858 Commits

Author SHA1 Message Date
Brian Smith
29c9f40f29 Take BoringSSL 06fa67c: Stop using |ERR_peek_last_error| in RSA blinding. 2015-09-14 16:57:53 -07:00
Brian Smith
c7c691a605 Take BoringSSL 23b185a: Allow out_present to be NULL in CBS_get_optional_asn1. 2015-09-14 16:54:40 -07:00
Brian Smith
28bffb7788 Merge BoringSSL 5148345: BN_mod_exp_mont_consttime: check for zero modulus. 2015-09-14 16:44:15 -07:00
Brian Smith
30c586dd4d Merge BoringSSL fe71f1d: Fix spurious bn_test failures. 2015-09-14 16:43:48 -07:00
Adam Langley
06fa67c8d3 Stop using |ERR_peek_last_error| in RSA blinding.
History has shown there are bugs in not setting the error code
appropriately, which makes any decision making based on
|ERR_peek_last_error|, etc. suspect. Also, this call was interfering
with the link-time optimizer's ability to discard the implementations of
many functions in crypto/err during dead code elimination.

Change-Id: Iba9e553bf0a72a1370ceb17ff275f5a20fca31ec
Reviewed-on: https://boringssl-review.googlesource.com/5748
Reviewed-by: Adam Langley <agl@google.com>
2015-09-08 23:32:48 +00:00
Paul Lietar
23b185a3cf Allow out_present to be NULL in CBS_get_optional_asn1
This is useful to skip an optional element, and mirrors the behaviour of
CBS_get_optional_asn1_octet_string.

Change-Id: Icb538c5e99a1d4e46412cae3c438184a94fab339
Reviewed-on: https://boringssl-review.googlesource.com/5800
Reviewed-by: Adam Langley <agl@google.com>
2015-09-03 18:46:17 +00:00
David Benjamin
76c2efc0e9 Forbid a server from negotiating both ALPN and NPN.
If the two extensions select different next protocols (quite possible since one
is server-selected and the other is client-selected), things will break. This
matches the behavior of NSS (Firefox) and Go.

Change-Id: Ie1da97bf062b91a370c85c12bc61423220a22f36
Reviewed-on: https://boringssl-review.googlesource.com/5780
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 20:46:42 +00:00
David Benjamin
43c4d17230 Add X509_CRL_up_ref.
(Imported from upstream's 65cbf983ca4f69b8954f949c2edaaa48824481b3.)

Change-Id: I1e5d26ed8da5a44f68d22385b31d413628229c50
Reviewed-on: https://boringssl-review.googlesource.com/5784
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 19:12:56 +00:00
David Benjamin
5148345282 BN_mod_exp_mont_consttime: check for zero modulus.
Don't dereference |d| when |top| is zero. Also test that various BIGNUM
methods behave correctly on zero/even inputs.

(Imported from upstream's cf633fa00244e39eea2f2c0b623f7d5bbefa904e.)

We already had the BN_div and BN_MONT_CTX_set tests, but align them with
upstream's for consistency.

Change-Id: Ice5d04f559b4d5672e23c400637c07d8ee401727
Reviewed-on: https://boringssl-review.googlesource.com/5783
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 19:12:28 +00:00
David Benjamin
fe71f1d4a5 Fix spurious bn_test failures.
BN_rand generates a single-word zero BIGNUM with quite a large
probability.

A zero BIGNUM in turn will end up having a NULL |d|-buffer, which we
shouldn't dereference without checking.

(Imported from upstream's 9c989aaa749d88b63bef5d5beeb3046eae62d836.)

Change-Id: Ic4d113e4fcf4ea4c0a4e905a1c4ba3fb758d9fc6
Reviewed-on: https://boringssl-review.googlesource.com/5782
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 19:10:01 +00:00
David Benjamin
8d100366e5 Fix dsa keygen for too-short seed
If the seed value for dsa key generation is too short (< qsize),
return an error.

(Imported from upstream's 1d7df236dcb4f7c95707110753e5e77b19b9a0aa and
df1565ed9cebb6933ee7c6e762abcfefd1cd3846.)

This switches the trigger for random seed from seed_len = 0 to seed_in =
NULL.

Change-Id: I2e07abed754c57ef9d96b02a52ba6d260c3f5fb9
Reviewed-on: https://boringssl-review.googlesource.com/5781
Reviewed-by: Adam Langley <agl@google.com>
2015-09-01 19:09:22 +00:00
David Benjamin
885fc046a5 Fix memory leaks on error in x_x509a.c.
See also upstream's c8491de393639dbc4508306b7dbedb3872b74293.

Change-Id: I017fb137d6d93b6abb82fdb03f02be8292963d0d
Reviewed-on: https://boringssl-review.googlesource.com/5767
Reviewed-by: Adam Langley <agl@google.com>
2015-08-31 18:54:17 +00:00
David Benjamin
ffadb3969f fread returns a size_t, not int.
Change-Id: I305fd40a887b1dedf23eeddfb5231fc61b355ea8
Reviewed-on: https://boringssl-review.googlesource.com/5762
Reviewed-by: Adam Langley <agl@google.com>
2015-08-28 22:46:40 +00:00
David Benjamin
ba13402c1b Fix the type of ASN1_i2d_bio's last argument.
It's supposed to be void*. The only reason this was working was that it was
only called in C which happily casts from void* to T*. (But if called in C++ in
a macro, it breaks.)

Change-Id: I7f765c3572b9b4815ae58da852be1e742de1bd96
Reviewed-on: https://boringssl-review.googlesource.com/5760
Reviewed-by: Adam Langley <agl@google.com>
2015-08-28 22:03:54 +00:00
David Benjamin
b8d28cf532 Factor out the buffering and low-level record code.
This begins decoupling the transport from the SSL state machine. The buffering
logic is hidden behind an opaque API. Fields like ssl->packet and
ssl->packet_length are gone.

ssl3_get_record and dtls1_get_record now call low-level tls_open_record and
dtls_open_record functions that unpack a single record independent of who owns
the buffer. Both may be called in-place. This removes ssl->rstate which was
redundant with the buffer length.

Future work will push the buffer up the stack until it is above the handshake.
Then we can expose SSL_open and SSL_seal APIs which act like *_open_record but
return a slightly larger enum due to other events being possible. Likewise the
handshake state machine will be detached from its buffer. The existing
SSL_read, SSL_write, etc., APIs will be implemented on top of SSL_open, etc.,
combined with ssl_read_buffer_* and ssl_write_buffer_*. (Which is why
ssl_read_buffer_extend still tries to abstract between TLS's and DTLS's fairly
different needs.)

The new buffering logic does not support read-ahead (removed previously) since
it lacks a memmove on ssl_read_buffer_discard for TLS, but this could be added
if desired. The old buffering logic wasn't quite right anyway; it tried to
avoid the memmove in some cases and could get stuck too far into the buffer and
not accept records. (The only time the memmove is optional is in DTLS or if
enough of the record header is available to know that the entire next record
would fit in the buffer.)

The new logic also now actually decrypts the ciphertext in-place again, rather
than almost in-place when there's an explicit nonce/IV. (That accidentally
switched in https://boringssl-review.googlesource.com/#/c/4792/; see
3d59e04bce96474099ba76786a2337e99ae14505.)

BUG=468889

Change-Id: I403c1626253c46897f47c7ae93aeab1064b767b2
Reviewed-on: https://boringssl-review.googlesource.com/5715
Reviewed-by: Adam Langley <agl@google.com>
2015-08-28 22:01:02 +00:00
Matt Braithwaite
e000472166 pkcs8.c: Add PBES2 to list of password-based encryption methods.
This consists mostly of re-adding OpenSSL's implementation of PBKDF2
(very loosely based upon e0d26bb3).  The meat of it, namely
|PKCS5_PBKDF2_HMAC|, was already present, but unused.

In addition, |PKCS8_encrypt| and |PKCS8_decrypt| must be changed to
not perform UCS-2 conversion in the PBES2 case.

Change-Id: Id170ecabc43c79491600051147d1d6d3c7273dbc
Reviewed-on: https://boringssl-review.googlesource.com/5745
Reviewed-by: Adam Langley <agl@google.com>
2015-08-28 20:33:33 +00:00
Brian Smith
0b23f8cf9e Rename the C library to "ring-core", rename Rust crate to "ring".
The Rust crate can't be named "ring" if it links to a C library called
"ring".
2015-08-26 21:18:41 -07:00
Brian Smith
d6411bde92 Rust: Add RSA and ECDSA signature verification API. 2015-08-26 21:18:39 -07:00
Brian Smith
46dea05fb3 Rename libring.lib to ring.lib on Windows.
Rust's native library integration works best when the library is named
<foo>.lib on Windows and lib<foo>.lib on other platforms.
2015-08-26 21:18:35 -07:00
Brian Smith
eb838e4e93 Get ARM builds working better. 2015-08-26 21:18:34 -07:00
Brian Smith
574e3fa979 Fix Windows build warning.
msbuild was complaining with warning MSB8012 that |TargetPath|
does not match the Linker's OutputFile property value. The problem
was caused by the wrong ordering of the setting of build properties
and the inclusion of the built-in property sheets.
2015-08-26 21:18:29 -07:00
Brian Smith
df3269a837 Update output/int paths in preparation for making cargo work 2015-08-26 21:18:27 -07:00
Brian Smith
cf79a973f4 Improve warning-related parts of build system.
Make default warnings stricter in mk/top_of_makefile.mk, and then
disable the extra warnings as necessary in mk/ring.mk, in order to sync
ring's build system with mozilla::pkix's build system. Also, use spaces
consistently for indentation, instead of a mix of spaces and tabs.
2015-08-26 21:18:26 -07:00
Brian Smith
fe44612bf6 Remove one-shot digest functions that may use a static buffer.
It would be nice to keep the one-shot functions around since they are
convenient, but there's not any good, backward-compatible, way to
remove the shared static buffer option. In particular, there are likely
to be many callers of these functions that expect them to never fail,
and so returning |NULL| when the caller doesn't supply a buffer is not
likely to work well in all cases. Consequently, it's better to fail
hard at build time.
2015-08-26 21:18:25 -07:00
Brian Smith
5007fb3af0 Revert some MSVC 2015 compat changes; disable some warnings in MSVC 2015.
The change to add explicitly-deleted constructors and assignment
operators in aead_test.cc and digest_test.cc broke GCC 4.8 builds.
Those changes were made to prevent MSVC from issuing these warnings:

  * C4623: default constructor was implicitly defined as deleted
           because a base class default constructor is inaccessible or
           deleted.
  * C4626: assignment operator was implicitly defined as deleted
           because a base class assignment operator is inaccessible or
           deleted.
  * C5027: move assignment operator was implicitly defined as deleted
           because a base class move assignment operator is inaccessible
           or deleted.

All of these warnings are just "Warning: we didn't do something
impossible in violation of the C++ language semantics" so they are safe
to disable. Even without considering the GCC 4.8 breakage, this is a
better fix.
2015-08-26 21:18:21 -07:00
Brian Smith
3685ef6d97 Improve Visual Studio 2015 Compatibility.
* Silence some warnings about things that MSVC 2015 warns about that
  MSVC 2013 didn't.

* Change the solution so that it opens in Visual Studio 2015 if Visual
  Studio 2015 is installed.

* Change ToolsVersion to 14.0 in the project files so that Visual
  Studio 2015 does not put a warning in the build log about the version
  being 12.0. This means that Visual Studio 2013 will have a warning,
  but the warning is harmless, and if we have to choose, it's better
  for VS 2013 to warn than VS 2015 to warn, in the long term. See
  https://github.com/Microsoft/msbuild/issues/52#issuecomment-88674094.

* Build with the VS 2013 XP-compatible toolchain if using Visual Studio
  2013 (including its msbuild); otherwise build with the Visual Studio
  2015 XP-compatible toolchain. See
  https://social.msdn.microsoft.com/Forums/vstudio/en-US/ \
    d06c3741-c637-4627-9b1a-1e068803a067/ \
    setting-platformtoolset-value-based-on-vs-version.
2015-08-26 21:18:21 -07:00
Brian Smith
fd669003ff Remove BER support. 2015-08-26 21:18:20 -07:00
Brian Smith
72e2935ff2 Create a 1-to-1 mapping of perlasm scripts to outputs.
Previously, sha-x86_64.pl (was sha512-x86_64.pl) was used to generate
both sha256-x86_64.S and sha512-x86_64.S. This required special build
logic in ring.mk and also would have required special logic in the
msbuild project files. This commit adds dedicated perlasm source files
for both, and there's now a 1-to-1 correspondence between perlasm
scripts and output files, which avoids any need for special-case logic
in the build system.

The same goes for sha-armv8.pl (was sha512-armv8.pl).
2015-08-26 21:18:20 -07:00
Brian Smith
1dd9cd171c Rename sha512-{x86_64,armv8}.pl to sha-{x86_64,armv8}.pl.
This commit prepares for the addition of dedicated
sha256-{x86_64,armv8}.pl and sha512-{x86_64,armv8}.pl scripts, in order
to create a 1-to-1 mapping of source .pl scripts to generated
.S assembly language files. This is a separate commit so that git tools
recognize the renames correctly.
2015-08-26 21:18:19 -07:00
Brian Smith
e78f56048f Add Visual Studio solution, OPENSSL_NO_ASM only for now.
Much of the repetitive logic was put into mk/Common.props,
mk/Windows.props, and mk/WindowsTest.props. There is still a lot of
repetitive logic in the test project files that should be moved to
WindowsTest.props in the future. (In fact, it would be better if the
build system were modified in the future to work like CMake does,
(re-)generating the necessary project files during the build.)

Regular (OPENSSL_NO_ASM) mode will come in a later commit.

I've marked the Visual Studio files as eol=crlf in .gitattributes for
now. This should be the least painful option, since any CRLF
conversion would create problems for people sharing a source tree
across platforms (e.g. a shared folder in a VM), and because Visual
Studio IDE resets the files back to CR/LF line endings whenever a
change to project or solution settings is made using its GUI. There is
no license comment in these files because Visual Studio strips comments
when changes are made using the GUI.
2015-08-26 21:18:19 -07:00
Brian Smith
6198948e2f Remove directory traversal code. 2015-08-26 21:18:18 -07:00
Brian Smith
13baebc3b5 Replace CMake with GNU Make and add Travis CI integration.
Travis CI doesn't have a new enough version of CMake readily available,
and I've been wanting to replace the CMake-based build system for other
reasons. This kills the Windows support, but I'm intending to add a
native msbuild build system for Windows soon. Also, this builds in
OPENSSL_NO_ASM mode for now.
2015-08-26 21:18:16 -07:00
Brian Smith
d752711a4e Remove ERR_error_string.
ERR_error_string writes to a shared static buffer, which is obviously
bad. BoringSSL had already deprecated it.
2015-08-26 21:18:16 -07:00
Brian Smith
765426d805 Neuter error string functions so that Go isn't needed to build. 2015-08-26 21:18:16 -07:00
Brian Smith
0fad1235ec Remove "cipher.h" from public API.
See David Benjamin's comment at:
https://boringssl-review.googlesource.com/#/c/3990
2015-08-26 21:18:15 -07:00
Brian Smith
47e7edc7db Remove lhash. 2015-08-26 21:18:14 -07:00
Brian Smith
0cc126a203 Remove crypto/stack. 2015-08-26 21:18:13 -07:00
Brian Smith
20e9295b25 Remove EVP_BytesToKey. 2015-08-26 21:18:13 -07:00
Brian Smith
0c382830cd Remove BN_mod_exp2_mont. 2015-08-26 21:18:12 -07:00
Brian Smith
96129ba23a Remove BN_primality_test. 2015-08-26 21:18:12 -07:00
Brian Smith
58df6d8306 Remove BN_mod_lshift1. 2015-08-26 21:18:11 -07:00
Brian Smith
517df569bb Remove BN_mod_lshift. 2015-08-26 21:18:11 -07:00
Brian Smith
b8b0c25527 Remove BN_mask_bits. 2015-08-26 21:18:10 -07:00
Brian Smith
a98e7c9f2c Remove BN_sqrt. 2015-08-26 21:18:10 -07:00
Brian Smith
3cabd5062c Remove RSA_recover_crt_params. 2015-08-26 21:18:10 -07:00
Brian Smith
225d1d1044 Remove AES-192. 2015-08-26 21:18:09 -07:00
Brian Smith
c0ba4f8bcd Remove ECB mode. 2015-08-26 21:18:08 -07:00
Brian Smith
49c0edec78 Remove CFB mode. 2015-08-26 21:18:08 -07:00
Brian Smith
c08a0374cd Remove OFB mode. 2015-08-26 21:18:07 -07:00
Brian Smith
ddde8768c1 Remove RC4 assembly language optimizations. 2015-08-26 21:18:07 -07:00