author | Tobias Thierer <tobiast@google.com> | 2019-10-09 16:59:06 -0700 |
---|---|---|
committer | android-build-merger <android-build-merger@google.com> | 2019-10-09 16:59:06 -0700 |
commit | 3434ade1730050b73c4e9780103653e8d55feb32 (patch) | |
tree | d745c0835cc8b4175a106373cabf1824abcba406 | |
parent | eafc5bb83b5600d6dd4321f1319f772c513df258 (diff) | |
parent | df64c91709705551026e3d1585a4b6300f7d8939 (diff) | |
external/boringssl: Sync to 56b6c714c9cae5963681ed9dd9f6cabf294e3f80. am: 01e077a02e
am: df64c91709
Change-Id: Iaf260abc95a86c2acabd410bbe6d20b781895821
87 files changed, 673 insertions, 114 deletions
diff --git a/BORINGSSL_REVISION b/BORINGSSL_REVISION index 6356531d..b88723d9 100644 --- a/BORINGSSL_REVISION +++ b/BORINGSSL_REVISION @@ -1 +1 @@ -6e7255c17e1a7348a2377fbc804441dd284806e2 +56b6c714c9cae5963681ed9dd9f6cabf294e3f80 diff --git a/linux-aarch64/crypto/chacha/chacha-armv8.S b/linux-aarch64/crypto/chacha/chacha-armv8.S index e05a265f..3a39034a 100644 --- a/linux-aarch64/crypto/chacha/chacha-armv8.S +++ b/linux-aarch64/crypto/chacha/chacha-armv8.S @@ -1980,5 +1980,6 @@ ChaCha20_512_neon: ldp x29,x30,[sp],#96 ret .size ChaCha20_512_neon,.-ChaCha20_512_neon +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/aesv8-armx64.S b/linux-aarch64/crypto/fipsmodule/aesv8-armx64.S index 1680444e..4ab36b84 100644 --- a/linux-aarch64/crypto/fipsmodule/aesv8-armx64.S +++ b/linux-aarch64/crypto/fipsmodule/aesv8-armx64.S @@ -770,5 +770,6 @@ aes_hw_ctr32_encrypt_blocks: ret .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/armv8-mont.S b/linux-aarch64/crypto/fipsmodule/armv8-mont.S index 1ea05ba9..ccee888e 100644 --- a/linux-aarch64/crypto/fipsmodule/armv8-mont.S +++ b/linux-aarch64/crypto/fipsmodule/armv8-mont.S @@ -1418,5 +1418,6 @@ __bn_mul4x_mont: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 4 +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S b/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S index 35676830..9cd7351a 100644 --- a/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S +++ b/linux-aarch64/crypto/fipsmodule/ghash-neon-armv8.S 
@@ -336,5 +336,6 @@ gcm_ghash_neon: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,100,101,114,105,118,101,100,32,102,114,111,109,32,65,82,77,118,52,32,118,101,114,115,105,111,110,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S b/linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S index 1267937b..267cdd1b 100644 --- a/linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S +++ b/linux-aarch64/crypto/fipsmodule/ghashv8-armx64.S @@ -244,5 +244,6 @@ gcm_ghash_v8: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/sha1-armv8.S b/linux-aarch64/crypto/fipsmodule/sha1-armv8.S index ecb48859..a378181e 100644 --- a/linux-aarch64/crypto/fipsmodule/sha1-armv8.S +++ b/linux-aarch64/crypto/fipsmodule/sha1-armv8.S @@ -1230,5 +1230,6 @@ sha1_block_armv8: .align 2 .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/sha256-armv8.S b/linux-aarch64/crypto/fipsmodule/sha256-armv8.S index b3196882..c4d88710 100644 --- a/linux-aarch64/crypto/fipsmodule/sha256-armv8.S +++ b/linux-aarch64/crypto/fipsmodule/sha256-armv8.S @@ -1208,5 +1208,6 @@ sha256_block_armv8: .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/sha512-armv8.S b/linux-aarch64/crypto/fipsmodule/sha512-armv8.S index 37e00d79..134f4053 100644 --- a/linux-aarch64/crypto/fipsmodule/sha512-armv8.S 
+++ b/linux-aarch64/crypto/fipsmodule/sha512-armv8.S @@ -1080,5 +1080,6 @@ sha512_block_data_order: .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S b/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S index 3a34209d..bd46e532 100644 --- a/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S +++ b/linux-aarch64/crypto/fipsmodule/vpaes-armv8.S @@ -1211,5 +1211,6 @@ vpaes_ctr32_encrypt_blocks: ldp x29,x30,[sp],#16 ret .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/test/trampoline-armv8.S b/linux-aarch64/crypto/test/trampoline-armv8.S index f5296f68..df30630a 100644 --- a/linux-aarch64/crypto/test/trampoline-armv8.S +++ b/linux-aarch64/crypto/test/trampoline-armv8.S @@ -683,5 +683,6 @@ abi_test_clobber_v15_upper: fmov v15.d[1], xzr ret .size abi_test_clobber_v15_upper,.-abi_test_clobber_v15_upper +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-aarch64/crypto/third_party/sike/asm/fp-armv8.S b/linux-aarch64/crypto/third_party/sike/asm/fp-armv8.S index da49a401..02e53322 100644 --- a/linux-aarch64/crypto/third_party/sike/asm/fp-armv8.S +++ b/linux-aarch64/crypto/third_party/sike/asm/fp-armv8.S @@ -994,5 +994,6 @@ sike_mpdblsubx2_asm: ldp x29, x30, [sp],#16 ret +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/chacha/chacha-armv4.S b/linux-arm/crypto/chacha/chacha-armv4.S index aed7ca64..f9202a35 100644 --- a/linux-arm/crypto/chacha/chacha-armv4.S +++ b/linux-arm/crypto/chacha/chacha-armv4.S @@ -1488,5 +1488,6 @@ ChaCha20_neon: .size ChaCha20_neon,.-ChaCha20_neon .comm OPENSSL_armcap_P,4,4 #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM 
diff --git a/linux-arm/crypto/fipsmodule/aes-armv4.S b/linux-arm/crypto/fipsmodule/aes-armv4.S index b2966b4a..e4b09b35 100644 --- a/linux-arm/crypto/fipsmodule/aes-armv4.S +++ b/linux-arm/crypto/fipsmodule/aes-armv4.S @@ -1217,5 +1217,6 @@ _armv4_AES_decrypt: .byte 65,69,83,32,102,111,114,32,65,82,77,118,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/aesv8-armx32.S b/linux-arm/crypto/fipsmodule/aesv8-armx32.S index 3a2d2e43..b768742f 100644 --- a/linux-arm/crypto/fipsmodule/aesv8-armx32.S +++ b/linux-arm/crypto/fipsmodule/aesv8-armx32.S @@ -776,5 +776,6 @@ aes_hw_ctr32_encrypt_blocks: ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,pc} .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/armv4-mont.S b/linux-arm/crypto/fipsmodule/armv4-mont.S index 12ebe40c..ffbc2ef5 100644 --- a/linux-arm/crypto/fipsmodule/armv4-mont.S +++ b/linux-arm/crypto/fipsmodule/armv4-mont.S @@ -972,5 +972,6 @@ bn_mul8x_mont_neon: .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/bsaes-armv7.S b/linux-arm/crypto/fipsmodule/bsaes-armv7.S index f6cec3db..6058d472 100644 --- a/linux-arm/crypto/fipsmodule/bsaes-armv7.S +++ b/linux-arm/crypto/fipsmodule/bsaes-armv7.S @@ -1524,5 +1524,6 @@ bsaes_ctr32_encrypt_blocks: @ out to retain a constant-time implementation. .size bsaes_ctr32_encrypt_blocks,.-bsaes_ctr32_encrypt_blocks #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/ghash-armv4.S b/linux-arm/crypto/fipsmodule/ghash-armv4.S index a0fa53c6..800f4503 100644 
--- a/linux-arm/crypto/fipsmodule/ghash-armv4.S +++ b/linux-arm/crypto/fipsmodule/ghash-armv4.S @@ -586,5 +586,6 @@ gcm_ghash_neon: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/ghashv8-armx32.S b/linux-arm/crypto/fipsmodule/ghashv8-armx32.S index 65c9f22a..50333c8a 100644 --- a/linux-arm/crypto/fipsmodule/ghashv8-armx32.S +++ b/linux-arm/crypto/fipsmodule/ghashv8-armx32.S @@ -248,5 +248,6 @@ gcm_ghash_v8: .byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/sha1-armv4-large.S b/linux-arm/crypto/fipsmodule/sha1-armv4-large.S index 2b70a325..afb0a003 100644 --- a/linux-arm/crypto/fipsmodule/sha1-armv4-large.S +++ b/linux-arm/crypto/fipsmodule/sha1-armv4-large.S @@ -1506,5 +1506,6 @@ sha1_block_data_order_armv8: .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/sha256-armv4.S b/linux-arm/crypto/fipsmodule/sha256-armv4.S index 19280753..1cf4285a 100644 --- a/linux-arm/crypto/fipsmodule/sha256-armv4.S +++ b/linux-arm/crypto/fipsmodule/sha256-armv4.S @@ -2834,5 +2834,6 @@ sha256_block_data_order_armv8: .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/sha512-armv4.S b/linux-arm/crypto/fipsmodule/sha512-armv4.S index c44fcc6c..d59a389d 100644 --- a/linux-arm/crypto/fipsmodule/sha512-armv4.S 
+++ b/linux-arm/crypto/fipsmodule/sha512-armv4.S @@ -1889,5 +1889,6 @@ sha512_block_data_order_neon: .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P #endif +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/fipsmodule/vpaes-armv7.S b/linux-arm/crypto/fipsmodule/vpaes-armv7.S index 9124ce20..a10e7232 100644 --- a/linux-arm/crypto/fipsmodule/vpaes-armv7.S +++ b/linux-arm/crypto/fipsmodule/vpaes-armv7.S @@ -1231,5 +1231,6 @@ vpaes_ctr32_encrypt_blocks: vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-arm/crypto/test/trampoline-armv4.S b/linux-arm/crypto/test/trampoline-armv4.S index e526e993..c184bb37 100644 --- a/linux-arm/crypto/test/trampoline-armv4.S +++ b/linux-arm/crypto/test/trampoline-armv4.S @@ -375,5 +375,6 @@ abi_test_clobber_d15: vmov s31, r0 bx lr .size abi_test_clobber_d15,.-abi_test_clobber_d15 +.section .note.GNU-stack,"",%progbits #endif #endif // !OPENSSL_NO_ASM diff --git a/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S b/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S index 911d6383..462afdfa 100644 --- a/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S +++ b/linux-ppc64le/crypto/fipsmodule/aesp8-ppc.S @@ -3666,4 +3666,5 @@ _aesp8_xts_dec5x: blr .long 0 .byte 0,12,0x14,0,0,0,0,0 +.section .note.GNU-stack,"",@progbits #endif // !OPENSSL_NO_ASM && __powerpc64__ diff --git a/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S b/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S index 88a8a254..50c5d80d 100644 --- a/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S +++ b/linux-ppc64le/crypto/fipsmodule/ghashp8-ppc.S 
@@ -583,4 +583,5 @@ gcm_ghash_p8: .byte 71,72,65,83,72,32,102,111,114,32,80,111,119,101,114,73,83,65,32,50,46,48,55,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.section .note.GNU-stack,"",@progbits #endif // !OPENSSL_NO_ASM && __powerpc64__ diff --git a/linux-x86/crypto/chacha/chacha-x86.S b/linux-x86/crypto/chacha/chacha-x86.S index 287b62a5..389cecc1 100644 --- a/linux-x86/crypto/chacha/chacha-x86.S +++ b/linux-x86/crypto/chacha/chacha-x86.S @@ -971,4 +971,5 @@ ChaCha20_ssse3: .byte 44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32 .byte 60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 .byte 114,103,62,0 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/aes-586.S b/linux-x86/crypto/fipsmodule/aes-586.S index c8eeee53..d949f7d8 100644 --- a/linux-x86/crypto/fipsmodule/aes-586.S +++ b/linux-x86/crypto/fipsmodule/aes-586.S @@ -3259,4 +3259,5 @@ aes_nohw_set_decrypt_key: .byte 65,69,83,32,102,111,114,32,120,56,54,44,32,67,82,89 .byte 80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114 .byte 111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/aesni-x86.S b/linux-x86/crypto/fipsmodule/aesni-x86.S index 671c79e5..99410d9a 100644 --- a/linux-x86/crypto/fipsmodule/aesni-x86.S +++ b/linux-x86/crypto/fipsmodule/aesni-x86.S @@ -2509,4 +2509,5 @@ aes_hw_set_decrypt_key: .byte 83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83 .byte 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 .byte 115,108,46,111,114,103,62,0 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/bn-586.S b/linux-x86/crypto/fipsmodule/bn-586.S index 64e36cec..d2cd647a 100644 --- a/linux-x86/crypto/fipsmodule/bn-586.S +++ b/linux-x86/crypto/fipsmodule/bn-586.S 
@@ -1540,4 +1540,5 @@ bn_sub_part_words: popl %ebp ret .size bn_sub_part_words,.-.L_bn_sub_part_words_begin +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/co-586.S b/linux-x86/crypto/fipsmodule/co-586.S index b617d81a..3b774528 100644 --- a/linux-x86/crypto/fipsmodule/co-586.S +++ b/linux-x86/crypto/fipsmodule/co-586.S @@ -1262,4 +1262,5 @@ bn_sqr_comba4: popl %esi ret .size bn_sqr_comba4,.-.L_bn_sqr_comba4_begin +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S b/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S index 7aa0ea52..46877154 100644 --- a/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S +++ b/linux-x86/crypto/fipsmodule/ghash-ssse3-x86.S @@ -290,4 +290,5 @@ gcm_ghash_ssse3: .align 16 .Llow4_mask: .long 252645135,252645135,252645135,252645135 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/ghash-x86.S b/linux-x86/crypto/fipsmodule/ghash-x86.S index e1830784..c691f0aa 100644 --- a/linux-x86/crypto/fipsmodule/ghash-x86.S +++ b/linux-x86/crypto/fipsmodule/ghash-x86.S @@ -1071,4 +1071,5 @@ gcm_ghash_clmul: .byte 82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112 .byte 112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62 .byte 0 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/md5-586.S b/linux-x86/crypto/fipsmodule/md5-586.S index cc0dcd83..22e0a294 100644 --- a/linux-x86/crypto/fipsmodule/md5-586.S +++ b/linux-x86/crypto/fipsmodule/md5-586.S @@ -684,4 +684,5 @@ md5_block_asm_data_order: popl %esi ret .size md5_block_asm_data_order,.-.L_md5_block_asm_data_order_begin +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/sha1-586.S b/linux-x86/crypto/fipsmodule/sha1-586.S index 4df4d061..4165f122 100644 --- a/linux-x86/crypto/fipsmodule/sha1-586.S +++ b/linux-x86/crypto/fipsmodule/sha1-586.S 
@@ -3804,4 +3804,5 @@ _sha1_block_data_order_avx: .byte 102,111,114,109,32,102,111,114,32,120,56,54,44,32,67,82 .byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112 .byte 114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/sha256-586.S b/linux-x86/crypto/fipsmodule/sha256-586.S index 39d57786..f9cecb3e 100644 --- a/linux-x86/crypto/fipsmodule/sha256-586.S +++ b/linux-x86/crypto/fipsmodule/sha256-586.S @@ -5563,4 +5563,5 @@ sha256_block_data_order: popl %ebp ret .size sha256_block_data_order,.-.L_sha256_block_data_order_begin +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/sha512-586.S b/linux-x86/crypto/fipsmodule/sha512-586.S index c8dd6770..89fc8b57 100644 --- a/linux-x86/crypto/fipsmodule/sha512-586.S +++ b/linux-x86/crypto/fipsmodule/sha512-586.S @@ -2833,4 +2833,5 @@ sha512_block_data_order: .byte 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 .byte 62,0 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/vpaes-x86.S b/linux-x86/crypto/fipsmodule/vpaes-x86.S index 7200cfde..c36a8b83 100644 --- a/linux-x86/crypto/fipsmodule/vpaes-x86.S +++ b/linux-x86/crypto/fipsmodule/vpaes-x86.S @@ -704,4 +704,5 @@ vpaes_cbc_encrypt: popl %ebp ret .size vpaes_cbc_encrypt,.-.L_vpaes_cbc_encrypt_begin +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86/crypto/fipsmodule/x86-mont.S b/linux-x86/crypto/fipsmodule/x86-mont.S index 9924c028..8b7deddf 100644 --- a/linux-x86/crypto/fipsmodule/x86-mont.S +++ b/linux-x86/crypto/fipsmodule/x86-mont.S @@ -480,4 +480,5 @@ bn_mul_mont: .byte 54,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121 .byte 32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46 .byte 111,114,103,62,0 +.section .note.GNU-stack,"",@progbits #endif 
diff --git a/linux-x86/crypto/test/trampoline-x86.S b/linux-x86/crypto/test/trampoline-x86.S index 2222347a..56b9a909 100644 --- a/linux-x86/crypto/test/trampoline-x86.S +++ b/linux-x86/crypto/test/trampoline-x86.S @@ -202,4 +202,5 @@ abi_test_clobber_xmm7: pxor %xmm7,%xmm7 ret .size abi_test_clobber_xmm7,.-.L_abi_test_clobber_xmm7_begin +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/chacha/chacha-x86_64.S b/linux-x86_64/crypto/chacha/chacha-x86_64.S index 4e2267bb..2d8cd97d 100644 --- a/linux-x86_64/crypto/chacha/chacha-x86_64.S +++ b/linux-x86_64/crypto/chacha/chacha-x86_64.S @@ -1629,4 +1629,5 @@ ChaCha20_8x: .byte 0xf3,0xc3 .cfi_endproc .size ChaCha20_8x,.-ChaCha20_8x +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S b/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S index 3eb1688c..97fb817a 100644 --- a/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S +++ b/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64.S @@ -3075,4 +3075,5 @@ aes256gcmsiv_kdf: .byte 0xf3,0xc3 .cfi_endproc .size aes256gcmsiv_kdf, .-aes256gcmsiv_kdf +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S b/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S index 677335b9..def3d5bf 100644 --- a/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S +++ b/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64.S @@ -8983,4 +8983,5 @@ seal_avx2_short_tail: vzeroupper jmp seal_sse_tail_16 .cfi_endproc +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/aes-x86_64.S b/linux-x86_64/crypto/fipsmodule/aes-x86_64.S index f45e010e..65de7b20 100644 --- a/linux-x86_64/crypto/fipsmodule/aes-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/aes-x86_64.S 
@@ -2661,4 +2661,5 @@ aes_nohw_cbc_encrypt: .long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 .byte 65,69,83,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S b/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S index 98365a87..c0339660 100644 --- a/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64.S @@ -848,4 +848,5 @@ aesni_gcm_encrypt: .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 .byte 65,69,83,45,78,73,32,71,67,77,32,109,111,100,117,108,101,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S b/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S index de309533..660564b4 100644 --- a/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/aesni-x86_64.S @@ -2502,4 +2502,5 @@ __aesni_set_encrypt_key: .byte 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S b/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S index ecf5b66f..236df163 100644 --- a/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64.S @@ -423,4 +423,5 @@ gcm_ghash_ssse3: .Llow4_mask: .quad 0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f +.section .note.GNU-stack,"",@progbits #endif 
diff --git a/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S b/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S index 0b36afac..6cdc8cd1 100644 --- a/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/ghash-x86_64.S @@ -1868,4 +1868,5 @@ gcm_ghash_avx: .byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/md5-x86_64.S b/linux-x86_64/crypto/fipsmodule/md5-x86_64.S index 18e2e928..848f695b 100644 --- a/linux-x86_64/crypto/fipsmodule/md5-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/md5-x86_64.S @@ -698,4 +698,5 @@ md5_block_asm_data_order: .byte 0xf3,0xc3 .cfi_endproc .size md5_block_asm_data_order,.-md5_block_asm_data_order +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S b/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S index 067575ec..b5218c57 100644 --- a/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S +++ b/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm.S @@ -4539,4 +4539,5 @@ ecp_nistz256_point_add_affinex: .byte 0xf3,0xc3 .cfi_endproc .size ecp_nistz256_point_add_affinex,.-ecp_nistz256_point_add_affinex +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S b/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S index 5dfecc85..7d8b3072 100644 --- a/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S +++ b/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm.S @@ -339,4 +339,5 @@ beeu_mod_inverse_vartime: .cfi_endproc .size beeu_mod_inverse_vartime, .-beeu_mod_inverse_vartime +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S b/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S index fefccd6f..3c6aeb85 100644 
--- a/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/rdrand-x86_64.S @@ -59,4 +59,5 @@ CRYPTO_rdrand_multiple8_buf: .byte 0xf3,0xc3 .cfi_endproc .size CRYPTO_rdrand_multiple8_buf,.-CRYPTO_rdrand_multiple8_buf +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S b/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S index 579c7055..18e5eca5 100644 --- a/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S +++ b/linux-x86_64/crypto/fipsmodule/rsaz-avx2.S @@ -1745,4 +1745,5 @@ rsaz_1024_gather5_avx2: .long 2,2,2,2, 3,3,3,3 .long 4,4,4,4, 4,4,4,4 .align 64 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S b/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S index 044f36f0..c4681961 100644 --- a/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/sha1-x86_64.S @@ -3597,4 +3597,5 @@ K_XX_XX: .byte 0xf,0xe,0xd,0xc,0xb,0xa,0x9,0x8,0x7,0x6,0x5,0x4,0x3,0x2,0x1,0x0 .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S b/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S index 55b540f1..f26b9b23 100644 --- a/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/sha256-x86_64.S @@ -3969,4 +3969,5 @@ sha256_block_data_order_avx: .byte 0xf3,0xc3 .cfi_endproc .size sha256_block_data_order_avx,.-sha256_block_data_order_avx +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S b/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S index 509e144e..983f3433 100644 --- a/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/sha512-x86_64.S 
@@ -2988,4 +2988,5 @@ sha512_block_data_order_avx: .byte 0xf3,0xc3 .cfi_endproc .size sha512_block_data_order_avx,.-sha512_block_data_order_avx +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S b/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S index 8546d0d8..b87b947b 100644 --- a/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S +++ b/linux-x86_64/crypto/fipsmodule/vpaes-x86_64.S @@ -1129,4 +1129,5 @@ _vpaes_consts: .byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 .align 64 .size _vpaes_consts,.-_vpaes_consts +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/x86_64-mont.S b/linux-x86_64/crypto/fipsmodule/x86_64-mont.S index f3637f01..40090d97 100644 --- a/linux-x86_64/crypto/fipsmodule/x86_64-mont.S +++ b/linux-x86_64/crypto/fipsmodule/x86_64-mont.S @@ -1256,4 +1256,5 @@ bn_mulx4x_mont: .size bn_mulx4x_mont,.-bn_mulx4x_mont .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 16 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S b/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S index b12393e2..eec69920 100644 --- a/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S +++ b/linux-x86_64/crypto/fipsmodule/x86_64-mont5.S 
@@ -3786,4 +3786,5 @@ bn_gather5: .long 0,0, 1,1 .long 2,2, 2,2 .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/test/trampoline-x86_64.S b/linux-x86_64/crypto/test/trampoline-x86_64.S index 91a13f3e..6424f73b 100644 --- a/linux-x86_64/crypto/test/trampoline-x86_64.S +++ b/linux-x86_64/crypto/test/trampoline-x86_64.S @@ -514,4 +514,5 @@ abi_test_set_direction_flag: std .byte 0xf3,0xc3 .size abi_test_set_direction_flag,.-abi_test_set_direction_flag +.section .note.GNU-stack,"",@progbits #endif diff --git a/linux-x86_64/crypto/third_party/sike/asm/fp-x86_64.S b/linux-x86_64/crypto/third_party/sike/asm/fp-x86_64.S index 4b3c9254..bb2f0978 100644 --- a/linux-x86_64/crypto/third_party/sike/asm/fp-x86_64.S +++ b/linux-x86_64/crypto/third_party/sike/asm/fp-x86_64.S @@ -1867,4 +1867,5 @@ sike_mpmul: .cfi_adjust_cfa_offset -8 .byte 0xf3,0xc3 .cfi_endproc +.section .note.GNU-stack,"",@progbits #endif diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 3fe86bf2..66596af3 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -117,7 +117,7 @@ endif() if(CMAKE_COMPILER_IS_GNUCXX OR CLANG) # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration # primarily on our normal Clang one. - set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings") + set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla") if(MSVC) # clang-cl sets different default warnings than clang. It also treats -Wall # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall. 
diff --git a/src/crypto/curve25519/asm/x25519-asm-arm.S b/src/crypto/curve25519/asm/x25519-asm-arm.S index 905af077..9a26adda 100644 --- a/src/crypto/curve25519/asm/x25519-asm-arm.S +++ b/src/crypto/curve25519/asm/x25519-asm-arm.S @@ -2129,4 +2129,8 @@ mov sp,r12 vpop {q4,q5,q6,q7} bx lr +#if defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + #endif /* !OPENSSL_NO_ASM && __arm__ && !__APPLE__ */ diff --git a/src/crypto/fipsmodule/rand/internal.h b/src/crypto/fipsmodule/rand/internal.h index c7ed74de..07563b7f 100644 --- a/src/crypto/fipsmodule/rand/internal.h +++ b/src/crypto/fipsmodule/rand/internal.h @@ -41,6 +41,11 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, void CRYPTO_sysrand(uint8_t *buf, size_t len); #if defined(OPENSSL_URANDOM) && defined(BORINGSSL_FIPS) +// CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the +// operating system. It may draw from the |GRND_RANDOM| pool on Android, +// depending on the vendor's configuration. +void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len); + // CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the // operating system, if the entropy pool is initialized. If it is uninitialized, // it will not block and will instead fill |buf| with all zeros or early diff --git a/src/crypto/fipsmodule/rand/rand.c b/src/crypto/fipsmodule/rand/rand.c index 60e92c50..87d7b30a 100644 --- a/src/crypto/fipsmodule/rand/rand.c +++ b/src/crypto/fipsmodule/rand/rand.c 
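Review bot: The new comment on CRYPTO_sysrand_for_seed in the internal.h hunk should say that, unlike CRYPTO_sysrand, this call can block: when the vendor configuration selects |GRND_RANDOM| the kernel serves the request from the /dev/random pool, which on kernels where that device blocks will sleep until the entropy estimate recovers, so a caller on the seeding path can stall. Suggested addition after the second sentence: `// When |GRND_RANDOM| is in effect this call may block until the kernel's entropy pool is replenished, unlike |CRYPTO_sysrand|.` The declaration sits under `#if defined(OPENSSL_URANDOM) && defined(BORINGSSL_FIPS)` while rand.c now calls it from the FIPS seed path regardless of entropy backend; presumably the `#else` branch below this hunk supplies a fallback for FIPS builds without urandom, but that is outside the hunk and worth confirming.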
@@ -32,9 +32,9 @@ // It's assumed that the operating system always has an unfailing source of -// entropy which is accessed via |CRYPTO_sysrand|. (If the operating system -// entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we -// don't try to handle it.) +// entropy which is accessed via |CRYPTO_sysrand[_for_seed]|. (If the operating +// system entropy source fails, it's up to |CRYPTO_sysrand| to abort the +// process—we don't try to handle it.) // // In addition, the hardware may provide a low-latency RNG. Intel's rdrand // instruction is the canonical example of this. When a hardware RNG is @@ -61,11 +61,11 @@ struct rand_thread_state { // (re)seeded. This is bound by |kReseedInterval|. unsigned calls; // last_block_valid is non-zero iff |last_block| contains data from - // |CRYPTO_sysrand|. + // |CRYPTO_sysrand_for_seed|. int last_block_valid; #if defined(BORINGSSL_FIPS) - // last_block contains the previous block from |CRYPTO_sysrand|. + // last_block contains the previous block from |CRYPTO_sysrand_for_seed|. uint8_t last_block[CRNGT_BLOCK_SIZE]; // next and prev form a NULL-terminated, double-linked list of all states in // a process. @@ -169,7 +169,7 @@ static void rand_get_seed(struct rand_thread_state *state, uint8_t seed[CTR_DRBG_ENTROPY_LEN]) { if (!state->last_block_valid) { if (!hwrand(state->last_block, sizeof(state->last_block))) { - CRYPTO_sysrand(state->last_block, sizeof(state->last_block)); + CRYPTO_sysrand_for_seed(state->last_block, sizeof(state->last_block)); } state->last_block_valid = 1; } @@ -181,7 +181,7 @@ static void rand_get_seed(struct rand_thread_state *state, int used_hwrand = hwrand(entropy, sizeof(entropy)); if (!used_hwrand) { - CRYPTO_sysrand(entropy, sizeof(entropy)); + CRYPTO_sysrand_for_seed(entropy, sizeof(entropy)); } // See FIPS 140-2, section 4.9.2. This is the “continuous random number 
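Review bot: The updated comment on `last_block_valid` (hunk at -61) says the block holds data from |CRYPTO_sysrand_for_seed|, but rand_get_seed (hunk at -169) fills `last_block` from |hwrand| first and only falls back to |CRYPTO_sysrand_for_seed|, so the comment still misdescribes the hwrand case. Suggest `// last_block_valid is non-zero iff |last_block| contains the previous seed block,` followed by `// drawn from |hwrand| or, failing that, |CRYPTO_sysrand_for_seed|.`, and the same wording on the `last_block` member comment just below it. rand_get_seed begins before the hunk at -169 and its body continues past the hunk at -181.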
diff --git a/src/crypto/fipsmodule/rand/urandom.c b/src/crypto/fipsmodule/rand/urandom.c
index 9fa0c97c..33c0b031 100644
--- a/src/crypto/fipsmodule/rand/urandom.c
+++ b/src/crypto/fipsmodule/rand/urandom.c
@@ -36,6 +36,10 @@
 #endif
 #include <sys/syscall.h>
 
+#if defined(OPENSSL_ANDROID)
+#include <sys/system_properties.h>
+#endif
+
 #if !defined(OPENSSL_ANDROID)
 #define OPENSSL_HAS_GETAUXVAL
 #endif
@@ -120,6 +124,9 @@ static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) {
 #if !defined(GRND_NONBLOCK)
 #define GRND_NONBLOCK 1
 #endif
+#if !defined(GRND_RANDOM)
+#define GRND_RANDOM 2
+#endif
 
 #endif // OPENSSL_LINUX
 
@@ -138,10 +145,36 @@ DEFINE_BSS_GET(int, urandom_fd_requested)
 DEFINE_BSS_GET(int, urandom_fd)
 
 #if defined(USE_NR_getrandom)
+
 // getrandom_ready is one if |getrandom| had been initialized by the time
 // |init_once| was called and zero otherwise.
 DEFINE_BSS_GET(int, getrandom_ready)
+
+// extra_getrandom_flags_for_seed contains a value that is ORed into the flags
+// for getrandom() when reading entropy for a seed.
+DEFINE_BSS_GET(int, extra_getrandom_flags_for_seed)
+
+// On Android, check a system property to decide whether to set
+// |extra_getrandom_flags_for_seed| otherwise they will default to zero. If
+// ro.oem_boringcrypto_hwrand is true then |extra_getrandom_flags_for_seed| will
+// be set to GRND_RANDOM, causing all random data to be drawn from the same
+// source as /dev/random.
+static void maybe_set_extra_getrandom_flags(void) {
+#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
+  char value[PROP_VALUE_MAX + 1];
+  int length = __system_property_get("ro.boringcrypto.hwrand", value);
+  if (length < 0 || length > PROP_VALUE_MAX) {
+    return;
+  }
+
+  value[length] = 0;
+  if (strcasecmp(value, "true") == 0) {
+    *extra_getrandom_flags_for_seed_bss_get() = GRND_RANDOM;
+  }
 #endif
+}
+
+#endif // USE_NR_getrandom
 
 DEFINE_STATIC_ONCE(rand_once)
 
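Review bot: The comment above maybe_set_extra_getrandom_flags names the property `ro.oem_boringcrypto_hwrand`, while the call reads `ro.boringcrypto.hwrand`; one of the two is wrong, and an integrator following the comment would never turn the GRND_RANDOM path on. The comment should name the property the code actually queries, e.g. `// If ro.boringcrypto.hwrand is true then |extra_getrandom_flags_for_seed| will`. `strcasecmp` comes from <strings.h>, which is not among the includes visible in this diff, so it is worth confirming it is already pulled in. Since the property is read once from init_once (hunk at -176 in urandom.c), it may also be worth saying in the comment that a later change to the property has no effect on a running process.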
@@ -176,6 +209,7 @@ static void init_once(void) {
 
   if (have_getrandom) {
     *urandom_fd_bss_get() = kHaveGetrandom;
+    maybe_set_extra_getrandom_flags();
     return;
   }
 #endif // USE_NR_getrandom
@@ -346,11 +380,23 @@ void RAND_set_urandom_fd(int fd) {
 // on success and zero on error. If |block| is one, this function will block
 // until the entropy pool is initialized. Otherwise, this function may fail,
 // setting |errno| to |EAGAIN| if the entropy pool has not yet been initialized.
-static int fill_with_entropy(uint8_t *out, size_t len, int block) {
+// If |seed| is one, this function will OR in the value of
+// |*extra_getrandom_flags_for_seed()| when using |getrandom|.
+static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) {
   if (len == 0) {
     return 1;
   }
 
+#if defined(USE_NR_getrandom)
+  int getrandom_flags = 0;
+  if (block) {
+    getrandom_flags |= GRND_NONBLOCK;
+  }
+  if (seed) {
+    getrandom_flags |= *extra_getrandom_flags_for_seed_bss_get();
+  }
+#endif
+
   CRYPTO_once(rand_once_bss_get(), init_once);
   if (block) {
     CRYPTO_once(wait_for_entropy_once_bss_get(), wait_for_entropy);
@@ -364,7 +410,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block) {
 
     if (*urandom_fd_bss_get() == kHaveGetrandom) {
 #if defined(USE_NR_getrandom)
-      r = boringssl_getrandom(out, len, block ? 0 : GRND_NONBLOCK);
+      r = boringssl_getrandom(out, len, getrandom_flags);
 #elif defined(OPENSSL_MACOS)
       if (__builtin_available(macos 10.12, *)) {
         // |getentropy| can only request 256 bytes at a time.
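Review bot: The flag computation in fill_with_entropy (hunk at -346) inverts the old behaviour: the removed call passed `block ? 0 : GRND_NONBLOCK`, but the new code sets GRND_NONBLOCK when `block` is one, so the blocking callers (CRYPTO_sysrand and CRYPTO_sysrand_for_seed) now issue non-blocking getrandom calls while CRYPTO_sysrand_if_available, documented above the function as the one that may fail with EAGAIN, issues a blocking one. The condition should be `if (!block) {` before `getrandom_flags |= GRND_NONBLOCK;`. If wait_for_entropy does not guarantee an initialised pool on every platform — I cannot see its body here — an early boot call would then hit the perror/abort path in CRYPTO_sysrand instead of waiting. The new comment also refers to `|*extra_getrandom_flags_for_seed()|` while the accessor is `extra_getrandom_flags_for_seed_bss_get()`; fill_with_entropy's body continues past the hunk at -364.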
@@ -400,7 +446,15 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block) { // CRYPTO_sysrand puts |requested| random bytes into |out|. void CRYPTO_sysrand(uint8_t *out, size_t requested) { - if (!fill_with_entropy(out, requested, /*block=*/1)) { + if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/0)) { + perror("entropy fill failed"); + abort(); + } +} + +#if defined(BORINGSSL_FIPS) +void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { + if (!fill_with_entropy(out, requested, /*block=*/1, /*seed=*/1)) { perror("entropy fill failed"); abort(); } @@ -412,12 +466,11 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) { #endif } -#if defined(BORINGSSL_FIPS) void CRYPTO_sysrand_if_available(uint8_t *out, size_t requested) { // Return all zeros if |fill_with_entropy| fails. OPENSSL_memset(out, 0, requested); - if (!fill_with_entropy(out, requested, /*block=*/0) && + if (!fill_with_entropy(out, requested, /*block=*/0, /*seed=*/0) && errno != EAGAIN) { perror("opportunistic entropy fill failed"); abort(); diff --git a/src/crypto/hrss/asm/poly_rq_mul.S b/src/crypto/hrss/asm/poly_rq_mul.S index ebaabd3d..0b684c38 100644 --- a/src/crypto/hrss/asm/poly_rq_mul.S +++ b/src/crypto/hrss/asm/poly_rq_mul.S @@ -8460,4 +8460,8 @@ ret .cfi_endproc .size poly_Rq_mul,.-poly_Rq_mul +#if defined(__ELF__) +.section .note.GNU-stack,"",@progbits +#endif + #endif diff --git a/src/crypto/perlasm/arm-xlate.pl b/src/crypto/perlasm/arm-xlate.pl index 4dec2760..adbd239e 100755 --- a/src/crypto/perlasm/arm-xlate.pl +++ b/src/crypto/perlasm/arm-xlate.pl @@ -228,6 +228,9 @@ while(my $line=<>) { print "\n"; } +# See https://www.airs.com/blog/archives/518. +print ".section\t.note.GNU-stack,\"\",\%progbits\n" if ($flavour =~ /linux/); + print "#endif\n" if ($flavour eq "linux32" || $flavour eq "linux64"); print "#endif // !OPENSSL_NO_ASM\n"; diff --git a/src/crypto/perlasm/ppc-xlate.pl b/src/crypto/perlasm/ppc-xlate.pl index 0ce231f2..f8e42a22 100644 
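Review bot: CRYPTO_sysrand_for_seed reuses the exact message `"entropy fill failed"` from CRYPTO_sysrand, so a crash log cannot tell whether the failed read was an ordinary request or a seed request issued with the extra GRND_RANDOM flags this commit introduces; a distinct string such as `perror("seed entropy fill failed");` makes the abort diagnosable. The definition also lacks the header comment that internal.h gives the function; a one-line `// CRYPTO_sysrand_for_seed behaves like |CRYPTO_sysrand| but ORs in the seed flags.` above it would keep the two in step. The `#if defined(BORINGSSL_FIPS)` guard now covers both this function and CRYPTO_sysrand_if_available, which matches the declaration guard in internal.h as far as this diff shows.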
--- a/src/crypto/perlasm/ppc-xlate.pl +++ b/src/crypto/perlasm/ppc-xlate.pl @@ -309,6 +309,9 @@ while($line=<>) { print "\n"; } +# See https://www.airs.com/blog/archives/518. +print ".section\t.note.GNU-stack,\"\",\@progbits\n" if ($flavour =~ /linux/); + print "#endif // !OPENSSL_NO_ASM && __powerpc64__\n"; close STDOUT; diff --git a/src/crypto/perlasm/x86_64-xlate.pl b/src/crypto/perlasm/x86_64-xlate.pl index f9284115..d2854cf4 100755 --- a/src/crypto/perlasm/x86_64-xlate.pl +++ b/src/crypto/perlasm/x86_64-xlate.pl @@ -1260,6 +1260,8 @@ while(defined(my $line=<>)) { print "\n$current_segment\tENDS\n" if ($current_segment && $masm); print "END\n" if ($masm); +# See https://www.airs.com/blog/archives/518. +print ".section\t.note.GNU-stack,\"\",\@progbits\n" if ($elf); print "#endif\n" if ($gas); diff --git a/src/crypto/perlasm/x86asm.pl b/src/crypto/perlasm/x86asm.pl index 24f0fc15..b331cd4f 100644 --- a/src/crypto/perlasm/x86asm.pl +++ b/src/crypto/perlasm/x86asm.pl @@ -297,6 +297,8 @@ ___ ___ } print @out; + # See https://www.airs.com/blog/archives/518. + print ".section\t.note.GNU-stack,\"\",\@progbits\n" if ($elf); print "#endif\n" unless ($win32 || $netware); } diff --git a/src/crypto/poly1305/poly1305_arm_asm.S b/src/crypto/poly1305/poly1305_arm_asm.S index 04f7c4cd..77b3c48e 100644 --- a/src/crypto/poly1305/poly1305_arm_asm.S +++ b/src/crypto/poly1305/poly1305_arm_asm.S @@ -2022,4 +2022,8 @@ vst1.8 d4,[r0,: 64] add sp,sp,#0 bx lr +#if defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + #endif /* __arm__ && !OPENSSL_NO_ASM && !__APPLE__ */ diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h index 6810a647..8cd03be8 100644 --- a/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h 
@@ -560,6 +560,13 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code); #define SSL_ERROR_HANDOFF 17 #define SSL_ERROR_HANDBACK 18 +// SSL_ERROR_WANT_RENEGOTIATE indicates the operation is pending a response to +// a renegotiation request from the server. The caller may call +// |SSL_renegotiate| to schedule a renegotiation and retry the operation. +// +// See also |ssl_renegotiate_explicit|. +#define SSL_ERROR_WANT_RENEGOTIATE 19 + // SSL_error_description returns a string representation of |err|, where |err| // is one of the |SSL_ERROR_*| constants returned by |SSL_get_error|, or NULL // if the value is unrecognized. @@ -3605,6 +3612,7 @@ enum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT { ssl_renegotiate_once, ssl_renegotiate_freely, ssl_renegotiate_ignore, + ssl_renegotiate_explicit, }; // SSL_set_renegotiate_mode configures how |ssl|, a client, reacts to @@ -3618,6 +3626,13 @@ enum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT { // Note that ignoring HelloRequest messages may cause the connection to stall // if the server waits for the renegotiation to complete. // +// If set to |ssl_renegotiate_explicit|, |SSL_read| and |SSL_peek| calls which +// encounter a HelloRequest will pause with |SSL_ERROR_WANT_RENEGOTIATE|. +// |SSL_write| will continue to work while paused. The caller may call +// |SSL_renegotiate| to begin the renegotiation at a later point. This mode may +// be used if callers wish to eagerly call |SSL_peek| without triggering a +// renegotiation. +// // If configuration shedding is enabled (see |SSL_set_shed_handshake_config|), // configuration is released if, at any point after the handshake, renegotiation // is disabled. It is not possible to switch from disabling renegotiation to 
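Review bot: The SSL_ERROR_WANT_RENEGOTIATE comment (hunk at -560) does not say what happens if the caller never calls |SSL_renegotiate|; from the ssl_read_impl change in this commit, nothing else clears the pending state, so |SSL_read| and |SSL_peek| appear to keep returning this error until the caller either renegotiates or closes the connection. Suggest appending `// There is no way to decline the request; a caller that does not wish to` and `// renegotiate should close the connection.` to the comment, assuming the library indeed offers no other way out, which I can only infer from the read path visible here. The mode documentation (hunk at -3618) could carry the same sentence.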
@@ -3630,6 +3645,16 @@ enum ssl_renegotiate_mode_t BORINGSSL_ENUM_INT { OPENSSL_EXPORT void SSL_set_renegotiate_mode(SSL *ssl, enum ssl_renegotiate_mode_t mode); +// SSL_renegotiate starts a deferred renegotiation on |ssl| if it was configured +// with |ssl_renegotiate_explicit| and has a pending HelloRequest. It returns +// one on success and zero on error. +// +// This function does not do perform any I/O. On success, a subsequent +// |SSL_do_handshake| call will run the handshake. |SSL_write| and +// |SSL_read| will also complete the handshake before sending or receiving +// application data. +OPENSSL_EXPORT int SSL_renegotiate(SSL *ssl); + // SSL_renegotiate_pending returns one if |ssl| is in the middle of a // renegotiation. OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl); @@ -4081,9 +4106,6 @@ OPENSSL_EXPORT int SSL_get_read_ahead(const SSL *ssl); // SSL_set_read_ahead returns one. OPENSSL_EXPORT int SSL_set_read_ahead(SSL *ssl, int yes); -// SSL_renegotiate put an error on the error queue and returns zero. -OPENSSL_EXPORT int SSL_renegotiate(SSL *ssl); - // SSL_set_state does nothing. OPENSSL_EXPORT void SSL_set_state(SSL *ssl, int state); diff --git a/src/ssl/internal.h b/src/ssl/internal.h index ec3594c2..7f163a45 100644 --- a/src/ssl/internal.h +++ b/src/ssl/internal.h 
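Review bot: The new SSL_renegotiate comment has a typo, `This function does not do perform any I/O.`; it should read `This function does not perform any I/O.`. It would also help to state the failure modes the implementation in this commit actually has: the function puts ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED on the error queue when no HelloRequest is pending and SSL_R_NO_RENEGOTIATION when renegotiation is disabled or the write side is not idle, for example `// It fails if no HelloRequest is pending, if renegotiation is disabled, or if` followed by `// the write side is not idle.`.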
@@ -353,6 +353,97 @@ class Array {
   size_t size_ = 0;
 };
 
+// GrowableArray<T> is an array that owns elements of |T|, backed by an
+// Array<T>. When necessary, pushing will automatically trigger a resize.
+//
+// Note, for simplicity, this class currently differs from |std::vector| in that
+// |T| must be efficiently default-constructible. Allocated elements beyond the
+// end of the array are constructed and destructed.
+template <typename T>
+class GrowableArray {
+ public:
+  GrowableArray() = default;
+  GrowableArray(const GrowableArray &) = delete;
+  GrowableArray(GrowableArray &&other) { *this = std::move(other); }
+  ~GrowableArray() {}
+
+  GrowableArray &operator=(const GrowableArray &) = delete;
+  GrowableArray &operator=(GrowableArray &&other) {
+    size_ = other.size_;
+    other.size_ = 0;
+    array_ = std::move(other.array_);
+    return *this;
+  }
+
+  size_t size() const { return size_; }
+  bool empty() const { return size_ == 0; }
+
+  const T &operator[](size_t i) const { return array_[i]; }
+  T &operator[](size_t i) { return array_[i]; }
+
+  T *begin() { return array_.data(); }
+  const T *cbegin() const { return array_.data(); }
+  T *end() { return array_.data() + size_; }
+  const T *cend() const { return array_.data() + size_; }
+
+  // Push adds |elem| at the end of the internal array, growing if necessary. It
+  // returns false when allocation fails.
+  bool Push(T elem) {
+    if (!MaybeGrow()) {
+      return false;
+    }
+    array_[size_] = std::move(elem);
+    size_++;
+    return true;
+  }
+
+  // CopyFrom replaces the contents of the array with a copy of |in|. It returns
+  // true on success and false on allocation error.
+  bool CopyFrom(Span<const T> in) {
+    if (!array_.CopyFrom(in)) {
+      return false;
+    }
+    size_ = in.size();
+    return true;
+  }
+
+ private:
+  // If there is no room for one more element, creates a new backing array with
+  // double the size of the old one and copies elements over.
+  bool MaybeGrow() {
+    if (array_.size() == 0) {
+      return array_.Init(kDefaultSize);
+    }
+    // No need to grow if we have room for one more T.
+    if (size_ < array_.size()) {
+      return true;
+    }
+    // Double the array's size if it's safe to do so.
+    if (array_.size() > std::numeric_limits<size_t>::max() / 2) {
+      OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
+      return false;
+    }
+    Array<T> new_array;
+    if (!new_array.Init(array_.size() * 2)) {
+      return false;
+    }
+    for (size_t i = 0; i < array_.size(); i++) {
+      new_array[i] = std::move(array_[i]);
+    }
+    array_ = std::move(new_array);
+
+    return true;
+  }
+
+  // |size_| is the number of elements stored in this GrowableArray.
+  size_t size_ = 0;
+  // |array_| is the backing array. Note that |array_.size()| is this
+  // GrowableArray's current capacity and that |size_ <= array_.size()|.
+  Array<T> array_;
+  // |kDefaultSize| is the default initial size of the backing array.
+  static constexpr size_t kDefaultSize = 16;
+};
+
 // CBBFinishArray behaves like |CBB_finish| but stores the result in an Array.
 OPENSSL_EXPORT bool CBBFinishArray(CBB *cbb, Array<uint8_t> *out);
 
@@ -2155,8 +2246,6 @@ BSSL_NAMESPACE_END
 
 DEFINE_LHASH_OF(SSL_SESSION)
 
-DEFINE_NAMED_STACK_OF(CertCompressionAlg, bssl::CertCompressionAlg)
-
 BSSL_NAMESPACE_BEGIN
 
 // An ssl_shutdown_t describes the shutdown state of one end of the connection,
@@ -2294,6 +2383,10 @@ struct SSL3_STATE {
   // alert_dispatch is true there is an alert in |send_alert| to be sent.
   bool alert_dispatch : 1;
 
+  // renegotiate_pending is whether the read half of the channel is blocked on a
+  // HelloRequest.
+  bool renegotiate_pending : 1;
+
   // hs_buf is the buffer of handshake data to process.
   UniquePtr<BUF_MEM> hs_buf;
 
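Review bot: GrowableArray provides `cbegin()`/`cend()` but no `begin() const`/`end() const`, so a range-for over a `const GrowableArray` will not compile even though the const `operator[]` path is already used through a `const SSL_CTX *` in t1_lib.cc in this commit; suggest adding `const T *begin() const { return array_.data(); }` and `const T *end() const { return array_.data() + size_; }`. Both `operator[]` overloads index `array_` directly, so an index between `size_` and the capacity silently reads a default-constructed slot rather than failing; an `assert(i < size_);` in each would catch that in debug builds, in the assert style ssl_lib.cc already uses. The move constructor and move assignment are not `noexcept` and the assignment does not guard against self-move (`a = std::move(a)` zeroes `size_`); whether they can be `noexcept` depends on Array's move, which is outside this hunk. `~GrowableArray() {}` can be `= default`. The hunk's enclosing declaration of Array ends before the hunk at -353.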
@@ -3137,7 +3230,7 @@ struct ssl_ctx_st { bssl::UniquePtr<STACK_OF(SRTP_PROTECTION_PROFILE)> srtp_profiles; // Defined compression algorithms for certificates. - bssl::UniquePtr<STACK_OF(CertCompressionAlg)> cert_compression_algs; + bssl::GrowableArray<bssl::CertCompressionAlg> cert_compression_algs; // Supported group values inherited by SSL structure bssl::Array<uint16_t> supported_group_list; diff --git a/src/ssl/s3_lib.cc b/src/ssl/s3_lib.cc index 41dd5889..d7f8a854 100644 --- a/src/ssl/s3_lib.cc +++ b/src/ssl/s3_lib.cc @@ -181,7 +181,8 @@ SSL3_STATE::SSL3_STATE() tls13_downgrade(false), token_binding_negotiated(false), pq_experiment_signal_seen(false), - alert_dispatch(false) {} + alert_dispatch(false), + renegotiate_pending(false) {} SSL3_STATE::~SSL3_STATE() {} diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc index 11863129..703c2bc9 100644 --- a/src/ssl/ssl_lib.cc +++ b/src/ssl/ssl_lib.cc @@ -478,6 +478,7 @@ static bool ssl_can_renegotiate(const SSL *ssl) { return false; case ssl_renegotiate_freely: + case ssl_renegotiate_explicit: return true; case ssl_renegotiate_once: return ssl->s3->total_renegotiations == 0; 
@@ -945,29 +946,16 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {
     return 1; // Ignore the HelloRequest.
   }
 
-  if (!ssl_can_renegotiate(ssl) ||
-      // Renegotiation is only supported at quiescent points in the application
-      // protocol, namely in HTTPS, just before reading the HTTP response.
-      // Require the record-layer be idle and avoid complexities of sending a
-      // handshake record while an application_data record is being written.
-      !ssl->s3->write_buffer.empty() ||
-      ssl->s3->write_shutdown != ssl_shutdown_none) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
-    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
-    return 0;
+  ssl->s3->renegotiate_pending = true;
+  if (ssl->renegotiate_mode == ssl_renegotiate_explicit) {
+    return 1; // Handle it later.
   }
 
-  // Begin a new handshake.
-  if (ssl->s3->hs != nullptr) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-  ssl->s3->hs = ssl_handshake_new(ssl);
-  if (ssl->s3->hs == nullptr) {
+  if (!SSL_renegotiate(ssl)) {
+    ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
     return 0;
   }
 
-  ssl->s3->total_renegotiations++;
   return 1;
 }
 
@@ -1012,6 +1000,11 @@ static int ssl_read_impl(SSL *ssl) {
   }
 
   while (ssl->s3->pending_app_data.empty()) {
+    if (ssl->s3->renegotiate_pending) {
+      ssl->s3->rwstate = SSL_ERROR_WANT_RENEGOTIATE;
+      return -1;
+    }
+
     // Complete the current handshake, if any. False Start will cause
     // |SSL_do_handshake| to return mid-handshake, so this may require multiple
     // iterations.
@@ -1353,6 +1346,7 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
     case SSL_ERROR_PENDING_TICKET:
     case SSL_ERROR_EARLY_DATA_REJECTED:
     case SSL_ERROR_WANT_CERTIFICATE_VERIFY:
+    case SSL_ERROR_WANT_RENEGOTIATE:
       return ssl->s3->rwstate;
 
     case SSL_ERROR_WANT_READ: {
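Review bot: In ssl_do_post_handshake (hunk at -945) `renegotiate_pending` is set to true before SSL_renegotiate is attempted and is not reset when that call fails, so on the non-explicit path a refused HelloRequest leaves the flag set behind the fatal alert. The fatal alert presumably makes the connection unusable, so this is likely harmless, but either setting the flag only on the explicit path or adding `ssl->s3->renegotiate_pending = false;` before the `return 0;` keeps the state consistent and avoids ssl_read_impl (hunk at -1012) reporting SSL_ERROR_WANT_RENEGOTIATE on a connection that has already failed. ssl_do_post_handshake begins before the hunk.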
@@ -1743,8 +1737,39 @@ long SSL_get_default_timeout(const SSL *ssl) {
 
 int SSL_renegotiate(SSL *ssl) {
   // Caller-initiated renegotiation is not supported.
-  OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-  return 0;
+  if (!ssl->s3->renegotiate_pending) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+
+  if (!ssl_can_renegotiate(ssl)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
+    return 0;
+  }
+
+  // Renegotiation is only supported at quiescent points in the application
+  // protocol, namely in HTTPS, just before reading the HTTP response.
+  // Require the record-layer be idle and avoid complexities of sending a
+  // handshake record while an application_data record is being written.
+  if (!ssl->s3->write_buffer.empty() ||
+      ssl->s3->write_shutdown != ssl_shutdown_none) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
+    return 0;
+  }
+
+  // Begin a new handshake.
+  if (ssl->s3->hs != nullptr) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return 0;
+  }
+  ssl->s3->hs = ssl_handshake_new(ssl);
+  if (ssl->s3->hs == nullptr) {
+    return 0;
+  }
+
+  ssl->s3->renegotiate_pending = false;
+  ssl->s3->total_renegotiations++;
+  return 1;
 }
 
 int SSL_renegotiate_pending(SSL *ssl) {
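Review bot: The retained comment `// Caller-initiated renegotiation is not supported.` now sits at the top of a function callers are expected to invoke, which reads as if the whole function were a stub; suggest `// Renegotiation can only be started in response to a pending HelloRequest;` followed by `// the caller cannot initiate one on its own.` directly above the `renegotiate_pending` check. The ordering of the success path looks right: `renegotiate_pending` is cleared only after `ssl_handshake_new` succeeds, so a failed allocation leaves the request pending and a later retry remains possible.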
@@ -2226,36 +2251,17 @@ int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id, ssl_cert_decompression_func_t decompress) { assert(compress != nullptr || decompress != nullptr); - for (const auto *alg : ctx->cert_compression_algs.get()) { - if (alg->alg_id == alg_id) { + for (const auto &alg : ctx->cert_compression_algs) { + if (alg.alg_id == alg_id) { return 0; } } - UniquePtr<CertCompressionAlg> alg = MakeUnique<CertCompressionAlg>(); - if (alg == nullptr) { - return 0; - } - - alg->alg_id = alg_id; - alg->compress = compress; - alg->decompress = decompress; - - if (ctx->cert_compression_algs == nullptr) { - ctx->cert_compression_algs.reset(sk_CertCompressionAlg_new_null()); - if (ctx->cert_compression_algs == nullptr) { - return 0; - } - } - - if (!PushToStack(ctx->cert_compression_algs.get(), std::move(alg))) { - if (sk_CertCompressionAlg_num(ctx->cert_compression_algs.get()) == 0) { - ctx->cert_compression_algs.reset(); - } - return 0; - } - - return 1; + CertCompressionAlg alg; + alg.alg_id = alg_id; + alg.compress = compress; + alg.decompress = decompress; + return ctx->cert_compression_algs.Push(alg); } void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) { diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc index 2df005a2..c01443ea 100644 --- a/src/ssl/ssl_test.cc +++ b/src/ssl/ssl_test.cc @@ -24,6 +24,7 @@ #include <gtest/gtest.h> +#include <openssl/aead.h> #include <openssl/base64.h> #include <openssl/bio.h> #include <openssl/cipher.h> 
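Review bot: `CertCompressionAlg alg;` followed by three member assignments relies on the struct's in-class initialisers for any other member, which are not visible here; `CertCompressionAlg alg{};` would make the zero-initialisation explicit, and `return ctx->cert_compression_algs.Push(std::move(alg));` avoids the copy the by-value `Push` parameter currently takes. Unlike the removed code, a failed `Push` no longer resets the container, which is fine now that the array owns its storage, but the function's header comment (outside this hunk) should still say the call returns zero on allocation failure. The function's signature starts before the hunk.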
@@ -472,6 +473,74 @@ static bool CipherListsEqual(SSL_CTX *ctx, return true; } +TEST(GrowableArrayTest, Resize) { + GrowableArray<size_t> array; + ASSERT_TRUE(array.empty()); + EXPECT_EQ(array.size(), 0u); + + ASSERT_TRUE(array.Push(42)); + ASSERT_TRUE(!array.empty()); + EXPECT_EQ(array.size(), 1u); + + // Force a resize operation to occur + for (size_t i = 0; i < 16; i++) { + ASSERT_TRUE(array.Push(i + 1)); + } + + EXPECT_EQ(array.size(), 17u); + + // Verify that expected values are still contained in array + for (size_t i = 0; i < array.size(); i++) { + EXPECT_EQ(array[i], i == 0 ? 42 : i); + } +} + +TEST(GrowableArrayTest, MoveConstructor) { + GrowableArray<size_t> array; + for (size_t i = 0; i < 100; i++) { + ASSERT_TRUE(array.Push(i)); + } + + GrowableArray<size_t> array_moved(std::move(array)); + for (size_t i = 0; i < 100; i++) { + EXPECT_EQ(array_moved[i], i); + } +} + +TEST(GrowableArrayTest, GrowableArrayContainingGrowableArrays) { + // Representative example of a struct that contains a GrowableArray. + struct TagAndArray { + size_t tag; + GrowableArray<size_t> array; + }; + + GrowableArray<TagAndArray> array; + for (size_t i = 0; i < 100; i++) { + TagAndArray elem; + elem.tag = i; + for (size_t j = 0; j < i; j++) { + ASSERT_TRUE(elem.array.Push(j)); + } + ASSERT_TRUE(array.Push(std::move(elem))); + } + EXPECT_EQ(array.size(), static_cast<size_t>(100)); + + GrowableArray<TagAndArray> array_moved(std::move(array)); + EXPECT_EQ(array_moved.size(), static_cast<size_t>(100)); + size_t count = 0; + for (const TagAndArray &elem : array_moved) { + // Test the square bracket operator returns the same value as iteration. + EXPECT_EQ(&elem, &array_moved[count]); + + EXPECT_EQ(elem.tag, count); + EXPECT_EQ(elem.array.size(), count); + for (size_t j = 0; j < count; j++) { + EXPECT_EQ(elem.array[j], j); + } + count++; + } +} + TEST(SSLTest, CipherRules) { for (const CipherTest &t : kCipherTests) { SCOPED_TRACE(t.rule); 
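Review bot: The new GrowableArrayTest cases exercise `Push`, the move constructor and iteration, but not `CopyFrom`, move assignment onto a non-empty target, or a second growth step: Resize stops at 17 elements, which with `kDefaultSize` of 16 triggers exactly one doubling. Adding a `CopyFrom` case and pushing past 32 elements (e.g. `for (size_t i = 0; i < 40; i++) ASSERT_TRUE(array.Push(i));`) would cover the remaining branches of MaybeGrow, including the path where the existing contents are moved into the new backing array more than once.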
@@ -5586,5 +5655,139 @@ TEST_P(SSLVersionTest, DoubleSSLError) { } } +TEST(SSLTest, WriteWhileExplicitRenegotiate) { + bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); + ASSERT_TRUE(ctx); + + bssl::UniquePtr<X509> cert = GetTestCertificate(); + bssl::UniquePtr<EVP_PKEY> pkey = GetTestKey(); + ASSERT_TRUE(cert); + ASSERT_TRUE(pkey); + ASSERT_TRUE(SSL_CTX_use_certificate(ctx.get(), cert.get())); + ASSERT_TRUE(SSL_CTX_use_PrivateKey(ctx.get(), pkey.get())); + ASSERT_TRUE(SSL_CTX_set_min_proto_version(ctx.get(), TLS1_2_VERSION)); + ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_2_VERSION)); + ASSERT_TRUE(SSL_CTX_set_strict_cipher_list( + ctx.get(), "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256")); + + bssl::UniquePtr<SSL> client, server; + ASSERT_TRUE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(), + ClientConfig(), true /* do_handshake */, + false /* don't shed handshake config */)); + SSL_set_renegotiate_mode(client.get(), ssl_renegotiate_explicit); + + static const uint8_t kInput[] = {'h', 'e', 'l', 'l', 'o'}; + + // Write "hello" until the buffer is full, so |client| has a pending write. + size_t num_writes = 0; + for (;;) { + int ret = SSL_write(client.get(), kInput, sizeof(kInput)); + if (ret != int(sizeof(kInput))) { + ASSERT_EQ(-1, ret); + ASSERT_EQ(SSL_ERROR_WANT_WRITE, SSL_get_error(client.get(), ret)); + break; + } + num_writes++; + } + + // Encrypt a HelloRequest. + uint8_t in[] = {SSL3_MT_HELLO_REQUEST, 0, 0, 0}; +#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) + // Fuzzer-mode records are unencrypted. + uint8_t record[5 + sizeof(in)]; + record[0] = SSL3_RT_HANDSHAKE; + record[1] = 3; + record[2] = 3; // TLS 1.2 + record[3] = 0; + record[4] = sizeof(record) - 5; + memcpy(record + 5, in, sizeof(in)); +#else + // Extract key material from |server|. 
+ static const size_t kKeyLen = 32; + static const size_t kNonceLen = 12; + ASSERT_EQ(2u * (kKeyLen + kNonceLen), SSL_get_key_block_len(server.get())); + uint8_t key_block[2u * (kKeyLen + kNonceLen)]; + ASSERT_TRUE( + SSL_generate_key_block(server.get(), key_block, sizeof(key_block))); + Span<uint8_t> key = MakeSpan(key_block + kKeyLen, kKeyLen); + Span<uint8_t> nonce = + MakeSpan(key_block + kKeyLen + kKeyLen + kNonceLen, kNonceLen); + + uint8_t ad[13]; + uint64_t seq = SSL_get_write_sequence(server.get()); + for (size_t i = 0; i < 8; i++) { + // The nonce is XORed with the sequence number. + nonce[11 - i] ^= uint8_t(seq); + ad[7 - i] = uint8_t(seq); + seq >>= 8; + } + + ad[8] = SSL3_RT_HANDSHAKE; + ad[9] = 3; + ad[10] = 3; // TLS 1.2 + ad[11] = 0; + ad[12] = sizeof(in); + + uint8_t record[5 + sizeof(in) + 16]; + record[0] = SSL3_RT_HANDSHAKE; + record[1] = 3; + record[2] = 3; // TLS 1.2 + record[3] = 0; + record[4] = sizeof(record) - 5; + + ScopedEVP_AEAD_CTX aead; + ASSERT_TRUE(EVP_AEAD_CTX_init(aead.get(), EVP_aead_chacha20_poly1305(), + key.data(), key.size(), + EVP_AEAD_DEFAULT_TAG_LENGTH, nullptr)); + size_t len; + ASSERT_TRUE(EVP_AEAD_CTX_seal(aead.get(), record + 5, &len, + sizeof(record) - 5, nonce.data(), nonce.size(), + in, sizeof(in), ad, sizeof(ad))); + ASSERT_EQ(sizeof(record) - 5, len); +#endif // BORINGSSL_UNSAFE_FUZZER_MODE + + ASSERT_EQ(int(sizeof(record)), + BIO_write(SSL_get_wbio(server.get()), record, sizeof(record))); + + // |SSL_read| should pick up the HelloRequest. + uint8_t byte; + ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1)); + ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1)); + + // Drain the data from the |client|. 
+ uint8_t buf[sizeof(kInput)]; + for (size_t i = 0; i < num_writes; i++) { + ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf))); + EXPECT_EQ(Bytes(buf), Bytes(kInput)); + } + + // |client| should be able to finish the pending write and continue to write, + // despite the paused HelloRequest. + ASSERT_EQ(int(sizeof(kInput)), + SSL_write(client.get(), kInput, sizeof(kInput))); + ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf))); + EXPECT_EQ(Bytes(buf), Bytes(kInput)); + + ASSERT_EQ(int(sizeof(kInput)), + SSL_write(client.get(), kInput, sizeof(kInput))); + ASSERT_EQ(int(sizeof(buf)), SSL_read(server.get(), buf, sizeof(buf))); + EXPECT_EQ(Bytes(buf), Bytes(kInput)); + + // |SSL_read| is stuck until we acknowledge the HelloRequest. + ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1)); + ASSERT_EQ(SSL_ERROR_WANT_RENEGOTIATE, SSL_get_error(client.get(), -1)); + + ASSERT_TRUE(SSL_renegotiate(client.get())); + ASSERT_EQ(-1, SSL_read(client.get(), &byte, 1)); + ASSERT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(client.get(), -1)); + + // We never renegotiate as a server. + ASSERT_EQ(-1, SSL_read(server.get(), buf, sizeof(buf))); + ASSERT_EQ(SSL_ERROR_SSL, SSL_get_error(server.get(), -1)); + uint32_t err = ERR_get_error(); + EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err)); + EXPECT_EQ(SSL_R_NO_RENEGOTIATION, ERR_GET_REASON(err)); +} + } // namespace BSSL_NAMESPACE_END diff --git a/src/ssl/t1_lib.cc b/src/ssl/t1_lib.cc index 52cea6cf..cc29a832 100644 --- a/src/ssl/t1_lib.cc +++ b/src/ssl/t1_lib.cc @@ -2756,8 +2756,8 @@ static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { bool first = true; CBB contents, algs; - for (const auto *alg : hs->ssl->ctx->cert_compression_algs.get()) { - if (alg->decompress == nullptr) { + for (const auto &alg : hs->ssl->ctx->cert_compression_algs) { + if (alg.decompress == nullptr) { continue; } 
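Review bot: The non-fuzzer branch of WriteWhileExplicitRenegotiate hard-codes the key-block offsets (key at `key_block + kKeyLen`, nonce at `key_block + 2 * kKeyLen + kNonceLen`) without saying which half of the block they select, so a reader has to reconstruct the TLS 1.2 key-block ordering to see that these are presumably the server write key and server write IV. A comment such as `// The key block is client_write_key, server_write_key, client_write_IV, server_write_IV; take the server's.` above the two `MakeSpan` calls would document the dependency, which is tied to the single ChaCha20-Poly1305 suite pinned by the strict cipher list earlier in the test. The test begins before the hunk's visible start on the previous lines and ends at the namespace close.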
@@ -2767,7 +2767,7 @@ static bool cert_compression_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { return false; } first = false; - if (!CBB_add_u16(&algs, alg->alg_id)) { + if (!CBB_add_u16(&algs, alg.alg_id)) { return false; } } @@ -2794,8 +2794,8 @@ static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs, return true; } - const size_t num_algs = - sk_CertCompressionAlg_num(hs->ssl->ctx->cert_compression_algs.get()); + const SSL_CTX *ctx = hs->ssl->ctx.get(); + const size_t num_algs = ctx->cert_compression_algs.size(); CBS alg_ids; if (!CBS_get_u8_length_prefixed(contents, &alg_ids) || @@ -2823,9 +2823,8 @@ static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs, given_alg_ids[given_alg_idx++] = alg_id; for (size_t i = 0; i < num_algs; i++) { - const auto *alg = sk_CertCompressionAlg_value( - hs->ssl->ctx->cert_compression_algs.get(), i); - if (alg->alg_id == alg_id && alg->compress != nullptr) { + const auto &alg = ctx->cert_compression_algs[i]; + if (alg.alg_id == alg_id && alg.compress != nullptr) { if (i < best_index) { best_index = i; } @@ -2845,10 +2844,7 @@ static bool cert_compression_parse_clienthello(SSL_HANDSHAKE *hs, if (best_index < num_algs && ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) { hs->cert_compression_negotiated = true; - hs->cert_compression_alg_id = - sk_CertCompressionAlg_value(hs->ssl->ctx->cert_compression_algs.get(), - best_index) - ->alg_id; + hs->cert_compression_alg_id = ctx->cert_compression_algs[best_index].alg_id; } return true; diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc index 261f6c60..9bd389bd 100644 --- a/src/ssl/test/bssl_shim.cc +++ b/src/ssl/test/bssl_shim.cc 
@@ -1126,6 +1126,15 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session, return false; } + if (config->renegotiate_explicit && + SSL_total_renegotiations(ssl) != + GetTestState(ssl)->explicit_renegotiates) { + fprintf(stderr, "Performed %d renegotiations, but triggered %d of them\n", + SSL_total_renegotiations(ssl), + GetTestState(ssl)->explicit_renegotiates); + return false; + } + return true; } diff --git a/src/ssl/test/handshake_util.cc b/src/ssl/test/handshake_util.cc index 4b1dcc84..fe96751c 100644 --- a/src/ssl/test/handshake_util.cc +++ b/src/ssl/test/handshake_util.cc @@ -40,8 +40,18 @@ using namespace bssl; bool RetryAsync(SSL *ssl, int ret) { const TestConfig *config = GetTestConfig(ssl); TestState *test_state = GetTestState(ssl); - // No error or not async; don't retry. - if (ret >= 0 || !config->async) { + if (ret >= 0) { + return false; + } + + int ssl_err = SSL_get_error(ssl, ret); + if (ssl_err == SSL_ERROR_WANT_RENEGOTIATE && config->renegotiate_explicit) { + test_state->explicit_renegotiates++; + return SSL_renegotiate(ssl); + } + + if (!config->async) { + // Only asynchronous tests should trigger other retries. return false; } @@ -62,7 +72,7 @@ bool RetryAsync(SSL *ssl, int ret) { // See if we needed to read or write more. If so, allow one byte through on // the appropriate end to maximally stress the state machine. - switch (SSL_get_error(ssl, ret)) { + switch (ssl_err) { case SSL_ERROR_WANT_READ: AsyncBioAllowRead(test_state->async_bio, 1); return true; diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go index 5a4b0cc9..758566a9 100644 --- a/src/ssl/test/runner/runner.go +++ b/src/ssl/test/runner/runner.go 
@@ -5268,6 +5268,18 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) { }) tests = append(tests, testCase{ + name: "Renegotiate-Client-Explicit", + config: Config{ + MaxVersion: VersionTLS12, + }, + renegotiate: 1, + flags: []string{ + "-renegotiate-explicit", + "-expect-total-renegotiations", "1", + }, + }) + + tests = append(tests, testCase{ name: "SendHalfHelloRequest", config: Config{ MaxVersion: VersionTLS12, diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc index bd32ce9d..8d8a0686 100644 --- a/src/ssl/test/test_config.cc +++ b/src/ssl/test/test_config.cc @@ -102,6 +102,7 @@ const Flag<bool> kBoolFlags[] = { {"-renegotiate-once", &TestConfig::renegotiate_once}, {"-renegotiate-freely", &TestConfig::renegotiate_freely}, {"-renegotiate-ignore", &TestConfig::renegotiate_ignore}, + {"-renegotiate-explicit", &TestConfig::renegotiate_explicit}, {"-forbid-renegotiation-after-handshake", &TestConfig::forbid_renegotiation_after_handshake}, {"-enable-all-curves", &TestConfig::enable_all_curves}, @@ -1577,6 +1578,9 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL( if (renegotiate_ignore) { SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_ignore); } + if (renegotiate_explicit) { + SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_explicit); + } if (!check_close_notify) { SSL_set_quiet_shutdown(ssl.get(), 1); } diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h index ce4b4164..8c25ed20 100644 --- a/src/ssl/test/test_config.h +++ b/src/ssl/test/test_config.h @@ -119,6 +119,7 @@ struct TestConfig { bool renegotiate_once = false; bool renegotiate_freely = false; bool renegotiate_ignore = false; + bool renegotiate_explicit = false; bool forbid_renegotiation_after_handshake = false; int expect_peer_signature_algorithm = 0; bool enable_all_curves = false; diff --git a/src/ssl/test/test_state.h b/src/ssl/test/test_state.h index 2364286f..2aa9e30c 100644 --- a/src/ssl/test/test_state.h +++ b/src/ssl/test/test_state.h 
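Review bot: In NewSSL, the new `if (renegotiate_explicit)` is another independent `SSL_set_renegotiate_mode` call, so a test that passes more than one -renegotiate-* flag has the last branch silently win (the `renegotiate_ignore` branch is visible just above it; the once/freely branches presumably precede it outside the hunk). A test harness should fail loudly on conflicting configuration: either reject the combination when the flags are parsed, or at least document the precedence with `// The -renegotiate-* flags are mutually exclusive; the last branch applied wins.` NewSSL itself starts and ends outside this hunk.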
@@ -61,6 +61,7 @@ struct TestState { // cert_verified is true if certificate verification has been driven to // completion. This tests that the callback is not called again after this. bool cert_verified = false; + int explicit_renegotiates = 0; }; bool SetTestState(SSL *ssl, std::unique_ptr<TestState> state); diff --git a/src/ssl/tls13_both.cc b/src/ssl/tls13_both.cc index 7457155c..18bdef20 100644 --- a/src/ssl/tls13_both.cc +++ b/src/ssl/tls13_both.cc @@ -133,9 +133,9 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, } ssl_cert_decompression_func_t decompress = nullptr; - for (const auto* alg : ssl->ctx->cert_compression_algs.get()) { - if (alg->alg_id == alg_id) { - decompress = alg->decompress; + for (const auto &alg : ssl->ctx->cert_compression_algs) { + if (alg.alg_id == alg_id) { + decompress = alg.decompress; break; } } @@ -517,9 +517,9 @@ bool tls13_add_certificate(SSL_HANDSHAKE *hs) { } const CertCompressionAlg *alg = nullptr; - for (const auto *candidate : ssl->ctx->cert_compression_algs.get()) { - if (candidate->alg_id == hs->cert_compression_alg_id) { - alg = candidate; + for (const auto &candidate : ssl->ctx->cert_compression_algs) { + if (candidate.alg_id == hs->cert_compression_alg_id) { + alg = &candidate; break; } } diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc index a52a49c5..f6a81d45 100644 --- a/src/ssl/tls13_server.cc +++ b/src/ssl/tls13_server.cc @@ -976,7 +976,7 @@ static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) { // the case of a small server write buffer. Consumers which don't write data // to the client will need to do a zero-byte write if they wish to flush the // tickets. - if (hs->ssl->ctx->quic_method != nullptr && sent_tickets) { + if (hs->ssl->quic_method != nullptr && sent_tickets) { return ssl_hs_flush; } return ssl_hs_ok; diff --git a/src/tool/speed.cc b/src/tool/speed.cc index 160d90f1..68073a99 100644 --- a/src/tool/speed.cc +++ b/src/tool/speed.cc 
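Review bot: `explicit_renegotiates` is added to TestState without a comment, unlike the neighbouring `cert_verified`, and its meaning is only discoverable from handshake_util.cc where it is incremented. Document it in place: `// explicit_renegotiates counts the SSL_renegotiate calls the harness made in response to SSL_ERROR_WANT_RENEGOTIATE under -renegotiate-explicit; DoExchange checks it against SSL_total_renegotiations.` The struct's definition starts outside this hunk.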
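Review bot: In tls13_add_certificate, `alg = &candidate;` now stores a pointer into `ssl->ctx->cert_compression_algs` itself, whereas the removed code held a pointer to a separately allocated STACK_OF element that survived growth of the container; with the new container, anything that appends to the list after this lookup (for instance a late SSL_CTX_add_cert_compression_alg on a shared ctx) could invalidate `alg` before it is used. If, as is presumably the contract, an SSL_CTX is fully configured before connections use it, this is safe, but that assumption is now load-bearing and deserves a comment: `// Points into ctx->cert_compression_algs; the ctx must not be reconfigured while a handshake is in progress.` The use of `alg` after the loop is outside this hunk.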
@@ -13,9 +13,9 @@ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include <algorithm> -#include <string> #include <functional> #include <memory> +#include <string> #include <vector> #include <assert.h> @@ -54,6 +54,8 @@ OPENSSL_MSVC_PRAGMA(warning(pop)) #include "../third_party/sike/sike.h" +// g_print_json is true if printed output is JSON formatted. +static bool g_print_json = false; // TimeResults represents the results of benchmarking a function. struct TimeResults { 
@@ -62,20 +64,54 @@ struct TimeResults { // us is the number of microseconds that elapsed in the time period. unsigned us; - void Print(const std::string &description) { - printf("Did %u %s operations in %uus (%.1f ops/sec)\n", num_calls, - description.c_str(), us, - (static_cast<double>(num_calls) / us) * 1000000); + void Print(const std::string &description) const { + if (g_print_json) { + PrintJSON(description); + } else { + printf("Did %u %s operations in %uus (%.1f ops/sec)\n", num_calls, + description.c_str(), us, + (static_cast<double>(num_calls) / us) * 1000000); + } + } + + void PrintWithBytes(const std::string &description, + size_t bytes_per_call) const { + if (g_print_json) { + PrintJSON(description, bytes_per_call); + } else { + printf("Did %u %s operations in %uus (%.1f ops/sec): %.1f MB/s\n", + num_calls, description.c_str(), us, + (static_cast<double>(num_calls) / us) * 1000000, + static_cast<double>(bytes_per_call * num_calls) / us); + } } - void PrintWithBytes(const std::string &description, size_t bytes_per_call) { - printf("Did %u %s operations in %uus (%.1f ops/sec): %.1f MB/s\n", - num_calls, description.c_str(), us, - (static_cast<double>(num_calls) / us) * 1000000, - static_cast<double>(bytes_per_call * num_calls) / us); + private: + void PrintJSON(const std::string &description, + size_t bytes_per_call = 0) const { + if (first_json_printed) { + puts(","); + } + + printf("{\"description\": \"%s\", \"numCalls\": %u, \"microseconds\": %u", + description.c_str(), num_calls, us); + + if (bytes_per_call > 0) { + printf(", \"bytesPerCall\": %zu", bytes_per_call); + } + + printf("}"); + first_json_printed = true; } + + // first_json_printed is true if |g_print_json| is true and the first item in + // the JSON results has been printed already. This is used to handle the + // commas between each item in the result list. 
+ static bool first_json_printed; }; +bool TimeResults::first_json_printed = false; + #if defined(OPENSSL_WINDOWS) static uint64_t time_now() { return GetTickCount64() * 1000; } #elif defined(OPENSSL_APPLE) 
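Review bot: `PrintJSON` writes `description` straight into the JSON string with `%s`, so a description containing a quote, backslash or control character would yield malformed output; every caller visible in this change passes a fixed label, but the constraint is implicit. Either add a minimal escaping pass or state the requirement at the private declaration: `// |description| is emitted verbatim inside a JSON string; it must be plain ASCII with no '"' or '\\'.` `first_json_printed` is a mutable class-wide static, which is fine for this single-threaded tool but is worth saying in its comment so nobody later calls Print from several threads.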
@@ -274,24 +310,29 @@ static bool SpeedRSAKeyGen(const std::string &selected) { } std::sort(durations.begin(), durations.end()); - printf("Did %u RSA %d key-gen operations in %uus (%.1f ops/sec)\n", - num_calls, size, us, - (static_cast<double>(num_calls) / us) * 1000000); + const std::string description = + std::string("RSA ") + std::to_string(size) + std::string(" key-gen"); + const TimeResults results = {num_calls, us}; + results.Print(description); const size_t n = durations.size(); assert(n > 0); - // |min| and |max| must be stored in temporary variables to avoid an MSVC - // bug on x86. There, size_t is a typedef for unsigned, but MSVC's printf - // warning tries to retain the distinction and suggest %zu for size_t - // instead of %u. It gets confused if std::vector<unsigned> and - // std::vector<size_t> are both instantiated. Being typedefs, the two - // instantiations are identical, which somehow breaks the size_t vs unsigned - // metadata. - unsigned min = durations[0]; - unsigned median = n & 1 ? durations[n / 2] - : (durations[n / 2 - 1] + durations[n / 2]) / 2; - unsigned max = durations[n - 1]; - printf(" min: %uus, median: %uus, max: %uus\n", min, median, max); + // Distribution information is useful, but doesn't fit into the standard + // format used by |g_print_json|. + if (!g_print_json) { + // |min| and |max| must be stored in temporary variables to avoid an MSVC + // bug on x86. There, size_t is a typedef for unsigned, but MSVC's printf + // warning tries to retain the distinction and suggest %zu for size_t + // instead of %u. It gets confused if std::vector<unsigned> and + // std::vector<size_t> are both instantiated. Being typedefs, the two + // instantiations are identical, which somehow breaks the size_t vs + // unsigned metadata. + unsigned min = durations[0]; + unsigned median = n & 1 ? 
durations[n / 2] + : (durations[n / 2 - 1] + durations[n / 2]) / 2; + unsigned max = durations[n - 1]; + printf(" min: %uus, median: %uus, max: %uus\n", min, median, max); + } } return true; @@ -979,6 +1020,16 @@ static const struct argument kArguments[] = { "16,256,1350,8192,16384)", }, { + "-json", + kBooleanArgument, + "If this flag is set, speed will print the output of each benchmark in " + "JSON format as follows: \"{\"description\": " + "\"descriptionOfOperation\", \"numCalls\": 1234, " + "\"timeInMicroseconds\": 1234567, \"bytesPerCall\": 1234}\". When " + "there is no information about the bytes per call for an operation, " + "the JSON field for bytesPerCall will be omitted.", + }, + { "", kOptionalArgument, "", @@ -997,6 +1048,10 @@ bool Speed(const std::vector<std::string> &args) { selected = args_map["-filter"]; } + if (args_map.count("-json") != 0) { + g_print_json = true; + } + if (args_map.count("-timeout") != 0) { g_timeout_seconds = atoi(args_map["-timeout"].c_str()); } @@ -1036,6 +1091,9 @@ bool Speed(const std::vector<std::string> &args) { // knowledge in them and construct a couple of the AD bytes internally. static const size_t kLegacyADLen = kTLSADLen - 2; + if (g_print_json) { + puts("["); + } if (!SpeedRSA(selected) || !SpeedAEAD(EVP_aead_aes_128_gcm(), "AES-128-GCM", kTLSADLen, selected) || !SpeedAEAD(EVP_aead_aes_256_gcm(), "AES-256-GCM", kTLSADLen, selected) || @@ -1077,6 +1135,9 @@ bool Speed(const std::vector<std::string> &args) { !SpeedHRSS(selected)) { return false; } + if (g_print_json) { + puts("\n]"); + } return true; } |
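Review bot: In SpeedRSAKeyGen the JSON path silently drops the min/median/max distribution that the text path prints, and the comment only says it doesn't fit the format; consumers of `-json` get strictly less information for RSA key-gen than the human-readable output, with nothing in the JSON indicating the omission. Consider carrying the three values as optional fields in PrintJSON, or at least stating the omission in the `-json` help text. Separately, `std::string("RSA ") + std::to_string(size) + std::string(" key-gen")` can be `"RSA " + std::to_string(size) + " key-gen"`, since operator+ on a std::string already accepts a literal. SpeedRSAKeyGen starts outside this hunk.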
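Review bot: The `-json` help text documents the field as `\"timeInMicroseconds\"`, but PrintJSON in this same change emits `\"microseconds\"`, so anyone writing a parser from the help text will miss the field. Align the documentation with the code by changing the help string to `\"microseconds\": 1234567` (or rename the emitted key to match the documented one, in which case the `printf` in PrintJSON changes instead). The surrounding kArguments table continues outside this hunk.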
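Review bot: The closing `]` is printed only on the success path, so when any of the SpeedXxx calls returns false after `puts("[")` has already run, stdout ends with an unterminated JSON array and the stderr text is the only hint that the run failed. Either print the terminator on the `return false` path as well, or document the contract next to the closing `puts`: `// On failure the array is left unterminated; callers must check the exit status before parsing stdout.` The `if (!SpeedRSA(selected) || ...` chain that decides this begins in an earlier hunk.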