change-Id: I5b02f57615d4ab01efbf7199474ce4e43c6956b6
Reviewed-on: https://boringssl-review.googlesource.com/1994
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:19:07 +00:00
David Benjamin
a650e05484 Fix pqueue_test.c memory leak.
Change-Id: I0a93900f0ebb22893d86a454cda086be37d4bbad
Reviewed-on: https://boringssl-review.googlesource.com/1993
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:18:53 +00:00
Adam Langley
3831173740 Fix memory leak when decoding corrupt tickets.
This is CVE-2014-3567 from upstream. See
https://www.openssl.org/news/secadv_20141015.txt

Change-Id: I9aad422bf1b8055cb251c7ff9346cf47a448a815
Reviewed-on: https://boringssl-review.googlesource.com/1970
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:05:48 +00:00
Adam Langley
88333ef7d7 Fix switching between AEAD and non-AEAD in a renegotiation.
https://code.google.com/p/chromium/issues/detail?id=423998

Change-Id: I29d67db92b47d6cd303125b44e5ba552d97d54ff
Reviewed-on: https://boringssl-review.googlesource.com/1960
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-10-20 19:05:23 +00:00
David Benjamin
180d1eb04c Remove SSL_get_shared_ciphers.
This removes the need to track the client cipher list in the SSL_SESSION. It
also eliminates a field in SSL_SESSION that wasn't serialized by
i2d_SSL_SESSION. It's only used to implement SSL_get_shared_ciphers which is
only used by debug code.

Moreover, it doesn't work anyway. The SSLv2 logic pruned that field to the
common ciphers, but the SSLv3+ logic just stores the client list as-is. I found
no internal callers that were actually compiled (if need be we can stub in
something that always returns the empty string or so).

Change-Id: I55ad45964fb4037fd623f7591bc574b2983c0698
Reviewed-on: https://boringssl-review.googlesource.com/1866
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 18:59:14 +00:00
David Benjamin
fb3ff2c66c Don't compare signed vs. unsigned.
This resolves a pile of MSVC warnings in Chromium.

Change-Id: Ib9a29cb88d8ed8ec4118d153260f775be059a803
Reviewed-on: https://boringssl-review.googlesource.com/1865
Reviewed-by: Adam Langley <agl@google.com>
2014-10-01 02:17:38 +00:00
David Benjamin
ef5c4946f3 Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
We patch bugs into the runner implementation for testing, not our own.

Change-Id: I0a8ac73eaeb70db131c01a0fd9c84f258589a884
Reviewed-on: https://boringssl-review.googlesource.com/1845
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 22:59:23 +00:00
David Benjamin
5b33a5e0dd Merge the get_ssl_method hooks between TLS and SSLv3.
Remove one more difference to worry about switching between TLS and SSLv3
method tables.

Although this does change the get_ssl_method hook for the version-specific
tables (before TLS and SSLv3 would be somewhat partitioned), it does not appear
to do anything. get_ssl_method is only ever called in SSL_set_session for
client session resumption. Either you're using the version-specific method
tables and don't know about other versions anyway or you're using SSLv23 and
don't partition TLS vs SSL3 anyway.

BUG=chromium:403378

Change-Id: I8cbdf02847653a01b04dbbcaf61fcb3fa4753a99
Reviewed-on: https://boringssl-review.googlesource.com/1842
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 22:58:59 +00:00
David Benjamin
a9ca90abbb Fix ServerHello EC point format extension check.
Use the newly split out tls1_check_point_format. Also don't condition it on
s->tlsext_ecpointformatlist which is unrelated and made this code never run.

Change-Id: I9d77654c8eaebde07079d989cd60fbcf06025d75
Reviewed-on: https://boringssl-review.googlesource.com/1844
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 22:58:21 +00:00
David Benjamin
42e9a77c43 Split tls1_check_ec_key.
This avoids the strange optional parameter thing by moving it to the client.
Also document what the functions should do.

Change-Id: I361266acadedfd2bfc4731f0900821fc2c2f954d
Reviewed-on: https://boringssl-review.googlesource.com/1843
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 22:57:53 +00:00
David Benjamin
00075b80ca Merge IMPLEMENT_tls_meth_func and IMPLEMENT_ssl3_meth_func.
The TLS-specific hooks have been removed. We aim to no longer perform version
negotiation as a pre-processing step, so ensure the only differences to worry
about are the version, get_method hook, and the enc_data.

BUG=chromium:403378

Change-Id: I628ec6f4c50ceed01d7af8f4110b6dc95cfbe023
Reviewed-on: https://boringssl-review.googlesource.com/1841
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 22:56:47 +00:00
David Benjamin
5491e3fdb7 Clean up ssl_cipher_list_to_bytes a little.
Still need to convert serializing code to CBB, but the current one is kinda
crazy.

Change-Id: I00e12a812c815bf01c53a26ccbb7c6727ea8c8fc
Reviewed-on: https://boringssl-review.googlesource.com/1840
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 19:17:40 +00:00
Ben Laurie
eba2384e53 Missing includes for FreeBSD.
Change-Id: I4ea02a41ed614047ecda156d0c572b04baa174e6
Reviewed-on: https://boringssl-review.googlesource.com/1852
Reviewed-by: Adam Langley <agl@google.com>
2014-09-30 19:15:15 +00:00
Adam Langley
5d0c163b37 Also clean the last byte of the PSK identity.
Patch by Alex Kljubin.

Change-Id: Ieec830dce11b501aaa82f03c82ff04c3cdde41e1
Reviewed-on: https://boringssl-review.googlesource.com/1831
Reviewed-by: Adam Langley <agl@google.com>
2014-09-26 22:10:53 +00:00
David Benjamin
01fe820ab9 Add tests for client version negotiation and session resumption.
BUG=chromium:417134

Change-Id: If5914be98026d899000fde267b2d329861ca3136
Reviewed-on: https://boringssl-review.googlesource.com/1822
Reviewed-by: Adam Langley <agl@google.com>
2014-09-25 22:09:18 +00:00
David Benjamin
30ddb434bf Handle session resumption in SSLv23_client_method.
This fixes version mismatches on resumption without rewriting the entirety of
OpenSSL's version negotiation logic. (Which still badly needs to happen.)

BUG=chromium:417134

Change-Id: Ifa0c5dd2145e37fcd39eec25dfb3561ddb87c9f0
Reviewed-on: https://boringssl-review.googlesource.com/1823
Reviewed-by: Adam Langley <agl@google.com>
2014-09-25 22:04:20 +00:00
David Benjamin
b0c8db7347 runner: don't resume sessions if SessionTicketsDisabled is true.
Change-Id: I1cf4a11d66871fff71a5fa93e39471ffb40d3132
Reviewed-on: https://boringssl-review.googlesource.com/1821
Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 23:56:03 +00:00
David Benjamin
7f520dbd8d Remove OPENSSL_NO_TLS1_2_CLIENT and OPENSSL_NO_DTLS1.
Get those out of the way.

Change-Id: Ia1be476e383fc90c2373a24a072944fe377da6ef
Reviewed-on: https://boringssl-review.googlesource.com/1820
Reviewed-by: Adam Langley <agl@google.com>
2014-09-24 22:33:37 +00:00
David Benjamin
37d924640a Disallow all special operators once groups are used.
+ and - should also be forbidden. Any operation other than appending will mix
up the in_group bits and give unexpected behavior.

Change-Id: Ieaebb9ee6393aa36243d0765e45cae667f977ef5
Reviewed-on: https://boringssl-review.googlesource.com/1803
Reviewed-by: Adam Langley <agl@google.com>
2014-09-22 17:22:56 +00:00
David Benjamin
2a5ea98a46 Remove redundant check in cipher rule parsing.
It's redundant with the check at the top of the loop.

Change-Id: If64e5396658ca28cad937411c6fc8671a2abfdcd
Reviewed-on: https://boringssl-review.googlesource.com/1802
Reviewed-by: Adam Langley <agl@google.com>
2014-09-22 17:22:47 +00:00
David Benjamin
bb0a17c5e1 Add a set of tests for cipher string parsing.
Change-Id: I4f9cdfa443bc5916f1899a7fc90aca2bf3c6027c
Reviewed-on: https://boringssl-review.googlesource.com/1801
Reviewed-by: Adam Langley <agl@google.com>
2014-09-22 16:47:44 +00:00
David Benjamin
e113608a1c Switch the reason code check to a compile-time assert.
It's just checking some constants. Also the comment's off now.

Change-Id: I934d32b76c705758ae7c18009d867e9820a4c5a8
Reviewed-on: https://boringssl-review.googlesource.com/1800
Reviewed-by: Adam Langley <agl@google.com>
2014-09-22 16:43:56 +00:00
David Benjamin
d7c5368a0f Add missing errors codes for alerts.
This gives inappropriate_fallback and close_notify sent during the handshake
error strings. It'd also avoid having to write
  case SSL_AD_REASON_OFFSET + SSL_AD_CLOSE_NOTIFY:
in Chromium.

Change-Id: I42123d5452eb7843ead883d112e58b3f087d3067
Reviewed-on: https://boringssl-review.googlesource.com/1780
Reviewed-by: Adam Langley <agl@google.com>
2014-09-17 16:42:14 +00:00
David Benjamin
fc7b086305 Test that ALPN is preferred over NPN.
Change-Id: Ia9d10f672c8a83f507b46f75869b7c00fe1a4fda
Reviewed-on: https://boringssl-review.googlesource.com/1755
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 21:10:59 +00:00
David Benjamin
ae2888fbdc Add tests for ALPN support.
Both as client and as server. Also tests that ALPN causes False Start to kick
in.

Change-Id: Ib570346f3c511834152cd2df2ef29541946d3ab4
Reviewed-on: https://boringssl-review.googlesource.com/1753
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 21:10:46 +00:00
David Benjamin
fa055a2b77 Implement ALPN in runner.go.
Imported from upstream's https://codereview.appspot.com/108710046.

Change-Id: I66c879dcc9fd09446ac1a8380f796b1d68c89e4e
Reviewed-on: https://boringssl-review.googlesource.com/1751
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 21:09:45 +00:00
David Benjamin
812152aa3b Don't deadlock if a resume test fails the first half.
Otherwise the child is busy waiting for its second handshake.

Change-Id: Ic613eeb04c5d6c1ec1e1bbcb13946d3ac31d05f1
Reviewed-on: https://boringssl-review.googlesource.com/1752
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 21:08:11 +00:00
David Benjamin
e78bfded9f Improve test coverage for server_name extension.
Notably, this would have caught ed8270a55c
(although, apart from staring at code coverage, knowing to set resumeSession on
the server test isn't exactly obvious). Perhaps we should systematically set it
on all extension server tests; ClientHello extension parsing happens after
resumption has been determined and is often sensitive to it.

Change-Id: Ie83f294a26881a6a41969e9dbd102d0a93cb68b5
Reviewed-on: https://boringssl-review.googlesource.com/1750
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 21:07:57 +00:00
David Benjamin
594a58e078 Remove remnants of export cipher suite selection.
Splitting the strength mask between SSL_EXP_MASK and SSL_STRONG_MASK no longer
does anything. Also remove the SSL_NOT_EXP bit and condense the strength bits.

Change-Id: I9e61acdde008c3ce06bb37f78a72099fc53ed080
Reviewed-on: https://boringssl-review.googlesource.com/1757
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 21:06:24 +00:00
David Benjamin
d633d6303c Remove indirection in loading ciphers.
Simplify all the cipher gathering logic. The set of supported ciphers is known,
so there is no need to determine if some cipher exists but doesn't work.

Change-Id: Idcaae67e7bfc40a3deb925d85ee1a99a931b67e7
Reviewed-on: https://boringssl-review.googlesource.com/1756
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 21:06:10 +00:00
David Benjamin
172fc2c427 Fix some OPENSSL_PUT_ERROR calls.
Change-Id: I6a49eb5225208eed160f9bce7cb9af5145ae0df1
Reviewed-on: https://boringssl-review.googlesource.com/1754
Reviewed-by: Adam Langley <agl@google.com>
2014-09-15 19:02:28 +00:00
David Benjamin
a70c75cfc0 Add a CRYPTO_library_init and static-initializer-less build option.
Chromium does not like static initializers, and the CPU logic uses one to
initialize CPU bits. However, the crypto library lacks an explicit
initialization function, which could complicate (no compile-time errors)
porting existing code which uses crypto/, but not ssl/.

Add an explicit CRYPTO_library_init function, but make it a no-op by default.
It only does anything (and is required) if building with
BORINGSSL_NO_STATIC_INITIALIZER.

Change-Id: I6933bdc3447fb382b1f87c788e5b8142d6f3fe39
Reviewed-on: https://boringssl-review.googlesource.com/1770
Reviewed-by: Adam Langley <agl@google.com>
2014-09-12 00:10:53 +00:00
David Benjamin
f7768e43b2 Test SHA-256 and SHA-384 CBC-mode cipher suites.
These were added in TLS 1.2. They are like the standard AES-CBC cipher suites,
but use different HMACs.

Change-Id: Ib89ddebd1aa398b1347f8285f5d827068b1bd181
Reviewed-on: https://boringssl-review.googlesource.com/1730
Reviewed-by: Adam Langley <agl@google.com>
2014-09-06 00:17:08 +00:00
David Benjamin
c92c2d7a07 Prune some dead quirks and document the SSL_OP_ALL ones.
Update SSL_OP_ALL to account for SSL_OP_CRYPTOPRO_TLSEXT_BUG being gone,
and update ssl3_setup_write_buffer to account for SSL_MODE_CBC_RECORD_SPLITTING
rather than the now defunct SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.

Also remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is to allow for a buggy peer
which pads CBC with N bytes of value N rather than N+1 bytes of value N. This
quirk has been broken since CBC padding checks became constant-time, as
demonstrated by this attempt at a test. (Instead of just decrementing
padding_length, it needs to also keep track of a separate padding_value and not
decrement that one.)

https://boringssl-review.googlesource.com/#/c/1690/

(The quirk would also fall over anyway if the buggy client ever did a session
resumption; then the server speaks first rather than the client, and the quirk
triggered on reading the first encrypted record from the peer.)

Change-Id: I19942dc629a47832aead77a46bb50e0b0a9780b3
Reviewed-on: https://boringssl-review.googlesource.com/1694
Reviewed-by: Adam Langley <agl@google.com>
2014-09-03 20:17:45 +00:00
David Benjamin
859ec3cc09 Add SSL_CTX_set_keylog_bio.
Configures the SSL stack to log session information to a BIO. The intent is to
support NSS's SSLKEYLOGFILE environment variable. Add support for the same
environment variable to tool/client.cc.

Tested against Wireshark 1.12.0.

BUG=393477

Change-Id: I4c231f9abebf194eb2df4aaeeafa337516774c95
Reviewed-on: https://boringssl-review.googlesource.com/1699
Reviewed-by: Adam Langley <agl@google.com>
2014-09-03 20:15:55 +00:00
David Benjamin
df90a64483 Remove MD5, SHA-224, and SHA-512 handling from s3_cbc.c.
The only MD5 CBC-mode cipher suites are TLS_KRB5_WITH_DES_CBC_MD5,
TLS_KRB5_WITH_3DES_EDE_CBC_MD5, and TLS_KRB5_WITH_IDEA_CBC_MD5. We do not
support those, and it seems quite safe to assume that list will not grow.

No current cipher suites use SHA-224 or SHA-512 MACs. We can restore those
cases if that ever changes, but hopefully any future cipher suites we care
about will be using the AEAD construction.

Change-Id: I7f2d30238e2156a59b5fed1e48fabe6660fc9b67
Reviewed-on: https://boringssl-review.googlesource.com/1697
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 23:42:15 +00:00
David Benjamin
39ebf53dd3 Check the server did not use a TLS 1.2 cipher suite pre-TLS 1.2.
This check got refactored in OpenSSL 1.0.2 and broke in the process. Fix this
and add a test. Otherwise things like client auth can get slightly confused; it
will try to sign the MD5/SHA-1 hash, but the TLS 1.2 cipher suite may not use
SSL_HANDSHAKE_MAC_DEFAULT, so those digests won't be available.

Based on upstream's 226751ae4a1f3e00021c43399d7bb51a99c22c17.

Change-Id: I5b864d3a696f3187b849c53b872c24fb7df27924
Reviewed-on: https://boringssl-review.googlesource.com/1696
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 23:41:34 +00:00
David Benjamin
120a674c00 Fix the return values for most of SRTP.
Switch all of SRTP code to the standard return value convention with two
exceptions. Unfortunately, OpenSSL exposed API with the wrong error code. Keep
the public API flipped and document.

Change-Id: I43ac82513f4f52bb36a0b54aba9b9e0fa285730e
Reviewed-on: https://boringssl-review.googlesource.com/1691
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 23:41:22 +00:00
David Benjamin
5c24a1d6b6 Add a test for SSL_OP_TLS_D5_BUG.
If this is part of SSL_OP_ALL, we should have a test for it.

Change-Id: Ia72422beb2da6434726e78e174f3416f90f7c897
Reviewed-on: https://boringssl-review.googlesource.com/1695
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 22:43:54 +00:00
David Benjamin
f0fd37323b Remove remnants of EVP_CIPHER-based AES_GCM cipher.
Those codepaths are never hit.

Change-Id: Ib6908ebe90ab667774785298fdc3f96acc4b50df
Reviewed-on: https://boringssl-review.googlesource.com/1693
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 22:42:26 +00:00
Adam Langley
b2cb0ece76 Fix minor issues found by Clang's analysis.
Thanks to Denis Denisov for running the analysis.

Change-Id: I80810261e013423e746fd8d8afefb3581cffccc0
Reviewed-on: https://boringssl-review.googlesource.com/1701
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 22:39:41 +00:00
Adam Langley
ed8270a55c Fix crash as server when resuming with SNI.
Thanks to Denis Denisov for noting that |host_name| could be used while
uninitialised in the resumption case.

While in the area, this change also renames |servername_done| to
something more reasonable and removes a documented value that was never
used. Additionally, the SNI ack was only sent when not resuming so
calculating whether it should be sent when processing ClientHello
extensions (which is after s->hit has been set) is superfluous.

Lastly, since SNI is only acked by servers, there's no need to worry
about the SNI callback returning NOACK in the client case.

Change-Id: Ie4ecfc347bd7afaf93b12526ff9311cc45da4df6
Reviewed-on: https://boringssl-review.googlesource.com/1700
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 21:30:50 +00:00
Alex Chernyakhovsky
04dbb7f1d1 Add tests for pqueue
Reorder the tests in all_tests.sh to be in alphabetical order.

Change-Id: Idc6df6ab4a25709312a6f58635061bb643582c70
Reviewed-on: https://boringssl-review.googlesource.com/1680
Reviewed-by: Adam Langley <agl@google.com>
2014-09-02 20:09:23 +00:00
David Benjamin
6c7aed048c Client-side OCSP stapling support.
Remove the old implementation which was excessively general. This mirrors the
SCT support and adds a single boolean flag to request an OCSP response with no
responder IDs, extensions, or frills. The response, if received, is stored on
the SSL_SESSION so that it is available for (re)validation on session
resumption; Chromium revalidates the saved auth parameters on resume.

Server support is unimplemented for now. This API will also need to be adjusted
in the future if we implement RFC 6961.

Change-Id: I533c029b7f7ea622d814d05f934fdace2da85cb1
Reviewed-on: https://boringssl-review.googlesource.com/1671
Reviewed-by: Adam Langley <agl@google.com>
2014-08-29 00:39:33 +00:00
David Benjamin
e098ec2460 Test client auth under TLS 1.2 hash mismatch and SSL 3.
Maintain a handshake buffer in prf.go to implement TLS 1.2 client auth. Also
use it for SSL 3. This isn't strictly necessary as we know the hash functions,
but Go's hash.Hash interface lacks a Copy method.

Also fix the server-side tests which failed to test every TLS version.

Change-Id: I98492c334fbb9f2f0f89ee9c5c8345cafc025600
Reviewed-on: https://boringssl-review.googlesource.com/1664
Reviewed-by: Adam Langley <agl@google.com>
2014-08-29 00:23:50 +00:00
David Benjamin
041b58a668 Remove session_ctx macro.
Don't pollute the embedder's namespace with a session_ctx macro. It looks like
the difference was that, without TLS extensions, session_ctx was ctx rather
than initial_ctx. Now it's always initial_ctx. Retain the semantics of
switching SSL_CTX's out after the fact, until/unless we decide to replace that
with something less scary-sounding.

Change-Id: Ie5df5138aec25218ca80031cf645671968b8a54a
Reviewed-on: https://boringssl-review.googlesource.com/1663
Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 00:42:20 +00:00
David Benjamin
457112e197 unifdef a bunch of OPENSSL_NO_* ifdefs.
Get all this stuff out of the way.

- OPENSSL_NO_MD5
- OPENSSL_NO_SHA
- OPENSSL_NO_EC
- OPENSSL_NO_ECDSA
- OPENSSL_NO_ECDH
- OPENSSL_NO_NEXTPROTONEG
- OPENSSL_NO_DH
- OPENSSL_NO_SSL3
- OPENSSL_NO_RC4
- OPENSSL_NO_RSA

Also manually removed a couple instances of OPENSSL_NO_DSA that seemed to be
confused anyway. Did some minor manual cleanup. (Removed a few now-pointless
'if (0)'s.)

Change-Id: Id540ba97ee22ff2309ab20ceb24c7eabe766d4c4
Reviewed-on: https://boringssl-review.googlesource.com/1662
Reviewed-by: Adam Langley <agl@google.com>
2014-08-28 00:41:34 +00:00
David Benjamin
854dd654d1 Refactor server-side CertificateVerify handling.
This moves CertificateVerify digest processing to the new
SSL_GET_MESSAGE_DONT_HASH_MESSAGE flag. It also refactors it similarly to
ssl3_send_cert_verify and moves that logic to a common ssl3_cert_verify_hash
function to compute the handshake hash.

This removes a large chunk of duplicate (and divergent!) logic between TLS and
DTLS. It also removes TLS1_FLAGS_KEEP_HANDSHAKE.

Change-Id: Ia63c94f7d76d901bc9c4c33454fbfede411adf63
Reviewed-on: https://boringssl-review.googlesource.com/1633
Reviewed-by: Adam Langley <agl@google.com>
2014-08-27 01:55:27 +00:00
David Benjamin
5b8f104ee8 Revise hash management for reading the Finished message.
Upstream originally sampled the Finished message's hash at ChangeCipherSpec,
but our patches to add messages between the two complicated this. Move DTLS to
this path, but use the new SSL_GET_MESSAGE_DONT_HASH_MESSAGE flag to avoid
special-casing message types in ssl3_get_message.

Change-Id: I9c8ddd9cc500c94dff2ec2f696f89d50ab01b3ad
Reviewed-on: https://boringssl-review.googlesource.com/1632
Reviewed-by: Adam Langley <agl@google.com>
2014-08-27 01:55:17 +00:00
David Benjamin
880b14e98c Compute the Channel ID hash after ssl_get_message.
This avoids needing the save the hash on the SSL* (and use some field for two
purposes). Instead, use the new SSL_GET_MESSAGE_DONT_HASH_MESSAGE flag (which
actually was already used here, but at the time, pointlessly). Also fix a minor
bug where the hash would be recomputed in non-blocking mode because init_num
may stay zero for a few state machine iterations.

Change-Id: I3d8331cf3134c5f9a3eda9e988bba5bcebe40933
Reviewed-on: https://boringssl-review.googlesource.com/1631
Reviewed-by: Adam Langley <agl@google.com>
2014-08-27 01:55:06 +00:00
David Benjamin
590cbe970c Introduce a hash_message parameter to ssl_get_message.
This replaces the special-case in ssl3_get_message for Channel ID. Also add
ssl3_hash_current_message to hash the current message, taking TLS vs DTLS
handshake header size into account.

One subtlety with this flag is that a message intended to be processed with
SSL_GET_MESSAGE_DONT_HASH_MESSAGE cannot follow an optional message
(reprocessed with reuse_message, etc.).  There is an assertion to that effect.
If need be, we can loosen it to requiring that the preceeding optional message
also pass SSL_GET_MESSAGE_DONT_HASH_MESSAGE and then maintain some state to
perform the more accurate assertion, but this is sufficient for now.

Change-Id: If8c87342b291ac041a35885b9b5ee961aee86eab
Reviewed-on: https://boringssl-review.googlesource.com/1630
Reviewed-by: Adam Langley <agl@google.com>
2014-08-27 01:54:50 +00:00
Adam Langley
3cb50e0699 Move a variable declaration to function start.
(Fixes the Windows build.)

Change-Id: Ibc7e3fe7cee275c8bc24198e996e4f92100ea9fc
Reviewed-on: https://boringssl-review.googlesource.com/1642
Reviewed-by: Adam Langley <agl@google.com>
2014-08-26 22:07:33 +00:00
David Benjamin
8da990677b Rename some message functions for consistency.
Make the get/send functions match.

ssl3_client_hello -> ssl3_send_client_hello.
ssl3_send_newsession_ticket -> ssl3_send_new_session_ticket.
ssl3_send_client_verify -> ssl3_send_cert_verify

Change-Id: Iea5579479b8a8f392167b8fb3b7e9fe961d0f007
Reviewed-on: https://boringssl-review.googlesource.com/1613
Reviewed-by: Adam Langley <agl@google.com>
2014-08-26 21:09:40 +00:00