Commit Graph

2194 Commits

Author SHA1 Message Date
Adam Langley
c2d3280f0f Add SSL_get_ivs.
This function allows one to extract the current IVs from an SSL
connection. This is needed for the CBC cipher suites with implicit IVs
because, for those, the IV can't be extracted from the handshake key
material.

Change-Id: I247a1d0813b7a434b3cfc88db86d2fe8754344b6
Reviewed-on: https://boringssl-review.googlesource.com/6433
Reviewed-by: Adam Langley <agl@google.com>
2015-11-04 19:45:28 +00:00
David Benjamin
a97b737fb0 Separate CCS and handshake writing in DTLS.
They run through completely different logic as only handshake is fragmented.
This'll make it easier to rewrite the handshake logic in a follow-up.

Change-Id: I9515feafc06bf069b261073873966e72fcbe13cb
Reviewed-on: https://boringssl-review.googlesource.com/6420
Reviewed-by: Adam Langley <agl@google.com>
2015-11-04 00:11:14 +00:00
Brian Smith
ac9404c3a8 Improve crypto/digest/md32_common.h mechanism.
The documentation in md32_common.h is now (more) correct with respect
to the most important details of the layout of |HASH_CTX|. The
documentation explaining why sha512.c doesn't use md32_common.h is now
more accurate as well.

Before, the C implementations of HASH_BLOCK_DATA_ORDER took a pointer
to the |HASH_CTX| and the assembly language implementations took a
pointer to the hash state |h| member of |HASH_CTX|. (This worked
because |h| is always the first member of |HASH_CTX|.) Now, the C
implementations take a pointer directly to |h| too.

The definitions of |MD4_CTX|, |MD5_CTX|, and |SHA1_CTX| were changed to
be consistent with |SHA256_CTX| and |SHA512_CTX| in storing the hash
state in an array. This will break source compatibility with any
external code that accesses the hash state directly, but will not
affect binary compatibility.

The second parameter of |HASH_BLOCK_DATA_ORDER| is now of type
|const uint8_t *|; previously it was |void *| and all implementations
had a |uint8_t *data| variable to access it as an array of bytes.

This change paves the way for future refactorings such as automatically
generating the |*_Init| functions and/or sharing one I-U-F
implementation across all digest algorithms.

Change-Id: I6e9dd09ff057c67941021d324a4fa1d39f58b0db
Reviewed-on: https://boringssl-review.googlesource.com/6405
Reviewed-by: Adam Langley <agl@google.com>
2015-11-04 00:01:09 +00:00
David Benjamin
8fb0f525e1 Free BN_MONT_CTX in generic code.
Although those are only created by code owned by RSA_METHOD, custom RSA_METHODs
shouldn't be allowed to squat our internal fields and then change how you free
things.

Remove 'method' from their names now that they're not method-specific.

Change-Id: I9494ef9a7754ad59ac9fba7fd463b3336d826e0b
Reviewed-on: https://boringssl-review.googlesource.com/6423
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 23:39:41 +00:00
David Benjamin
bb875350b3 Fix ASan bot.
This restores the original semantics of the finished hook.

Change-Id: I70da393c7e66fb6e3be1e2511e08b34bb54fc0b4
Reviewed-on: https://boringssl-review.googlesource.com/6422
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 23:28:56 +00:00
David Benjamin
d93831d71a Make it possible for a static linker to discard unused RSA functions.
Having a single RSA_METHOD means they all get pulled in. Notably, RSA key
generation pulls in the primality-checking code.

Change-Id: Iece480113754da090ddf87b64d8769f01e05d26c
Reviewed-on: https://boringssl-review.googlesource.com/6389
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 23:02:38 +00:00
David Benjamin
e8f783ac0d Unwind DH_METHOD and DSA_METHOD.
This will allow a static linker (with -ffunction-sections since things aren't
split into files) to drop unused parts of DH and DSA. Notably, the parameter
generation bits pull in primality-checking code.

Change-Id: I25087e4cb91bc9d0ab43bcb267c2e2c164e56b59
Reviewed-on: https://boringssl-review.googlesource.com/6388
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 22:54:36 +00:00
David Benjamin
3fc138eccd Don't bother sampling __func__.
Removing the function codes continued to sample __func__ for compatibility with
ERR_print_errors_cb, but not ERR_error_string_n. We can just emit
OPENSSL_internal for both. ERR_print_errors_cb already has the file and line
number available which is strictly more information than the function name.
(ERR_error_string_n does not, but we'd already turned that to
OPENSSL_internal.)

This shaves 100kb from a release build of the bssl tool.

In doing so, put an unused function code parameter back into ERR_put_error to
align with OpenSSL. We don't need to pass an additional string in anymore, so
OpenSSL compatibility with anything which uses ERR_LIB_USER or
ERR_get_next_error_library costs nothing. (Not that we need it.)

Change-Id: If6af34628319ade4145190b6f30a0d820e00b20d
Reviewed-on: https://boringssl-review.googlesource.com/6387
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 22:50:59 +00:00
Adam Langley
165248c24f Fix several MSVC warnings.
MSVC reports lots of:
warning C4090: 'function' : different 'const' qualifiers

Change-Id: If8184538c44e657f6234252d0147396d1a18b36c
2015-11-03 14:31:33 -08:00
Adam Langley
8f7ecb8f0c (Hopefully) fix a warning on Windows.
MSVC unhelpfuly says: warning C4146: unary minus operator applied to
unsigned type, result still unsigned.

Change-Id: Ia1e6b9fc415908920abb1bcd98fc7f7a5670c2c7
2015-11-03 14:29:01 -08:00
Adam Langley
466b9895ac Initialise variable before jump.
Clang finds:

crypto/ec/ec.c:420:7: error: variable 'ok' is used uninitialized
whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
  if (ctx == NULL) {
        ^~~~~~~~~~~

Change-Id: I33fc4d74ff3a3bd52ab155f8273fbcd9c6256e35
2015-11-03 14:20:45 -08:00
Adam Langley
1895493868 Add Intel's P-256
This change incorporates Intel's P-256 implementation. The record of
Intel's submission under CLA is in internal bug number 25330687.

Before:
Did 3582 ECDH P-256 operations in 1049114us (3414.3 ops/sec)
Did 8525 ECDSA P-256 signing operations in 1028778us (8286.5 ops/sec)
Did 3487 ECDSA P-256 verify operations in 1008996us (3455.9 ops/sec)
build/tool/bssl is 1434704 bytes after strip -s

After:
Did 8618 ECDH P-256 operations in 1027884us (8384.2 ops/sec)
Did 21000 ECDSA P-256 signing operations in 1049490us (20009.7 ops/sec)
Did 8268 ECDSA P-256 verify operations in 1079481us (7659.2 ops/sec)
build/tool/bssl is 1567216 bytes after strip -s

Change-Id: I147971a8e19849779c8ed7e20310d41bd4962299
Reviewed-on: https://boringssl-review.googlesource.com/6371
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 22:08:47 +00:00
Adam Langley
27a0d086f7 Add ssl_renegotiate_ignore.
This option causes clients to ignore HelloRequest messages completely.
This can be suitable in cases where a server tries to perform concurrent
application data and handshake flow, e.g. because they are trying to
“renew” symmetric keys.

Change-Id: I2779f7eff30d82163f2c34a625ec91dc34fab548
Reviewed-on: https://boringssl-review.googlesource.com/6431
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 21:58:13 +00:00
Matt Braithwaite
fa9eb568b0 Correct the spelling of "primitive".
Spotted by Matt Smart.

Change-Id: Id9c61ba6a293ddc52b2e2c93c427860765848c6d
Reviewed-on: https://boringssl-review.googlesource.com/6430
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 21:47:19 +00:00
Adam Langley
f1c1cf8794 Revert "Improve crypto/digest/md32_common.h mechanism."
This reverts commit 00461cf201.

Sadly it broke wpa_supplicant.
2015-11-02 18:14:34 -08:00
Brian Smith
00461cf201 Improve crypto/digest/md32_common.h mechanism.
The documentation in md32_common.h is now (more) correct with respect
to the most important details of the layout of |HASH_CTX|. The
documentation explaining why sha512.c doesn't use md32_common.h is now
more accurate as well.

Before, the C implementations of HASH_BLOCK_DATA_ORDER took a pointer
to the |HASH_CTX| and the assembly language implementations tool a
pointer to the hash state |h| member of |HASH_CTX|. (This worked
because |h| is always the first member of |HASH_CTX|.) Now, the C
implementations take a pointer directly to |h| too.

The definitions of |MD4_CTX|, |MD5_CTX|, and |SHA1_CTX| were changed to
be consistent with |SHA256_CTX| and |SHA512_CTX| in storing the hash
state in an array. This will break source compatibility with any
external code that accesses the hash state directly, but will not
affect binary compatibility.

The second parameter of |HASH_BLOCK_DATA_ORDER| is now of type
|const uint8_t *|; previously it was |void *| and all implementations
had a |uint8_t *data| variable to access it as an array of bytes.

This change paves the way for future refactorings such as automatically
generating the |*_Init| functions and/or sharing one I-U-F
implementation across all digest algorithms.

Change-Id: I30513bb40b5f1d2c8932551d54073c35484b3f8b
Reviewed-on: https://boringssl-review.googlesource.com/6401
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 02:04:38 +00:00
David Benjamin
ecc2591b6c Update link to Google style guide.
Change-Id: I0c9d86f188cd20d256620ccbb46546678714e081
Reviewed-on: https://boringssl-review.googlesource.com/6386
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 02:02:12 +00:00
Adam Langley
efb42fbb60 Make BN_mod_exp_mont_consttime take a const context.
BN_mod_exp_mont_consttime does not modify its |BN_MONT_CTX| so that
value should be const.

Change-Id: Ie74e48eec8061899fd056fbd99dcca2a86b02cad
Reviewed-on: https://boringssl-review.googlesource.com/6403
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 01:58:12 +00:00
Adam Langley
eb8be01f0c Add ciphers option to bssl.
This simply converts a cipher suite string to the list of cipher suites
that it implies.

Change-Id: Id8b31086715d619ea6601c40a6eb84dc0d8c500d
Reviewed-on: https://boringssl-review.googlesource.com/6370
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 01:17:02 +00:00
Adam Langley
09d68c98c0 Expand a comment.
As a follow up to https://boringssl-review.googlesource.com/#/c/6340,
this change expands a comment to note the reason for clearing a flag
that I missed.

Change-Id: Ib3cfecbb330f0ae7c46bf44286f4e6b407159fe8
Reviewed-on: https://boringssl-review.googlesource.com/6393
Reviewed-by: Adam Langley <agl@google.com>
2015-11-03 01:15:55 +00:00
David Benjamin
2e0901b75f Don't use ssl3_write_pending in DTLS.
That function doesn't do anything useful for DTLS. It's meant for tracking the
rest of the record we've already committed to by writing half of one. But one
cannot write half a datagram, so DTLS never tracks this. Just call
ssl_write_buffer_flush straight and don't touch wpend_*.

Change-Id: Ibe191907d64c955c7cfeefba26f5c11ad5e4b939
Reviewed-on: https://boringssl-review.googlesource.com/6418
Reviewed-by: Adam Langley <agl@google.com>
2015-11-02 23:17:24 +00:00
David Benjamin
13e81fc971 Fix DTLS asynchronous write handling.
Although the DTLS transport layer logic drops failed writes on the floor, it is
actually set up to work correctly. If an SSL_write fails at the transport,
dropping the buffer is fine. Arguably it works better than in TLS because we
don't have the weird "half-committed to data" behavior. Likewise, the handshake
keeps track of how far its gotten and resumes the message at the right point.

This broke when the buffering logic was rewritten because I didn't understand
what the DTLS code was doing. The one thing that doesn't work as one might
expect is non-fatal write errors during rexmit are not recoverable. The next
timeout must fire before we try again.

This code is quite badly sprinkled in here, so add tests to guard it against
future turbulence. Because of the rexmit issues, the tests need some hacks
around calls which may trigger them. It also changes the Go DTLS implementation
from being completely strict about sequence numbers to only requiring they be
monotonic.

The tests also revealed another bug. This one seems to be upstream's fault, not
mine. The logic to reset the handshake hash on the second ClientHello (in the
HelloVerifyRequest case) was a little overenthusiastic and breaks if the
ClientHello took multiple tries to send.

Change-Id: I9b38b93fff7ae62faf8e36c4beaf848850b3f4b9
Reviewed-on: https://boringssl-review.googlesource.com/6417
Reviewed-by: Adam Langley <agl@google.com>
2015-11-02 23:16:22 +00:00
David Benjamin
ebda9b3736 Make recordingconn emit more useful things for DTLS.
It's somewhat annoying to have to parse out the packetAdaptor mini-language.
Actually seeing those is only useful when debugging the adaptor itself, rather
than DTLS. Switch the order of the two middleware bits and add an escape hatch
to log the funny opcodes.

Change-Id: I249c45928a76b747d69f3ab972ea4d31e0680a62
Reviewed-on: https://boringssl-review.googlesource.com/6416
Reviewed-by: Adam Langley <agl@google.com>
2015-11-02 23:01:01 +00:00
Torbjörn Granlund
069bedfe0c Fix documentation typo.
Change-Id: Ia060a9f8c30ea7446ddffcc2221a8f5a37f14d8c
Reviewed-on: https://boringssl-review.googlesource.com/6415
Reviewed-by: Adam Langley <agl@google.com>
2015-11-02 22:53:27 +00:00
Adam Langley
ce514698f5 Fix a missing initializer that only Clang warns about.
89d4a68c introduced -Wmissing-field-initializers because it seemed
generally useful. However, Clang and GCC have differing opinions about
what counts as missing. This change should make Clang happy too.

Change-Id: I070c719f5c47f537207200d5399e093cc083e58f
2015-10-30 17:24:03 -07:00
Adam Langley
d9e817309a Fix several warnings that arise in Android.
Android is now using Ninja so it doesn't spew so much to the terminal
and thus any warnings in BoringSSL (which builds really early in the
process) and much more obvious.

Thus this change fixes a few warnings that appear in the Android build.

Change-Id: Id255ace90fece772a1c3a718c877559ce920b960
Reviewed-on: https://boringssl-review.googlesource.com/6400
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-30 21:11:48 +00:00
Adam Langley
bb85f3d655 Reorganise |SSL_SESSION| and |SSL| to save a little memory.
This is a fairly timid, first step at trying to pack common structures a
little better.

This change reorders a couple of structures a little and turns some
variables into bit-fields. Much more can still be done.

Change-Id: Idbe0f54d66559c0ad654bf7e8dea277a771a568f
Reviewed-on: https://boringssl-review.googlesource.com/6394
Reviewed-by: Adam Langley <agl@google.com>
2015-10-30 21:01:09 +00:00
Adam Langley
dff504d39a Make the instructions for downloading the ARM compiler easier to copy and paste.
Change-Id: If78cba6abc36999488981db2a12b039024c757df
Reviewed-on: https://boringssl-review.googlesource.com/6391
Reviewed-by: Brian Smith <brian@briansmith.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-30 20:47:08 +00:00
David Benjamin
51a01a5cd4 Revert most of "Refactor ChaCha20-Poly1305 AEAD nonce handling."
This reverts most of commit 271777f5ac. The old
ChaCha20-Poly1305, though being transitioned to the old name, should not change
in behavior. This also avoids adding a special-case to SSL_AEAD_CTX.

Also revert the name change to SSL_CIPHER_is_CHACHA20POLY1305. The one consumer
for that function doesn't need to distinguish the old and new variants, so
avoid unnecessary turbulence.

Change-Id: I5a6f97fccc5839d4d25e74e304dc002329d21b4b
Reviewed-on: https://boringssl-review.googlesource.com/6385
Reviewed-by: Adam Langley <agl@google.com>
2015-10-29 18:40:33 +00:00
Piotr Sikora
7063b6d062 Fix assert in SSL_set_shutdown.
Added in https://boringssl-review.googlesource.com/#/c/6312/.

Change-Id: I95f0c8d3a119513c50d1d62a78443c6445507bd4
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Reviewed-on: https://boringssl-review.googlesource.com/6395
Reviewed-by: Adam Langley <agl@google.com>
2015-10-29 13:19:53 +00:00
Brian Smith
96b9f3b68c Switch rsa_test.cc to use the new RSA encrypt/decrypt API.
Change-Id: I799e289a402612446e08f64f59e0243f164cf695
Reviewed-on: https://boringssl-review.googlesource.com/6372
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-10-28 23:36:44 +00:00
David Benjamin
8e4db8b1c2 Fix even more ChaCha20 rename deadlocks.
QUIC code references the TXT macro. Also get rid of
TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 which wasn't renamed for some reason.

Change-Id: I0308e07104b3cec394d748f3f1146bd786d2ace2
Reviewed-on: https://boringssl-review.googlesource.com/6384
Reviewed-by: Adam Langley <agl@google.com>
2015-10-28 21:09:46 +00:00
David Benjamin
278d34234f Get rid of all compiler version checks in perlasm files.
Since we pre-generate our perlasm, having the output of these files be
sensitive to the environment the run in is unhelpful. It would be bad to
suddenly change what features we do or don't compile in whenever workstations'
toolchains change or if developers do or don't have CC variables set.

Previously, all compiler-version-gated features were turned on in
https://boringssl-review.googlesource.com/6260, but this broke the build. I
also wasn't thorough enough in gathering performance numbers. So, flip them all
to off instead. I'll enable them one-by-one as they're tested.

This should result in no change to generated assembly.

Change-Id: Ib4259b3f97adc4939cb0557c5580e8def120d5bc
Reviewed-on: https://boringssl-review.googlesource.com/6383
Reviewed-by: Adam Langley <agl@google.com>
2015-10-28 19:33:04 +00:00
Piotr Sikora
3f5fe608c8 Support Bazel builds on other platforms.
This change causes the generated Bazel files to include the assembly
file lists for other platforms.

Change-Id: Ic474b6900f8c109393baac1ec9cc2d112f155a56
Reviewed-on: https://boringssl-review.googlesource.com/6390
Reviewed-by: Adam Langley <agl@google.com>
2015-10-28 19:26:57 +00:00
David Benjamin
87cfcdb6df Resolve another ChaCha20-Poly1305 rename deadlock.
WebRTC can't roll into Chromium without picking up the iOS build fix, but we
can't roll BoringSSL forwards because WebRTC also depends on the previously
exposed ChaCha20-Poly1305 cipher suite constants.

Define the old constants again.

Change-Id: If8434a0317e42b3aebe1bc1c5a58ed97a89a0230
Reviewed-on: https://boringssl-review.googlesource.com/6382
Reviewed-by: Adam Langley <agl@google.com>
2015-10-28 19:25:36 +00:00
David Benjamin
7dd3f77256 Fix aead.h header typo.
EVP_aead_chacha20_poly1305_old is listed twice instead of
EVP_aead_chacha20_poly1305.

Change-Id: I281eee7a8359cd2a2b04047c829ef351ea4a7b82
Reviewed-on: https://boringssl-review.googlesource.com/6381
Reviewed-by: Adam Langley <agl@google.com>
2015-10-28 17:50:23 +00:00
David Benjamin
f8e9dcaeea iOS builds use the static ARM CPU configuration.
The other codepath is Linux-specific. This should get tidied up a bit but, in
the meantime, fix the Chromium iOS (NO_ASM) build. Even when the assembly gets
working, it seems iOS prefers you make fat binaries rather than detect features
at runtime, so this is what we want anyway.

BUG=548539

Change-Id: If19b2e380a96918b07bacc300a3a27b885697b99
Reviewed-on: https://boringssl-review.googlesource.com/6380
Reviewed-by: Adam Langley <agl@google.com>
2015-10-28 17:25:25 +00:00
Adam Langley
d84b5aec7e Don't build with OPENSSL_SMALL.
This was submitted to check that it worked on all the builders but, in
normal usage, we should build without OPENSSL_SMALL so that everything
is compiled.

Change-Id: I31ac899862e3b31c55bf265a7ec5ff0cc9770b48
2015-10-27 18:34:44 -07:00
Adam Langley
de659cdc2e Fix PKCS#8 on 32-bit systems.
The previous commit fixed a signed/unsigned warning but, on 32-bit
systems, long is only 32 bits, so the fix was incorrect there.

Change-Id: I6afe340164de0e176c7f710fcdd095b2a4cddee4
2015-10-27 16:18:51 -07:00
Adam Langley
13f1dd497f Fix a couple more signed/unsigned compares.
Different compilers find different problems.

Change-Id: I732611005ae1cbfcb4bc70c3f98af2c18b0a04da
2015-10-27 16:07:26 -07:00
Adam Langley
96c2a28171 Fix all sign/unsigned warnings with Clang and GCC.
Change-Id: If2a83698236f7b0dcd46701ccd257a85463d6ce5
Reviewed-on: https://boringssl-review.googlesource.com/4992
Reviewed-by: Adam Langley <agl@google.com>
2015-10-27 22:48:00 +00:00
Brian Smith
0dc2a8aee2 Clean up |ECDH_compute_key|.
1. Check for the presence of the private key before allocating or
   computing anything.
2. Check the return value of |BN_CTX_get|.
3. Don't bother computing the Y coordinate since it is not used.
4. Remove conditional logic in cleanup section.

Change-Id: I4d8611603363c7e5d16a8e9f1d6c3a56809f27ae
Reviewed-on: https://boringssl-review.googlesource.com/6171
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 17:00:25 +00:00
Brian Smith
274341dd6e Change the type of |EC_GROUP_get_degree| and friends to |unsigned|.
These functions ultimately return the result of |BN_num_bits|, and that
function's return type is |unsigned|. Thus, these functions' return
type should also be |unsigned|.

Change-Id: I2cef63e6f75425857bac71f7c5517ef22ab2296b
Reviewed-on: https://boringssl-review.googlesource.com/6170
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 16:48:04 +00:00
David Benjamin
e93ffa5da7 Clarify that SSL_get_peer_cert_chain returns the unverified chain.
This came up and I wasn't sure which it was without source-diving.

Change-Id: Ie659096e0f42a7448f81dfb1006c125d292fd7fd
Reviewed-on: https://boringssl-review.googlesource.com/6354
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 16:42:30 +00:00
Adam Langley
05ee4fda1c Add no-op functions |CRYPTO_malloc_init| and |ENGINE_load_builtin_engines|.
This reduces the impact on Netty. See
904b84ce41 (commitcomment-12159877)

Change-Id: I22f9e1edaeb9e721326867ae2b4f3da2c5441437
Reviewed-on: https://boringssl-review.googlesource.com/5535
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 16:41:40 +00:00
Adam Langley
2e3c978d14 Add OPENSSL_SMALL.
Intel's P-256 code has very large tables and things like Chromium just
don't need that extra size. However, servers generally do so this change
adds an OPENSSL_SMALL define that currently just drops the 64-bit P-224
but will gate Intel's P-256 in the future too.

Change-Id: I2e55c6e06327fafabef9b96d875069d95c0eea81
Reviewed-on: https://boringssl-review.googlesource.com/6362
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 16:40:20 +00:00
Adam Langley
5dbdad9c33 For now, give the unsuffixed ChaCha20 AEAD name to the old version.
QUIC has a complex relationship with BoringSSL owing to it living both
in Chromium and the Google-internal repository. In order for it to
handle the ChaCha20-Poly1305 AEAD switch more easily this change gives
the unsuffixed name to the old AEAD, for now.

Once QUIC has moved to the “_old” version the unsuffixed name can be
given to the new version.

Change-Id: Id8a77be6e3fe2358d78e022413fe088e5a274dca
Reviewed-on: https://boringssl-review.googlesource.com/6361
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 16:39:12 +00:00
Brian Smith
f0523e9f20 Avoid hard-coded linkage of WNAF-based multiplication.
If the application is only using the P-256 implementation in p256-64.c,
then the WNAF code would all be dead code. The change reorganizes the
code so that all modern toolchains should be able to recognize that
fact and eliminate the WNAF-based code when it is unused.

Change-Id: I9f94bd934ca7d2292de4c29bb89e17c940c7cd2a
Reviewed-on: https://boringssl-review.googlesource.com/6173
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 16:38:25 +00:00
Brian Smith
80c5fabc63 Simplify |EC_METHOD| by removing invariant methods.
None of these methods vary per group. Factoring these out of
|EC_METHOD| should help some toolchains to do a better job optimizing
the code for size.

Change-Id: Ibd22a52992b4d549f12a8d22bddfdb3051aaa891
Reviewed-on: https://boringssl-review.googlesource.com/6172
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 15:55:47 +00:00
Brian Smith
f15e075b73 Add more tests for the RFC 7539 ChaCha20-Poly1305 AEAD.
The tests in crypto/cipher/test/chacha20_poly1305_deprecated_tests.txt
were adapted to the RFC 7539 AEAD construction by recalculating the tags.
Also a few additional vectors were added. These vectors were verified
against nettle. See
feb7292bf1.

Change-Id: Ib3f2797d5825bc1e32c55f845b5070b6993e4aff
Reviewed-on: https://boringssl-review.googlesource.com/6144
Reviewed-by: Adam Langley <alangley@gmail.com>
2015-10-27 01:34:33 +00:00