Commit Graph

1742 Commits

Author SHA1 Message Date
David Benjamin
8745865451 Fix a couple other leaks on failure in X509_verify_cert.
If get_issuer fails, some of these calls return rather than jumping to common
cleanup code.

Change-Id: Iacd59747fb11e9bfaae86f2eeed88798ee08203e
Reviewed-on: https://boringssl-review.googlesource.com/5711
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 20:35:10 +00:00
David Benjamin
a6ee3de08e Fix leak on malloc failure in X509_verify_cert.
(Imported from upstream's 25efcb44ac88ab34f60047e16a96c9462fad39c1 and
56353962e7da7e385c3d577581ccc3015ed6d1dc.)

Change-Id: I2ff22fc9da23868de02e6f31c50a3f1d0c6dec1a
Reviewed-on: https://boringssl-review.googlesource.com/5710
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 20:34:44 +00:00
David Benjamin
5f4de9aa8f Fix pub_key comment in dh.h.
(Imported from upstream's 602af7d01da82dc6c45946572f531bcbe9ebbf47.)

Change-Id: I17cc0bfaf2d9954aafae9da30d2d37a97101f330
Reviewed-on: https://boringssl-review.googlesource.com/5691
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 20:32:51 +00:00
David Benjamin
9e45d6e42f Check for 0 modulus in BN_MONT_CTX_set.
The function BN_MONT_CTX_set was assuming that the modulus was non-zero
and therefore that |mod->top| > 0. In an error situation that may not be
the case and could cause a seg fault.

This is a follow on from CVE-2015-1794.

(Imported from upstream's 512368c9ed4d53fb230000e83071eb81bf628b22.)

The CVE itself doesn't affect us as the bit strength check in the DHE logic
excludes zero.

Also add tests to bn_test for a couple of division by zero cases. (This and
BN_div.)

Change-Id: Ibd8ef98d6be48eb95110021c23cd8e278656764d
Reviewed-on: https://boringssl-review.googlesource.com/5690
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 20:32:38 +00:00
David Benjamin
719220ec8e Get overflow checks right in BN_bin2bn.
BN_bin2bn takes a size_t as it should, but it passes that into bn_wexpand which
takes unsigned. Switch bn_wexpand and bn_expand to take size_t before they
check bounds against INT_MAX.

BIGNUM itself still uses int everywhere and we may want to audit all the
arithmetic at some point. Although I suspect having bn_expand require that the
number of bits fit in an int is sufficient to make everything happy, unless
we're doing interesting arithmetic on the number of bits somewhere.

Change-Id: Id191a4a095adb7c938cde6f5a28bee56644720c6
Reviewed-on: https://boringssl-review.googlesource.com/5680
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 20:30:00 +00:00
David Benjamin
0257cffb4e Tidy up BN decimal and hex decode functions.
Move the bn_expand call inside decode_hex; it's an implementation detail of
hex-decoding. decode_dec instead works with BN_mul_word and BN_add_word so it
can just rely on BN internally expanding things and check the return value.

Also clean up the decode_hex loop so it's somewhat more readable and check for
INT_MAX in bn_x2bn. It uses int over size_t rather pervasively, but while I'm
here at least make that function check overflow.

BUG=517474

Change-Id: I4f043973ee43071a02ea5d4313a8fdaf12404e84
Reviewed-on: https://boringssl-review.googlesource.com/5679
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 20:26:47 +00:00
David Benjamin
2b9ec70558 Remove SSL_CTRL_SET_CLIENT_CERT_TYPES.
This isn't called and, with the fixed-DH client cert types removed, is
only useful if a server wishes to not accept ECDSA certificates or
something.

BUG=404754

Change-Id: I21d8e1a71aedf446ce974fbeadc62f311ae086db
Reviewed-on: https://boringssl-review.googlesource.com/5673
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 19:15:14 +00:00
David Benjamin
d27441a9cb Remove separate APIs for configuring chain and verify stores.
These are unused (new as of 1.0.2). Although being able to separate the
two stores is a reasonable thing to do, we hope to remove the
auto-chaining feature eventually. Given that, SSL_CTX_set_cert_store
should suffice. This gets rid of two more ctrl macros.

BUG=404754,486295

Change-Id: Id84de95d7b2ad5a14fc68a62bb2394f01fa67bb4
Reviewed-on: https://boringssl-review.googlesource.com/5672
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 19:14:38 +00:00
David Benjamin
7591064546 Promote SSL_get0_certificate_types to a proper function.
BUG=404754

Change-Id: I94785e970d2f08e46826edd2ac41215500f46e99
Reviewed-on: https://boringssl-review.googlesource.com/5671
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 19:13:35 +00:00
David Benjamin
fd7e1163e8 Remove *_LIST SSL_ctrl functions.
They were removed in the initial fork, but the ctrl macros remained.

BUG=404754

Change-Id: I5b20434faf494c54974a8d9a9df0e87ccf33c414
Reviewed-on: https://boringssl-review.googlesource.com/5670
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 19:12:46 +00:00
Adam Langley
048d4ad5ee Remove superfluous “!= 0” in if.
“!= 0” is implicit in if statements and it looks very weird here.

Change-Id: I7f4e71c479b8ff9821a040f1c542b15af19b8aed
Reviewed-on: https://boringssl-review.googlesource.com/5720
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-17 19:12:07 +00:00
David Benjamin
74279b6342 Avoid a copy when using RSA_PADDING_NONE.
RSA_PADDING_NONE is actually the important one for RSA_decrypt since OAEP isn't
used much and RSA_PKCS1_PADDING is unsafe to use due to timing constraints.
(The SSL stack uses RSA_PADDING_NONE and does the padding check separately.)

Change-Id: I5f9d168e7c34796a41bf01fc1878022742b63501
Reviewed-on: https://boringssl-review.googlesource.com/5641
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 23:53:09 +00:00
Adam Langley
2deb984187 Fix NULL dereference in the case of an unexpected extension from a server.
Due to a typo, when a server sent an unknown extension, the extension
number would be taken from a NULL structure rather than from the
variable of the same name that's in the local scope.

BUG=517935

Change-Id: I29d5eb3c56cded40f6155a81556199f12439ae06
Reviewed-on: https://boringssl-review.googlesource.com/5650
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 18:21:20 +00:00
Brian Smith
21cdada609 Fix warning about unused |EVP_PKEY_METHOD.ctrl_str|.
Some compilers in some configurations warn about this structure member
not being assigned a value. Since it is never used anywhere, just
remove it.

Change-Id: I46064234961bf449fe5fcb88594ddb3ff390e7d7
Reviewed-on: https://boringssl-review.googlesource.com/5621
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 16:11:08 +00:00
David Benjamin
b8a6c9e1e9 Fix CRYPTO_hwrand comment.
Missed a mention of CRYPTO_have_hwrand.

Change-Id: I9756d80105c2fcee487a7badbf4d82f375b5652d
Reviewed-on: https://boringssl-review.googlesource.com/5640
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 16:10:41 +00:00
Matt Braithwaite
02e1834bc7 Make |RSA_PSS_PARAMS| public.
Change-Id: I4a30b80a76cb4bb6e9bc488a915488b0a794520e
Reviewed-on: https://boringssl-review.googlesource.com/5591
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:14:56 +00:00
Matt Braithwaite
45b03025bd Add more compatibility symbols like |SSL_OP_NETSCAPE_CA_DN_BUG|.
This benefits PyOpenSSL.

Change-Id: Idbb982def51ec395f3b5e1e0e3452bb62b50d927
Reviewed-on: https://boringssl-review.googlesource.com/5600
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:14:31 +00:00
Brian Smith
4ae9f2746c Clean up weirdness in initializing EC_GROUP cofactor & order.
Previously, |x| was reset to the value of the cofactor for no reason,
and there was an unnecessary copy made of |order|.

Change-Id: Ib6b06f651e280838299dff534c38726ebf4ccc97
Reviewed-on: https://boringssl-review.googlesource.com/4447
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:04:09 +00:00
David Benjamin
1be2ec6756 Fold CRYPTO_hwrand and CRYPTO_have_hwrand together.
Since the caller must check for CRYPTO_hwrand failures anyway, there's not much
point in doing the CRYPTO_have_hwrand check externally.

(As a bonus, CRYPTO_hwrand no longer compiles to abort() on ARM, so linker
deduplicating won't confuse Chrome's crash reporter...)

Change-Id: I2191d835fbda5b70812f14cd9a873a5e35c30c6d
Reviewed-on: https://boringssl-review.googlesource.com/5630
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:02:24 +00:00
David Benjamin
b2d987b47c Free tmp_wNAF in all exit paths.
BUG=517495

Change-Id: I67c9c511d4ed558ab7a976d6708398e02194cd0f
Reviewed-on: https://boringssl-review.googlesource.com/5628
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 02:00:35 +00:00
David Benjamin
ade291c566 Clean up the DES_key_schedule logic.
It's not clear why OpenSSL had a union. The comment says something about sizes
of long, since OpenSSL doesn't use stdint.h. But the variable is treated as a
bunch of uint32_t's, not DES_cblocks.

The key schedule is also always used by iterating or indexing into a uint32_t*,
treating the 16 2-word subkeys as a single uint32_t[32]. Instead, index into
them properly shush any picky tools. The compiler should be able to figure out
what's going on and optimize it appropriately.

BUG=517495

Change-Id: I83d0e63ac2c6fb76fac1dceda9f2fd6762074341
Reviewed-on: https://boringssl-review.googlesource.com/5627
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:55:59 +00:00
David Benjamin
3b51b7ad0f Remove stray (void)0.
Probably a remnant of ifdef soup somewhere.

Change-Id: I472f236a2db54a97490b22b0bbcc1701a2dba3b3
Reviewed-on: https://boringssl-review.googlesource.com/5623
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:53:43 +00:00
Brian Smith
f9f72b3667 Remove BIO dependency from cmac_test.
This is the only test amongst the tests for core crypto functionality
that depends on crypto/bio. This change removes that dependency. This
also factors out the duplicative hexdump logic into a shared function.

Change-Id: Ic280a71d086555a6993c05f183b94e1d38b60932
Reviewed-on: https://boringssl-review.googlesource.com/5622
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:53:01 +00:00
David Benjamin
b088331ec0 Simplify handshake hash handling.
Rather than support arbitrarily many handshake hashes in the general
case (which the PRF logic assumes is capped at two), special-case the
MD5/SHA1 two-hash combination and otherwise maintain a single rolling
hash.

Change-Id: Ide9475565b158f6839bb10b8b22f324f89399f92
Reviewed-on: https://boringssl-review.googlesource.com/5618
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:47:21 +00:00
David Benjamin
d6a4ae97cd Simplify tls1_channel_id_hash.
Rather than iterate over handshake_dgsts itself, it can just call
tls1_handshake_digest.

Change-Id: Ia518da540e47e65b13367eb1af184c0885908488
Reviewed-on: https://boringssl-review.googlesource.com/5617
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:16:33 +00:00
David Benjamin
5375fd594b Switch the handshake buffer from memory BIO to BUF_MEM.
A memory BIO is internally a BUF_MEM anyway. There's no need to bring
BIO_write into the mix. BUF_MEM is size_t clean.

Change-Id: I4ec6e4d22c72696bf47c95861771013483f75cab
Reviewed-on: https://boringssl-review.googlesource.com/5616
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:11:42 +00:00
David Benjamin
9550c3ac8b Decouple the handshake buffer and digest.
The handshake hash is initialized from the buffer as soon as the cipher
is known. When adding a message to the transcript, independently update
the buffer and rolling hash, whichever is active. This avoids the
complications around dont_free_handshake_buffer and EMS.

BUG=492371

Change-Id: I3b1065796a50fd1be5d42ead7210c2f253ef0aca
Reviewed-on: https://boringssl-review.googlesource.com/5615
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 01:10:33 +00:00
David Benjamin
5055c76709 Rename algorithm2 to algorithm_prf.
It's purely the PRF function now, although it's still different from the
rest due to the _DEFAULT field being weird.

Change-Id: Iaea7a99cccdc8be4cd60f6c1503df5be2a63c4c5
Reviewed-on: https://boringssl-review.googlesource.com/5614
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:59:34 +00:00
David Benjamin
b2a985bfb8 Fold away SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_INCLUDED_IN_RECORD.
It's a property of just algorithm_enc and hopefully AES-GCM will
continue to be the only true AEAD that requires this. Simpler to just
keep it in ssl_aead_ctx.c.

Change-Id: Ib7c060a3de2fa8590b2dc36c23a5d5fabff43b07
Reviewed-on: https://boringssl-review.googlesource.com/5613
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:57:37 +00:00
Brian Smith
62138c5d5a Check the return value of |BN_sub| in bn_test.cc.
Coverity complains about this.

Change-Id: I5140fd82bdbe7c2e3b36a8bc9006770a431741ea
Reviewed-on: https://boringssl-review.googlesource.com/5619
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:52:58 +00:00
Brian Smith
f4bbc2a360 Improve error checking of some |BN_CTX_get| callers.
The documentation for |BN_CTX_get| states: "Once |BN_CTX_get| has
returned NULL, all future calls will also return NULL until
|BN_CTX_end| is called." Some code takes advantage of that guarantee
by only checking the return value of the last call to |BN_CTX_get| in a
series of calls. That is correct and the most efficient way of doing
it. However, that pattern is inconsistent with most of the other uses
of |BN_CTX_get|. Also, static analysis tools like Coverity cannot
understand that pattern. This commit removes the instances of that
pattern that Coverity complained about when scanning *ring*.

Change-Id: Ie36d0223ea1caee460c7979547cf5bfd5fb16f93
Reviewed-on: https://boringssl-review.googlesource.com/5611
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:50:17 +00:00
Brian Smith
7b5f08edb8 Fix null pointer dereference in file_test.cc.
The error condition was checked for, but the return statement was
missing.

Change-Id: I92f89809a7a112fdece49a2a8a8628ff2da8e0da
Reviewed-on: https://boringssl-review.googlesource.com/5610
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-07 00:48:03 +00:00
Adam Langley
07bf9f69ba Drop DEFINE_STACK_OF.
We never need to define the actual structs because we always cast them
before use. The types only exist to be distinct, and they can do that
without a definition.

Change-Id: I1e1ca0833b383f3be422675cb7b90dacbaf82acf
Reviewed-on: https://boringssl-review.googlesource.com/5593
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:30:08 +00:00
Brian Smith
906e2993a8 Fix Windows build.
When using CMake to build with MSVC, MSVC complains about unreachable
code in the <xtree> header. This incantation silences that.

Change-Id: I5fc5305dc816a009a4c59501b212fd11e290637d
Reviewed-on: https://boringssl-review.googlesource.com/5552
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:26:34 +00:00
Matt Braithwaite
d0e1f1ca85 Include thread.h from crypto.h, like OpenSSL.
thread.h defines |CRYPTO_num_locks| and friends.

Change-Id: Id28484d20226bf3ab49b2a75c48210167b96a2f3
Reviewed-on: https://boringssl-review.googlesource.com/5592
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:25:23 +00:00
Matt Braithwaite
f92930e30a Add |EVP_rc2_cbc| and implement |EVP_CTRL_SET_RC2_KEY_BITS|.
Add it to |EVP_get_cipherbynid|, along with |EVP_rc2_40_cbc| and
|EVP_aes_192_cbc|.

Change-Id: Iee7621a91262359d1650684652995884a6cef37a
Reviewed-on: https://boringssl-review.googlesource.com/5590
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:23:56 +00:00
David Benjamin
7446a3b77f Clean up DTLS1_BITMAP code.
Take the sequence number as a parameter. Also replace satsub64be with
the boring thing: convert to uint64_t and subtract normally.

BUG=468889

Change-Id: Icab75f872b5e55cf4e9d68b66934ec91afeb198b
Reviewed-on: https://boringssl-review.googlesource.com/5558
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:23:05 +00:00
David Benjamin
c8d5122538 Fold dtls1_process_record into dtls1_get_record.
The split was only needed for buffering records. Likewise, the extra
seq_num field is now unnecessary.

This also fixes a bug where dtls1_process_record will push an error on
the queue if the decrypted record is too large, which dtls1_get_record
will ignore but fail to clear, leaving garbage on the error queue. The
error is now treated as fatal; the reason DTLS silently drops invalid
packets is worrying about ease of DoS, but after SSL_AEAD_CTX_open, the
packet has been authenticated. (Unless it's the null cipher, but that's
during the handshake and the handshake is already DoS-able by breaking
handshake reassembly state.)

The function is still rather a mess. Later changes will clean this up.

BUG=468889

Change-Id: I96a54afe0755d43c34456f76e77fc4ee52ad01e3
Reviewed-on: https://boringssl-review.googlesource.com/5557
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:14:11 +00:00
David Benjamin
8e6db495d3 Add more aggressive DTLS replay tests.
The existing tests only went monotonic. Allow an arbitrary mapping
function. Also test by sending more app data. The handshake is fairly
resilient to replayed packets, whereas our test code intentionally
isn't.

Change-Id: I0fb74bbacc260c65ec5f6a1ca8f3cb23b4192855
Reviewed-on: https://boringssl-review.googlesource.com/5556
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 21:10:48 +00:00
David Benjamin
229adfb42b FALLBACK_SCSV is an RFC now.
Update references.

Change-Id: I56af31529cf6bfd00d3f0bb9b6281645ed134c5c
Reviewed-on: https://boringssl-review.googlesource.com/5555
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 20:51:51 +00:00
Adam Langley
8bc81df02b Revert "pound-define EVP_R_BAD_DECRYPT CIPHER_R_BAD_DECRYPT."
It will end up allowing some misuses of the error API to break silently,
so we're better off without it.

This reverts commit 0fba870578.

Change-Id: I486962c77cb18474ad9eee2acec86b631c99210d
2015-08-05 12:16:11 -07:00
David Benjamin
b143eca16e Consistently participate in err for PKCS12_* functions.
err is a horrible API, but functions should consistently participate or not
participate in it. We were missing a few codepaths.

Change-Id: I762074d5030b8e9d3e5bba9f8fa91fbdccbee25a
Reviewed-on: https://boringssl-review.googlesource.com/5571
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 18:53:06 +00:00
David Benjamin
43bd18f3b2 Don't define typedefs twice.
16f774f8bf adds forward declarations for
everything in x509.h, but the typedefs are still in x509.h. Some versions of
clang flag the duplicate typedefs in C code.

Change-Id: Ib6684a238681d8c4fb1f0f91c3a6110013b3f4d6
Reviewed-on: https://boringssl-review.googlesource.com/5580
Reviewed-by: Adam Langley <agl@google.com>
2015-08-05 05:35:23 +00:00
Brian Smith
78fe4fd297 Fix more warnings about old-style prototypes.
Replace |()| with |(void)| in some prototypes to avoid compiler
warnings about old-style prototypes when building in some non-default
configurations for ARM.

Change-Id: Id57825084941c997bb7c41ec8ed94962f97ff732
Reviewed-on: https://boringssl-review.googlesource.com/5570
Reviewed-by: Adam Langley <agl@google.com>
2015-08-04 02:09:39 +00:00
Matt Braithwaite
16f774f8bf base.h: add typedefs from x509.h, and sort them.
Change-Id: I333573631ebe4b01f91b1aeebf620812161db3ee
Reviewed-on: https://boringssl-review.googlesource.com/5560
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 21:25:22 +00:00
Matt Braithwaite
0fba870578 pound-define EVP_R_BAD_DECRYPT CIPHER_R_BAD_DECRYPT.
(This is one of the most common errors that callers test for.)

Change-Id: Ic39b8dc6b5551de4a25e8517b9bbedf8a4a94d60
Reviewed-on: https://boringssl-review.googlesource.com/5534
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 18:33:59 +00:00
Matt Braithwaite
6454a4cc21 pound-define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
Change-Id: Ic04e474759254397e8cc9220b2618058d43f71be
Reviewed-on: https://boringssl-review.googlesource.com/5533
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 18:32:53 +00:00
Matt Braithwaite
5acf6b5cb4 include base64.h in evp.h
Change-Id: I0abe925fb094e6d95e03aba144dc266c73a4bb75
Reviewed-on: https://boringssl-review.googlesource.com/5536
Reviewed-by: Adam Langley <agl@google.com>
2015-08-03 18:31:58 +00:00
David Benjamin
fc05994e24 Fold away EC point format negotiation.
The only point format that we ever support is uncompressed, which the
RFC says implementations MUST support. The TLS 1.3 and Curve25519
forecast is that point format negotiation is gone. Each curve has just
one point format and it's labeled, for historial reasons, as
"uncompressed".

Change-Id: I8ffc8556bed1127cf288d2a29671abe3c9b3c585
Reviewed-on: https://boringssl-review.googlesource.com/5542
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:46:36 +00:00
Brian Smith
8a36e53abb Avoid using |WIN32| and use |OPENSSL_WINDOWS| instead.
MSVC and clang-cl automatically define |_WIN32| but |WIN32| is only
defined if a Windows header file has been included or if -DWIN32 was
passed on the command line. Thus, it is always better to test |_WIN32|
than |WIN32|. The convention in BoringSSL is to test |OPENSSL_WINDOWS|
instead, except for the place where |OPENSSL_WINDOWS| is defined.

Change-Id: Icf3e03958895be32efe800e689d5ed6a2fed215f
Reviewed-on: https://boringssl-review.googlesource.com/5553
Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2015-07-31 22:34:34 +00:00