The constructor parameter vs. method name one is a little unfortunate
given Google C++ style, but I think we've done this elsewhere in libssl,
so let's run with it for now.
Bug: 378
Change-Id: I31fb6b4b16e3248369dae6f47cc150de0e4f04fe
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43545
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

With -Wundef one could get warnings of undefined symbols.
This patch tries to fix this issue.
Furthermore, the case where there is BTI but no Pointer Authentication
now uses GNU_PROPERTY_AARCH64_BTI in the check which should correctly
reflect that feature's enabled state.
Change-Id: I14902a64e5f403c2b6a117bc9f5fb1a4f4611ebf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43524
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

Use empty() over size() == 0, and don't export the IterateAES*
functions. (They return private types.)
Change-Id: I8a8f33a64e28cc2eab789563c6ba91afa6df87f9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43544
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>

A recent change broke this but I didn't notice. (Which suggests that the
test isn't very useful, which is true, but I'm not ready to pull the
trigger on deleting it just yet.)
Change-Id: If120a553c095fa0be9f8e85fc05ee996a486621f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43484
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

CopyDiaDllTo is no longer needed after
9f7781171e.
As a bonus, this makes the script much easier to use outside of the
bots.
Change-Id: Ib59b7e6ff9276b860032134ad7eaa006492e76b9
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43464
Reviewed-by: Adam Langley <agl@google.com>

(Original CL by svaldez, reworked by davidben.)
Change-Id: I8570808fa5e96a1c9e6e03c4877039a22e73254f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42404
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

Add an earlyData and earlyDataRejected flag to configure the standard
0-RTT test options. It's too tedious otherwise. Along the way, I added
an -expect-cipher flag to a few of the tests which could do with them.
This does cause most 0-RTT tests to exchange a quick burst of data, so a
few more fuzzer mode suppressions are needed. I think that's probably
fine. Maybe we should mess with fuzzer mode so it's able to trial
decrypt as this is getting a little tedious.
Change-Id: Ib6490fe006d91294aab1a06d88f7793c6ae840c8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43086
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

OpenSSL synchronizes bio->next_bio and ssl->rbio with a variety of
callbacks, so BIO_copy_next_retry worked. We do not, so attempting to
flush the BIO crashed.
The SSL BIO is a compatibility hack and intentionally much more limited,
so start by just copying things from the right BIO directly. Add a basic
unit test for SSL BIOs. If we need to, we can implement a more complex
synchronization later.
Additionally reject reconfiguring an SSL BIO because that will leak the
object right now.
Change-Id: I724c95ab6f1a3a1aa1889b0483c81ce3bdc534ae
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43424
Reviewed-by: Adam Langley <agl@google.com>

(There's going to be more and it was getting too big.)
Change-Id: I16a49f77975697bb5a04f2adfd465b09c2a09ef3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43404
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

The Go TLS implementation, at the time runner forked, had custom
testing-only equal methods on all the handshake messages. We've since
removed all of them except for ClientHello, where we repurposed the
function to check ClientHello consistency on HelloVerifyRequest and
HelloRetryRequest.
These are tedious to update. Upstream has since replaced them with
reflect.DeepEqual, but the comparison we want is even tighter. Even
unknown extensions aren't allowed to change. Replace the check with a
custom one that works on the byte serialization and remove
clientHelloMsg.equal.
Along the way, I've fixed the HRR PSK identity logic to match the spec a
bit more and check binders more consistently.
Change-Id: Ib39e8791201c42d37e304ae5110c7aeed62c8b3f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43364
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

This change adds a config parameter PrivateKeyFile (to replace
PrivateKeyDERFile, although that still exists) because taking PKCS#1 DER
is a little odd for people. Also probe for PEM/DER and PKCS#1/8
automatically to try and work with whatever private key the user has.
Change-Id: I0f4efcd79528cfb26f791e9ee8c5141fc6a93723
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43344
Reviewed-by: David Benjamin <davidben@google.com>

This CL replaces clientHelloMsg's npnAfterAlpn and pskBinderFirst fields
with a new field: prefixExtensions. The extensions in prefixExtensions
are tried first when marshalling clientHelloMsg.
The ability to control extensions' marshalling order will make it
simpler to implement the "outer_extensions" behavior defined in
draft-ietf-tls-esni-07.
Bug: 275
Change-Id: Ib6dcc1e6fa0281f312cb65a9e204415c3f3ef2c6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43064
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

Sometimes the linker will generate rodata subsections even if we don't
have -fdata-sections enabled. That's ok, so include them in the FIPS
module. The other subsections continue to be discarded to ensure that
unexpected sections don't appear and escape the module.
Bug: b/142971559
Change-Id: Icebcf40bd3d0e63f20456e44f6c2564f4316b561
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43324
Commit-Queue: Adam Langley <alangley@gmail.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

It's a lot easier to copy certificates to and from x509_test.cc when
there isn't an indent to worry about. Note this does stick a newline in
front of each string, but the PEM parsers don't care.
Change-Id: I06aff263a2470596e8c50564c198693cfdbf9c59
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43285
Reviewed-by: Adam Langley <agl@google.com>

See 309e73dfe067b3b774ef6f57bf665f41373a81ca from upstream, though note
that v3_alt.c's fix was rewritten. (We don't have sk_reserve, and I
don't think their fix was quite right anyway.)
Change-Id: Ieabd19d87d4628658324b212cce2ed3ce451ad22
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43284
Reviewed-by: Adam Langley <agl@google.com>

Since we have support for reading vectors from files, this change adds
support for saving them. There's no support for uploading the saved
vectors, rather it's just for quicker debugging since the NIST server is
taking over a minute to produce vectors at the moment and that's a
little frustrating to iterate with.
Change-Id: I5da8a084eb06b81aefa838b4e7ad8d529d1d31a6
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43144
Reviewed-by: David Benjamin <davidben@google.com>

The quic_early_data_context should always be saved in the SSL_SESSION.
This change fixes a bug where it was only saved in the SSL_SESSION on
full handshakes (but not resumption handshakes).
Bug: 376
Change-Id: I3659d3398e85ac4263760b504d7ea8458fc7e1e2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43264
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

DES being deprecated is hopefully well-established enough that no one is
going to start complaining our implementation isn't constant-time. But I
think this is the only non-constant-time code left without a warning, so
add one for completeness.
(It is possible to implement DES with bitslicing, but 3DES TLS ciphers
are too slow as it is and hopefully not long for the world.)
Change-Id: I6b0de915e89ffe2d11372f7109642fcff44b11bf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43244
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

See b/169780122. This CL should be a no-op (the only other OPENSSL_LINUX
defines are in urandom/getrandom logic, which Trusty doesn't use), but
should be easier to work for future code.
Change-Id: I7676ce234a20ddaf54a881f2da1e1fcd680d1c78
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43224
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

Change-Id: I7636736752ac371fc8d86fbc6bf81ca797ac5092
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43127
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>

Trusty doesn't have madvise() or sysconf() and more importantly,
doesn't have fork() (confirmed chatting to ncbray), so the
no-op #if branch in fork_detect.c seems appropriate.
Change-Id: I41b41e79d59919bae6c6ece0e0efd3872105e9b1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43204
Commit-Queue: Pete Bentley <prb@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>

If clang-format sees STACK_OF(T) *foo, it has a hard time telling
whether * is a multiplication or a pointer and often indents things
wrong. There is now a TypenameMacros option to fix this.
Change-Id: I235f2f40ef32760e0232da265e78a4fbd5f187a0
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43145
Reviewed-by: Adam Langley <agl@google.com>

Due to a typo, if an unknown function was requested it was previously
ignored.
Change-Id: Id815c4b7e80d1452034b10bf9c7beb80a5ac3ed2
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43125
Reviewed-by: David Benjamin <davidben@google.com>

If a test fails due to an unexpected SSL_get_error result, notably 0-RTT
rejection, it's very difficult to debug.
Change-Id: I08585551f6d3d3c4ea414bf3ac7bc9ba0ed4063b
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43085
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

Sending empty spans tripped up the code because it never considered
the iovec to have been sent. Instead, filter out empty iovecs in the
first place.
Change-Id: I48ea2a887ca64c73051346f3096735c30507525a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43124
Commit-Queue: Adam Langley <alangley@gmail.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

We have an ad-hoc expectResumeVersion, and I'll want to add one for ALPS
(to confirm changing ALPS on resumption works). We probably could have
done with such a test for ALPN too. Wrap all the ConnectionState
expectations into a struct with an optional resumeExpectations field.
Also move the OCSPResponse() method to ConnectionState for consistency.
Change-Id: Icaabf5571c51e78ed078f57de0e04928d3f3fa8d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43084
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

Bumping OPENSSL_VERSION_NUMBER to 1.1.1 pulled in a few more to
define for compatibility.
Change-Id: I596c537d230f126dd53e8abe32c5132968a54826
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43104
Reviewed-by: Adam Langley <agl@google.com>

On the server, we echo the selected ALPN back out of the same getter as
the client.
Change-Id: I11978b9cd0a3e7c611f162e9cf5054e52005a195
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43045
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

This will make it less tedious to add new fields later.
Change-Id: I82fe8f1859e4eaf0c72551d4ca5cf9534bee10b5
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43005
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>

This function is still a bit too C-like, but this is slightly better.
Change-Id: Id8931753c9b8a2445d12089af5391833a68c4901
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43004
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

Expect to reenable in January 2021.
Change-Id: I364ffcf235901398196c60c45ff1c07fcac3f801
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43024
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

Looks like some toolchain updated recently and the bots are complaining
about copy vs reference. While I'm here, this is a test and just
declaring a pair of vectors is much less typing than an external array
and a pair of spans.
Change-Id: Iffc0beed99f5ef492d78bc58b5bb02d7c595a072
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/43044
Reviewed-by: Adam Langley <agl@google.com>

In upstream, this returns a const pointer, so we should match.
Update-Note: Callers may need to update their calls of
X509_get0_extensions, but I believe everything affected has been fixed.
Change-Id: Ic92660e18868cc681399ba4fc3f47ea1796fb164
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42884
Reviewed-by: Adam Langley <agl@google.com>

This was introduced in OpenSSL 1.1.1, and wpa_supplicant expects us to
have it. We had this same function as SSL_CIPHER_get_value (to match
SSL_get_cipher_by_value). Align with upstream's name.
It seems we also had a ssl_cipher_get_value lying around, so fold them
together. (I've retained the assert in ssl_cipher_get_value as it seems
reasonable enough; casting a hypothetical SSLv2 cipher ID to uint16_t
would not behave correctly.)
Change-Id: Ifbec460435bbc483f2c3de988522e321f2708172
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42966
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>

Changes:
- Remove point prefixes.
- Don't verify SRR on the client.
TODO:
- Replace SRR generation with RR generation on issuer.
- Add finalized PrivacyPass version.
Change-Id: Ibfb04aaba2cf669639af77299da22ab668175edb
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42824
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>

Conscrypt will need these functions. Also fix a bug in
X509_get_extension_flags's error-handling. While I'm here, add
X509_CRL_get0_extensions for completeness. Nothing uses this yet, but
this could later be an alternative to avoid Conscrypt's mess with
templates.
Change-Id: I9393b75fcf53346535e6a4712355be081baa630d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/42744
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>