Upgrade to upstream 519c2986c73c23461b130ad19b93fd7d081353d5 (Chromium 92.0.4515.107) #68

Merged
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Feb 26, 2021

  1. RAND_set_rand_method returns int.

    This improves compatibility with cryptography.io. cryptography.io
    doesn't actually care what we return, since the code won't run, but
    feigning success seems better than failure. If some application does try
    to run this function and checks, returning an error will probably crash
    it.
    
    Change-Id: I7a8164753a2f1a7b31dbeb10c7030c5e5fea2bc9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46004
    Commit-Queue: David Benjamin <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Feb 26, 2021
    Commit: 0a86cbf

Commits on Mar 1, 2021

  1. Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag

    I got the values flipped around. Also cryptography.io wants
    EC_GROUP_get_asn1_flag to check a curve's encoding. We (mostly) only
    support named curves, so just return OPENSSL_EC_NAMED_CURVE.
    
    Change-Id: I544e76b7380ecd8dceb1df3db4dd4cf5cb322352
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46024
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 1, 2021
    Commit: e7bb89b
  2. Remove X509_REQ_to_X509.

    Update-Note: This removes a function that appears to be unused. It also
    hardcodes the use of MD5, so please do not use it.
    
    Change-Id: I67909c6360e4737fc22742592f88b907eb818e96
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45964
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 1, 2021
    Commit: e9315d5
  3. Remove some remnants of TLS 1.3 downgrade carveouts.

    Update-Note:
    https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these
    functions a no-op, but we kept them around because there were still some
    call sites floating around. That code has since been updated, so we can
    remove this.
    
    Change-Id: I25d411122d0e7a427eef5ebe8357401c0e5039d4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45984
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 1, 2021
    Commit: a1d1a67
  4. Move PKCS#12 samples to embed_test_data.

    pkcs12_test.cc was getting a bit long. Along the way, embed_test_data.go
    needed a fix to work around a syntax quirk of C++.
    
    Change-Id: Ic4a19f77d177ebd607918feb253a08f1f9037981
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46044
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 1, 2021
    Commit: 84c0c90
  5. Support creating unencrypted PKCS#12 files.

    PKCS#12 is overly general and, among other things, supports disabling
    encryption. In practice, the unencrypted form is not widely implemented.
    Moreover, even in contexts where cleartext is fine, an unencrypted
    PKCS#12 file still requires a password for the mandatory MAC component.
    They're not very useful.
    
    However, cryptography.io uses them. Previously, we added support for
    parsing these. This CL adds support for creating them too, because
    cryptography.io now also depends on that.
    
    Change-Id: Ib7c4e29615047b6c73f887fea7c80f8844999bb7
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46045
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 1, 2021
    Commit: abd6c05
  6. Make the X509_VAL structure opaque.

    We aim to eventually make the entire X509 structure opaque, but let's
    start small.
    
    Update-Note: I believe this is now safe to do. If there are compile
    failures, switch to X509_get0_notBefore, X509_getm_notBefore, and
    X509_set1_notBefore, or revert this if I'm wrong and too many callers
    still need updating.
    
    Change-Id: I6e9d91630a10ac777e13ebcdeb543b3cbeea6383
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45965
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 1, 2021
    Commit: d4fdb7b
  7. Remove TODO to reverse the output of PKCS12_parse.

    OpenSSL classified their behavior as a bug and are fixing it for the
    next release. In principle it'd be more compatible to emulate OpenSSL's
    bug and undo it when we update OPENSSL_VERSION_NUMBER, but use of
    PKCS12_parse is rare and this behavior is confusing, so let's leave it
    as-is.
    
    Bug: 250
    Change-Id: I5f9825490a8afde67272dfaf476b35dbde94b59c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46064
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Mar 1, 2021
    Commit: 24df734
  8. Stub out some more of PKCS7.

    This is to help with cryptography.io compatibility. We don't implement
    any of the flags (PKCS7_sign checks flags == PKCS7_DETACHED), but
    cryptography.io now depends on the constant and PKCS7_SIGNER_INFO type
    being available.
    
    (cryptography.io also wants some new functions, but I think it's easier
    to stub those out externally for now. If we need to actually enable
    those features, we can look at actually implementing more of
    PKCS7_sign.)
    
    Change-Id: Id8419e34a68c04d4894417c7d6b13c1952d0bb88
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46084
    Commit-Queue: David Benjamin <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 1, 2021
    Commit: dfe0b01

Commits on Mar 4, 2021

  1. Register POLICY_MAPPING with bssl::UniquePtr.

    This will also pull in POLICY_MAPPINGS by way of STACK_OF(T) handling.
    
    Change-Id: I8ddc9547647f8cae3800047eb58e1c83f6ae1085
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46104
    Commit-Queue: David Benjamin <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 4, 2021
    Commit: 215f4a0

Commits on Mar 5, 2021

  1. Register NAME_CONSTRAINTS with bssl::UniquePtr.

    Change-Id: I290abd9e48dd4c200f61dd1a7c9acb56a9e2a707
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46105
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 5, 2021
    Commit: 04b3213

Commits on Mar 12, 2021

  1. Add -rr-record flag to runner.go.

    This flag causes the runner to execute the shim with the RR debugger.
    See https://rr-project.org/.
    
    Unlike typical debuggers, the RR workflow is to first record a session
    and then replay it. The user cannot interact with the debugger while
    recording and they replay the session multiple times. For these reasons,
    I've opted not to launch xterm like -gdb and -lldb do.
    
    The other difference is that -rr-record restricts the runner to exactly
    one test. Otherwise, it's too easy to accumulate a bunch of unwanted
    recordings. Also, `rr replay` uses the most recent recording by default,
    so it's not very useful for runner to record multiple tests.
    
    Change-Id: I2d29d64df5c4c832e50833325db3500ec2698e76
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46144
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    dmcardle authored and CQ bot account: [email protected] committed Mar 12, 2021
    Commit: 6b48efa

Commits on Mar 15, 2021

  1. Align with OpenSSL on constness of static ASN1_OBJECTs.

    ASN1_OBJECTs are awkward. Sometimes they are static, when returned from
    OBJ_nid2obj, and sometimes they are dynamic, when parsed from
    crypto/asn1.
    
    Most structures in crypto/asn1 need to support unknown OIDs and thus
    must own their ASN1_OBJECTs. But they also may be initialized with
    static ones in various APIs, such as X509_ALGOR_set0. To make that work,
    ASN1_OBJECT_free detects static ASN1_OBJECTs and is a no-op.
    
    Functions like X509_ALGOR_set0 take ownership, so OpenSSL has them take
    a non-const ASN1_OBJECT*. To match, OBJ_nid2obj then returns a non-const
    ASN1_OBJECT*, to signal that it is freeable.
    
    However, this means OBJ_nid2obj's mutability doesn't match its return
    type. In the fork, we switched OBJ_nid2obj to return const. But, in
    doing so, we had to make X509_ALGOR_set0 and X509_PUBKEY_set0_param take
    const ASN1_OBJECT, even though they would actually take ownership of
    dynamic ASN1_OBJECTs. There are also a few internal casts with a TODO to
    be const-correct.
    
    Neither situation is ideal. (Perhaps a more sound model would be to copy
    static ASN1_OBJECTs before putting them in most structs. But that would
    not match current usage.) But I think aligning with OpenSSL is the
    lesser evil here, since it avoids misleading set0 functions. Managing
    ownership of ASN1_OBJECTs is much more common than mutating them. To
    that end, I've added a note that ASN1_OBJECTs you didn't create must be
    assumed immutable[*].
    
    Update-Note: The change to OBJ_nid2obj should be compatible. The changes
    to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some
    pointer types.
    
    [*] This is *almost* honored by all of our functions. The exception is
    c2i_ASN1_OBJECT, which instead checks the DYNAMIC flag as part of the
    object reuse business. This would come up if we ever embedded
    ASN1_OBJECTs directly in structs.
    
    Change-Id: I1e6c700645c12b43323dd3887adb74e795c285b9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46164
    Commit-Queue: David Benjamin <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 15, 2021
    Commit: acf6149
  2. fips: add counters.

    In order to provide evidence to auditors that high-level functions end
    up calling into the FIPS module, provide counters that allow for such
    monitoring.
    
    Change-Id: I55d45299f3050bf58077715ffa280210db156116
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46124
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Mar 15, 2021
    Commit: f7b87c8
  3. Document ASN1_TYPE and related functions.

    The representation here is a bit more messy than necessary. In doing so,
    clean up the variable names and smooth away two rough edges:
    
    - X509_ALGOR_get0 would leave *out_param_value uninitialized if
      *out_param_type is V_ASN1_UNDEF. Instead, set it to NULL, so callers
      do not accidentally use an uninitialized pointer.
    
    - X509_PUBKEY_set0_param, if key is NULL, would leave the key alone. No
      one calls this function externally and none of the (since removed)
      callers in OpenSSL rely on this behavior. A NULL check here adds a
      discontinuity at the empty string that seems unnecessary here:
      changing the algorithm without changing the key isn't useful.
      (Note the API doesn't support changing the key without the algorithm.)
    
    Note for reviewing: the representation of ASN1_TYPE is specified
    somewhat indirectly. ASN1_TYPE uses the ASN1_ANY ASN1_ITEM, which has
    utype V_ASN1_ANY. Then you look at asn1_d2i_ex_primitive and asn1_ex_c2i
    which peel off the ASN1_TYPE layer and parse directly into the value
    field, with a fixup for NULL. Hopefully we can rework this someday...
    
    Change-Id: I628c4e20f8ea2fd036132242337f4dcac5ba5015
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46165
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 15, 2021
    Commit: 3d15a94

Commits on Mar 16, 2021

  1. Initialize nonce in PerAEADTest.ABI.

    Flagged by valgrind.
    
    Change-Id: Ib49297bd483650880207a1efe5e9dff666e458d5
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46204
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 16, 2021
    Commit: 87aafb6
  2. runner: Remove redundant -enable-all-curves shim flag.

    We already know all the supported curves in runner.go. No sense in
    repeating this list in more places than needed. (I'm about to need a
    similar construct for -signing-prefs, so I figure it's worth being
    consistent.)
    
    This CL also adds a ShimConfig option because others don't support the
    same curves we do and will likely run into this quickly.
    
    Change-Id: Id79cea16891802af021b53a33ffd811a5d51c4ae
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46186
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 16, 2021
    Commit: 1eae297
  3. Better document nullable X.509 getters.

    When it is and isn't safe to assume an X509 field is non-NULL seems to
    cause some confusion. (I often get requests to add NULL checks when
    rewriting calling code.)
    
    X.509 has surprisingly few optional fields, and we generally say
    pointers are non-NULL unless documented. But that only works if we
    remember to mention the nullable ones.
    
    Change-Id: I18b57a17c9d57c377ea2227347e423f574389818
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46185
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 16, 2021
    Commit: 2c1c9fa
  4. Implement rsa_pkcs1_sha256_legacy.

    See draft-davidben-tls13-pkcs1-00. The code point is disabled by default
    and must be configured in SSL_set_verify_algorithm_prefs and
    SSL_set_signing_algorithm_prefs. It is also only defined for TLS 1.3
    client certificates and otherwise ignored.
    
    This required reworking the tests a bit since this is the first
    signature algorithm that's disabled by default, and the first algorithm
    that behaves differently between client and server.
    
    Change-Id: Iac4aa96a4963cbc33688c252e958a572c5c3b511
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46187
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 16, 2021
    Commit: a3437c0

Commits on Mar 17, 2021

  1. Move fips.c into a subdirectory.

    The build scripts distinguish between normal files and bcm.c fragments
    based on whether code is in a subdirectory inside crypto/fipsmodule.
    
    Bug: 401
    Change-Id: Ieba88178e4f8e19f020e56e2567d5736a34bb43f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46224
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 17, 2021
    Commit: fb855a2
  2. Add RNG support for FreeBSD.

    Get entropy from /dev/urandom on FreeBSD < 12, or getrandom() on FreeBSD
    12, per
    https://www.freebsd.org/cgi/man.cgi?query=getrandom&sektion=2&format=html
    
    Tested manually with `ninja run_tests` on both FreeBSD 11 and 12.
    
    Change-Id: I72ef54d1a83104d1fbe172fd86f6cd32dacc9819
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46188
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    bdhess authored and CQ bot account: [email protected] committed Mar 17, 2021
    Commit: c953ee4

Commits on Mar 18, 2021

  1. Only pass -handshaker-path in split handshakes tests.

    This is a little inconvenient for external users of the test suite. It's
    also not very helpful to pass -handshaker-path in build configurations
    without a handshaker because there won't be a file there anyway.
    
    Change-Id: I6a8fdcfbbf86288876c4c6fda2a46d32663efb69
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46244
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 18, 2021
    Commit: b214741
  2. Add a Windows no-op impl of BORINGSSL_self_test

    Change-Id: Id5b5b639023d30a8ebd763d02e1787fbf9d79288
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46245
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    bdhess authored and CQ bot account: [email protected] committed Mar 18, 2021
    Commit: b09f283

Commits on Mar 19, 2021

  1. Generalize make_errors.go to allow EVP covering multiple directories.

    In doing so, this switches make_errors.go to take library names as
    parameters rather than detecting it from the CWD. (I considered
    detecting it, but then we'd need to map evp -> crypto/whatever and
    crypto/whatever -> evp in both directions.)
    
    Since crypto/hpke currently sits in the EVP namespace, I've gone ahead
    and added that, so it should be easier to define new errors in
    crypto/hpke. I've not added crypto/cipher, etc., yet. Moving those will
    be a breaking change (consumers that put ERR_LIB_CIPHER and ERR_LIB_EVP
    in a switch/case need patches).
    
    Bug: 398
    Change-Id: Ibae2afd46e076891fa517c377b540b2e492516f0
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46264
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 19, 2021
    Commit: c9d3265
  2. Refactor HPKE API to include explicit length parameters.

    Bug: 275
    Change-Id: I724e9315b860e230e8fed92de34d89a875ef043c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46184
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    dmcardle authored and CQ bot account: [email protected] committed Mar 19, 2021
    Commit: d9ee55a

Commits on Mar 22, 2021

  1. Fix unnecessarily direction-specific tests in cipher_tests.txt

    All our EVP_CIPHERs are deterministic, so there's usually no point in
    testing only one direction. Some of the ECB tests were missing free
    decryption tests. CTR is the same in both directions, but we ought to
    test the API agrees. OFB vectors are doubled up, so we can merge them
    together. Plus there are typos in the OFB-AES192.Decrypt tests, also
    present upstream, so we weren't actually testing everything we should.
    
    (I haven't removed the direction-specific logic altogether since the
    tests imported from nist_cavp rely on it. Though there may be something
    to be said for running them both ways since they don't actually double
    them up...)
    
    Change-Id: I36a77d342afa436e89ad244a87567e1a4c6ee9dc
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46284
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 22, 2021
    Commit: 8c31179
  2. Revert "Implement rsa_pkcs1_sha256_legacy."

    This reverts commit a3437c0. There was
    a miscommunication and it does not seem like we currently need this. If
    that changes later, it's in Git and we can bring it back easily.
    
    Change-Id: Ibbce29df2258a2d893d725ab3ee6fd78c5b6cb00
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46286
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 22, 2021
    Commit: e5fe31c
  3. Test empty EVP_CIPHER inputs and fix exact memcpy overlap.

    See also 8129ac6ac4c0ca3a488c225cde580ede7dabe874 and
    81198bf323ea9deda907714170d329ca7d2ff01f from upstream.
    
    In trying to figure out why ASan (which normally catches overlapping
    memcpys) didn't flag this, I noticed that we actually don't have tests
    for empty inputs. I've added them to cipher_tests.txt where missing and
    fixed a bad assert in ofb.c.
    
    ASan still doesn't flag this because LLVM even requires that memcpy
    handle dst == src. Still, fixing it is less effort than getting a clear
    answer from GCC and MSVC. Though this puts us in the frustrating position of
    trying to follow a C rule that our main toolchain and sanitizer disavow.
    https://bugs.llvm.org/show_bug.cgi?id=11763
    https://reviews.llvm.org/D86993
    
    Change-Id: I53c64a84834ddf5cddca0b3d53a29998f666ea2f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46285
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 22, 2021
    Commit: 502fcee
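The exact-overlap rule the commit message refers to, shown in an added example that is not BoringSSL code: a small in-place-capable OFB-style update whose copy step skips memcpy when out == in, refuses a partial overlap instead of silently corrupting data, and returns early on an empty input so that memcpy is never called with a zero length and null pointers. toy_ofb_update, copy_if_distinct, the xorshift keystream and the sample message are all this example's own constructions; the keystream is a placeholder, not a cipher.

```c
/* Added example, not BoringSSL code. The keystream below is a placeholder
   xorshift generator, NOT a cipher; it only exists so the transform
   round-trips and the overlap handling can be exercised. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
  uint32_t state;  /* placeholder keystream state, not cryptographic */
} toy_ofb_ctx;

void toy_ofb_init(toy_ofb_ctx *ctx, uint32_t iv) {
  ctx->state = iv ? iv : 0x9e3779b9u;  /* xorshift must not start at zero */
}

static uint8_t toy_next_byte(toy_ofb_ctx *ctx) {
  uint32_t x = ctx->state;
  x ^= x << 13;
  x ^= x >> 17;
  x ^= x << 5;
  ctx->state = x;
  return (uint8_t)x;
}

/* Copies in to out only when the buffers are distinct. memcpy with
   dst == src is undefined behaviour in C even though common toolchains
   tolerate it and ASan does not report it, so the guard is the only
   protection. A partial overlap is a caller bug and is rejected (returns 0)
   rather than letting memcpy scramble the data. len == 0 returns before
   memcpy so null pointers are never passed to it. */
static int copy_if_distinct(uint8_t *out, const uint8_t *in, size_t len) {
  if (len == 0 || out == in) return 1;
  uintptr_t o = (uintptr_t)out, i = (uintptr_t)in;  /* practical overlap test */
  if (o < i + len && i < o + len) return 0;
  memcpy(out, in, len);
  return 1;
}

/* Encrypts or decrypts (OFB is symmetric) len bytes from in to out. in and
   out may be the same buffer. Returns 1 on success, 0 on a partial overlap. */
int toy_ofb_update(toy_ofb_ctx *ctx, uint8_t *out, const uint8_t *in,
                   size_t len) {
  if (!copy_if_distinct(out, in, len)) return 0;
  for (size_t k = 0; k < len; k++) out[k] ^= toy_next_byte(ctx);
  return 1;
}

/* Covers in-place, out-of-place, empty and partially overlapping calls on a
   constructed sample message. Returns 1 on success, 0 on any mismatch. */
int toy_ofb_selftest(void) {
  static const uint8_t msg[] = "attack at dawn";  /* constructed sample */
  uint8_t buf[sizeof(msg)], ref[sizeof(msg)];
  toy_ofb_ctx c;
  memcpy(buf, msg, sizeof(msg));
  toy_ofb_init(&c, 42);
  if (!toy_ofb_update(&c, buf, buf, sizeof(msg))) return 0;  /* in place */
  toy_ofb_init(&c, 42);
  if (!toy_ofb_update(&c, ref, msg, sizeof(msg))) return 0;  /* out of place */
  if (memcmp(buf, ref, sizeof(msg)) != 0) return 0;  /* both paths agree */
  if (memcmp(buf, msg, sizeof(msg)) == 0) return 0;  /* data actually changed */
  toy_ofb_init(&c, 42);
  if (!toy_ofb_update(&c, buf, buf, sizeof(msg))) return 0;  /* decrypt in place */
  if (memcmp(buf, msg, sizeof(msg)) != 0) return 0;
  if (!toy_ofb_update(&c, NULL, NULL, 0)) return 0;  /* empty input is a no-op */
  if (toy_ofb_update(&c, buf + 1, buf, 4)) return 0;  /* partial overlap rejected */
  return 1;
}
```

The guard is worth keeping even on toolchains that promise memcpy tolerates dst == src: the sanitizer that would otherwise catch the mistake is, as the commit message notes, the same toolchain that disavows the rule, so nothing else will flag it.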
  4. Add X509_PUBKEY_get0_public_key.

    This API does not come from OpenSSL, but OpenSSL does not appear to have
    any way to get this information. There is X509_get0_pubkey_bitstr, but
    that only works for X509 objects, not X509_PUBKEY.
    
    Change-Id: Ifc8be554a4d8cbf830c32b95b953f092980804df
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46304
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 22, 2021
    Commit: 477b309
  5. Do not access value.ptr with V_ASN1_BOOLEAN.

    This fixes a bug in ASN1_TYPE_get. Partly imported from upstream's
    261ec72d58af64327214a78ca1c54b169ad93c28, though I don't believe
    ASN1_TYPE_set was broken per se. There's also a lot more than in that
    commit.
    
    I've added a test to ensure we maintain the unused bits invariant
    anyway, in case external code relies on it. (The invariant comes from
    the pointer being NULL-initialized and from ASN1_primitive_free zeroing
    *pval on free.)
    
    Change-Id: I4c0c57519a7628041d81c26cd850317e01409556
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46324
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 22, 2021
    Commit: ac85c03
  6. Document a few more functions in x509.h.

    One thing of note is the name setters are copying, not
    ownership-transferring. They're non-const because currently even
    serializing or duplicating a X509_NAME potentially mutates it (ugh).
    
    Change-Id: I5265ea54c776cd9f6bed86870d0505fa3e16c794
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46325
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 22, 2021
    Commit: a99d3a8
  7. Remove X509_REQ_set_extension_nids and document related functions.

    PKCS#10 CSRs don't contain extensions but attributes, which are kind of
    like extensions, but defined separately. There is an attribute type from
    PKCS#9 to embed a list of X.509 extensions inside an attribute, as well
    as a Microsoft variant.
    
    X509_REQ_set_extension_nids allowed callers to globally reconfigure the
    set of attributes recognized as aliases of this extensions attribute. This
    is not used by anyone and not thread-safe. Remove it and only support
    the two default attribute types.
    
    From there, document the remaining functions.
    
    Update-Note: This removes a pair of unused functions.
    Change-Id: Ic1fc41163996c0c980ba8320b417e444d484aa39
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46326
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 22, 2021
    Commit: 9be3252

Commits on Mar 23, 2021

  1. Make generate_build_files.py python3 compatible.

    To make the script run with python3, let me replace the python2-specific
    dict functions with python3-compatible ones.
    
    Change-Id: I85b446234f9a86a02f60eed311e1c747a3ff399b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46364
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    yoshisatoyanagisawa authored and CQ bot account: [email protected] committed Mar 23, 2021
    Commit: 5650816
  2. Automatically enable C11 atomics when available.

    It's now 2021. Hopefully we can at least assume anyone building with
    -std=c11 also has a corresponding set of headers. Plus, even if you
    don't, Clang seems to provide a header. (So C11 atomics work in
    clang-cl.) Also apparently atomics are optional, so this checks
    __STDC_NO_ATOMICS__.
    
    This does *not* set C11 as the minimum version. If you build with
    -std=c99, we'll silently use the non-atomics implementation. That's a
    little magical, so I've kept OPENSSL_C11_ATOMIC as a way to assert that
    you really want C11 atomics. Mostly it turns into a -std=c11 && !MSVC
    self-assert.
    
    Update-Note: If something fails to compile, we'll revert this and adjust
    the check, or add an opt-out, or give up. Also, if building with
    -std=c99, consider -std=c11.
    
    Change-Id: I1a8074c367a765c5a0f087db8c250e050df2dde8
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46344
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 23, 2021
    Commit: edfe413
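The detection logic the commit message describes, as an added example that is not BoringSSL code: a reference count that uses C11 atomics when __STDC_VERSION__ is at least 201112L and __STDC_NO_ATOMICS__ is not defined, and otherwise silently falls back to a pthread mutex. refcount_t, its functions and the REFCOUNT_FORCE_C11 opt-in (this example's stand-in for the OPENSSL_C11_ATOMIC self-assert) are this example's own names and assumptions, not BoringSSL's.

```c
/* Added example, not BoringSSL code. Selects C11 atomics with the same
   preprocessor checks the commit describes and falls back to a mutex
   otherwise. REFCOUNT_FORCE_C11 is this example's stand-in for
   OPENSSL_C11_ATOMIC: define it to turn the silent fallback into an error. */
#include <stdint.h>
#include <stdlib.h>

#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L && \
    !defined(__STDC_NO_ATOMICS__)
#define REFCOUNT_HAVE_C11 1
#include <stdatomic.h>
#elif defined(REFCOUNT_FORCE_C11)
#error "C11 atomics requested but the toolchain does not provide them"
#else
#define REFCOUNT_HAVE_C11 0
#include <pthread.h>
#endif

typedef struct {
#if REFCOUNT_HAVE_C11
  _Atomic uint32_t refs;
#else
  uint32_t refs;
  pthread_mutex_t lock;  /* serialises refs in the non-atomic build */
#endif
} refcount_t;

void refcount_init(refcount_t *r) {
#if REFCOUNT_HAVE_C11
  atomic_init(&r->refs, 1);
#else
  r->refs = 1;
  pthread_mutex_init(&r->lock, NULL);
#endif
}

/* Reports the backend chosen at compile time: 1 for C11 atomics, 0 for the
   mutex fallback. Useful to assert on in a build that must not regress. */
int refcount_uses_c11_atomics(void) { return REFCOUNT_HAVE_C11; }

/* Takes a reference. Aborts rather than wrapping: a count that wraps to zero
   frees an object that is still in use, a use-after-free. */
void refcount_inc(refcount_t *r) {
#if REFCOUNT_HAVE_C11
  uint32_t old = atomic_fetch_add_explicit(&r->refs, 1, memory_order_relaxed);
  if (old == UINT32_MAX) abort();
#else
  pthread_mutex_lock(&r->lock);
  if (r->refs == UINT32_MAX) abort();
  r->refs++;
  pthread_mutex_unlock(&r->lock);
#endif
}

/* Drops a reference. Returns 1 when the caller held the last one and must
   free the object, 0 otherwise. acq_rel makes other holders' earlier writes
   visible before the free that follows a return of 1. Aborts on underflow. */
int refcount_dec_and_test(refcount_t *r) {
#if REFCOUNT_HAVE_C11
  uint32_t old = atomic_fetch_sub_explicit(&r->refs, 1, memory_order_acq_rel);
  if (old == 0) abort();
  return old == 1;
#else
  pthread_mutex_lock(&r->lock);
  if (r->refs == 0) abort();
  uint32_t now = --r->refs;
  pthread_mutex_unlock(&r->lock);
  return now == 0;
#endif
}

uint32_t refcount_value(refcount_t *r) {
#if REFCOUNT_HAVE_C11
  return atomic_load_explicit(&r->refs, memory_order_relaxed);
#else
  return r->refs;  /* unlocked read, for diagnostics only */
#endif
}

/* Single-threaded exercise: init gives 1, two takes make 3, and only the
   third drop reports that the object may be freed. Returns 1 on success. */
int refcount_selftest(void) {
  refcount_t r;
  refcount_init(&r);
  refcount_inc(&r);
  refcount_inc(&r);
  if (refcount_value(&r) != 3) return 0;
  if (refcount_dec_and_test(&r) != 0) return 0;
  if (refcount_dec_and_test(&r) != 0) return 0;
  if (refcount_dec_and_test(&r) != 1) return 0;
  return 1;
}
```

Building with -std=c99 takes the mutex branch without any diagnostic, which is the "little magical" behaviour the commit message describes; defining REFCOUNT_FORCE_C11 on the command line turns that into a compile error, the same role OPENSSL_C11_ATOMIC keeps.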
  3. Bump minimum CMake version.

    CMake 3.5.0 was released March 8, 2016. Per our five year rule, we
    can require that now:
    https://cmake.org/pipermail/cmake/2016-March/062947.html
    
    Change-Id: I916fdb66e0356e3a8ffbe1e5fa89f51d99a78546
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46345
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 23, 2021
    Commit: d0b66c7
  4. Remove GCC 4.8.99 check.

    GCC 4.9.0 was released April 2014, which was well over five years ago.
    
    Change-Id: Ib26d459ed82a7af671b8524a334a6f99eacb003e
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46346
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 23, 2021
    49f0329

Commits on Mar 29, 2021

  1. Fix mismatch between header and implementation of bn_sqr_comba8.

    Bug: 402
    Change-Id: I6de879f44f6e3eca26f2f49c500769d944fa9bc0
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46404
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 29, 2021
    139adff
  2. Use an unsized helper for truncated SHA-512 variants.

    Although it is strictly fine to call SHA512_Final in SHA384_Final
    (array sizes in C parameters are purely decorational, according to the
    language), GCC 11 reportedly checks now and gets upset about the size
    mismatch. Use an unsized helper function so all our code matches the
    specified bounds.
    
    Unfortunately, the bounds in all the functions are a bit misleading
    because SHA512_Final really outputs based on sha->md_len (which Init
    function you called) rather than which Final function. I've fixed the
    places within the library where we mismatched and added asserts to the
    smaller functions. SHA512_Final is assert-less because I've seen lots of
    code use SHA384_Init / SHA512_Update / SHA512_Final.
    
    This doesn't fix the SHA256 variant since that is generated by a pile of
    macros in a multiply-included file. This is probably a good opportunity
    to make that code less macro-heavy.
    
    Update-Note: There is a small chance the asserts will trip something,
    but hopefully not since I've left SHA512_Final alone.
    
    Bug: 402
    Change-Id: I4c9d579a63ee0a0dea103c19ef219c13bb9aa62c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46405
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 29, 2021
    a24ab54
  3. Add some warnings on how to use OPENSSL_memory_* functions.

    Being called on every malloc or free has some non-trivial implications.
    
    Change-Id: I9f18f307a8b43e30dea2e2f3a47d7da0b188e980
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46406
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 29, 2021
    20f7bba
  4. Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.

    It's now a year past the February 2020 deadline for removing it. Judging
    from b/72831885, it looks like the root cause was addressed.
    
    Change-Id: I8c8b358ef4f4146b41aab2a7163c000fa7306025
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46407
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 29, 2021
    04c44d9
  5. Remove is_resume field on TestState.

    This wasn't being used and wasn't even set correctly in split handshake
    tests.
    
    Change-Id: I03000db8dd3c227ea44e7bacaf3d1341259fae44
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46384
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Mar 29, 2021
    da890de
  6. Zero out FIPS counters.

    MSAN doesn't like the counters starting at whatever value malloc
    found to be free.
    
    Change-Id: I0968e61e0025db35b82291fde5d1e193aef77c1e
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46444
    Commit-Queue: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    agl authored and CQ bot account: [email protected] committed Mar 29, 2021
    4aef687

Commits on Mar 30, 2021

  1. Enforce that pre_shared_key must come with psk_key_exchange_modes.

    Omitting the extension means we'll never issue tickets, but if the
    client were to offer a ticket anyway, RFC8446 4.2.9 says we MUST reject
    the ClientHello. It's not clear on what alert to use, but
    missing_extension is probably appropriate.
    
    Thanks to Ben Kaduk for pointing this out.
    
    Change-Id: Ie5c720eac9dd2e1a27ba8a13c59b707c109eaa4e
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46464
    Commit-Queue: David Benjamin <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Mar 30, 2021
    3af6226
  2. FIPS counters for AES-CTR.

    Change-Id: I0ea4c600741c3604d7b3b6df614b40d8c57116e4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46504
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Mar 30, 2021
    0da75f3
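The server-side check from the pre_shared_key commit above, as an added Go example that is not BoringSSL's or the runner's own code: it parses a ClientHello extensions block and rejects a pre_shared_key offer that lacks psk_key_exchange_modes with missing_extension, the alert the commit settled on. It goes one step beyond the commit by also enforcing the RFC 8446 4.2.11 rule that pre_shared_key is the last extension. The `extension` and `Alert` types, the function names and the placeholder extension bodies are this example's own constructions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ExtensionType values (RFC 8446 4.2) and AlertDescription values (RFC 8446 6).
const (
	extPreSharedKey        uint16 = 41
	extPSKKeyExchangeModes uint16 = 45
	alertIllegalParameter  uint8  = 47
	alertDecodeError       uint8  = 50
	alertMissingExtension  uint8  = 109
)

// Alert is the TLS alert a server would send back, with the reason for it.
type Alert struct{ Description uint8; Reason string }

// extension is one decoded ClientHello extension: its type and raw body.
type extension struct{ Type uint16; Body []byte }

// parseExtensions decodes an extensions block (2-byte total length, then
// 2-byte type, 2-byte length and body per entry), preserving order.
func parseExtensions(b []byte) ([]extension, error) {
	if len(b) < 2 || int(binary.BigEndian.Uint16(b)) != len(b)-2 {
		return nil, errors.New("bad extensions block length")
	}
	var exts []extension
	for b = b[2:]; len(b) > 0; {
		if len(b) < 4 || 4+int(binary.BigEndian.Uint16(b[2:])) > len(b) {
			return nil, errors.New("truncated extension")
		}
		n := int(binary.BigEndian.Uint16(b[2:]))
		exts = append(exts, extension{binary.BigEndian.Uint16(b), b[4 : 4+n]})
		b = b[4+n:]
	}
	return exts, nil
}

// checkPSKExtensions applies the server-side PSK rules: RFC 8446 4.2.9
// (pre_shared_key without psk_key_exchange_modes is rejected; the RFC names
// no alert, so missing_extension is used as in the commit above) and
// RFC 8446 4.2.11 (pre_shared_key must be last, else illegal_parameter).
func checkPSKExtensions(exts []extension) *Alert {
	pskIndex, hasModes := -1, false
	for i, e := range exts {
		switch e.Type {
		case extPreSharedKey:
			pskIndex = i
		case extPSKKeyExchangeModes:
			hasModes = true
		}
	}
	switch {
	case pskIndex < 0:
		return nil // no PSK offered: nothing to enforce here
	case !hasModes:
		return &Alert{alertMissingExtension, "pre_shared_key without psk_key_exchange_modes"}
	case pskIndex != len(exts)-1:
		return &Alert{alertIllegalParameter, "pre_shared_key is not the last extension"}
	}
	return nil
}

// validateClientHelloExtensions returns the AlertDescription a server should
// send for a raw extensions block, or 0 when the ClientHello passes.
func validateClientHelloExtensions(raw []byte) uint8 {
	exts, err := parseExtensions(raw)
	if err != nil {
		return alertDecodeError
	}
	if a := checkPSKExtensions(exts); a != nil {
		return a.Description
	}
	return 0
}

// buildExtensions encodes an extensions block; used only to construct sample input.
func buildExtensions(exts []extension) []byte {
	out := []byte{0, 0}
	for _, e := range exts {
		out = append(out, byte(e.Type>>8), byte(e.Type), byte(len(e.Body)>>8), byte(len(e.Body)))
		out = append(out, e.Body...)
	}
	binary.BigEndian.PutUint16(out, uint16(len(out)-2))
	return out
}

func main() {
	// Constructed samples; bodies are placeholders, only type presence and order matter.
	sni := extension{0, []byte("placeholder-sni")}
	modes := extension{extPSKKeyExchangeModes, []byte{0x01, 0x01}} // psk_dhe_ke
	psk := extension{extPreSharedKey, []byte("placeholder-psk")}
	fmt.Println(validateClientHelloExtensions(buildExtensions([]extension{sni, modes, psk}))) // 0
	fmt.Println(validateClientHelloExtensions(buildExtensions([]extension{sni, psk})))        // 109
	fmt.Println(validateClientHelloExtensions(buildExtensions([]extension{modes, psk, sni}))) // 47
}
```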

Commits on Mar 31, 2021

  1. modulewrapper: add option to print build information.

    When doing Android FIPS validations one ends up with quite a lot of
    different build configurations for ACVP and it's useful to be able to
    check that a binary is what you think it is.
    
    Change-Id: Ie5c81f164e6e6903c85ea832a93868f84921e74a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46484
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Mar 31, 2021
    1a93f4f

Commits on Apr 1, 2021

  1. Tidy up handshaker tester.

    Do a better job with scopers for fds and posix_spawn_file_actions_t.
    There's also no need to make a copy of handshaker_path with strdup.
    The non-const parameters are because posix_spawn inherits execve's
    C problem: unlike C++, C cannot cast from char *const * to
    const char *const *, so POSIX APIs are not const-correct.
    
    Finally, we freely use std::vector and friends in tests, so we don't
    actually need to depend on bssl::Array.
    
    Change-Id: I739dcb6b1a2d415d47ff9b2399eebec987aab0bc
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46524
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 1, 2021
    b9b0363
  2. Define HANDSHAKER_SUPPORTED in one place.

    Change-Id: Ie5e41c55e36958af5aabd9e365eb2986a488069e
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46525
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 1, 2021
    953650c
  3. Remove tls13-split-handshakes flag.

    This is no longer needed.
    
    Change-Id: Ie6dba524ecccd265f7f80a910b40c0fe1800356b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46526
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 1, 2021
    60a78dc
  4. Remove some now unnecessary test exclusions from split handshakes.

    TLS 1.3 works, so no need to exclude version negotiation. We also now
    only test QUICTransportParams with QUIC, so there is no need to exclude
    it manually. Checking the protocol works as well.
    
    Change-Id: Ie9d33095231a1f9eb74145db5147a287e4fdc930
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46527
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 1, 2021
    b62a48f
  5. Fix ssl/internal.h sectioning.

    The delegated credentials bits got stuck in the middle of the handshake
    bits.
    
    Change-Id: I522d8a5a5f000de3e329934851ee74fc4ec613a7
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46528
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 1, 2021
    08b1729
  6. Rearrange SSLKeyShare::Serialize.

    It's strange to have Serialize/Deserialize methods not inverses of each
    other. Split the operation up and move the common parts out of the
    subclass.
    
    Change-Id: Iadfa57de19faca411c64b64d2568a78d2eb982e8
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46529
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 1, 2021
    0a6c3fc

Commits on Apr 2, 2021

  1. Fix some unreachable code in the QUIC handshaker driver.

    The check for ssl_hs_read_change_cipher_spec didn't do anything. Replace
    it with an assert and add some comments since the hs->wait handling is a
    little tricky.
    
    Change-Id: I8e62ce3cceca9bed4611cb9d3faf0bfec3d3bdd4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46530
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 2, 2021
    9bcf307
  2. Add a few missing SSL_R_BIO_NOT_SET cases.

    The ssl_buffer.cc code handles this, but since outgoing handshake I/O
    goes through a different path, it was missing these checks.
    
    Change-Id: I4fed62b435b577645c405d0d995511a58d47a702
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46531
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 2, 2021
    084064b
  3. Handle EINTR more in handshaker.cc.

    Some of our calls handled it and others didn't.
    
    Change-Id: I09f15d3db679954599bcf987d86357b6e12e9b9b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46532
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 2, 2021
    6b9c012
  4. Make words in crypto/fipsmodule/modes actually words.

    It's a little confusing to have load_word_le but actually use size_t
    instead of crypto_word_t.
    
    NOTE: on some platforms, notably NaCl, crypto_word_t is larger than
    size_t. (Do we still need to support this?) We don't have a good testing
    story here, so I tested it by hacking up a 32-bit x86 build to think it
    was OPENSSL_64_BIT.
    
    Change-Id: Ia0ce469e86803f22655fe2d9659a6a5db766429f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46424
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 2, 2021
    8d4c8fc
  5. Move load/store helpers to crypto/internal.h.

    We have loads of variations of these. Align them in one set. This avoids
    the HOST_* macros defined by md32_common.h, so it'll be a little easier
    to make it a more conventional header.
    
    Change-Id: Id47fe7b51a8f961bd87839f8146d8a5aa8027aa6
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46425
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 2, 2021
    ca45987
  6. Fold ripemd/internal.h into ripemd.c.

    It's only used from that file and, given the names defined by it,
    probably isn't usable by other files anyway.
    
    Change-Id: Ice205408962ade00c1dcb51406da3ef2fd7f0393
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46426
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 2, 2021
    15e0f67
  7. Fix MockQuicTransport::Flush error handling.

    BIO_flush may return a negative value, so we shouldn't cast it directly
    to bool.
    
    Change-Id: Ibdf688d1a6b4b316069e3b99a8a8b18974ee17ed
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46534
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 2, 2021
    8501579
  8. Don't reset server callback expectations on new handshake.

    We don't support renegotiation on the server anymore. Even if we did, we
    wouldn't want to rerun ALPN anyway, and we don't do resumption on
    renegotiation.
    
    Change-Id: I43438d084bfe5fbe9b011ae0f53349df1baf6c97
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46533
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 2, 2021
    dfde04f

Commits on Apr 6, 2021

  1. Fix the spelling of HPKE AEAD constants.

    AES_128_GCM is more common than AES_GCM_128 and matches the
    specification.
    
    Bug: 275
    Change-Id: If3446a38f7bfbe0250d9646e363db29b93e4d231
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46666
    Reviewed-by: David Benjamin <[email protected]>
    Reviewed-by: Dan McArdle <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    fd73985
  2. runner: Move writeHash to the finishedHash struct.

    This avoids duplicating some code in client and server. It should also
    clean up some ECH test code, which needs to juggle a pair of transcripts
    for a brief window.
    
    Change-Id: I4db11119e34b56453f01b5890060b8d4129a25b9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46564
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 6, 2021
    26a589e
  3. runner: Store a cipherSuite in ClientSessionState.

    This avoids looking up and passing around the cipherSuite object
    everywhere. We don't serialize ClientSessionState and, if we did, we can
    simply do the lookup at parsing time.
    
    Change-Id: Ice06e4da6b23ff32988597100e8aaa11b82f23ad
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46565
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 6, 2021
    0508271
  4. runner: Remove remnants of the separate HelloRetryRequest message.

    In early TLS 1.3 drafts, HelloRetryRequest was a dedicated message type.
    Our HelloRetryRequest handling in runner is still based on this. Along
    the way, remove the SendServerHelloAsHelloRetryRequest test, since
    that's just a generic unexpected message type now.
    
    Change-Id: Idd9c54d0ab66d962657af9a53849c3928f78ce5c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46585
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 6, 2021
    f225516
  5. runner: Remove CheckTLS13DowngradeRandom.

    This is a remnant of when we had various pre-standard TLS 1.3 variants.
    runner's logic is now built-in.
    
    Change-Id: I72a2fcef9a94e82fa39fe4be9d60ddd329d212ce
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46604
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 6, 2021
    7a15a70
  6. runner: Fix writeClientHash and writeRecord ordering.

    Per the comment in writeClientHash, we should writeClientHash before
    writeRecord to get the sequence numbers right. Some of the client HRR
    bits are still wrong, but I'll fix those as part of tidying up the HRR
    path in a later commit.
    
    (This doesn't actually matter because only DTLS uses sequence numbers,
    and we don't support DTLS 1.3.)
    
    Change-Id: I4cbc671f524d56c7f970b5ec0bceeb2641625d15
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46624
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    5f757bc
  7. runner: Remove remnants of SSL 3.0.

    We only need to implement enough of SSL 3.0 to test that the shim does
    not.
    
    Change-Id: I25cb48e407f1bc458bbdb3544b9df9fdfbc3d9c9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46625
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    99f6d4b
  8. runner: Don't maintain two copies of the same transcript hash.

    The 'client' and 'server' halves are remnants of SSL 3.0 and Go
    (originally) lacking a way to clone hash.Hash. The Go limitation meant
    that computing SSL 3.0's proto-HMAC construction mutated the running
    hash on Finished, so crypto/tls just maintained two of them.
    
    Without SSL 3.0, this is no longer needed. That, however, leaves us with
    having both a crypto.Hash and a hash.Hash, and both can't be named
    'hash'. I stepped around this by storing the cipher suite itself and
    using cipherSuite.hash().
    
    Change-Id: Ia38880ae446949baa2181d33136c748cf5374664
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46626
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    4b854a6
  9. runner: Don't use the buffer in TLS 1.3.

    All the comments say the buffer is only needed in TLS 1.2, but this
    doesn't match the code. The code uses the buffer in one place, for ECH,
    to avoid copying a hash.Hash. Go does support this, albeit in a *very*
    roundabout way.
    
    This is ugly but means we can now properly drop the handshake buffer in
    TLS 1.3.
    
    Change-Id: I4a1559a64fcb98ccfbab54de99402fe6f62725a1
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46627
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    4151b9f
  10. runner: UpdateForHelloRetryRequest cannot fail.

    Also avoid unnecessarily stashing a copy of the serialized old
    ClientHello.
    
    Change-Id: I699299f0ce767ba059fbb08e8f2140793a649322
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46628
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    d791fbd
  11. runner: Fix HPKE parameter order.

    Matching the Go standard library cipher.AEAD interface, EVP_AEAD, and
    the C implementation, put the AAD parameter after plaintext/ciphertext.
    
    Bug: 275
    Change-Id: I46804ff0e55a75742016ff6311bbe6fd6d208355
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46665
    Reviewed-by: Dan McArdle <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    7d2ddd2
  12. runner: Fix ECH confirmation calculation with PSKs in tests.

    Re-encoding a message does not necessarily give back the same value.
    
    Bug: 275
    Change-Id: I52cddd6152445b70579cbe03525898383bee211d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46644
    Reviewed-by: David Benjamin <[email protected]>
    Reviewed-by: Dan McArdle <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 6, 2021
    fa2d3d5

Commits on Apr 8, 2021

  1. runner: Ensure helloBytes is always the same as hello.marshal().

    The client handshake currently defers creating the finishedHash and
    writing things into the transcript, which is a little annoying for ECH.
    In preparation for simplifying that, one nuisance is that we retain both
    hello and helloBytes, across a long span of code. helloBytes is *almost*
    the same as hello.marshal() except:
    
    - When we send a V2ClientHello, helloBytes records that we serialized
      the ClientHello completely differently.
    
    - For the JDK11 workaround tests, helloBytes records that we swapped out
      the ClientHello entirely.
    
    - By the time we finally write helloBytes into the transcript, hello may
      have been updated to the second ClientHello.
    
    This CL resolves the first two issues. It replaces the v2ClientHelloMsg
    with an option when serializing the clientHelloMsg, and it has the
    ClientHello replacement function return a clientHelloMsg instead of a
    []byte. (This is a little weird because we're conflating parsed and
    constructed ClientHellos, but ah well.)
    
    A follow-up CL will remove the deferred transcript bits and we'll
    actually be able to drop helloBytes.
    
    Change-Id: Ib82ac216604e2c4bf421277e57aa5fd3b4cef161
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46629
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 8, 2021
    6810f0e
  2. runner: Test different V2ClientHello challenge lengths.

    The challenge field, at least per our implementation and OpenSSL, may be
    either left-padded or truncated to form the ClientHello random. Test
    both cases, as well as an exact match.
    
    Change-Id: Icdedf899ef483225d8ed20580ad15818b5e52e91
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46631
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 8, 2021
    bff8834
  3. Remove remnants of CBC SHA2 cipher suites.

    This is follow-up cleanup work from
    https://boringssl-review.googlesource.com/27944.
    
    Change-Id: I39d1bf0bc28540228166389eac378b07a1168e6c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46684
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 8, 2021
    7a0834b
  4. Simplify tls_cbc.c slightly.

    This removes the now unnecessary virtual calls. Benchmark differences are
    mostly positive but probably noise.
    
    Before:
    Did 839000 AES-128-CBC-SHA1 (16 bytes) open operations in 2000497us (6.7 MB/sec)
    Did 623000 AES-128-CBC-SHA1 (256 bytes) open operations in 2000409us (79.7 MB/sec)
    Did 434000 AES-128-CBC-SHA1 (1350 bytes) open operations in 2002909us (292.5 MB/sec)
    Did 146000 AES-128-CBC-SHA1 (8192 bytes) open operations in 2000785us (597.8 MB/sec)
    Did 82000 AES-128-CBC-SHA1 (16384 bytes) open operations in 2014268us (667.0 MB/sec)
    
    After:
    Did 866000 AES-128-CBC-SHA1 (16 bytes) open operations in 2000697us (6.9 MB/sec) [+3.2%]
    Did 616000 AES-128-CBC-SHA1 (256 bytes) open operations in 2001403us (78.8 MB/sec) [-1.2%]
    Did 432000 AES-128-CBC-SHA1 (1350 bytes) open operations in 2003898us (291.0 MB/sec) [-0.5%]
    Did 148000 AES-128-CBC-SHA1 (8192 bytes) open operations in 2006042us (604.4 MB/sec) [+1.1%]
    Did 83000 AES-128-CBC-SHA1 (16384 bytes) open operations in 2010885us (676.3 MB/sec) [+1.4%]
    
    Change-Id: I735e99296ca9a1771518c622b8e7e6979a0d30bc
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46685
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 8, 2021
    c31fb79
  5. runner: Construct finishedHash earlier.

    We currently construct finishedHash fairly late, after we've resolved
    HelloRetryRequest. As a result, we need to defer some of the transcript
    operations across a large chunk of code.
    
    This is a remnant of earlier iterations of TLS 1.3, when
    HelloRetryRequest didn't tell us the cipher suite yet. Now the cipher
    suite is known earlier and we can construct the finishedHash object
    immediately. In doing so, move HRR handling inside doTLS13Handshake().
    
    This keeps more of TLS 1.3 bits together and allows us to maintain the
    HRR bits of the handshake closer to the rest of HRR processing. This
    will be useful for ECH which complicates this part of the process with
    an inner and outer ClientHello. Finally, this adds a missing check that
    the HRR and SH cipher suites match.
    
    Change-Id: Iec149eb5c648973325b190f8a0622c9196bf3a29
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46630
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 8, 2021
    ca65bff
  6. runner: Remove unused field

    Change-Id: Id6440b3e2feea0539ac83ee697c9e5aee0709fbd
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46664
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 8, 2021
    61d5aab
  7. Add ECH server (draft-ietf-tls-esni-09).

    This CL adds an initial implementation of the ECH server, with pieces of
    the client in BoGo as necessary for testing. In particular, the server
    supports ClientHelloInner compression with ech_outer_extensions. When
    ECH decryption fails, it can send retry_configs back to the client.
    
    This server passes the "ech-accept" and "ech-reject" test cases in
    tls-interop-runner[0] when tested against both the cloudflare-go and nss
    clients. For reproducibility, I started with the main branch at commit
    707604c262d8bcf3e944ed1d5a675077304732ce and updated the endpoint's
    script to pass the server's ECHConfig and private key to the boringssl
    tool.
    
    Follow-up CLs will update HPKE to the latest draft and catch us up to
    draft-10.
    
    [0]: https://github.com/xvzcf/tls-interop-runner
    
    Bug: 275
    Change-Id: I49be35af46d1fd5dd9c62252f07d0bae179381ab
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45285
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    dmcardle authored and CQ bot account: [email protected] committed Apr 8, 2021
    00e434d
  8. Simplify the Lucky13 mitigation.

    Rather than computing kVarianceBlocks, which is hard to reason about,
    use a sha1_final_with_secret_suffix abstraction. This lets us separate
    reasoning in bytes about the minimum and maximum values of |data_size|
    and the interaction with HMAC, separately from the core constant-time
    SHA-1 update.
    
    It's also faster. I'm guessing it's the more accurate block counts.
    
    Before:
    Did 866000 AES-128-CBC-SHA1 (16 bytes) open operations in 2000697us (6.9 MB/sec)
    Did 616000 AES-128-CBC-SHA1 (256 bytes) open operations in 2001403us (78.8 MB/sec)
    Did 432000 AES-128-CBC-SHA1 (1350 bytes) open operations in 2003898us (291.0 MB/sec)
    Did 148000 AES-128-CBC-SHA1 (8192 bytes) open operations in 2006042us (604.4 MB/sec)
    Did 83000 AES-128-CBC-SHA1 (16384 bytes) open operations in 2010885us (676.3 MB/sec)
    
    After:
    Did 2089000 AES-128-CBC-SHA1 (16 bytes) open operations in 2000049us (16.7 MB/sec) [+141.3%]
    Did 851000 AES-128-CBC-SHA1 (256 bytes) open operations in 2000034us (108.9 MB/sec) [+38.2%]
    Did 553000 AES-128-CBC-SHA1 (1350 bytes) open operations in 2002169us (372.9 MB/sec) [+28.1%]
    Did 178000 AES-128-CBC-SHA1 (8192 bytes) open operations in 2008596us (726.0 MB/sec) [+20.1%]
    Did 98000 AES-128-CBC-SHA1 (16384 bytes) open operations in 2001509us (802.2 MB/sec) [+18.6%]
    
    Confirmed with valgrind tooling that this is still constant-time. In
    doing so, I ran into a new nuisance with GCC. In loops where we run
    constant_time_lt with a counter value, GCC sometimes offsets the loop
    counter by the secret. It cancels it out before dereferencing memory,
    etc., but valgrind does not know that x + uninit - uninit = x and gets
    upset. I've worked around this with a barrier for now.
    
    Change-Id: Ieff8d2cad1b56c07999002e67ce4e6d6aa59e0d3
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46686
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 8, 2021
    Commit: 669ffe6

Commits on Apr 12, 2021

  1. Fix ppc64le build.

    Change-Id: Ib2356f1a6e6ef8bfd5b5469eae9d1bc43dd40895
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46724
    Commit-Queue: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Apr 12, 2021
    Commit: 3af8854
  2. Add ECH server config API to ssl_ctx_api fuzzer

    Bug: 275
    Change-Id: I4ccf7e8385d708326c71a855585583908e82bb2d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46744
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    dmcardle authored and CQ bot account: [email protected] committed Apr 12, 2021
    Commit: 2de33c6

Commits on Apr 13, 2021

  1. Only skip early data with HRR when offered.

    TLS 1.3 servers should only skip early data if the client offered it.
    Our HRR codepath didn't quite get this right. This CL is the minimal fix
    for this issue, but I think we should rearrange this logic slightly
    rather than deciding to do 0-RTT and then changing our mind. The next CL
    will do that.
    
    (This bug does not have any interoperability consequences. When
    configured to skip early data, we're happy to vacuously skip over zero
    early data records. We were just less strict than we should be.)
    
    Change-Id: Ida42134b92b4df708b2bb959c536580bec454165
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46764
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 13, 2021
    Commit: e2b7bb7
  2. Rearrange key share and early data logic.

    We currently determine whether we need HelloRetryRequest at the same
    time as resolving key share machinery. That is a little too late for
    early data negotiation, so we end up accepting early data and then
    clearing it later on in the function. This works but is easy to mess up,
    given the preceding CL. There's also some ALPS logic that got this
    wrong, but I believe it didn't result in any incorrect behavior.
    
    Instead, this pulls secret computation out of the key_share helper
    function, which now just finds the matching key share. We then check
    early whether we need HRR, before deciding on early data.
    
    Change-Id: I108865da08addfefed4a7db73c60e11cf4335093
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46765
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 13, 2021
    Commit: 3b8c5ec
  3. Don't duplicate ServerHello construction code.

    This also fixes a minor bug (that doesn't matter because we don't
    implement DTLS 1.3). init_message must be paired with finish_message to
    correctly handle the DTLS header.
    
    Change-Id: I4b65c82d4b691d5b77d9e20513983145098d6f8f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46785
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 13, 2021
    Commit: e4c1917
  4. Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos.

    See also 86a90dc749af91f8a7b8da6628c9ffca2bae3009 from upstream. This
    differs from upstream's which treats {NULL, 2} as a valid way to spell
    the empty list. (I think this is a mistake and have asked them about
    it.)
    
    Upstream's CL also, for them, newly makes the empty list disable ALPN,
    when previously they'd disable it but misread it as a malloc failure.
    For us, we'd already fixed the misreading due to our switch to
    bssl::Array and bssl::Span, but the documentation was odd. This CL
    preserves that behavior, but updates the documentation and writes a
    test.
    
    Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now
    reject invalid inputs. Previously, they would accept them, but silently
    send an invalid ALPN extension which the server would almost certainly
    error on.
    
    Change-Id: Id5830b2d8c3a5cee4712878fe92ee350c4914367
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46804
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 13, 2021
    Commit: 12a3e7e
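An added example, not BoringSSL's own code: a checker for the wire-format ALPN list that SSL_set_alpn_protos takes (RFC 7301, one length byte per name), written to reject the same inputs the commit above describes. The ALPN_ERR_* codes and the alpn_protos_build helper are names chosen here, not library API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Error codes returned by alpn_protos_check() and alpn_protos_build(). */
#define ALPN_ERR_NULL (-1)       /* NULL buffer with a non-zero length */
#define ALPN_ERR_EMPTY_NAME (-2) /* a zero-length protocol name */
#define ALPN_ERR_TRUNCATED (-3)  /* a length byte runs past the buffer end */
#define ALPN_ERR_TOO_LONG (-4)   /* name longer than 255 bytes, or no room */

/* Validate a wire-format ALPN list as passed to SSL_set_alpn_protos:
 * a sequence of ProtocolName entries, each a one-byte length followed by
 * that many bytes. Returns the number of names (0 means the empty list,
 * which disables ALPN) or a negative ALPN_ERR_* code. */
static int alpn_protos_check(const uint8_t *protos, size_t protos_len) {
  if (protos_len == 0) {
    return 0;
  }
  if (protos == NULL) {
    return ALPN_ERR_NULL;  /* {NULL, 2} is rejected, not read as "empty" */
  }
  int count = 0;
  size_t i = 0;
  while (i < protos_len) {
    size_t name_len = protos[i];
    if (name_len == 0) {
      return ALPN_ERR_EMPTY_NAME;
    }
    if (name_len > protos_len - i - 1) {
      return ALPN_ERR_TRUNCATED;
    }
    i += 1 + name_len;
    count++;
  }
  return count;
}

/* Build the wire-format list from NUL-terminated names, refusing the
 * inputs the checker would reject. Returns the encoded length or a
 * negative ALPN_ERR_* code. */
static int alpn_protos_build(const char *const *names, size_t num_names,
                             uint8_t *out, size_t out_cap) {
  size_t used = 0;
  for (size_t k = 0; k < num_names; k++) {
    size_t len = strlen(names[k]);
    if (len == 0) {
      return ALPN_ERR_EMPTY_NAME;
    }
    if (len > 255 || out_cap - used < 1 + len) {
      return ALPN_ERR_TOO_LONG;
    }
    out[used++] = (uint8_t)len;
    memcpy(out + used, names[k], len);
    used += len;
  }
  return (int)used;
}

/* Round trip: build the list for |names| and report what the checker
 * says about the result. */
static int alpn_build_and_check(const char *const *names, size_t num_names) {
  uint8_t buf[512];
  int len = alpn_protos_build(names, num_names, buf, sizeof(buf));
  if (len < 0) {
    return len;
  }
  return alpn_protos_check(buf, (size_t)len);
}

int main(void) {
  const char *const names[] = {"h2", "http/1.1"};
  printf("h2 + http/1.1: %d names\n", alpn_build_and_check(names, 2));
  printf("empty name: %d\n", alpn_protos_check((const uint8_t *)"\x00", 1));
  printf("truncated: %d\n", alpn_protos_check((const uint8_t *)"\x05h2", 3));
  printf("{NULL, 2}: %d\n", alpn_protos_check(NULL, 2));
  return 0;
}
```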

Commits on Apr 14, 2021

  1. acvp: support KAS-ECC-SSC staticUnified mode.

    Change-Id: I3dfd75c93b3ae83e0a4db643ac7d00d2867fa656
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46704
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Apr 14, 2021
    Commit: 09f71c1
  2. Add util/bot/libFuzzer to .gitignore.

    The gclient-managed files usually go in .gitignore. I think without it,
    we have to redownload it all the time on the bots? Though this also
    makes my git status cleaner.
    
    Change-Id: Ic9bac6796bd3dcdea5039bcac39e853d9f12906b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46824
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 14, 2021
    Commit: 4382899
  3. Use a consistent plural for 'corpus'.

    'corpora' seems to be more common than 'corpuses' in Chromium code
    search, including in libFuzzer's source itself.
    
    Change-Id: I6489b57a4608f47274c4400aac135cbfb991953a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46825
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 14, 2021
    Commit: 5545b61
  4. Record a fuzzing corpus for the ClientHelloInner decoder.

    Also generate a corpus to unblock the Chromium roll. The build tools
    expect there to be a corresponding directory somewhere.
    
    Bug: 275
    Change-Id: I7a061ba6625ec57c10b0ae17e68b6b0159c539d4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46826
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 14, 2021
    Commit: 94b477c

Commits on Apr 15, 2021

  1. acvp: support GMAC as an algorithm.

    It's defined as GCM without a plaintext input, so this is trivial.
    
    Change-Id: Id430e998447e489c2bf2dd5c6541877870104ade
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46844
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Apr 15, 2021
    Commit: 7a1986c
  2. Export ssl_client_hello_init for fuzzers.

    Chromium's fuzzer uses a shared library build.
    
    Change-Id: I49a9fef9c0f10694302727d0251005240c30988f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46864
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 15, 2021
    Commit: 1596137
  3. Make our Python scripts Python-3-compatible.

    They still need to be Python-2-compatible until I figure out how to
    switch the version used in the CI.
    
    I've left out make_curve25519_tables.py because it's some bytes vs
    unicode mess I don't care to figure out. We should just rewrite that in
    Go which should also be much faster anyway.
    
    Change-Id: I4446641815315a84c2979b1be1e1949f88cbacf8
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46884
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 15, 2021
    Commit: 666f2ab
  4. Add experimental handshake hints API.

    See go/handshake-hints (internal).
    
    CL originally by Bin Wu <[email protected]>. I just reworked the tests and
    tidied it up a bit. This is the start of a replacement for the split
    handshakes API. For now, only TLS 1.3 is supported. It starts with an
    initial set of hints, but we can add more later. (In particular, we
    should probably apply the remote handshaker's extension order to avoid
    needing to capability protect such changes.)
    
    Change-Id: I7b6a6dfaa84c6c6e3436d2a4026c3652b8a79f0f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46535
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 15, 2021
    Commit: b571e77

Commits on Apr 16, 2021

  1. Fix issuerUID and subjectUID parsing in the key usage checker.

    We have a few too many X.509 parsers.
    
    Bug: chromium:1199744
    Change-Id: Ib6f6b7bf6059ed542c334a5ca5a2d3928aae3bef
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46904
    Commit-Queue: David Benjamin <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 16, 2021
    Commit: 2f3958a
  2. Always encode booleans as DER.

    The ASN1_BOOLEAN representation is a mess. ASN1_BOOLEAN is an int
    and if non-negative (negative values mean omitted or default), gets cast
    to uint8_t and encoded as the value. This means callers are simply
    expected to know true is 0xff, not 1. Fix this by only encoding 0 or
    0xff.
    
    This also fixes a bug where values like 0x100 are interpreted as true
    (e.g. in the tasn_enc.c logic to handle default values), but encoded as
    false because the cast only looks at the least significant byte.
    
    This CL does not change the parsing behavior, which is to allow any BER
    encoding and preserve the value in the in-memory representation (though
    we should tighten that). However the BER encode will no longer be
    preserved when re-encoding.
    
    Update-Note: Callers setting ASN1_BOOLEANs to a positive value other
    than 0xff will now encode 0xff. This probably fixes a bug, but if anyone
    was attaching significance to incorrectly-encoded booleans, that will
    break.
    
    Change-Id: I5bb53e068d5900daca07299a27c0551e78ffa91d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46924
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 16, 2021
    Commit: 468cde9

Commits on Apr 19, 2021

  1. Make X509_PUBKEY opaque.

    Update-Note: Direct accesses of X509_PUBKEY should be replaced with one
    of the accessors. I believe all callers have been fixed at this point.
    
    Change-Id: Ib325782867478fb548da1bf5ef0023cf989f125b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46944
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 19, 2021
    Commit: e60893c
  2. Document a few more x509.h functions.

    I stopped short of documenting the add1_attr_by functions because the
    type parameter is a bit of a mess. It appears to be several enums put
    together. To that end, I've updated the documentation on
    V_ASN1_MAX_UNIVERSAL to note that we also need to avoid MBSTRING_FLAG.
    
    As a preview of what I'm putting off to later, see
    X509_ATTRIBUTE_set1_data for how the type parameter is used. set1_data
    is extra fun because PKCS#10 attributes are set-valued. Plus there's
    upstream's e20b57270dece66ce2c68aeb5d14dd6d9f3c5d68, which we should
    import first.
    
    Change-Id: I3453a0b224e42c6e22828c7d332ee133e09e6173
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46945
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 19, 2021
    Commit: f0e6490
  3. acvptool: Fix typo hard-coding the HTTP method.

    Change-Id: I134e2e8d73913843d21d8a3d7f2b266bee6ba73b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46964
    Reviewed-by: Adam Langley <[email protected]>
    geegeea authored and agl committed Apr 19, 2021
    Commit: 68a799a

Commits on Apr 20, 2021

  1. Make X509_ATTRIBUTE opaque.

    x509_req.c changes imported from upstream's
    9b0a453190efc9b14cc04e74ce2e8e35af45fb39.
    
    Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with
    one of the accessors. I couldn't find any direct accesses, so hopefully
    this is fine.
    
    Change-Id: I7eab6375d5dcf366ef72e5ce059f3558c947f35b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46946
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 20, 2021
    Commit: 575d112
  2. Remove support for malformed X509_ATTRIBUTEs.

    The X509_ATTRIBUTE structure includes a hack to tolerate malformed
    attributes that encode the value directly instead of a set of values.
    This form is never created by OpenSSL and shouldn't be needed any more.
    
    (Imported from upstream's e20b57270dece66ce2c68aeb5d14dd6d9f3c5d68.)
    
    This also changes X509_ATTRIBUTE_set1_data slightly. Previously,
    set1_data would override whatever was previously in the X509_ATTRIBUTE,
    but leak memory. Now set1_data appends to the set. (PKCS#10 attributes
    use SET OF ANY as value.) It's unclear to me if this was intentional on
    upstream's part. (The attrtype == 0 case only makes sense in the old
    behavior.) Since there is no other way to create a two-element SET and
    upstream has long since released this behavior, I left it matching
    upstream.
    
    Update-Note: Given OpenSSL hasn't accepted these for five years, it's
    unlikely anything depends on it. If something breaks, we can revert this
    and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty
    X509_ATTRIBUTE, so the behavior change there should be safe.
    
    Change-Id: Ic03c793b7d42784072ec0d9a7b6424aecc738632
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46947
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 20, 2021
    Commit: b173d91

Commits on Apr 21, 2021

  1. Revert handshaker fd numbers and make StartProcess more flexible.

    b571e77 changed these fd numbers, but that interacts poorly with
    cross-version tests. Instead, remove the assumptions StartProcess() was
    making about the relationship between the two sets of fds.
    
    Change-Id: If8fe62e4d20d22776e79e05e82cb5920cbb545ec
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47044
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 21, 2021
    Commit: daf1aca
  2. Document and test X509_ATTRIBUTE creation functions.

    This is mostly to confirm the STACK_OF(ASN1_TYPE) was created the right
    number of times.
    
    Change-Id: I30c32f91cb6091e63bfcaebb0fe966270e503d93
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46984
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 21, 2021
    Commit: ab7811e

Commits on Apr 22, 2021

  1. Remove some BoringSSL-only X509_CINF functions.

    These functions are not in any released version of OpenSSL. The history
    is they were added to 1.0.2 beta for CT, but then removed in favor of
    i2d_re_X509_tbs. We forked in between the two events.
    
    I'm not sure what the reasoning was upstream's end. I'm thinking:
    
    - X509 currently only captures the serialized TBSCertificate. It might
      be nice to capture the whole Certificate to avoid needing a
      serialization in X509_cmp and make it easier to interop with other
      stacks. (Unclear.) That would require not exporting the X509_CINF
      standalone for serialization.
    
    - The modified bit means, without locking, i2d_X509 is not const or
      thread-safe. We *might* be able to shift the re-encoding to
      i2d_re_X509_tbs, which is already inherently non-const. That requires
      not having X509_CINF_set_modified.
    
    I'm not sure how feasible either of these are, but between that,
    upstream alignment, and X509_CINF otherwise being absent from public
    accessors, it seems worth removing.
    
    Update-Note: X509_get_cert_info, X509_CINF_set_modified, and
    X509_CINF_get_signature are removed. I believe all callers have been
    updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and
    X509_get0_tbs_sigalg instead.
    
    Change-Id: Ic1906ba383faa7903973cb498402518985dd838c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46985
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 22, 2021
    Commit: fcec391
  2. Include assembly optimizations in Bazel builds on Linux-aarch64.

    Signed-off-by: Piotr Sikora <[email protected]>
    Change-Id: Ieb403b6651d445948abef48d7432fd248294284f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47084
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    PiotrSikora authored and CQ bot account: [email protected] committed Apr 22, 2021
    Commit: 16c76ac
  3. Use a placeholder for unknown errors in ERR_*_error_string.

    Change-Id: I3a16fa731cfa7c92e5fec19f78ae48650921f626
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47104
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 22, 2021
    Commit: eec7f32
  4. A couple of Aarch64 FIPS delocate fixes.

    Clang 12 in opt mode produces a couple of assembly patterns that were
    not handled by delocate.
    
    Firstly, two-digit vector indexes were just a simple omission. Fixed.
    
    Secondly, Clang puts symbol deltas in .byte directives, and bit-shifts
    them. The .byte directive was not considered to be a symbol-containing
    directive because it's too small, but it could store deltas.
    Additionally, bit-shifting of symbol expressions was not supported.
    Fixed.
    
    Change-Id: I796299821f5ac7d3639fa6243c5d9bd5342bbddf
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47064
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Apr 22, 2021
    Commit: 2e54edf
  5. acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.

    Change-Id: I26a643737e99ddf75af24143829df4551040f7db
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47144
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Apr 22, 2021
    Commit: c5dc278
  6. Clarify OBJ_get0_data and OBJ_get_length.

    Someone asked me about this API and I realized it didn't clarify what
    DER representation.
    
    Change-Id: I3c53df200612dd5a8269a14dd04e7b430cd96389
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47124
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Apr 22, 2021
    Commit: 354cd48

Commits on Apr 23, 2021

  1. Const-correct ASN1_OBJECT_create.

    The implementation is a little goofy, but OBJ_dup internally makes a
    copy of all the data.
    
    Change-Id: I58e6804ede00100211ac112f03e26a34a2d29b5a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47125
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 23, 2021
    Commit: 782d9b6

Commits on Apr 28, 2021

  1. Rename X509V*_VERSION constants.

    Upstream ultimately preferred a different naming convention, and
    type-specific constants. Align with them.
    
    Update-Note: This renames some BoringSSL-specific constants that we
    recently added. It doesn't look like anyone's used them yet.
    
    Change-Id: I580e0872a5f09fb1c5bab9127c35f1ed852680c0
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47164
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 28, 2021
    Commit: a96f4dd

Commits on Apr 30, 2021

  1. Use passive entropy collection everywhere.

    Change-Id: I40513b3947fa571d2d0b918641b9917451ced3e1
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47284
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed Apr 30, 2021
    Commit: 1cf78cd
  2. Reference the newer ChaCha20-Poly1305 RFC.

    Just some errata applied, otherwise the same.
    https://tools.ietf.org/rfcdiff?url2=rfc8439&url1=rfc7539
    
    Change-Id: I0cf5d50eeca7840d0ab99c54e06f1008ac423211
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47264
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Apr 30, 2021
    Commit: d4f877e
  3. Remove non-deterministic bits from ECDSA ACVP test.

    When updating the test file for SHA-1 support, I forgot to remove the
    non-deterministic bits (i.e. key and signature generation) from the
    input vectors.
    
    Change-Id: Id47f9b2cc85282f68b71aedc271d4b4b53e04c70
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47285
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and agl committed Apr 30, 2021
    Commit: 853ca1e

Commits on May 3, 2021

  1. Document expected use of BTI and PAC macros.

    https://boringssl-review.googlesource.com/c/boringssl/+/42084's commit
    message did a good job of explaining how BTI and PAC work, but we're
    missing some documentation in the header on conventions. I think these
    are right?
    
    Bug: 409
    Change-Id: I959e68d3ca076d0bdf9d1f2b5a5f0450023de4d6
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47204
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 3, 2021
    Commit: fe049e4
  2. Implement ECH draft 10 and update HPKE to draft 08.

    Bug: 275
    
    Change-Id: I8096070386af7d2b5020875ea09bcc0c04ebc8cd
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47245
    Reviewed-by: Steven Valdez <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: Steven Valdez <[email protected]>
    Steven Valdez authored and CQ bot account: [email protected] committed May 3, 2021
    Commit: 94a63a5

Commits on May 4, 2021

  1. Correctly order PKCS#7 certificates and CRLs.

    PKCS#7 stores certificates and CRLs in (implicitly-tagged) SET OF
    types. This means they're unordered and, in DER, must be sorted.
    
    We currently sort neither. OpenSSL upstream sorts CRLs but doesn't sort
    certificates. openssl/openssl#13143 reports that
    Microsoft has a stricter parser that checks this. This CL fixes both
    fields in our serializer.
    
    This does not change the parsing code, which still preserves whatever
    order we happened to find, but I've updated the documentation to clarify
    that callers should not rely on the ordering.
    
    Based on [0] and the odd order in kPKCS7NSS, I believe this aligns with
    NSS's behavior.
    
    Update-Note: It is no longer the case that constructing a PKCS#7 file
    and parsing them back out will keep the certificates and CRLs in the
    same order.
    
    [0] https://source.chromium.org/chromium/chromium/src/+/main:chrome/common/net/x509_certificate_model_nss_unittest.cc;drc=c91b0c37b5ddf31cffd732c661c0c5930b0740f4;l=286
    
    Change-Id: If776bb78476557af2c4598f1b6dc10e189adab5d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47304
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 4, 2021
    Commit: 1264f0c
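An added example (not BoringSSL code) covering two DER canonicalization points from this list: the "Always encode booleans as DER" commit above, where a non-negative ASN1_BOOLEAN used to be cast to uint8_t so 0x100 encoded as FALSE, and the PKCS#7 commit here, where SET OF members must be sorted by their encodings. The der_elem type, the function names and the three kCert stand-ins are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* --- BOOLEAN content octet for an ASN1_BOOLEAN-style int --- */

/* Pre-fix behaviour as the commit describes it: a non-negative value is
 * cast to uint8_t, so 0x100 encodes as 0x00 (FALSE) even though the
 * default-value logic treats any non-zero value as TRUE. -1 = omitted. */
static int der_boolean_byte_old(int value) {
  return value < 0 ? -1 : (uint8_t)value;
}

/* Fixed behaviour: only 0x00 or 0xff is ever emitted (X.690 11.1). */
static int der_boolean_byte(int value) {
  return value < 0 ? -1 : (value != 0 ? 0xff : 0x00);
}

/* Strict DER decoding of a BOOLEAN content octet. BER allows any non-zero
 * octet for TRUE; DER allows only 0xff. Returns 1 (TRUE), 0 (FALSE) or
 * -1 for a BER-only encoding that a tightened parser would reject. */
static int der_boolean_decode_strict(uint8_t content) {
  return content == 0x00 ? 0 : (content == 0xff ? 1 : -1);
}

/* --- SET OF: DER ordering for the PKCS#7 certificates / crls fields --- */

typedef struct {
  const uint8_t *der;
  size_t len;
} der_elem;

/* X.690 11.6: compare two encodings as octet strings, with the shorter
 * one padded at its trailing end with zero octets. */
static int der_elem_cmp(const der_elem *a, const der_elem *b) {
  size_t n = a->len < b->len ? a->len : b->len;
  int r = memcmp(a->der, b->der, n);
  if (r != 0) return r;
  const der_elem *longer = a->len > b->len ? a : b;
  for (size_t i = n; i < longer->len; i++) {
    if (longer->der[i] != 0) return longer == a ? 1 : -1;
  }
  return 0;
}

/* Returns 1 if |elems| is already in DER SET OF order (what a stricter
 * parser like the one the commit mentions checks), else 0. */
static int der_set_of_is_sorted(const der_elem *elems, size_t n) {
  for (size_t i = 1; i < n; i++) {
    if (der_elem_cmp(&elems[i - 1], &elems[i]) > 0) return 0;
  }
  return 1;
}

/* Insertion sort into DER order: the step the commit adds to the
 * serializer for both certificates and CRLs. */
static void der_set_of_sort(der_elem *elems, size_t n) {
  for (size_t i = 1; i < n; i++) {
    der_elem key = elems[i];
    size_t j = i;
    while (j > 0 && der_elem_cmp(&elems[j - 1], &key) > 0) {
      elems[j] = elems[j - 1];
      j--;
    }
    elems[j] = key;
  }
}

/* Constructed stand-ins for three certificate encodings (real ones are
 * just longer SEQUENCEs), in the order a PKCS#7 builder happened to get
 * them. DER order is B < A < C. */
static const uint8_t kCertA[] = {0x30, 0x03, 0x02, 0x01, 0x07};
static const uint8_t kCertB[] = {0x30, 0x03, 0x02, 0x01, 0x02};
static const uint8_t kCertC[] = {0x30, 0x04, 0x02, 0x02, 0x01, 0x00};

/* Returns 1 if the constructed list is rejected as given and accepted,
 * in the order B, A, C, after sorting. */
static int der_demo_pkcs7_certs(void) {
  der_elem certs[3] = {{kCertA, sizeof(kCertA)},
                       {kCertB, sizeof(kCertB)},
                       {kCertC, sizeof(kCertC)}};
  if (der_set_of_is_sorted(certs, 3)) return 0;
  der_set_of_sort(certs, 3);
  return der_set_of_is_sorted(certs, 3) && certs[0].der == kCertB &&
         certs[1].der == kCertA && certs[2].der == kCertC;
}
```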

Commits on May 6, 2021

  1. Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.

    We can add them if we need them, but we're only using HKDF-SHA256 in
    ECH. Keep the set small to encourage a common set of parameters.
    
    Bug: 410
    Change-Id: I5b9ddf3daa1d0c7f35df473470998369e9882553
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47324
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 6, 2021
    Commit: 9f70097
  2. Remove HPKE PSK mode.

    We can always add it back later, but nothing's using it right now.
    Looking at all references to draft-irtf-cfrg-hpke in the IETF tracker,
    there are zero uses of any of the modes beyond SetupBase.
    
    Bug: 410
    Change-Id: I23deb27554d36152776417d86e7759cb2c22e4eb
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47325
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 6, 2021
    e4d6556
  3. Fix a memory leak with d2i_ASN1_OBJECT object reuse.

    (Imported from upstream's 65b88a75921533ada8b465bc8d5c0817ad927947 and
    7c65179ad95d0f6f598ee82e763fce2567fe5802.)
    
    Change-Id: Id6a9604231d3cacc5e20af07e40d09e20dc9d3c0
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47332
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 6, 2021
    198c5f5
  4. Revise the deterministic for_test variant of HPKE's SetupBaseS.

    Although we only support X25519 right now, we may need to support other
    KEMs in the future. In the general case, a public/private keypair is
    less meaningful. (If something like NTRU-HRSS ever goes here, I guess
    it'd be the entropy passed to HRSS_encap.)
    
    Instead of taking an entire keypair, just take the private key. Perhaps
    we call it the "seed"?
    
    Bug: 410
    Change-Id: Ifd6b6ea8ea36e6eca60d303706d6d2620f8c42d4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47326
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 6, 2021
    da4390f
  5. Don't mark up the first word in a collective comment.

    Change-Id: I3fc0cc07d7a0a29df02601e321d5a5a9ff128bf9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47330
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 6, 2021
    1d842c6
  6. Introduce EVP_HPKE_{AEAD,KDF} types.

    This replaces the ID-based API with one that is more static linker
    friendly. For ECH, it doesn't make a difference because we currently
    pull in all the options we've implemented. But this means other HPKE
    uses need not pull in everything ECH needs and vice versa.
    
    Along the way, fix an inconsistency: we prefixed all the AEAD constants
    with "AEAD", but not the others. Since the rest of the name already
    determines everything, go with the shorter version.
    
    Bug: 410
    Change-Id: I56e46c13b43c97e15eeb45204cde7019dd21e250
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47327
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 6, 2021
    f39c81d
  7. Switch HPKE to a three-parameter output buffer.

    This is a little tedious but aligns with some of our other
    variable-length parameters. This is in preparation for making the HPKE
    APIs KEM-agnostic, so we don't need to make so many variations on the
    HPKE functions for each KEM. (Especially if we ever need to implement
    SetupPSK*, SetupAuth*, or SetupAuthPSK*.)
    
    Bug: 410
    Change-Id: I0625580b15358ab1f02b7835122256e8f058a779
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47328
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 6, 2021
    2b2cb7d
  8. acvp: move hash iterations into modulewrapper.

    In cases where the RPC from acvptool to modulewrapper is expensive,
    these iterated tests take excessive amounts of time. By moving the
    inner loop into the module wrapper the number of round-trips is reduced
    by 1000×.
    
    Change-Id: Ic047db071239492e416a08cab60d6a7e2905e8dc
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47364
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed May 6, 2021
    9fc6174

Commits on May 7, 2021

  1. Make X509_SIG and X509_CERT_AUX opaque.

    I meant to grab more interesting types this round, but I missed a few
    spots. We should be able to get these out of the way though.
    
    Update-Note: Direct access of these structs should be replaced by
    accessors.
    
    Change-Id: I43cb8f949d53754cfebef2f84be66e89d2b96f96
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47384
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 7, 2021
    9f55d97

Commits on May 10, 2021

  1. Add SSL_can_release_private_key.

    Callers using private key callbacks may retain non-trivial state with a
    private key. In many cases, the private key is no longer necessary
    immediately after the first round-trip (e.g. non-HRR TLS 1.3
    connections). Add a function that callers can query to drop the state a
    hair earlier.
    
    This is tested in two ways. First, the asserts in front of using the
    key, combined with existing tests, ensure we don't start reporting it
    too early. Second, I've added tests in ssl_test.cc to assert we report
    it as early as we expect to.
    
    In doing so, the number of parameters on ConnectClientAndServer()
    started getting tedious, so I've split that into a
    CreateClientAndServer() and CompleteHandshakes(). Callers that need to
    configure weird things or drive the handshake manually can call
    CreateClientAndServer() (which takes care of the BIO pair business) and
    continue from there.
    
    Bug: b/183734559
    Change-Id: I05e1edb6d269c8468ba7cde7dc90e0856694a0ca
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47344
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 10, 2021
    9b2cdb7
  2. Update ACVP URLs.

    NIST breaks these URLs so often it's unclear if it's worth including
    them. If they do it again it might be a signal to remove them all.
    However, until then, this change updates many of them. Some were deleted
    because the format of the anchors has been switched and all the section
    numbers removed, and I don't think it's worth trying to unpick all that.
    
    Change-Id: I31457c225e68ee44d383a5a148fdcc80a3430864
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47464
    Commit-Queue: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed May 10, 2021
    f0e5ea2
  3. Shift the KEM dependency in HPKE up a step.

    This introduces an EVP_HPKE_KEM, to capture the KEM choice, and
    EVP_HPKE_KEY, to capture the key import (and thus avoids asking
    receivers to pass in the full keypair). It is a bit more wordy now, but
    we'll be in a better place when some non-TLS user inevitably asks for a
    P-256 version.
    
    Bug: 410
    Change-Id: Icb9cc8b028e6d1f86e6d8adb31ebf1f975181675
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47329
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 10, 2021
    1d58cd1
  4. Refer to EVP_HPKE_CTX by a consistent name.

    It's sometimes hpke and sometimes ctx. Our other EVP_FOO_CTX types are
    usually called ctx, so use ctx.
    
    Bug: 410
    Change-Id: Ib1c6d8018ffd8fd180b89f5be58283f3f098e44b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47404
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben committed May 10, 2021
    1eb7769
  5. Export the HPKE implementation.

    Bug: 410
    Change-Id: I633eab7f2d148c9158a5bb29d73e07f1f18b7105
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47331
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 10, 2021
    070a6c3

Commits on May 11, 2021

  1. Fix the ech_accept comment.

    This was fixed in review, but we forgot to update the comment.
    
    Change-Id: If1fdd9211ff085edeb50457edf0caba5e31b6d16
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47448
    Reviewed-by: Dan McArdle <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 11, 2021
    8349dfc

Commits on May 13, 2021

  1. Move session ID assignment out of ssl_get_new_session.

    It's kind of weird that we assign a session ID, based on whether we
    detect the handshake wants stateful resumption, and then erase it
    afterwards.
    
    Also remove the is_server parameter, which we can get from hs.
    
    Change-Id: I94ac817c63abb08a457e0e0c29f5c2d2b60aa498
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47444
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 13, 2021
    962b375
  2. Simplify renego + resumption handling.

    We do not offer sessions on renegotiation. Rather than applying this at
    both the ClientHello and ServerHello, just drop ssl->session, which
    takes care of both cases.
    
    Change-Id: I5ebaedc8d9cc0fca61242ed9b85fa3449636dfec
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47445
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 13, 2021
    1f6c3dc
  3. Don't use SHA256(ticket) as the signaling session ID for tickets.

    We've inherited some behavior from OpenSSL where, in ticket-based client
    sessions, we fill in a placeholder session ID of SHA256(ticket). This
    was done to avoid confusing other code in OpenSSL (and possibly
    callers?) that assumed session_id_length != 0 determined validity.
    
    Separately, TLS 1.2 session tickets are syntactically weird. The client
    generates a fake signaling session ID, which the server echoes on
    resumption.
    
    These combined meant we used the placeholder SHA256 value as this
    signaling ID. Since we already have code to generate random session IDs
    for TLS 1.3, use that instead to minimize unnecessary implementation
    quirks visible on the wire. This removes one of the places we still rely
    on the placeholders within the library.
    
    Change-Id: I0de2781da72e2bbc030505611589c853f105ce9d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47446
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 13, 2021
    6ff9429
  4. Check for resumption identifiers in SSL_SESSION_is_resumable.

    This aligns with OpenSSL. In particular, we clear not_resumable as soon
    as the SSL_SESSION is complete, but it may not have an ID or ticket.
    (Due to APIs like SSL_get_session, SSL_SESSION needs to act both as a
    resumption handle and a bundle of connection properties.)
    
    Along the way, use the modified function in a few internal checks which,
    with the ssl_update_cache change, removes the last dependency within the
    library on the placeholder SHA256 IDs.
    
    Change-Id: Ic225109ff31ec63ec08625e9f61a20cf0d9dd648
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47447
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 13, 2021
    71a3b82

Commits on May 14, 2021

  1. Add APIs to manually fill in signatures for CRLs.

    This adds CRL analogs to some X509 functions added in
    https://boringssl-review.googlesource.com/c/boringssl/+/43784. I missed
    that we need to support this for CRLs too.
    
    Change-Id: Id64952a1b2d33bcd057a96c80aadd97a3c3d9fb5
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47525
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 14, 2021
    4b066b0
  2. Validate RSA public keys more consistently.

    https://boringssl-review.googlesource.com/c/boringssl/+/42504 aligned
    RSA private key checks, but I missed the public key ones. We have two
    different sets of RSA public key checks right now. One in the parser
    just checks for e = 1 and even e. The other, when using the key, checks
    for overly large e and n.
    
    Align the two. Now parsing RSA public keys calls RSA_check_key and the
    extra checks on e are added to RSA_check_key. Note RSA private key
    parsing already called RSA_check_key. The consequences are:
    
    First, RSA public keys with large n, large e, or n < e will be rejected
    at parse time. Previously, they would be parsed but all operations on
    them would fail. This aligns with our existing behavior for parsing
    private keys.
    
    Second, operations on RSA public keys with even e will fail. They
    already failed to parse, but it was possible to manually construct such
    a key. Previously, operations wouldn't explicitly fail, but they
    wouldn't do anything useful because even exponents are not invertible.
    (Encrypting would produce something undecryptable and the private key
    would have a hard time reliably producing signatures we'd accept.) There
    is no change to RSA private keys with even e. Those would already fail
    the (e, d) consistency check and the fault check.
    
    Third, operations on RSA public keys with e = 1 will fail. They already
    failed to parse, but it was possible to manually construct such a key
    and "verify" signatures or "encrypt" messages. However, with e = 1,
    those operations are no-ops.
    
    Finally, RSA private keys with e = d = 1 will be rejected at parse and
    use. This is the only case that affects private keys because e = d = 1
    are inverses, just pointless. Uses paired with RSA public key parsing
    (e.g. our TLS library checks consistency with a certificate public key)
    are not affected. Those already rejected such keys because we rejected
    them in the public key parser. This CL aligns the private half.
    
    This doesn't close https://crbug.com/boringssl/316, but we won't be able
    to resolve that without a consistent story for what keys are valid.
    
    Update-Note: See above.
    Bug: 316
    Change-Id: Ic27df18c4f48e5e3e57a17d6fe39399e2f8d5c68
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47524
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 14, 2021
    29507b8
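The public-key rules this commit message lists (reject e = 1, even e, e >= n, and overly large n or e) written out as an added Python model; this is not BoringSSL's code, the size limits are assumed values rather than BoringSSL's actual constants, and the unpadded textbook RSA operation is only there to show why e = 1 and even e are unusable.

```python
"""Model of the RSA public key checks described in the commit message.

Added example, not BoringSSL code. MAX_MODULUS_BITS and MAX_EXPONENT_BITS
are assumed limits; the page only says "overly large e and n" are rejected.
"""
from dataclasses import dataclass

MAX_MODULUS_BITS = 16384   # assumed limit, not BoringSSL's constant
MAX_EXPONENT_BITS = 33     # assumed limit, not BoringSSL's constant


@dataclass(frozen=True)
class RSAPublicKey:
    n: int  # modulus
    e: int  # public exponent


def check_public_key(key, max_n_bits=MAX_MODULUS_BITS,
                     max_e_bits=MAX_EXPONENT_BITS):
    """Return (ok, reason). Mirrors the consolidated checks: the same
    function is meant to run at parse time and before every use, so a
    hand-built key cannot bypass it."""
    if key.n <= 0 or key.e <= 0:
        return False, "n and e must be positive"
    if key.n.bit_length() > max_n_bits:
        return False, "modulus too large"
    if key.e.bit_length() > max_e_bits:
        return False, "public exponent too large"
    if key.e == 1:
        # m^1 mod n == m: "encrypt" and "verify" become no-ops.
        return False, "e = 1 makes the public operation a no-op"
    if key.e % 2 == 0:
        # lambda(n) is even for n = p*q, so an even e has no inverse d.
        return False, "even e is not invertible"
    if key.e >= key.n:
        return False, "e must be smaller than n"
    return True, "ok"


def parse_public_key(n, e):
    """Parse-time entry point: rejects the key instead of returning it."""
    key = RSAPublicKey(n, e)
    ok, reason = check_public_key(key)
    if not ok:
        raise ValueError("invalid RSA public key: " + reason)
    return key


def raw_public_op(key, m):
    """Textbook (unpadded) RSA public operation m^e mod n, used here only
    to illustrate the failure modes; the check is repeated at use time."""
    ok, reason = check_public_key(key)
    if not ok:
        raise ValueError("refusing to use invalid key: " + reason)
    return pow(m, key.e, key.n)


def even_e_collision(n, e, m):
    """For even e, m and n - m map to the same value, which is why such a
    key can never recover a unique plaintext. Returns the two outputs."""
    assert e % 2 == 0
    return pow(m, e, n), pow(n - m, e, n)


if __name__ == "__main__":
    # Constructed toy key: n = 61 * 53, e = 17 (far below any real size).
    good = parse_public_key(3233, 17)
    print(check_public_key(good))                # (True, 'ok')
    print(check_public_key(RSAPublicKey(3233, 1)))
    print(check_public_key(RSAPublicKey(3233, 2)))
    print(check_public_key(RSAPublicKey(3233, 3235)))
    print(even_e_collision(3233, 2, 5))          # (25, 25)
```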
  3. Be clearer which signing inputs are digests.

    We usually call the parameter 'digest', but people sometimes think they
    can skip the hashing for short inputs. I also suspect the term
    'digest' is less common. Add warnings about this.
    
    There were also some cases where we called it 'in' and even 'msg'. This
    CL fixes those to say 'digest'. Finally, RSA_{sign,verify}_raw are
    documented to be building blocks of signature schemes, rather than
    signature schemes themselves.
    
    It's unfortunate that EVP_PKEY_sign means "sign a digest", while
    EVP_DigestSign means "sign, likely internally digesting it as the first
    step", but we're a bit stuck there.
    
    Change-Id: I4c38afff9b6196e2789cf27653fe5e5e8c68c1bf
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47504
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 14, 2021
    940475d
  4. Fix some includes.

    My editor was being too clever.
    
    Change-Id: I7044a09de83d3530583424eb5da2183039fb0643
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47484
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 14, 2021
    a464674
  5. Check hs->early_session, not ssl->session, for the early data limit.

    ServerHello/EncryptedExtensions/Finished is logically one atomic flight
    that exits the early data state, but we have to process each message
    sequentially. Until we've processed Finished, we are still in the early
    data state and must support writing data. Individual messages *are*
    processed atomically, so the interesting points are before ServerHello
    (already tested), after ServerHello, and after EncryptedExtensions.
    
    The TLS 1.3 handshake internally clears ssl->session when processing
    ServerHello, so getting the early data information from ssl->session
    does not work. Instead, use hs->early_session, which is what other
    codepaths use.
    
    I've tested this with runner rather than ssl_test, so we can test both
    post-SH and post-EE states. ssl_test would be more self-contained, since
    we can directly control the API calls, but it cannot test the post-EE
    state. To reduce record overhead, our production implementation packs EE
    and Finished into the same record, which means the handshake will
    process the two atomically. Instead, I've tested this in runner, with a
    flag to partially drive the handshake before reading early data.
    
    I've also tweaked the logic to hopefully be a little clearer.
    
    Bug: chromium:1208784
    Change-Id: Ia4901042419c5324054f97743bd1aac59ebf8f24
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47485
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 14, 2021
    ddecaab

Commits on May 18, 2021

  1. Make X509_REQ and X509_REQ_INFO opaque.

    We can unexport the X509_REQ_INFO type entirely. (NB: OpenSSL hasn't
    done this, but has unexported so much of X509_REQ_INFO that it is
    impossible to use what remains anyway.)
    
    Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use
    accessors instead.
    
    Change-Id: I1eea5207b9195c8051d5e467acd63ad5f0caf89d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47564
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 18, 2021
    aaecb82

Commits on May 19, 2021

  1. Remove draft tokbind implementation.

    We didn't end up deploying this. We also never implemented the final
    RFC, so what we do have isn't useful for someone who wishes to deploy
    it anyway.
    
    Update-Note: Token binding APIs are removed.
    Change-Id: Iecea7c3dcf9d3e2644a3b7afaf61511310b45d5f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47584
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 19, 2021
    d89ec68
  2. Add a missing case to SSL_error_description.

    Change-Id: Ib8aaa2b6bfafc88cf51d2ae0f085bb87275a4306
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47585
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 19, 2021
    747229e
  3. fuzz/minimise_corpora.sh: Add shebang and chmod +x

    The script now matches fuzz/refresh_ssl_corpora.sh.
    
    Change-Id: I0089c5091e3e21c5590a73909b05e066fefe4a34
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47604
    Reviewed-by: Adam Langley <[email protected]>
    dmcardle authored and agl committed May 19, 2021
    5e72294

Commits on May 20, 2021

  1. Update the ECH GREASE size selection.

    We misread (or maybe it changed?) the draft padding scheme. The current
    text does not round the whole payload to a multiple of 32, just the
    server name as a fallback. Switch the GREASE size selection to match.
    Although, we may want to change the draft here. See also
    tlswg/draft-ietf-tls-esni#433
    
    While I'm here, update some references from draft-09 to draft-10. Also
    make the comment less verbose.
    
    Bug: 275
    Change-Id: I3c9f34159890bc3b7d71f6877f34b895bc7f9b17
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47644
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed May 20, 2021
    49ee62f

Commits on May 21, 2021

  1. Const-correct SSL_get_srtp_profiles.

    This is part of a very deep dependency chain. I'm sniffing at making all
    the add_clienthello callbacks const. Between HelloVerifyRequest,
    HelloRetryRequest, and soon ECH, we're creating lots of ClientHellos per
    connection. That's probably easiest to manage if constructing a
    ClientHello had no side effects.
    
    Update-Note: The change to the return type isn't quite compatible, but I
    only found one caller of this function, which has since been fixed. (If
    we need to return a non-const value for compatibility, we can do that
    and document that the caller should not mutate the output.)
    
    Change-Id: I21f18f7438920a5b03d874fa548f054af3a42c4a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47664
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 21, 2021
    b778b9c
  2. runner: Reject all zero client and server randoms.

    If we ever forget to fill in the randoms, they'll end up all zero.
    Particularly at the ClientHello, that logic is getting increasingly far
    away from ClientHello serialization, so add a test to make sure we
    notice.
    
    (This will flakily fail with probability 2^-256, which is reasonably
    unlikely.)
    
    Change-Id: I81f32fd96dbccf377cb92198a222b557ab66976b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47665
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 21, 2021
    aef0a88
  3. GREASE is now RFC 8701.

    I forgot to update the references.
    
    Change-Id: I1a746eec13afd9fd1e59ca1824b2dd0f83ff7f74
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47666
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 21, 2021
    3675eb3

Commits on May 24, 2021

  1. Don't try to write empty early data in the tool.

    We'll return 0 and get confused. (Negotiating early data and not using
    it is plausible if, say, the client preconnects but gets a ServerHello
    before any request binds the socket.)
    
    Change-Id: I94d458e18c58223f73c9340cac06e5ec5f8c84a0
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47684
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed May 24, 2021
    ef1d779
  2. Implement fuzzer mode for ECH server.

    Now skipping over HPKE decryption in |ssl_client_hello_decrypt| when
    fuzzer mode is enabled. To improve code coverage, this fuzzer-only logic
    also has the ability to simulate a failed decryption.
    
    As a result of mostly skipping the decryption, we now have to exclude
    "*-ECH-Server-Decline*" tests from running in fuzzer mode. These tests
    rely on the now-broken assumption that decryption will fail when the
    client used an ECHConfig unknown to the server.
    
    Bug: 275
    Change-Id: I759a79c8596897cdd3d3a37e05f2973d47346ef9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47624
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    dmcardle authored and CQ bot account: [email protected] committed May 24, 2021
    4749d8f
  3. Refresh SSL corpora after adding ECH fuzzer mode.

      (cd build_Fuzzer ; cmake -DFUZZ=1 -GNinja .. ; autoninja)
      (cd build_NoFuzzer ; cmake -DFUZZ=1 -DNO_FUZZER_MODE=1 -GNinja .. ; autoninja)
      (cd fuzz ; ./refresh_ssl_corpora.sh ../build_Fuzzer ../build_NoFuzzer)
    
    Bug: 275
    Change-Id: If47c323d07414da290bc492eda41bebc972c01af
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47724
    Reviewed-by: David Benjamin <[email protected]>
    dmcardle authored and davidben committed May 24, 2021
    d13dbf8

Commits on May 25, 2021

  1. Test ECH server with unique and repeated config IDs.

    Also shortens ECH variable names in runner.go.
    
    Bug: 275
    Change-Id: Iaef520ae09eb94f714fbdaa4383d1456add6f113
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47744
    Commit-Queue: Dan McArdle <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    dmcardle authored and CQ bot account: [email protected] committed May 25, 2021
    3dd9864

Commits on May 27, 2021

  1. Don't copy client's session ID into server's session.

    When decrypting a ticket we would copy the client's session ID into the
    session and then copy the session's ID into the ServerHello (if
    resuming). That seems icky. Instead install the same placeholder on the
    server as we do on the client.
    
    Change-Id: Icb50a3be2f05e6428f1b286c8c09015f7bb4af16
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47784
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and CQ bot account: [email protected] committed May 27, 2021
    47cefed

Commits on Jun 1, 2021

  1. Fix array-parameter warnings

    e.g.
    /home/peter/boringssl/crypto/curve25519/curve25519.c:503:57: error: argument 2 of type 'const uint8_t[32]' {aka 'const unsigned char[32'} with mismatched bound [-Werror=array-parameter=]
      503 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) {
          |                                           ~~~~~~~~~~~~~~^~~~~
    In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33:
    /home/peter/boringssl/crypto/curve25519/internal.h:109:58: note: previously declared as 'const uint8_t *' {aka 'const unsigned char *'}
      109 | int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s);
          |                                           ~~~~~~~~~~~~~~~^
    /home/peter/boringssl/crypto/curve25519/curve25519.c:823:57: error: argument 2 of type 'const uint8_t *' {aka 'const unsigned char *'} declared as a pointer [-Werror=array-parameter=]
      823 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
          |                                          ~~~~~~~~~~~~~~~^
    In file included from /home/peter/boringssl/crypto/curve25519/curve25519.c:33:
    /home/peter/boringssl/crypto/curve25519/internal.h:117:56: note: previously declared as an array 'const uint8_t[32]' {aka 'const unsigned char[32]'}
      117 | void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]);
          |                                          ~~~~~~~~~~~~~~^~~~~
    cc1: all warnings being treated as errors
    
    Change-Id: I7e9b68fe261a94834f519057adb6ff90c0cb73cf
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47805
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    pefoley2 authored and CQ bot account: [email protected] committed Jun 1, 2021
    Commit 92c6fbf
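The warning quoted above fires when a header declares a parameter as `const uint8_t *` while the definition spells it `const uint8_t s[32]` (or the other way round). The block below is an added illustration, not code from this BoringSSL change: it keeps the bound identical in prototype and definition, which is all GCC's -Warray-parameter asks for, and, because a bound on a parameter enforces nothing at run time (the parameter decays to a pointer), it puts an explicit length check in front of the sized helper. `decode_scalar_le`, `decode_scalar_checked` and the sample bytes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

// Prototype (what a header would carry) and definition (what the .c file
// would carry) spell the parameter the same way, so -Warray-parameter
// stays quiet. Hypothetical function, not BoringSSL's.
int decode_scalar_le(uint32_t out[8], const uint8_t s[32]);

int decode_scalar_le(uint32_t out[8], const uint8_t s[32]) {
  // The [32] is documentation only: inside the function s is a
  // const uint8_t *, and nothing verifies that 32 bytes are present.
  for (size_t i = 0; i < 8; i++) {
    out[i] = (uint32_t)s[4 * i] | ((uint32_t)s[4 * i + 1] << 8) |
             ((uint32_t)s[4 * i + 2] << 16) | ((uint32_t)s[4 * i + 3] << 24);
  }
  return 1;
}

// Since the bound enforces nothing, code that receives a caller-supplied
// buffer of unknown size checks the length before calling the sized helper.
int decode_scalar_checked(uint32_t out[8], const uint8_t *s, size_t len) {
  if (s == NULL || len != 32) {
    return 0;
  }
  return decode_scalar_le(out, s);
}

// Constructed sample input (not from the page): bytes 0x00..0x1f.
static void fill_sample(uint8_t s[32]) {
  for (size_t i = 0; i < 32; i++) {
    s[i] = (uint8_t)i;
  }
}

// Decodes the sample and returns little-endian word i (0..7); 0 on error.
uint32_t sample_word(size_t i) {
  uint8_t s[32];
  uint32_t out[8];
  fill_sample(s);
  if (i >= 8 || !decode_scalar_checked(out, s, sizeof(s))) {
    return 0;
  }
  return out[i];
}

// Returns 1 if the checked wrapper rejects a short buffer and a NULL one.
int sample_rejects_bad_input(void) {
  uint8_t s[32];
  uint32_t out[8];
  fill_sample(s);
  return decode_scalar_checked(out, s, 31) == 0 &&
         decode_scalar_checked(out, NULL, 32) == 0;
}

int main(void) {
  printf("word 0 = 0x%08x, word 7 = 0x%08x\n", (unsigned)sample_word(0),
         (unsigned)sample_word(7));
  return sample_rejects_bad_input() ? 0 : 1;
}
```

The length-checked wrapper is the part that matters for memory safety: with or without the warning, the compiler will happily pass a 16-byte buffer to a `[32]` parameter, so the bound is a contract for readers, not a check.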
  2. Ensure name not null in EVP_get_cipherbyname

    This adds a check to EVP_get_cipherbyname which ensures that name
    is not null when passed to OPENSSL_strcasecmp, which cannot handle
    null values.
    
    OpenSSL already ensures this in their implementation of
    EVP_get_cipherbyname by using OBJ_NAME_get, so this improves parity.
    
    Change-Id: Icea45a5da2a7a461d2a65fbfbc84653c4f124dab
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47844
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    codebytere authored and CQ bot account: [email protected] committed Jun 1, 2021
    Commit d4c3f2a
  3. Pull HASH_TRANSFORM out of md32_common.h.

    The macro isn't doing any work here.
    
    Change-Id: Id97dfa4b027407c5e4b3e7eb1586c3c2a2d977d8
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47806
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Jun 1, 2021
    Commit 4320bc4
  4. Make md32_common.h single-included and use an unsized helper for SHA-256.

    Similar to
    https://boringssl-review.googlesource.com/c/boringssl/+/46405,
    SHA256_Final and SHA224_Final hit array size warnings in the new GCC.
    The array sizes are, strictly speaking, purely decoration, but this is a
    good warning so we should be clean with it on.
    
    That same change is difficult to apply to md32_common.h because
    md32_common.h generates the functions for us. md32_common.h is already
    strange in that it is multiply-included and changes behavior based on
    macros defined by the caller.
    
    Instead, replace it with inline functions, which are a bit more
    conventional and typesafe. This allows each hash function to define the
    function prototype. Use this to add an unsized helper for SHA-256.
    
    Bug: 402
    Change-Id: I61bc30fb58c54dd40a55c9b1ebf3fb9adde5e038
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47807
    Reviewed-by: Adam Langley <[email protected]>
    Reviewed-by: Peter Foley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and CQ bot account: [email protected] committed Jun 1, 2021
    Commit 597ffef

Commits on Jun 2, 2021

  1. Add compatibility impl for EVP_PKEY_get0

    Node.js uses EVP_PKEY_get0, which is present in OpenSSL but which
    BoringSSL currently does not export. This CL adds an implementation
    for it, which Electron is currently floating as a patch.
    
    See
    nodejs/node@6a7eb32
    from Node.
    
    Change-Id: I2474cacbd22882355a8037e2033739f7496b21f2
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47824
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    codebytere authored and CQ bot account: [email protected] committed Jun 2, 2021
    Commit cf816d0
  2. Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001).

    Also now that it's finalized, flip the default for
    SSL_set_quic_use_legacy_codepoint.
    
    Update-Note: QUIC APIs now default to the standard code point rather
    than the draft one. QUICHE has already been calling
    SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once
    callers implementing the draft versions cycle out, we can then drop
    SSL_set_quic_use_legacy_codepoint altogether. I've also bumped
    BORINGSSL_API_VERSION in case we end up needing an ifdef.
    
    Change-Id: Id2cab66215f4ad4c1e31503d329c0febfdb4603e
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47864
    Reviewed-by: David Schinazi <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 2, 2021
    Commit a1d3bfb

Commits on Jun 3, 2021

  1. fix #415: Perl scripts fail when building from a path with spaces

    Because file names are not enclosed in quotation marks in the open call.
    
    https://bugs.chromium.org/p/boringssl/issues/detail?id=415
    
    ```
    cmake --build "C:\Projects\ Extern\Visual C++ 2015\x64 Debug\Build\BoringSSL\."
    [9/439] Generating rdrand-x86_64.asm
    FAILED: crypto/fipsmodule/rdrand-x86_64.asm
    cmd.exe /C "cd /D "C:\Projects\ Extern\Visual C++ 2015\x64 Debug\Build\BoringSSL\crypto\fipsmodule" && "C:\Program Files\CMake\bin\cmake.exe" -E make_directory . && C:\Perl64\bin\perl.exe "C:/Projects/ Extern/Source/BoringSSL/crypto/fipsmodule/rand/asm/rdrand-x86_64.pl" nasm rdrand-x86_64.asm"
    Can't open perl script "C:/Projects/": No such file or directory
    error closing STDOUT at C:/Projects/ Extern/Source/BoringSSL/crypto/fipsmodule/rand/asm/rdrand-x86_64.pl line 87.
    ninja: build stopped: subcommand failed.
    ```
    
    Bug: 415
    Change-Id: I83c4a460689b9adeb439425ad390322ae8b2002a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47884
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    florin-crisan authored and CQ bot account: [email protected] committed Jun 3, 2021
    Commit 7a3e801
  2. Remove impossible ssl->s3 null check.

    ssl->s3 is never null. And if it were, we'd have crashed long before.
    
    Change-Id: Idb441c3a91d8c77327a0f9a6d193a64367f347ee
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47904
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit 4848294
  3. DTLS-SRTP is only defined for DTLS.

    This avoids needing to worry about the interaction with renegotiation
    which, in turn, means we can drop the init callback. (If we did support
    DTLS renegotiation, we'd probably want to forbid the parameter from
    changing anyway. Changing your SRTP parameters partway through will
    likely confuse the RTP half of the application anyway.)
    
    Change-Id: Ifef1e9479d9df296b69b0d296f6bef57b13da68e
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47905
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit bc4c91a
  4. Manage Channel ID handshake state better.

    The channel_id_valid bit is both used for whether channel_id is filled
    in (SSL_get_tls_channel_id), and whether this particular handshake will
    eventually negotiate Channel ID.
    
    The former means that, if SSL_get_tls_channel_id is called on the
    client, we'll return all zeros. Apparently we never fill in channel_id
    on the client at all. The latter means the state needs to be reset on
    renegotiation because we do not currently forbid renegotiation with
    Channel ID (we probably should...), which is the last use of the init
    callback for extensions.
    
    Instead, split this into a bit for the handshake and a bit for the
    connection. Note this means we actually do not expose or even retain
    whether Channel ID was used on the client.
    
    This requires a tweak to the handoff logic, but it should be compatible.
    The serialized ssl->s3->channel_id was always a no-op: the handback
    happens before the ChannelID message, except in RSA key exchange. But we
    forbid Channel ID in RSA key exchange anyway.
    
    Update-Note: SSL_get_tls_channel_id will no longer return all zeros
    during the handshake or on the client. I did not find any callers
    relying on this.
    
    Change-Id: Icd4b78dd3f311d1c7dfc1cae7d2b86dc7e327a99
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47906
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit 8acec00
  5. Remove the Channel ID callback.

    The remaining remnants of Channel ID all configure the private key ahead
    of time. Unwind the callback machinery, which cuts down on async points
    and the cases we need to test.
    
    This also unwinds some odd interaction between the callback and
    SSL_set_tls_channel_id_enabled: If a client uses
    SSL_set_tls_channel_id_enabled but doesn't set a callback, the handshake
    would still pause at SSL_ERROR_WANT_CHANNEL_ID_LOOKUP. This is now
    removed, so SSL_set_tls_channel_id_enabled only affects the server and
    SSL_CTX_set1_tls_channel_id only affects the client.
    
    Update-Note: SSL_CTX_set_channel_id_cb is removed.
    SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client,
    only as a server.
    
    Change-Id: I89ded99ca65e1c61b1bc4e009ca0bdca0b807359
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47907
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit b587911
  6. Const-correct message creation hooks.

    Make it a little clearer they shouldn't be updating sequence numbers,
    enqueuing the message, etc. That's left to add_message. (ECH clients
    need to construct a pair of parallel ClientHellos.)
    
    Change-Id: I554a8f200d464727bc219b66931b3d0bae266f76
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47908
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit bcef514
  7. Move ECH-related APIs to encrypted_client_hello.cc.

    Bug: 275
    Change-Id: Ib5804ce3d0a5faff5cf26af544a4afaaf0ad2cc8
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47909
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit da15f29
  8. Reject the ECH extension in TLS 1.2 ServerHello.

    The ECH server extension is defined for TLS 1.3 EncryptedExtensions, not
    TLS 1.2 ServerHello.
    
    Bug: 275
    Change-Id: Ie6e76c238075d70e6a0694ec0192df07da3457d1
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47910
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit 5b7ec83
  9. Add SSL_ech_accepted API and ech_is_required alerts.

    The first thing any deployment will want to monitor is whether ECH was
    actually used. Also it's useful if the command-line tool can output
    this. (The alert is how the client signals it discarded the connection
    due to ECH reject.)
    
    This also disables ECH with the handoff mechanism for now. (The
    immediate cause being that ech_accept isn't serialized.) We'll probably
    need to make some decisions around the ordering here, since ECH affects
    where the true ClientHello is available.
    
    Bug: 275
    Change-Id: Ie4559733290e653a514fcd94431090bf86bc3172
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47911
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 3, 2021
    Commit 3a036c7
  10. Fix ECH-Server-RepeatedConfigID test.

    The test was not actually using a repeated config ID.
    
    Bug: 275
    Change-Id: I69519fde196247abb07dceba1da1bac22188f13f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47912
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 3, 2021
    Commit 88df13d

Commits on Jun 7, 2021

  1. runner: Revise ECHConfig type in preparation for client implementation

    An ECHConfig is like a certificate in that knowing the fields isn't
    sufficient. The exact byte representation is significant. (The ECHConfig
    is bound into the encryption.) But the ECHConfig type only has fields,
    so runner can only represent ECHConfigs that are the output of our
    serialization function.
    
    This matters less as a client testing a server because the server can
    only parse ECHConfigs with fields we support. But as a server testing a
    client, we need to see how the client reacts to extra extensions, etc.
    
    Just using []byte to represent ECHConfigs is inconvenient, so instead
    pattern this after x509.Certificate: you can parse one from a byte
    string (not currently included since we don't need it yet), or you can
    construct a new one from a template with the fields you want.
    
    Bug: 275
    Change-Id: I6602d0780b1cef12b6c4b442999bdff7b3d7dd70
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47964
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 7, 2021
    Commit 1241228
  2. runner: Make echIsInner a boolean.

    Having the nil vs. non-nil []byte for the sake of a couple tests with
    invalid payloads is tedious. Use separate fields instead.
    
    Bug: 275
    Change-Id: I557d914d60ce94d68796c05162ff3dd2ab7684db
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47965
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 7, 2021
    Commit 00bccd6
  3. runner: Parse the status_request extension more strictly.

    Noticed this while I was in the area. We currently use an extremely lax
    parse that even tolerates syntax errors. Instead use a strict parse that
    ensures our client only sends what we expect.
    
    Change-Id: Ifb0e1e1698489ff217db0c7a0317caa885e20759
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47966
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 7, 2021
    Commit 1f54fd9

Commits on Jun 8, 2021

  1. runner: Implement ECH server for testing.

    This implements draft-ietf-tls-esni-10.
    
    This will be used to test the client implementation. While I'm here,
    I've switched the setup logic in the server tests to use the new
    ServerECHConfig type. I'll probably need to patch in various features
    later for testing, but this should be a usable starting point.
    
    Based on an initial implementation by Dan McArdle in
    https://boringssl-review.googlesource.com/c/boringssl/+/46786
    
    Bug: 275
    Change-Id: I69523cda70c3da2ae505bcab837fd358195fb9e9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47967
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 8, 2021
    Commit 7fffa46

Commits on Jun 9, 2021

  1. Implement a handshake hint for certificate compression.

    While decompression is deterministic, compression is not. New revisions
    of the compression algorithm may start using different (hopefully
    smaller!) compressions. So that this doesn't cause hint mismatches, add a
    certificate compression hint. If the shim's Certificate message matches
    the handshaker, we'll reuse the already compressed message.
    
    This also adds what appears to be a missing test for when the server
    cannot find compression algorithms in common.
    
    Change-Id: Idbedaceb20208463d8f61581ee27971c17fcd126
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48005
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 9, 2021
    Commit 26f186b
  2. Move the early_data_{offered,reason} logic out of extension callbacks.

    ECH requires that we construct two ClientHellos. That means our
    add_clienthello callbacks will need to be called multiple times and
    should be const. (They already are called multiple times for
    HelloRetryRequest, but we currently thread that through the callbacks a
    bit. With ECH, I think we need to make them pure serialization.)
    
    Bug: 275
    Change-Id: I11f8195fd2ec4b8639f0a2af01a24d4974445580
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47984
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 9, 2021
    Commit 4e93cd4
  3. Release some temporaries outside of ClientHello callbacks.

    Also add ECH GREASE state into the mix. Clearing this isn't critical,
    especially now that we have an SSL_HANDSHAKE structure, but it's easy
    enough.
    
    Bug: 275
    Change-Id: If1aa8d5c0c8fdb5af710852778ce452c507a2524
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47985
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 9, 2021
    Commit 6c9758f
  4. Move key_share computation out of ClientHello callbacks.

    Like the early_data CL, this does shift a bit of logic that was
    previously hidden away in the callbacks. For key_share, this is probably
    a good move independent of ECH. The logic around HRR, etc., was a little
    messy.
    
    Bug: 275
    Change-Id: Iafbcebdf66ce1f7957d798a98ee6b996fff24639
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47986
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 9, 2021
    Commit 97ede40
  5. Remove the extension init hook.

    This is now never used. Instead, we rely on each renegotiation creating
    a new handshake structure with fresh state. This simplifies things for
    ECH.
    
    (We probably could make an init hook work with ECH's two-ClientHello
    scheme by either maintaining separate state per ClientHello or calling
    init once for both ClientHellos. But the few uses of init were
    removable, so this is easier.)
    
    Bug: 275
    Change-Id: Ie5e132fe072e5ea8db21ca16aa53fcd0895d8e48
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47987
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 9, 2021
    Commit 52b3638
  6. Initialize grease_seed on construction.

    This lets ssl_get_grease_value be const. The lazy thing isn't a
    deal-breaker (we only need idempotence, and a non-thread-safe const also
    works fine), but just initializing it earlier seems simpler.
    
    Bug: 275
    Change-Id: Iad228ea4a9146ede9a3849f3339f7ec9e698e6eb
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47988
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 9, 2021
    Commit 33e8c78
  7. Pick up the GREASE ECH config ID from grease_seed.

    This avoids an unnecessary one-byte RAND_bytes call.
    
    Bug: 275
    Change-Id: Idf5bfb17401441f2af7b3c784f7b5d876d005165
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47989
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 9, 2021
    Commit 43ab56c
  8. Compute the ECH GREASE payload outside of the callbacks.

    This is kinda annoying and, like the grease_seed, demonstrates a
    shortcoming with the idea of making add_clienthello completely const.
    Strictly speaking, we only need idempotence. But I think this is okay:
    const is much easier to enforce than idempotence, and we'll likely need
    to do this anyway:
    
    - While not in the current draft, I expect the draft's eventual HRR
      resolution to retain the ECH extension, GREASE or not, on ECH reject.
      Things are somewhat violating RFC8446 HRR rules right now. That means
      we'll need to stash the ECH payload regardless.
    
    - ECH binds all the other extensions in the outer ClientHello, so
      computing the payload will need to move outside the callback system
      anyway.
    
    In some sense, all this is shifting our ClientHello output from the
    "immediate mode" end of the spectrum (as we usually use) to the
    "retained mode" end, which I suppose makes sense as this message becomes
    more intricate.
    
    Bug: 275
    Change-Id: I9eb8cd1cde2ce264345b6ed3ee526d4eab81e911
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47990
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 9, 2021
    Commit 246c556

Commits on Jun 10, 2021

  1. Fix documentation typo.

    Change-Id: I80083805a64665f46a6a4d85e1d9d52b1722264d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48025
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit 5fd91db
  2. Make add_clienthello callbacks const.

    This is less effective than it seems because
    ((const SSL_HANDSHAKE*)hs)->ssl and ((const SSL*)ssl)->s3 are both
    non-const pointers. I considered moving hs->ssl to hs->ssl_ and adding
    const-overloaded accessors, but I'd need to repeat the same with
    ssl->s3, at which point this seemed not worth it yet. Maybe later if we
    rewrite everything to more idiomatic C++.
    
    Bug: 275
    Change-Id: I9912a3df205916fdf2191a3687013d717528038d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47991
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit 14e51ad
  3. Replace hs->needs_psk_binder with an output parameter.

    May not be strictly necessary, but similarly easier to reason about when
    we need to interweave multiple ClientHellos.
    
    Bug: 275
    Change-Id: I9f85787860f3e8ce1653331ce52343d5bf5def23
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47992
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit 5acf9f4
  4. Add move support to EVP_MD_CTX.

    We'll need to maintain two transcripts on the ECH client and then, once
    we know which of ClientHelloOuter or ClientHelloInner is used, overwrite
    the default transcript with the alternate one.
    
    Rather than indirect through a pointer, move support is easy enough.
    Then this can just be hs->transcript = std::move(hs->inner_transcript).
    
    Bug: 275
    Change-Id: Id4b0a0a48b956cd65ce8fc3dacfd16eebe2eb778
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47993
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit e9109cb
  5. Add a note about extension callback names.

    For TLS 1.3, since the bulk of extensions move to EncryptedExtensions,
    we made the extension callbacks apply to EncryptedExtensions and pulled
    the few ServerHello extensions out of the callback system. This means
    the ServerHello naming is a little confusing.
    
    We probably should rename these callbacks, though parse_server is a bit
    ambiguous as to whether this is "parse the extension from the server" or
    "parse as a server". For now, add a comment.
    
    Change-Id: If1aa0846426de2cc8dcb2253695a8dd3285f7b76
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47994
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit 9052286
  6. Shift some complexity out of ssl_add_clienthello_tlsext.

    ssl_add_clienthello_tlsext is about to get kinda messy with ECH. Move
    the padding and GREASE extensions into a few helpers.
    
    Bug: 275
    Change-Id: I3bb702fb79dce4be68490c4a8fd889121ecdae58
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47995
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit fb4d257
  7. Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.

    This makes calls to ssl_add_clienthello_tlsext a hair easier. Also we
    only apply the [256, 511) compatibility hack to TLS, so we can just use
    a constant.
    
    Bug: 275
    Change-Id: Ia2b5192aeef0cd8848ecfa1ea3b89a0a7382ff1a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47996
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit c89ce97
  8. Tidy up the PSK binder logic.

    Computing the binders on ClientHelloInner is a little interesting. While
    I'm in the area, tidy this up a bit. The exploded parameters may as well
    be an SSL_SESSION, and hash_transcript_and_truncated_client_hello can
    just get folded in.
    
    Change-Id: I9d3a7e0ae9f391d6b9a23b51b5d7198e15569b11
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47997
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit b32aa05
  9. Fix ext_pre_shared_key_clienthello_length calculation.

    If we're dropping the PSK extension due to an HRR with mismatched hash
    (looking back at that, we could easily have avoided that nuisance...
    I've filed [0] on rfc8446bis), we don't predict the length correctly.
    The consequence is we don't pad the second ClientHello to the desired
    range. Fix this and add an assert.
    
    [0] tlswg/tls13-spec#1227
    
    Change-Id: I47d880b6bdafa95840f7513b6b7718851f22554d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47998
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit 350fe3b
  10. Don't pad the second ClientHello.

    While the previous CL fixed a bug in computing this padding, we don't
    actually need to pad the second (cleartext) ClientHello anyway. This
    padding is to work around bugs in old F5 and WebSphere servers, which do
    not speak TLS 1.3. Save a few bytes.
    
    Change-Id: I9b5d9bb1c0d880f1b1c9182667a9d3d82588c04c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47999
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit cd89004
  11. runner: Self-check tests more accurately and earlier.

    We didn't correctly handle tests where the versions figure into
    resumeConfig and got by because the test didn't actually check the
    version. Run it more accurately, and check more fields. Also add a
    skipVersionNameCheck option for when the heuristic doesn't work.
    
    (Some of the tests specify a TLS maximum version by passing in all the
    -no-tls1, etc., flags for the other versions. Moreover, some of them
    will set no flags for a maximum of TLS 1.3. Suppress the check on those
    tests.)
    
    Change-Id: I72c069b1baed09e29bf502036957fe0e90edbe60
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48000
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    Commit 0724e3d
  12. Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.

    The old name was really long and a bit tedious to type out.
    
    Bug: 275
    Change-Id: Ie24ef811f9288e619148a2bed36ca34b67af0a3a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48001
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 10, 2021
    c3b373b

Commits on Jun 11, 2021

  1. Make ECH server APIs take EVP_HPKE_KEY.

    Previously we would extract the KEM ID from the ECHConfig and then parse
    the private key using the corresponding KEM type. This CL makes it take
    a prepared EVP_HPKE_KEY and checks it matches. This does require the
    caller pass the key type through externally, which is probably prudent?
    (On the other hand we are still inferring config from the rest of the
    ECHConfig... maybe we can add an API to extract the EVP_HPKE_KEM from a
    serialized ECHConfig if it becomes a problem. I could see runner or tool
    wanting that out of convenience.)
    
    The immediate motivation is to add APIs to programmatically construct
    ECHConfigs. I'm thinking we can pass a const EVP_HPKE_KEY * to specify
    the key, at which point it's weird for SSL_ECH_KEYS_add to look
    different.
    
    Bug: 275
    Change-Id: I2d424323885103d3fe0a99a9012c160baa8653bd
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48002
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 11, 2021
    c890ae5
  2. Add a basic API to make ECHConfigs.

    We'll probably need to make this more complex later, but this should be
    a start. I had hoped this would also simplify tests, but MakeECHConfig()
    was still needed to generate weird inputs for tests. I've instead tidied
    that up a bit with a params structure. Now the only hard-coded ECHConfig
    in tests is to check the output of the new API.
    
    Bug: 275
    Change-Id: I640a224fb4b7a7d20e8a2cd7a1e75d1e3fe69936
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48003
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 11, 2021
    24545c5
  3. Add most of an ECH client implementation.

    Based on an initial implementation by Dan McArdle at
    https://boringssl-review.googlesource.com/c/boringssl/+/46784
    
    This CL contains most of a client implementation for
    draft-ietf-tls-esni-10. The pieces missing so far, which will be done in
    follow-up CLs are:
    
    1. While the ClientHelloInner is padded, the server Certificate message
       is not. I'll add that once we resolve the spec discussions on how to
       do that. (We were originally going to use TLS record-level padding,
       but that doesn't work well with QUIC.)
    
    2. The client should check the public name is a valid DNS name before
       copying it into ClientHelloOuter.server_name.
    
    3. The ClientHelloOuter handshake flow is not yet implemented. This CL
       can detect when the server selects ClientHelloOuter, but for now the
       handshake immediately fails. A follow-up CL will remove that logic
       and instead add the APIs and extra checks needed.
    
    Otherwise, this should be complete, including padding and compression.
    
    The main interesting point design-wise is that we run through
    ClientHello construction multiple times. We need to construct
    ClientHelloInner and ClientHelloOuter. Then each of those has slight
    variants: EncodedClientHelloInner is the compressed form, and
    ClientHelloOuterAAD just has the ECH extension erased to avoid a
    circular dependency.
    
    I've computed ClientHelloInner and EncodedClientHelloInner concurrently
    because the compression scheme requires shifting the extensions around
    to be contiguous. However, I've computed ClientHelloOuterAAD and
    ClientHelloOuter by running through the logic twice. This probably can
    be done better, but the next draft revises the construction anyway, so
    I'm thinking I'll rework it then. (In the next draft, we use a
    placeholder payload of the same length, so we can construct the
    ClientHello once and fill in the payload.)
    
    Additionally, now that we have a client available in ssl_test, this adds
    a threading test to confirm that SSL_CTX_set1_ech_keys is properly
    synchronized. (Confirmed that, if I drop the lock in
    SSL_CTX_set1_ech_keys, TSan notices.)
    
    Change-Id: Icaff68b595035bdcc73c468ff638e67c84239ef4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48004
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 11, 2021
    83a4993

Commits on Jun 14, 2021

  1. Remove outdated comment in primality testing.

    This comment dates to SSLeay. It appears to be describing the
    incremental trial division strategy where they would pick a starting
    candidate, compute moduli by small primes, and then update by
    incrementing the candidate and saved moduli instead of dividing from
    scratch. We use a simpler rejection sampling strategy.
    
    Change-Id: If2203d616f2b1f632bcd7033ceb60a83d1b75674
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48047
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 14, 2021
    878795c
  2. runner: Check the test name against the protocol being tested.

    This would have caught an issue with some tests I was working on. It
    also catches an issue with some per-message tests, so fix those.
    
    Change-Id: I6b3ad8e0db0b1a6ccac4b346dcc652b16b73e006
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48046
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 14, 2021
    5358cb5
  3. Add an option to permute ClientHello extension order.

    Although not permitted by the TLS specification, systems sometimes
    ossify TLS extension order, or byte offsets of various fields. To
    keep the ecosystem healthy, add an API to reorder ClientHello
    extensions.
    
    Since ECH, HelloRetryRequest, and HelloVerifyRequest are sensitive to
    extension order, I've implemented this by per-connection permutation of
    the indices in the kExtensions structure. This ensures that all
    ClientHellos within a connection are consistently ordered. As follow-up
    work, permuting the other messages would also be nice, though any server
    messages would need to be incorporated in handshake hints.
    
    Change-Id: I18ce39b4df5ee376c654943f07ec26a50e0923a9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48045
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 14, 2021
    e9c5d72

Commits on Jun 16, 2021

  1. More reliably report handshake errors through SSL_write.

    This CL fixes a couple of things. First, we never tested that SSL_write
    refuses to write application data after a fatal alert, so add some tests
    here. With those tests, we can revise some of this logic:
    
    Next, this removes the write_shutdown check in SSL_write and instead
    relies on the lower-level versions of the check in the write_app_data,
    etc., hooks. This improves error-reporting on handshake errors:
    
    We generally try to make SSL_do_handshake errors sticky, analogous to
    handshakeErr in the Go implementation. SSL_write and SSL_read both
    implicitly call SSL_do_handshake. Callers driving the two in parallel
    will naturally call SSL_do_handshake twice. Since the error effectively
    applies to both operations, we save and replay handshake errors
    (hs->error).
    
    Handshake errors typically come with sending alerts, which also sets
    write_shutdown so we don't try to send more data over the channel.
    Checking this early in SSL_write means we don't get a chance to replay
    the handshake error. So this CL defers it, and the test ensures we still
    ultimately get it right.
    
    Finally, https://crbug.com/1078515 is a particular incarnation of this.
    If the server enables 0-RTT and then reverts to TLS 1.2, clients need
    to catch the error and retry. There, deferring the SSL_write check
    isn't sufficient, because the can_early_write bit removes the write
    path's dependency on the handshake, so we don't call into
    SSL_do_handshake at all.
    
    For now, I've made this error path clear can_early_write. I suspect
    we want it to apply to all handshake errors, though it's weird because
    the handshake error is effectively a read error in 0-RTT. We don't
    currently replay record decryption failures at SSL_write, even though
    those also send a fatal alert and thus break all subsequent writes.
    
    Bug: chromium:1078515
    Change-Id: Icdfae6a8f2e7c1b1c921068dca244795a670807f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48065
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 16, 2021
    9734e44
  2. Add util/fetch_ech_config_list.go

    I wrote this tool to make it easier to test the ECH client against
    real-world servers with the bssl client tool. I found that manually
    extracting an ECHConfigList from a raw HTTPS record is unnecessarily
    painful.
    
    The tool queries DNS over UDP for HTTPS records. If it finds any HTTPS
    records in the response, it attempts to extract an ECHConfigList from
    the "ech" SvcParam. It can write each extracted ECHConfigList to a file
    in a given directory. Once the ECH client implementation lands, the bssl
    client tool should have a new flag that takes the path to an
    ECHConfigList file.
    
    I am using golang.org/x/net/dns/dnsmessage to parse the DNS response. I
    recently added the |UnknownResource| type to this library to enable
    callers (like us) to extract the bytes of otherwise-unsupported records
    (like HTTPS). I updated the dependency with `go get -u golang.org/x/net`.
    
    Although the bssl client tool knows how to resolve the address of its
    "-connect" parameter, it is difficult to query HTTPS records in a
    platform-agnostic way. If we decide the bssl client should directly
    query HTTPS rather than leaning on fetch_ech_config_list.go, we should
    look into libresolv. Specifically, the |res_query| function enables the
    caller to query arbitrary record types. This may open its own can of
    cross-platform worms; macOS and Linux typically ship with different
    implementations and it is not available on Windows. For more info, see
    `man 3 resolver`.
    
    Bug: 275
    Change-Id: I705591658921f60a958164a18b68ffb697c2ea4b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44104
    Reviewed-by: David Benjamin <[email protected]>
    dmcardle authored and davidben committed Jun 16, 2021
    160a889
  3. Revert "Add util/fetch_ech_config_list.go"

    This reverts commit 160a889.
    
    Reason for revert: This broke go.sum on CI for some reason. Will fix
    and reland.
    
    Original change's description:
    > Add util/fetch_ech_config_list.go
    >
    > I wrote this tool to make it easier to test the ECH client against
    > real-world servers with the bssl client tool. I found that manually
    > extracting an ECHConfigList from a raw HTTPS record is unnecessarily
    > painful.
    >
    > The tool queries DNS over UDP for HTTPS records. If it finds any HTTPS
    > records in the response, it attempts to extract an ECHConfigList from
    > the "ech" SvcParam. It can write each extracted ECHConfigList to a file
    > in a given directory. Once the ECH client implementation lands, the bssl
    > client tool should have a new flag that takes the path to an
    > ECHConfigList file.
    >
    > I am using golang.org/x/net/dns/dnsmessage to parse the DNS response. I
    > recently added the |UnknownResource| type to this library to enable
    > callers (like us) to extract the bytes of otherwise-unsupported records
    > (like HTTPS). I updated the dependency with `go get -u golang.org/x/net`.
    >
    > Although the bssl client tool knows how to resolve the address of its
    > "-connect" parameter, it is difficult to query HTTPS records in a
    > platform-agnostic way. If we decide the bssl client should directly
    > query HTTPS rather than leaning on fetch_ech_config_list.go, we should
    > look into libresolv. Specifically, the |res_query| function enables the
    > caller to query arbitrary record types. This may open its own can of
    > cross-platform worms; macOS and Linux typically ship with different
    > implementations and it is not available on Windows. For more info, see
    > `man 3 resolver`.
    >
    > Bug: 275
    > Change-Id: I705591658921f60a958164a18b68ffb697c2ea4b
    > Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44104
    > Reviewed-by: David Benjamin <[email protected]>
    
    [email protected],[email protected]
    
    Change-Id: Iec36265dfa3b7c59eb811ed708219bfebb07a710
    No-Presubmit: true
    No-Tree-Checks: true
    No-Try: true
    Bug: 275
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48105
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 16, 2021
    9a5abe0
  4. Reland "Add util/fetch_ech_config_list.go"

    This is a reland of 160a889 with go.mod
    and go.sum fixed. This updates golang.org/x/crypto, adds the latest
    golang.org/x/net as a direct dependency (it was previously an indirect
    dependency via x/crypto), and cleans up stale entries from go.sum with
    go mod tidy.
    
    Original change's description:
    > Add util/fetch_ech_config_list.go
    >
    > I wrote this tool to make it easier to test the ECH client against
    > real-world servers with the bssl client tool. I found that manually
    > extracting an ECHConfigList from a raw HTTPS record is unnecessarily
    > painful.
    >
    > The tool queries DNS over UDP for HTTPS records. If it finds any HTTPS
    > records in the response, it attempts to extract an ECHConfigList from
    > the "ech" SvcParam. It can write each extracted ECHConfigList to a file
    > in a given directory. Once the ECH client implementation lands, the bssl
    > client tool should have a new flag that takes the path to an
    > ECHConfigList file.
    >
    > I am using golang.org/x/net/dns/dnsmessage to parse the DNS response. I
    > recently added the |UnknownResource| type to this library to enable
    > callers (like us) to extract the bytes of otherwise-unsupported records
    > (like HTTPS). I updated the dependency with `go get -u golang.org/x/net`.
    >
    > Although the bssl client tool knows how to resolve the address of its
    > "-connect" parameter, it is difficult to query HTTPS records in a
    > platform-agnostic way. If we decide the bssl client should directly
    > query HTTPS rather than leaning on fetch_ech_config_list.go, we should
    > look into libresolv. Specifically, the |res_query| function enables the
    > caller to query arbitrary record types. This may open its own can of
    > cross-platform worms; macOS and Linux typically ship with different
    > implementations and it is not available on Windows. For more info, see
    > `man 3 resolver`.
    >
    > Bug: 275
    > Change-Id: I705591658921f60a958164a18b68ffb697c2ea4b
    > Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/44104
    > Reviewed-by: David Benjamin <[email protected]>
    
    Bug: 275
    Change-Id: I9571e96c7a2ad7e239d86a353929a4e556d71287
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48106
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    dmcardle authored and Boringssl LUCI CQ committed Jun 16, 2021
    995574c
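The fetch_ech_config_list.go commit above extracts an ECHConfigList from the "ech" SvcParam of an HTTPS record. The following is an added example of that extraction step written in C (the tool itself is Go, and this is not the tool's code or any BoringSSL code): it walks the RDATA of an HTTPS record, skips the SvcPriority and TargetName, iterates the SvcParams, and returns the value under key 5 ("ech") after checking that it carries a well-formed 2-byte length prefix. The sample RDATA bytes are constructed for this example; the ECHConfigList body in them is placeholder data, not a real config.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SvcParamKey number for "ech" in the SVCB/HTTPS parameter registry. */
#define SVCPARAM_KEY_ECH 5

static int read_u16(const uint8_t *p, size_t len, size_t *pos, uint16_t *out) {
  if (len - *pos < 2) {
    return 0;
  }
  *out = (uint16_t)((p[*pos] << 8) | p[*pos + 1]);
  *pos += 2;
  return 1;
}

/* Skips the uncompressed wire-format TargetName: length-prefixed labels
 * terminated by a zero-length label. Compression pointers are not allowed
 * in SVCB TargetName, so any label length above 63 is malformed. */
static int skip_name(const uint8_t *p, size_t len, size_t *pos) {
  for (;;) {
    if (*pos >= len) {
      return 0;
    }
    uint8_t label_len = p[(*pos)++];
    if (label_len == 0) {
      return 1;
    }
    if (label_len > 63 || len - *pos < label_len) {
      return 0;
    }
    *pos += label_len;
  }
}

/* Walks the SvcParams of an HTTPS record's RDATA and returns the value of the
 * "ech" parameter (a serialized ECHConfigList). Returns 1 on success and 0 if
 * the parameter is absent or the RDATA is malformed. */
int https_rdata_get_ech(const uint8_t *rdata, size_t len,
                        const uint8_t **out, size_t *out_len) {
  size_t pos = 0;
  uint16_t priority, prev_key = 0;
  int have_prev = 0;
  if (!read_u16(rdata, len, &pos, &priority) || !skip_name(rdata, len, &pos)) {
    return 0;
  }
  if (priority == 0) {
    return 0; /* AliasMode records carry no SvcParams. */
  }
  while (pos < len) {
    uint16_t key, vlen;
    if (!read_u16(rdata, len, &pos, &key) ||
        !read_u16(rdata, len, &pos, &vlen) || len - pos < vlen) {
      return 0;
    }
    /* Keys must appear in strictly increasing order; anything else is malformed. */
    if (have_prev && key <= prev_key) {
      return 0;
    }
    prev_key = key;
    have_prev = 1;
    if (key == SVCPARAM_KEY_ECH) {
      /* An ECHConfigList is itself a 2-byte length-prefixed vector; require the
       * prefix to match so callers never hand a truncated list to the parser. */
      if (vlen < 2 || (size_t)((rdata[pos] << 8) | rdata[pos + 1]) != vlen - 2) {
        return 0;
      }
      *out = rdata + pos;
      *out_len = vlen;
      return 1;
    }
    pos += vlen;
  }
  return 0;
}

/* Constructed sample RDATA: priority 1, TargetName ".", alpn=h2, and an "ech"
 * parameter whose list contents are placeholder bytes, not a real ECHConfig. */
static const uint8_t kSampleRdata[] = {
    0x00, 0x01,                              /* SvcPriority = 1 (ServiceMode) */
    0x00,                                    /* TargetName = "." */
    0x00, 0x01, 0x00, 0x03, 0x02, 'h', '2',  /* key 1 (alpn) = "h2" */
    0x00, 0x05, 0x00, 0x06, 0x00, 0x04,      /* key 5 (ech), 6 bytes: list len 4 */
    0xde, 0xad, 0xbe, 0xef,                  /* placeholder list contents */
};

/* Constructed AliasMode record (priority 0, TargetName "."): no SvcParams. */
static const uint8_t kAliasRdata[] = {0x00, 0x00, 0x00};

/* Convenience wrapper: length of the extracted ECHConfigList, or -1 on failure. */
long sample_ech_len(const uint8_t *rdata, size_t len) {
  const uint8_t *ech;
  size_t ech_len;
  return https_rdata_get_ech(rdata, len, &ech, &ech_len) ? (long)ech_len : -1;
}

int main(void) {
  printf("ech value length: %ld\n",
         sample_ech_len(kSampleRdata, sizeof(kSampleRdata)));
  return 0;
}
```

The strictly-increasing key check and the inner length check are the two places where a hostile or corrupted DNS answer is rejected before any ECH code sees it; the same record truncated by one byte fails the bounds check rather than yielding a short list.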

Commits on Jun 18, 2021

  1. Reformat x509_vfy.h and convert comments.

    Ran clang-format and util/convert_comments.go.
    
    Change-Id: I6d95c51a305b3590e77aea050cbe3ec5de5cc4d2
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48125
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 18, 2021
    6d3d069
  2. Move crypto/x509/vpm_int.h into internal.h.

    Change-Id: Ia8016763a2aa2fff85a3abc59f3d5593ca26081b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48126
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 18, 2021
    36ea4d1
  3. Make X509_VERIFY_PARAM opaque.

    Update-Note: Use setters instead of configuring X509_VERIFY_PARAM
    directly.
    
    Change-Id: I03ba0d17acc09604c1c20bf8f682e7bbc5642310
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48127
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 18, 2021
    58abd2e
  4. Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.

    See also upstream's 9689a6aeed4ef7a2357cb95191b4313175440e4c.
    X509_VERIFY_PARAM_ID made sense as a separate structure when
    X509_VERIFY_PARAM was public, but now the struct is unexported.
    
    Change-Id: I93bac64d33b76aa020fae07bba71b04f1505fdc4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48128
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 18, 2021
    869bf9f
  5. Validate ECH public names.

    This was added in draft-11, which I'll update to more broadly in a
    follow-up CL. This is an easily separable component: we don't want to
    allow the DNS to arbitrarily insert strings in the ClientHello, so
    invalid public names are rejected.
    
    Unfortunately, we have a bit of a mess because DNS syntax does not
    exclude IPv4 literals, yet everyone sticks DNS and IP literals in the
    same string. The RFC3986 rules are alright, but don't match reality.
    Reality is (probably?) the WHATWG rules, which are a mess.
    
    The load-bearing bit of the spec is that, at certificate verification,
    you should reject whatever strings your application refuses to represent
    as a DNS name. I'll have Chromium call into its URL parser.
    
    https://www.ietf.org/archive/id/draft-ietf-tls-esni-11.html#section-6.1.4.3-3
    
    But there's still a bit at the validation step where clients "SHOULD"
    run the IPv4 parser. In case downstream logic forgets, I've gone ahead
    and implemented the WHATWG IPv4 parser.
    
    https://www.ietf.org/archive/id/draft-ietf-tls-esni-11.html#section-4-6.6.1
    
    Bug: 275
    Change-Id: I15aa1ac0391df9c3859c44b8a259296e1907b7d4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48085
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 18, 2021
    9cbe737
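The "Validate ECH public names" commit above rejects public names that are not a dot-separated sequence of LDH labels and, per the draft's SHOULD, names the WHATWG IPv4 parser would treat as an address. The following is an added example of such a check in C; it is not BoringSSL's implementation. It makes one simplification, stated here as an assumption: instead of running the full WHATWG IPv4 parser it applies the WHATWG "ends in a number" test to the last label, because a host that ends in a number is either parsed as an IPv4 address or is a parse failure, and in both cases it is not an acceptable DNS-style public name. The function names and test strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_digit(char c) { return c >= '0' && c <= '9'; }
static int is_alpha(char c) {
  return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}
static int is_hex(char c) {
  return is_digit(c) || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
}

/* WHATWG "ends in a number" test applied to the final label: all ASCII
 * digits, or "0x"/"0X" followed by zero or more hex digits. If this is true,
 * the WHATWG host parser hands the whole string to its IPv4 parser, which
 * either yields an IP address or fails; either way it is not a DNS name. */
static int label_ends_in_number(const char *label, size_t len) {
  size_t i;
  int all_digits = len > 0;
  for (i = 0; i < len; i++) {
    if (!is_digit(label[i])) {
      all_digits = 0;
      break;
    }
  }
  if (all_digits) {
    return 1;
  }
  if (len >= 2 && label[0] == '0' && (label[1] == 'x' || label[1] == 'X')) {
    for (i = 2; i < len; i++) {
      if (!is_hex(label[i])) {
        return 0;
      }
    }
    return 1;
  }
  return 0;
}

/* Returns 1 if |name| is a non-empty, dot-separated sequence of LDH labels
 * (letters, digits, hyphen; no leading or trailing hyphen; 1..63 octets each)
 * with no leading, trailing or empty label, and whose last label does not
 * look numeric to the WHATWG parser. Returns 0 otherwise. */
int ech_public_name_is_valid(const char *name, size_t len) {
  size_t start = 0;
  if (len == 0) {
    return 0;
  }
  for (;;) {
    const char *dot = memchr(name + start, '.', len - start);
    size_t end = dot ? (size_t)(dot - name) : len;
    size_t label_len = end - start, i;
    /* An empty label covers a leading dot, a trailing dot and "a..b". */
    if (label_len == 0 || label_len > 63) {
      return 0;
    }
    if (name[start] == '-' || name[end - 1] == '-') {
      return 0;
    }
    for (i = start; i < end; i++) {
      if (!(is_alpha(name[i]) || is_digit(name[i]) || name[i] == '-')) {
        return 0;
      }
    }
    if (dot == NULL) {
      return !label_ends_in_number(name + start, label_len);
    }
    start = end + 1;
  }
}

/* NUL-terminated convenience wrapper. */
int public_name_ok(const char *name) {
  return ech_public_name_is_valid(name, strlen(name));
}

int main(void) {
  const char *samples[] = {"public.example", "192.0.2.1", "example.0x1",
                           "-a.example", "example."};
  size_t i;
  for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    printf("%-16s %s\n", samples[i], public_name_ok(samples[i]) ? "ok" : "rejected");
  }
  return 0;
}
```

Note that only the last label decides the IPv4 question, so "1.example" is accepted while "example.1" is rejected; that matches how the WHATWG parser decides whether to treat a host as an address.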

Commits on Jun 21, 2021

  1. Fix a -Wdeprecated-copy warning.

    Bug: chromium:1221591
    Change-Id: Ie8335e53b107ba019a1bde62c12f846802e056c5
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48165
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    pkasting authored and Boringssl LUCI CQ committed Jun 21, 2021
    f315a86
  2. Prefix and unexport a2i_ipadd.

    This is a bit short of a name to take, and no one seems to be using
    it. (OpenSSL has renamed it, but not unexported it.)
    
    Change-Id: I0de74d4d4812678ac3b1ec4b1b126a7748fe952b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48129
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 21, 2021
    f25ada3
  3. Rename t1_lib.cc to extensions.cc.

    This is a bit more self-explanatory, especially now that TLS 1.0 is the
    minimum version we implement anyway.
    
    Change-Id: Ic65e9f90bb5cd747328bd9e30b976d1e124c7764
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48130
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 21, 2021
    ec552ca

Commits on Jun 22, 2021

  1. Unexport almost all of LHASH.

    The one place where LHASH_OF(T) appears in public APIs is
    X509V3_EXT_conf_nid. This is only ever called with conf = NULL, but
    cryptography.io needs to utter the type name as part of bindings. Thus
    this CL keeps DECLARE_LHASH_OF and LHASH_OF macros public and the others
    private.
    
    Update-Note: BoringSSL no longer provides a general-purpose hash table
    to callers. Use the language's standard library, or another
    implementation.
    
    Change-Id: Ibfc65c4b4bf35abf5b1919658d0c52e4004e6629
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48205
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 22, 2021
    7f85116
  2. Prefix internal LHASH functions.

    lh_new is a very short name to be claiming.
    
    Change-Id: I529f5063f9afae56fdb532ae4f4b91bb807322f6
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48206
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 22, 2021
    ec8c67d
  3. Remove lh_FOO_doall.

    This is not exported, and lh_FOO_doall_arg is sufficient.
    
    Change-Id: I251a4490577cbde71e09470f5a8898e3c8a457ce
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48207
    Reviewed-by: Adam Langley <[email protected]>
    davidben committed Jun 22, 2021
    cafb992
  4. Compute ASN.1 BIT STRING sizes more consistently.

    OpenSSL's BIT STRING representation has two modes, one where it
    implicitly trims trailing zeros and the other where the number of unused
    bits is explicitly set. This means logic in ASN1_item_verify, or
    elsewhere in callers, that checks flags and ASN1_STRING_length is
    inconsistent with i2c_ASN1_BIT_STRING.
    
    Add ASN1_BIT_STRING_num_bytes for code that needs to deal with X.509
    using BIT STRING for some fields instead of OCTET STRING. Switch
    ASN1_item_verify to it. Some external code does this too, so export it
    as public API.
    
    This is mostly a theoretical issue. All parsed BIT STRINGS use explicit
    byte strings, and there are no APIs (apart from not-yet-opaquified
    structs) to specify the ASN1_STRING in X509, etc., structures. We
    intentionally made X509_set1_signature_value, etc., internally construct
    the ASN1_STRING. Still having an API is more consistent and helps nudge
    callers towards rejecting excess bits when they want bytes.
    
    It may also be worth a public API for consistently accessing the bit
    count. I've left it alone for now because I've not seen callers that
    need it, and it saves worrying about bytes-to-bits overflows.
    
    This also fixes a bug in the original version of the truncating logic
    when the entire string was all zeros, and const-corrects a few
    parameters.
    
    Change-Id: I9d29842a3d3264b0cde61ca8cfea07d02177dbc2
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48225
    Commit-Queue: David Benjamin <[email protected]>
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 22, 2021
    5206782
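The BIT STRING commit above describes two representations (implicit trailing-zero trimming versus an explicit unused-bit count) and why a check based on flags plus ASN1_STRING_length disagrees with what i2c_ASN1_BIT_STRING emits. The following added example models that disagreement in C; it is not BoringSSL's ASN1_BIT_STRING_num_bytes and the bit_string struct, the BITS_LEFT flag value and the sample strings are constructed for this example. naive_num_bytes() is the inconsistent check, encoded_form() computes what the encoder would actually write, and whole_bytes() follows the contract the message describes: report a byte count only when the value is a whole number of bytes, including the all-zeros case the message mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for ASN1_STRING_FLAG_BITS_LEFT: when set, the low three
 * bits of |flags| hold the number of unused bits in the final byte. When clear,
 * the encoder infers the bit count by trimming trailing zero bytes and bits. */
#define BITS_LEFT 0x08

typedef struct {
  const uint8_t *data;
  size_t length;
  unsigned flags;
} bit_string; /* constructed model, not the real ASN1_BIT_STRING */

/* The inconsistent check: treats the stored length as the byte count. */
size_t naive_num_bytes(const bit_string *s) { return s->length; }

/* What a DER encoder following the OpenSSL rules would emit: |*len| bytes
 * with |*unused| padding bits in the last byte. */
static void encoded_form(const bit_string *s, size_t *len, unsigned *unused) {
  if (s->flags & BITS_LEFT) {
    *len = s->length;
    *unused = s->length == 0 ? 0 : (s->flags & 7);
    return;
  }
  /* Implicit mode: trailing zero bytes are dropped, then trailing zero bits of
   * the last remaining byte become the unused-bit count. An all-zero string
   * trims to length zero, which must be handled before touching data[n - 1]. */
  size_t n = s->length;
  unsigned u = 0;
  while (n > 0 && s->data[n - 1] == 0) {
    n--;
  }
  if (n > 0) {
    uint8_t last = s->data[n - 1]; /* non-zero, so the loop terminates */
    while ((last & 1) == 0) {
      last >>= 1;
      u++;
    }
  }
  *len = n;
  *unused = u;
}

/* Byte count if the BIT STRING is a whole number of bytes, otherwise -1. */
long whole_bytes(const bit_string *s) {
  size_t len;
  unsigned unused;
  encoded_form(s, &len, &unused);
  return unused == 0 ? (long)len : -1;
}

/* Constructed samples. */
static const uint8_t kPadded[] = {0x80, 0x00};
static const uint8_t kZeros[] = {0x00, 0x00};
static const uint8_t kAligned[] = {0x04, 0x03};
const bit_string kImplicitPadded = {kPadded, 2, 0};  /* encodes as 1 bit */
const bit_string kImplicitZeros = {kZeros, 2, 0};    /* encodes as 0 bits */
const bit_string kImplicitAligned = {kAligned, 2, 0}; /* encodes as 16 bits */
const bit_string kExplicitPadded = {kPadded, 1, BITS_LEFT | 7}; /* 1 bit */
const bit_string kExplicitAligned = {kPadded, 2, BITS_LEFT | 0}; /* 16 bits */

int main(void) {
  printf("implicit {80 00}: naive=%zu whole=%ld\n",
         naive_num_bytes(&kImplicitPadded), whole_bytes(&kImplicitPadded));
  printf("implicit {00 00}: naive=%zu whole=%ld\n",
         naive_num_bytes(&kImplicitZeros), whole_bytes(&kImplicitZeros));
  printf("explicit {80 00}, 0 unused: whole=%ld\n", whole_bytes(&kExplicitAligned));
  return 0;
}
```

The instructive pair is {0x80, 0x00} with and without the explicit flag: the same two bytes are a 16-bit value in explicit mode but a single set bit in implicit mode, so any code that wants an OCTET STRING-like byte count has to go through the encoder's rules rather than the stored length.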

Commits on Jun 23, 2021

  1. Const-correct ASN1_item_verify a bit more.

    Change-Id: I188feff6d62986554e34a10d148108b19a4eae0b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48226
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    5f8c681
  2. Document ASN1_STRING_to_UTF8.

    We already had a test, but move it to asn1_test.cc since it's part of
    the ASN.1 library. Also, since it's easy, test it using public APIs
    rather than stack-allocating an ASN1_STRING.
    
    Change-Id: Ic77494e6c8f74584d159a600e334416197761475
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48227
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    87be659
  3. Document some ASN1_INTEGER and ASN1_ENUMERATED functions.

    Change-Id: If192e1f77d93a216e964b5422cb7d13d153ac328
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48228
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    b147c99
  4. Remove old ASN.1 SET macros.

    These macros aren't consumed by anything anymore.
    
    Change-Id: Id9616fa0962ae0dbf27bc884c6883dcad9755eb2
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48229
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    479adf9
  5. runner: Fix process exit timeout.

    I flipped the boolean in
    https://boringssl-review.googlesource.com/c/boringssl/+/41864 and
    applied a timeout in the wrong cases.
    
    Change-Id: I0ea963add45ae627a039f619904dc713d8b0cbf0
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48185
    Reviewed-by: Adam Langley <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    c41a3a9
  6. runner: Clean up test logic.

    This addresses some feedback in
    https://boringssl-review.googlesource.com/c/boringssl/+/48131/1/ssl/test/runner/runner.go#1555,
    pulled into a separate CL for clarity:
    
    First, take the listener, waitChan, exec.Cmd trio and wrap them into a
    shimProcess type. shimProcess is now responsible for the -port flag, so
    it can manage the TCPListener internally.
    
    Next, take the core test loop and move it into a doExchanges()
    function, so that it can use a more usual early return pattern for
    errors, rather than thread err == nil through all the control flow. With
    shimProcess pulled out, doExchanges() can just take a *shimProcess.
    
    Finally, the unacted-on err variable has gotten very far from where it's
    actually used. Rename it to localErr, to align with our
    expectedLocalError machinery.
    
    Change-Id: I63697a5d79040ad77fa06c125253ec5031aeaf5c
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48186
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    5d224a5
  7. runner: Test that clients actually use renewed tickets.

    Some tests run three connections, resuming a renewed ticket.
    Particularly the way TLS 1.2 ticket renewal works, the client logic
    could accidentally report the old session up to the application. Our
    runner tests would not currently notice (though one of the tests in
    ssl_tests does).
    
    Make runner tests also check this by cycling ticket keys between
    connection attempts. This also makes newSessionsOnResume apply even if
    the test did not specify a resumeConfig.
    
    Change-Id: I95375c01adf6ad62de65ecf8aed3c286a0571875
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48131
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    afa867b
  8. Only clear not_resumable after the handshake.

    In renegotiation handshakes and, later, ECH ClientHelloOuter handshakes,
    we don't want to add sessions to the session cache. We also don't want
    to release a session as resumable until the handshake completes.
    
    Ideally we'd only construct SSL_SESSION at the end of the handshake, but
    existing APIs like SSL_get_session must work mid-handshake, so
    SSL_SESSION is both a handle to immutable resumption state, and a
    container for in-progress connection properties. We manage this with a
    not_resumable flag that's only cleared after the handshake is done and
    the SSL_SESSION finalized.
    
    However, TLS 1.2 ticket renewal currently clears the flag too early and
    breaks the invariant. This won't actually affect renegotiation or
    ClientHelloOuter because those handshakes never resume. Still, we can
    maintain the invariant storing the copy in hs->new_session. Note this
    does sacrifice a different invariant: previously, ssl->session and
    hs->new_session were never set at the same time.
    
    This change also means ssl_update_cache does not need to special-case
    ticket renewal.
    
    Change-Id: I03230cd9c63e5bee6bd60cd05c0439e16533c6d4
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48132
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 23, 2021
    Commit: 10a76ac

Commits on Jun 24, 2021

  1. Reduce bouncing on the cache lock in ssl_update_cache.

    ssl_update_cache takes the cache lock to add to the session cache,
    releases it, and then immediately takes and releases the lock to
    increment handshakes_since_cache_flush. Then, in 1/255 connections, does
    the same thing again to flush stale sessions.
    
    Merge the first two into one lock. In doing so, move ssl_update_cache to
    ssl_session.cc, so it can access a newly-extracted add_session_lock.
    Also remove the mode parameter (the SSL knows if it's a client or
    server), and move the established_session != session check to the
    caller, which more directly knows whether there was a new session.
    
    Also add some TSan coverage for this path in the tests. In an earlier
    iteration of this patch, I managed to introduce a double-locking bug
    because we weren't testing it at all. Confirmed this test catches both
    double-locking and insufficient locking. (It doesn't seem able to catch
    using a read lock instead of a write lock in SSL_CTX_flush_sessions,
    however. I suspect the hash table is distributing the cells each thread
    touches.)
    
    Update-Note: This reshuffles some locks around the session cache.
    (Hopefully for the better.)
    
    Change-Id: I78dca53fda74e036b90110cca7fbcc306a5c8ebe
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48133
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 24, 2021
    Commit: a10017c
  2. runner: Add a convenience function for base64 flags.

    base64.StdEncoding.EncodeToString is very long to write out.
    
    Change-Id: Ie987d483513e4192a31c8562b9cf25e99f8a838b
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48134
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 24, 2021
    Commit: ca7ef8c
  3. Implement ClientHelloOuter handshakes.

    If a client offers ECH, but the server rejects it, the client completes
    the handshake with ClientHelloOuter in order to authenticate retry keys.
    Implement this flow. This is largely allowing the existing handshake to
    proceed, but with some changes:
    
    - Certificate verification uses the other name. This CL routes this up to
      the built-in verifier and adds SSL_get0_ech_name_override for the
      callback.
    
    - We need to disable False Start to pick up server Finished in TLS 1.2.
    
    - Client certificates, notably in TLS 1.3 where they're encrypted,
      should only be revealed to the true server. Fortunately, not sending
      client certs is always an option, so do that.
    
      Channel ID has a similar issue. I've just omitted the extension in
      ClientHelloOuter because it's deprecated and is unlikely to be used
      with ECH at this point. ALPS may be worth some pondering but, the way
      it's currently used, is not sensitive.
    
      (Possibly we should change the draft to terminate the handshake before
      even sending that flight...)
    
    - The session is never offered in ClientHelloOuter, but our internal
      book-keeping doesn't quite notice.
    
    I had to replace ech_accept with a tri-state ech_status to correctly
    handle an edge case in SSL_get0_ech_name_override: when ECH + 0-RTT +
    reverify_on_resume are all enabled, the first certificate verification
    is for the 0-RTT session and should be against the true name, yet we
    have selected_ech_config && !ech_accept. A tri-state tracks when ECH is
    actually rejected. I've maintained this on the server as well, though
    the server never actually cares.
    
    Bug: 275
    Change-Id: Ie55966ca3dc4ffcc8c381479f0fe9bcacd34d0f8
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48135
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jun 24, 2021
    Commit: ba423c9

Commits on Jun 25, 2021

  1. swtb is another AArch64 magic tweak.

    Change-Id: I25dd24d82be3dad4314a350cd32edc06fe9b59c9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48245
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and agl committed Jun 25, 2021
    Commit: b90cddd
  2. SHA-256 is used on AArch64, even if NO_ASM.

    Change-Id: I6cc25dd27e8a6a82821aa370a34fb115c5987f1a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48246
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and agl committed Jun 25, 2021
    Commit: 25d501c
  3. Decorate x509v3_a2i_ipadd declaration as its definition.

    Additionally decorate ipv4_from_asc and ipv6_from_asc with their
    array lengths.
    
    Bug: 419
    Change-Id: I2bce182ac260b071f076434deadab4096d29b2b1
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48265
    Reviewed-by: David Benjamin <[email protected]>
    Commit-Queue: David Benjamin <[email protected]>
    marinelli authored and Boringssl LUCI CQ committed Jun 25, 2021
    Commit: c220b5f

Commits on Jun 29, 2021

  1. Update hpke_test.go.

    Test needs to be updated to reflect 7fffa46.
    
    Change-Id: I0eeb7c1058c57d36939865902ebfac2eaa2ca05d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48305
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and Boringssl LUCI CQ committed Jun 29, 2021
    Commit: 5514476

Commits on Jun 30, 2021

  1. Rename asn1_locl.h to internal.h.

    Match the other internal headers.
    
    Change-Id: I1b8e995b9a59fa02a7e38ee0ec9141e15655071a
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48325
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 30, 2021
    Commit: e3a7bd0
  2. Make ASN1_OBJECT opaque.

    This cleans up the story with
    https://boringssl-review.googlesource.com/c/boringssl/+/46164. None of
    our exported functions mutate ASN1_OBJECTS, with the exception of
    ASN1_OBJECT_free, the object reuse mode of c2i_ASN1_OBJECT, and their
    callers. Those functions check flags to correctly handle static
    ASN1_OBJECTs.
    
    For now, I've kept the struct definition in crypto/asn1 even though
    ASN1_OBJECT is partially in crypto/obj. Since we prefer to cut
    dependencies to crypto/asn1, we probably should rearrange this later.
    
    I've also, for now, kept crypto/asn1/internal.h at C-style comments,
    though our style story here is weird. (Maybe it's time to clang-format
    crypto/asn1 and crypto/x509? Patches from upstream rarely directly apply
    anyway, since we're a mix of 1.0.2 and 1.1.1 in crypto/x509.)
    
    Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
    
    Change-Id: I655e6bd8afda98a2d1e676c3abeb873aa8de6691
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48326
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jun 30, 2021
    Commit: 170045f

Commits on Jul 1, 2021

  1. Add some OpenSSL compatibility aliases.

    EVP_MD_nid, in OpenSSL, is the same as EVP_MD_type. EVP_MD_type seems to
    be the preferred spelling, so put EVP_MD_nid in the deprecated bucket.
    Also add an EVP_MD_do_all alias to EVP_MD_do_all_sorted.
    
    Change-Id: I4e7b800902459ac5cb9ef0df65d73da94afdf927
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48365
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 1, 2021
    Commit: ae7c178

Commits on Jul 2, 2021

  1. conf: don't crash when parsing.

    lh_strhash mapped nullptr to zero.  ec8c67d switched CONF's use to
    OPENSSL_strhash, which crashes on nullptr. But CONF depends on the
    nullptr handling.
    
    Change-Id: I131c752aa089fb99b01c9e406b6994f3a6236976
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48385
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and Boringssl LUCI CQ committed Jul 2, 2021
    Commit: 919a973
  2. conf: fix getting keys from the default section.

    The comments say that this should work, but it didn't. OpenSSL doesn't
    have any documentation about this but from looking at the code it works
    there. (Along with things like magic sections called “ENV” to get
    environment variables, sigh.)
    
    Change-Id: I538fbad57e6af37eee739de6d2643f554bfc5c79
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48386
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and Boringssl LUCI CQ committed Jul 2, 2021
    Commit: 7ada846

Commits on Jul 7, 2021

  1. Document a batch of extension-related functions in x509.h.

    Change-Id: Iaa5971f6a09a4267be95ea1820b72f7b619b53e1
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48366
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 7, 2021
    Commit: 957f23d
  2. Remove X509at_get0_data_by_OBJ.

    This function's behavior differs from all the other lastpos functions.
    It does not appear to be used anywhere, so remove it. (lastpos = -1
    returns the first match, lastpos = -2 additionally fails if there are
    duplicates, lastpos = -3 additionally fails if the attribute is
    multiply-valued.)
    
    Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of
    this function.
    
    Change-Id: I8547bac6626623e43827e2490f04850eb148e317
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48367
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 7, 2021
    Commit: 2cf7a2c
  3. Remove -2 return value from X509*_get_*_by_NID.

    X509*_get_*_by_NID return -1 if the extension was not found, but -2 if
    the NID was invalid. Looking through callers, many check index != -1,
    rather than index < 0. That means, in theory, they'll do the wrong thing
    in some cases.
    
    Realistically, this case is impossible: most callers pass in a constant.
    Even in those that don't, NIDs are a local enum, not standard constants.
    That means hitting this path is almost certainly a programmer error. No
    need to complicate the calling convention for it.
    
    Update-Note: The return value convention of some functions was
    simplified. This is not expected to affect any callers.
    
    Change-Id: If2f5a45c37caccdbfcc3296ff2db6db1183e3a95
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48368
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 7, 2021
    Commit: 62d6ed6

Commits on Jul 9, 2021

  1. Handle the server case in SSL_get0_ech_name_override.

    Found by OSS-Fuzz. This comes up if you enable client certificates and
    the draft ECH implementation on the server.
    
    Bug: 275, oss-fuzz:35815
    Change-Id: I0b4fcc994f7238f8a3cf1f1934672bac0cee0cfb
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48425
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 9, 2021
    Commit: ad5db96
  2. Fix sign bit in BN_div if numerator and quotient alias.

    See also f8fc0e35e0b1813af15887d42e17b7d5537bb86c from upstream, though
    our BN_divs have diverged slightly.
    
    Change-Id: I49fa4f0a5c730d34e6f41f724f1afe3685470712
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48426
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 9, 2021
    Commit: 61a21e7
  3. Remove unused field in X509_NAME_ENTRY.

    This is not used anywhere inside or outside the library.
    
    Update-Note: Removed unused field in struct.
    
    Change-Id: I244d8af819e84412956fecb929678404fdfcc38f
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48427
    Commit-Queue: David Benjamin <[email protected]>
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Boringssl LUCI CQ committed Jul 9, 2021
    Commit: 268a4a6

Commits on Jul 12, 2021

  1. Add a pointer alignment helper function.

    Also use a slightly more conservative pattern. Instead of aligning the
    pointer as a uintptr_t and casting back, compute the offset and advance
    in pointer space. C guarantees that casting from pointer to uintptr_t
    and back gives the same pointer, but general integer-to-pointer
    conversions are generally implementation-defined. GCC does define it in
    the useful way, but this makes fewer dependencies.
    
    Change-Id: I70c7af735e892fe7a8333b78b39d7b1f3f1cdbef
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48405
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and Adam Langley committed Jul 12, 2021
    Commit: ecc301c
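    The offset-then-advance pattern this commit describes, as an added C example (not the BoringSSL helper itself; the function names here are assumed), with the integer round-trip version beside it for comparison:

```c
#include <stddef.h>
#include <stdint.h>

// Added example, not BoringSSL's own helper. Rounds |ptr| up to a multiple of
// |alignment| (a power of two) by computing how many bytes short of the next
// boundary it is and then advancing in pointer space. The only conversion is
// pointer -> uintptr_t, which C defines; no integer is ever cast back to a
// pointer.
static void *align_pointer_example(void *ptr, size_t alignment) {
  if (alignment == 0 || (alignment & (alignment - 1)) != 0) {
    return NULL;  // not a power of two; hypothetical error convention
  }
  uintptr_t offset = (0u - (uintptr_t)ptr) & (alignment - 1);
  return (char *)ptr + offset;
}

// The pattern the commit moves away from, shown for comparison: round the
// integer up and convert back. Works on GCC and Clang, but depends on an
// implementation-defined integer-to-pointer conversion.
static void *align_pointer_via_uintptr(void *ptr, size_t alignment) {
  uintptr_t p = ((uintptr_t)ptr + alignment - 1) & ~(uintptr_t)(alignment - 1);
  return (void *)p;
}

// Returns 1 if |ptr| is a multiple of |alignment| (a power of two).
static int is_aligned(const void *ptr, size_t alignment) {
  return ((uintptr_t)ptr & (alignment - 1)) == 0;
}

// Worked check over every starting offset into a constructed 64-byte buffer:
// the result must be aligned, must not move backwards, must advance fewer
// than |alignment| bytes, and must agree with the integer round-trip version.
static int check_alignment_helper(size_t alignment) {
  static unsigned char buf[64];
  for (size_t i = 0; i + alignment <= sizeof(buf); i++) {
    char *in = (char *)buf + i;
    char *out = (char *)align_pointer_example(in, alignment);
    if (out == NULL || !is_aligned(out, alignment)) return 0;
    if (out < in || (size_t)(out - in) >= alignment) return 0;
    if (out != (char *)align_pointer_via_uintptr(in, alignment)) return 0;
  }
  return 1;
}
```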

Commits on Jul 15, 2021

  1. Switch another malloc to bssl::Array.

    Change-Id: I10eb66f195636a9bf953c841ea13e187e6f94aad
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48506
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 15, 2021
    Commit: b86dcfe
  2. Make X509_CRL opaque.

    Update-Note: Use accessors instead.
    
    Change-Id: I7b41eb7c724d94d3e6d26498063e045a1850c671
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48465
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 15, 2021
    Commit: a5a9b54
  3. Make X509_EXTENSION opaque.

    I've switched a few things to the accessors where it was easy, but
    X509_EXTENSION is, in us and upstream, not const-correct right now, so
    it's a little goofy.
    
    Update-Note: Use X509_EXTENSION_get_* instead.
    Change-Id: Ife9636051a924a950b1c739b7720baf12e35f9c7
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48505
    Reviewed-by: Adam Langley <[email protected]>
    davidben authored and agl committed Jul 15, 2021
    Commit: 94a608a
  4. hrss: use less stack space.

    The stack consumption of the HRSS functions is causing issues in
    stack-constrained environments. Therefore allocate many variables on the
    heap. This means that several HRSS_ functions now allocate, and thus can
    fail, where they couldn't before. Callers that ignore the return value
    and don't have crash-on-failure mallocs will still be safe, although
    things will fail to decrypt later on.
    
    Somehow, this actually makes key generation _faster_ on my machine. (I
    don't know. Better alignment? Fewer L1 collisions?) The other operations
    are slightly slower, as expected.
    
    Before:
    
    Did 17390 HRSS generate operations in 3054088us (5694.0 ops/sec)
    Did 225000 HRSS encap operations in 3000512us (74987.2 ops/sec)
    Did 87000 HRSS decap operations in 3014525us (28860.3 ops/sec)
    
    After:
    
    Did 21300 HRSS generate operations in 3026637us (7037.5 ops/sec)
    Did 221000 HRSS encap operations in 3008911us (73448.5 ops/sec)
    Did 84000 HRSS decap operations in 3007622us (27929.0 ops/sec)
    
    Change-Id: I2312df8909af7d8d250c7c483c65038123f21ad9
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48345
    Commit-Queue: Adam Langley <[email protected]>
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and Boringssl LUCI CQ committed Jul 15, 2021
    Commit: 7153013
  5. Always have CRYPTO_sysrand_for_seed.

    Trusty wants to seed from a different RNG than the one that supplies
    per-draw entropy. This is a no-op change unless you're substituting in
    your own implementations of these functions.
    
    To see that it's a no-op in urandom.c, note that it only changes the
    |seed| argument to |fill_with_entropy|. That causes the value of
    |extra_getrandom_flags_for_seed_bss_get| to be ORed into the flags,
    but that value will always be zero unless it's an Android FIPS build.
    
    Change-Id: Ic8d954df3074559cbf1bfee1ae91a4a2b7e14d9d
    Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48485
    Reviewed-by: David Benjamin <[email protected]>
    Adam Langley authored and agl committed Jul 15, 2021
    Commit: 519c298

Commits on Aug 11, 2021

  1. boringssl upgrade

    baentsch committed Aug 11, 2021
    Commit: 61de933

Commits on Aug 12, 2021

  1. correct test case

    baentsch committed Aug 12, 2021
    Commit: 9853af4
  2. Commit: d282195