diff options
| author | Robert Sloan <varomodt@google.com> | 2017-12-11 09:06:12 -0800 |
|---|---|---|
| committer | Robert Sloan <varomodt@google.com> | 2017-12-11 09:07:04 -0800 |
| commit | cd79cdebdcdadadb156e037973c927abf3dac79d (patch) | |
| tree | 8d665d1755a4ff8b52bf8f66eb302de639d5b4ac /src | |
| parent | cd32b5c799ac5f2267a1c741e02ee32413a036c2 (diff) | |
| download | boringssl-cd79cdebdcdadadb156e037973c927abf3dac79d.tar.gz | |
external/boringssl: Sync to 21baf6421a7e1e03f85cf2243c3c2404f5765072.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/a5462d3050ac6a68ab488450bf5856475dbef992..21baf6421a7e1e03f85cf2243c3c2404f5765072
Test: BoringSSL CTS Presubmits
Change-Id: I7081a7bead0260f9790e3af70bc23dba42ddb156
Diffstat (limited to 'src')
26 files changed, 298 insertions, 154 deletions
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index eb8717ac..6674a419 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -1,5 +1,11 @@ cmake_minimum_required (VERSION 2.8.11) +# Report AppleClang separately from Clang. Their version numbers are different. +# https://cmake.org/cmake/help/v3.0/policy/CMP0025.html +if(POLICY CMP0025) + cmake_policy(SET CMP0025 NEW) +endif() + # Defer enabling C and CXX languages. project (BoringSSL NONE) @@ -63,6 +69,18 @@ if(CMAKE_COMPILER_IS_GNUCXX OR CLANG) set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-free-nonheap-object") endif() + if(CMAKE_CXX_COMPILER_ID STREQUAL "Clang" AND + NOT "6.0.0" VERSION_GREATER CMAKE_C_COMPILER_VERSION) + # Clang's -Wtautological-constant-compare is far too aggressive and does not + # account for, say, wanting the same code to work on both 32-bit and 64-bit + # platforms. + # + # Note "Clang" and "AppleClang" version differently, so we check for an + # exact match on the COMPILER_ID. As of writing, the warning is not in any + # release of AppleClang yet. + set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wno-tautological-constant-compare -Wtautological-constant-out-of-range-compare") + endif() + if(CLANG OR NOT "7.0.0" VERSION_GREATER CMAKE_C_COMPILER_VERSION) set(C_CXX_FLAGS "${C_CXX_FLAGS} -Wimplicit-fallthrough") endif() diff --git a/src/crypto/asn1/a_mbstr.c b/src/crypto/asn1/a_mbstr.c index 30fff82a..a2789ed1 100644 --- a/src/crypto/asn1/a_mbstr.c +++ b/src/crypto/asn1/a_mbstr.c @@ -61,17 +61,19 @@ #include <openssl/err.h> #include <openssl/mem.h> +#include "asn1_locl.h" + static int traverse_string(const unsigned char *p, int len, int inform, - int (*rfunc) (unsigned long value, void *in), + int (*rfunc) (uint32_t value, void *in), void *arg); -static int in_utf8(unsigned long value, void *arg); -static int out_utf8(unsigned long value, void *arg); -static int type_str(unsigned long value, void *arg); -static int cpy_asc(unsigned long value, void *arg); -static int cpy_bmp(unsigned long value, void *arg); -static int cpy_univ(unsigned long value, void *arg); -static int cpy_utf8(unsigned long value, void *arg); -static int is_printable(unsigned long value); +static int in_utf8(uint32_t value, void *arg); +static int out_utf8(uint32_t value, void *arg); +static int type_str(uint32_t value, void *arg); +static int cpy_asc(uint32_t value, void *arg); +static int cpy_bmp(uint32_t value, void *arg); +static int cpy_univ(uint32_t value, void *arg); +static int cpy_utf8(uint32_t value, void *arg); +static int is_printable(uint32_t value); /* * These functions take a string in UTF8, ASCII or multibyte form and a mask @@ -100,7 +102,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, unsigned char *p; int nchar; char strbuf[32]; - int (*cpyfunc) (unsigned long, void *) = NULL; + int (*cpyfunc) (uint32_t, void *) = NULL; if (len == -1) len = strlen((const char *)in); if (!mask) @@ -253,10 +255,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, */ static int traverse_string(const unsigned char *p, int len, int inform, - int (*rfunc) (unsigned long value, void *in), + int (*rfunc) (uint32_t value, void *in), void *arg) { - unsigned long value; + uint32_t value; int ret; while (len) { if (inform == MBSTRING_ASC) { @@ -267,8 +269,8 @@ static int traverse_string(const unsigned char *p, int len, int inform, value |= *p++; len -= 2; } else if (inform == MBSTRING_UNIV) { - value = ((unsigned long)*p++) << 24; - value |= ((unsigned long)*p++) << 16; + value = ((uint32_t)*p++) << 24; + value |= ((uint32_t)*p++) << 16; value |= *p++ << 8; value |= *p++; len -= 4; @@ -292,7 +294,7 @@ static int traverse_string(const unsigned char *p, int len, int inform, /* Just count number of characters */ -static int in_utf8(unsigned long value, void *arg) +static int in_utf8(uint32_t value, void *arg) { int *nchar; nchar = arg; @@ -302,7 +304,7 @@ static int in_utf8(unsigned long value, void *arg) /* Determine size of output as a UTF8 String */ -static int out_utf8(unsigned long value, void *arg) +static int out_utf8(uint32_t value, void *arg) { int *outlen; outlen = arg; @@ -315,7 +317,7 @@ static int out_utf8(unsigned long value, void *arg) * "mask". */ -static int type_str(unsigned long value, void *arg) +static int type_str(uint32_t value, void *arg) { unsigned long types; types = *((unsigned long *)arg); @@ -335,7 +337,7 @@ static int type_str(unsigned long value, void *arg) /* Copy one byte per character ASCII like strings */ -static int cpy_asc(unsigned long value, void *arg) +static int cpy_asc(uint32_t value, void *arg) { unsigned char **p, *q; p = arg; @@ -347,7 +349,7 @@ static int cpy_asc(unsigned long value, void *arg) /* Copy two byte per character BMPStrings */ -static int cpy_bmp(unsigned long value, void *arg) +static int cpy_bmp(uint32_t value, void *arg) { unsigned char **p, *q; p = arg; @@ -360,7 +362,7 @@ static int cpy_bmp(unsigned long value, void *arg) /* Copy four byte per character UniversalStrings */ -static int cpy_univ(unsigned long value, void *arg) +static int cpy_univ(uint32_t value, void *arg) { unsigned char **p, *q; p = arg; @@ -375,7 +377,7 @@ static int cpy_univ(unsigned long value, void *arg) /* Copy to a UTF8String */ -static int cpy_utf8(unsigned long value, void *arg) +static int cpy_utf8(uint32_t value, void *arg) { unsigned char **p; int ret; @@ -387,7 +389,7 @@ static int cpy_utf8(unsigned long value, void *arg) } /* Return 1 if the character is permitted in a PrintableString */ -static int is_printable(unsigned long value) +static int is_printable(uint32_t value) { int ch; if (value > 0x7f) diff --git a/src/crypto/asn1/a_utf8.c b/src/crypto/asn1/a_utf8.c index 17027686..119ccf92 100644 --- a/src/crypto/asn1/a_utf8.c +++ b/src/crypto/asn1/a_utf8.c @@ -59,6 +59,8 @@ #include <openssl/err.h> #include <openssl/mem.h> +#include "asn1_locl.h" + /* UTF8 utilities */ /* @@ -70,10 +72,10 @@ * incorrectly (not minimal length). */ -int UTF8_getc(const unsigned char *str, int len, unsigned long *val) +int UTF8_getc(const unsigned char *str, int len, uint32_t *val) { const unsigned char *p; - unsigned long value; + uint32_t value; int ret; if (len <= 0) return 0; @@ -112,7 +114,7 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val) || ((p[2] & 0xc0) != 0x80) || ((p[3] & 0xc0) != 0x80)) return -3; - value = ((unsigned long)(*p++ & 0x7)) << 18; + value = ((uint32_t)(*p++ & 0x7)) << 18; value |= (*p++ & 0x3f) << 12; value |= (*p++ & 0x3f) << 6; value |= *p++ & 0x3f; @@ -127,9 +129,9 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val) || ((p[3] & 0xc0) != 0x80) || ((p[4] & 0xc0) != 0x80)) return -3; - value = ((unsigned long)(*p++ & 0x3)) << 24; - value |= ((unsigned long)(*p++ & 0x3f)) << 18; - value |= ((unsigned long)(*p++ & 0x3f)) << 12; + value = ((uint32_t)(*p++ & 0x3)) << 24; + value |= ((uint32_t)(*p++ & 0x3f)) << 18; + value |= ((uint32_t)(*p++ & 0x3f)) << 12; value |= (*p++ & 0x3f) << 6; value |= *p++ & 0x3f; if (value < 0x200000) @@ -144,10 +146,10 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val) || ((p[4] & 0xc0) != 0x80) || ((p[5] & 0xc0) != 0x80)) return -3; - value = ((unsigned long)(*p++ & 0x1)) << 30; - value |= ((unsigned long)(*p++ & 0x3f)) << 24; - value |= ((unsigned long)(*p++ & 0x3f)) << 18; - value |= ((unsigned long)(*p++ & 0x3f)) << 12; + value = ((uint32_t)(*p++ & 0x1)) << 30; + value |= ((uint32_t)(*p++ & 0x3f)) << 24; + value |= ((uint32_t)(*p++ & 0x3f)) << 18; + value |= ((uint32_t)(*p++ & 0x3f)) << 12; value |= (*p++ & 0x3f) << 6; value |= *p++ & 0x3f; if (value < 0x4000000) @@ -167,7 +169,7 @@ int UTF8_getc(const unsigned char *str, int len, unsigned long *val) * most 6 characters. */ -int UTF8_putc(unsigned char *str, int len, unsigned long value) +int UTF8_putc(unsigned char *str, int len, uint32_t value) { if (!str) len = 6; /* Maximum we will need */ diff --git a/src/crypto/asn1/asn1_locl.h b/src/crypto/asn1/asn1_locl.h index 10a832cd..8cef2463 100644 --- a/src/crypto/asn1/asn1_locl.h +++ b/src/crypto/asn1/asn1_locl.h @@ -93,6 +93,9 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d); void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine); +int UTF8_getc(const unsigned char *str, int len, uint32_t *val); +int UTF8_putc(unsigned char *str, int len, uint32_t value); + #if defined(__cplusplus) } /* extern C */ diff --git a/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl b/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl index 0bb50cdb..32c21673 100755 --- a/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl +++ b/src/crypto/fipsmodule/bn/asm/rsaz-avx2.pl @@ -232,7 +232,7 @@ $code.=<<___; vmovdqu 32*8-128($ap), $ACC8 lea 192(%rsp), $tp0 # 64+128=192 - vpbroadcastq .Land_mask(%rip), $AND_MASK + vmovdqu .Land_mask(%rip), $AND_MASK jmp .LOOP_GRANDE_SQR_1024 .align 32 @@ -1082,10 +1082,10 @@ $code.=<<___; vpmuludq 32*6-128($np),$Yi,$TEMP1 vpaddq $TEMP1,$ACC6,$ACC6 vpmuludq 32*7-128($np),$Yi,$TEMP2 - vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3 + vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3 vpaddq $TEMP2,$ACC7,$ACC7 vpmuludq 32*8-128($np),$Yi,$TEMP0 - vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3 + vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3 vpaddq $TEMP0,$ACC8,$ACC8 mov %rbx, %rax @@ -1098,7 +1098,9 @@ $code.=<<___; vmovdqu -8+32*2-128($ap),$TEMP2 mov $r1, %rax + vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3 imull $n0, %eax + vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3 and \$0x1fffffff, %eax imulq 16-128($ap),%rbx @@ -1334,15 +1336,12 @@ ___ # But as we underutilize resources, it's possible to correct in # each iteration with marginal performance loss. But then, as # we do it in each iteration, we can correct less digits, and -# avoid performance penalties completely. Also note that we -# correct only three digits out of four. This works because -# most significant digit is subjected to less additions. +# avoid performance penalties completely. $TEMP0 = $ACC9; $TEMP3 = $Bi; $TEMP4 = $Yi; $code.=<<___; - vpermq \$0, $AND_MASK, $AND_MASK vpaddq (%rsp), $TEMP1, $ACC0 vpsrlq \$29, $ACC0, $TEMP1 @@ -1790,7 +1789,7 @@ $code.=<<___; .align 64 .Land_mask: - .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1 + .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff .Lscatter_permd: .long 0,2,4,6,7,7,7,7 .Lgather_permd: diff --git a/src/crypto/fipsmodule/bn/bn_tests.txt b/src/crypto/fipsmodule/bn/bn_tests.txt index eb447b53..87e64e2b 100644 --- a/src/crypto/fipsmodule/bn/bn_tests.txt +++ b/src/crypto/fipsmodule/bn/bn_tests.txt @@ -10507,6 +10507,12 @@ A = -80000000000000000000000000000000000000000000000000000000000000000000000000 E = 61803d4973ae68cfb2ba6770dbed70d36760fa42c01a16d1482eacf0d01adf7a917bc86ece58a73b920295c1291b90f49167ef856ecad149330e1fd49ec71392fb62d47270b53e6d4f3c8f044b80a5736753364896932abc6d872c4c5e135d1edb200597a93ceb262ff6c99079177cd10808b9ed20c8cd7352d80ac7f6963103 M = b5d257b2c50b050d42f0852eff5cfa2571157c500cd0bd9aa0b2ccdd89c531c9609d520eb81d928fb52b06da25dc713561aa0bd365ee56db9e62ac6787a85936990f44438363560f7af9e0c16f378e5b83f658252390d849401817624da97ec613a1b855fd901847352f434a777e4e32af0cb4033c7547fb6437d067fcd3d965 +# Regression test for CVE-2017-3738. +ModExp = d360792bd8210786607817c3dda64cc38c8d0f25569597cb1f363c7919a0c3587baff01a2283edaeb04fc288ac0ab3f279b2a89ffcb452d8bdf72422a9f9780f4aa702dc964cf033149d3a339883062cab8564aebdbfac0bf68985e522c6fe545b346044690c525ca85d3f4eb3e3c25cdf541545afc84a309e9b1d7807003461 +A = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2020202020df +E = 2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020FF2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020 +M = ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff2020202020ff + # Exp tests. # diff --git a/src/crypto/fipsmodule/ec/ec.c b/src/crypto/fipsmodule/ec/ec.c index 266baa24..41c2540b 100644 --- a/src/crypto/fipsmodule/ec/ec.c +++ b/src/crypto/fipsmodule/ec/ec.c @@ -819,20 +819,22 @@ int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx) { static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, const BIGNUM *in, BN_CTX *ctx) { - const BIGNUM *order = EC_GROUP_get0_order(group); - if (BN_is_negative(in) || BN_num_bits(in) > BN_num_bits(order)) { - // This is an unusual input, so we do not guarantee constant-time - // processing, even ignoring |bn_correct_top|. - BN_CTX_start(ctx); - BIGNUM *tmp = BN_CTX_get(ctx); - int ok = tmp != NULL && - BN_nnmod(tmp, in, order, ctx) && - ec_bignum_to_scalar(group, out, tmp); - BN_CTX_end(ctx); - return ok; + if (ec_bignum_to_scalar(group, out, in)) { + return 1; } - return ec_bignum_to_scalar(group, out, in); + ERR_clear_error(); + + // This is an unusual input, so we do not guarantee constant-time + // processing, even ignoring |bn_correct_top|. + const BIGNUM *order = &group->order; + BN_CTX_start(ctx); + BIGNUM *tmp = BN_CTX_get(ctx); + int ok = tmp != NULL && + BN_nnmod(tmp, in, order, ctx) && + ec_bignum_to_scalar_unchecked(group, out, tmp); + BN_CTX_end(ctx); + return ok; } int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, @@ -943,6 +945,18 @@ size_t EC_get_builtin_curves(EC_builtin_curve *out_curves, int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, const BIGNUM *in) { + if (!ec_bignum_to_scalar_unchecked(group, out, in)) { + return 0; + } + if (!bn_less_than_words(out->words, group->order.d, group->order.top)) { + OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); + return 0; + } + return 1; +} + +int ec_bignum_to_scalar_unchecked(const EC_GROUP *group, EC_SCALAR *out, + const BIGNUM *in) { if (BN_is_negative(in) || in->top > group->order.top) { OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); return 0; diff --git a/src/crypto/fipsmodule/ec/ec_key.c b/src/crypto/fipsmodule/ec/ec_key.c index bba4402b..f64cb21e 100644 --- a/src/crypto/fipsmodule/ec/ec_key.c +++ b/src/crypto/fipsmodule/ec/ec_key.c @@ -242,7 +242,8 @@ int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) { } // XXX: |BN_cmp| is not constant time. if (key->priv_key != NULL && - BN_cmp(key->priv_key, EC_GROUP_get0_order(group)) >= 0) { + (BN_is_negative(key->priv_key) || + BN_cmp(key->priv_key, EC_GROUP_get0_order(group)) >= 0)) { return 0; } return 1; @@ -255,7 +256,8 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key) { int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) { // XXX: |BN_cmp| is not constant time. if (key->group != NULL && - BN_cmp(priv_key, EC_GROUP_get0_order(key->group)) >= 0) { + (BN_is_negative(priv_key) || + BN_cmp(priv_key, EC_GROUP_get0_order(key->group)) >= 0)) { OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER); return 0; } @@ -318,7 +320,8 @@ int EC_KEY_check_key(const EC_KEY *eckey) { // check if generator * priv_key == pub_key if (eckey->priv_key) { // XXX: |BN_cmp| is not constant time. - if (BN_cmp(eckey->priv_key, EC_GROUP_get0_order(eckey->group)) >= 0) { + if (BN_is_negative(eckey->priv_key) || + BN_cmp(eckey->priv_key, EC_GROUP_get0_order(eckey->group)) >= 0) { OPENSSL_PUT_ERROR(EC, EC_R_WRONG_ORDER); goto err; } diff --git a/src/crypto/fipsmodule/ec/ec_test.cc b/src/crypto/fipsmodule/ec/ec_test.cc index 139840e5..8e7a81d9 100644 --- a/src/crypto/fipsmodule/ec/ec_test.cc +++ b/src/crypto/fipsmodule/ec/ec_test.cc @@ -510,6 +510,25 @@ TEST_P(ECCurveTest, Mul) { EXPECT_EQ(0, EC_POINT_cmp(group.get(), result.get(), generator, nullptr)); } +// Test that EC_KEY_set_private_key rejects invalid values. +TEST_P(ECCurveTest, SetInvalidPrivateKey) { + bssl::UniquePtr<EC_KEY> key(EC_KEY_new_by_curve_name(GetParam().nid)); + ASSERT_TRUE(key); + + bssl::UniquePtr<BIGNUM> bn(BN_new()); + ASSERT_TRUE(BN_one(bn.get())); + BN_set_negative(bn.get(), 1); + EXPECT_FALSE(EC_KEY_set_private_key(key.get(), bn.get())) + << "Unexpectedly set a key of -1"; + ERR_clear_error(); + + ASSERT_TRUE( + BN_copy(bn.get(), EC_GROUP_get0_order(EC_KEY_get0_group(key.get())))); + EXPECT_FALSE(EC_KEY_set_private_key(key.get(), bn.get())) + << "Unexpectedly set a key of the group order."; + ERR_clear_error(); +} + static std::vector<EC_builtin_curve> AllCurves() { const size_t num_curves = EC_get_builtin_curves(nullptr, 0); std::vector<EC_builtin_curve> curves(num_curves); diff --git a/src/crypto/fipsmodule/ec/internal.h b/src/crypto/fipsmodule/ec/internal.h index 7374e8b5..1b860c6b 100644 --- a/src/crypto/fipsmodule/ec/internal.h +++ b/src/crypto/fipsmodule/ec/internal.h @@ -91,10 +91,9 @@ extern "C" { OPENSSL_COMPILE_ASSERT(EC_MAX_SCALAR_WORDS <= BN_SMALL_MAX_WORDS, bn_small_functions_applicable); -// An EC_SCALAR is a |BN_num_bits(order)|-bit integer. Only the first +// An EC_SCALAR is an integer fully reduced modulo the order. Only the first // |order->top| words are used. An |EC_SCALAR| is specific to an |EC_GROUP| and -// must not be mixed between groups. Unless otherwise specified, it is fully -// reduced modulo the |order|. +// must not be mixed between groups. typedef union { // bytes is the representation of the scalar in little-endian order. uint8_t bytes[EC_MAX_SCALAR_BYTES]; @@ -173,13 +172,16 @@ struct ec_point_st { EC_GROUP *ec_group_new(const EC_METHOD *meth); -// ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to |*out|. -// |in| must be non-negative and have at most |BN_num_bits(&group->order)| bits. -// It returns one on success and zero on error. It does not ensure |in| is fully -// reduced. +// ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to +// |*out|. It returns one on success and zero if |in| is out of range. int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, const BIGNUM *in); +// ec_bignum_to_scalar_unchecked behaves like |ec_bignum_to_scalar| but does not +// check |in| is fully reduced. +int ec_bignum_to_scalar_unchecked(const EC_GROUP *group, EC_SCALAR *out, + const BIGNUM *in); + // ec_random_nonzero_scalar sets |out| to a uniformly selected random value from // 1 to |group->order| - 1. It returns one on success and zero on error. int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, diff --git a/src/crypto/fipsmodule/ecdsa/ecdsa.c b/src/crypto/fipsmodule/ecdsa/ecdsa.c index 319a934e..6571c941 100644 --- a/src/crypto/fipsmodule/ecdsa/ecdsa.c +++ b/src/crypto/fipsmodule/ecdsa/ecdsa.c @@ -66,10 +66,53 @@ #include "../../internal.h" +// EC_LOOSE_SCALAR is like |EC_SCALAR| but is bounded by 2^|BN_num_bits(order)| +// rather than |order|. +typedef union { + // bytes is the representation of the scalar in little-endian order. + uint8_t bytes[EC_MAX_SCALAR_BYTES]; + BN_ULONG words[EC_MAX_SCALAR_WORDS]; +} EC_LOOSE_SCALAR; + +static void scalar_add_loose(const EC_GROUP *group, EC_LOOSE_SCALAR *r, + const EC_LOOSE_SCALAR *a, const EC_SCALAR *b) { + // Add and subtract one copy of |order| if necessary. We have: + // |a| + |b| < 2^BN_num_bits(order) + order + // so this leaves |r| < 2^BN_num_bits(order). + const BIGNUM *order = &group->order; + BN_ULONG carry = bn_add_words(r->words, a->words, b->words, order->top); + EC_LOOSE_SCALAR tmp; + BN_ULONG v = bn_sub_words(tmp.words, r->words, order->d, order->top) - carry; + v = 0u - v; + for (int i = 0; i < order->top; i++) { + OPENSSL_COMPILE_ASSERT(sizeof(BN_ULONG) <= sizeof(crypto_word_t), + crypto_word_t_too_small); + r->words[i] = constant_time_select_w(v, r->words[i], tmp.words[i]); + } +} + +static int scalar_mod_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r, + const EC_SCALAR *a, const EC_SCALAR *b) { + const BIGNUM *order = &group->order; + return bn_mod_mul_montgomery_small(r->words, order->top, a->words, order->top, + b->words, order->top, group->order_mont); +} + +static int scalar_mod_mul_montgomery_loose(const EC_GROUP *group, EC_SCALAR *r, + const EC_LOOSE_SCALAR *a, + const EC_SCALAR *b) { + // Although |a| is loose, |bn_mod_mul_montgomery_small| only requires the + // product not exceed R * |order|. |b| is fully reduced and |a| < + // 2^BN_num_bits(order) <= R, so this holds. + const BIGNUM *order = &group->order; + return bn_mod_mul_montgomery_small(r->words, order->top, a->words, order->top, + b->words, order->top, group->order_mont); +} + // digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for // ECDSA. Note this value is not fully reduced modulo the order, only the // correct number of bits. -static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out, +static void digest_to_scalar(const EC_GROUP *group, EC_LOOSE_SCALAR *out, const uint8_t *digest, size_t digest_len) { const BIGNUM *order = &group->order; size_t num_bits = BN_num_bits(order); @@ -195,15 +238,12 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, goto err; } - EC_SCALAR r, s, m, u1, u2, s_inv_mont; + EC_SCALAR r, s, u1, u2, s_inv_mont; + EC_LOOSE_SCALAR m; const BIGNUM *order = EC_GROUP_get0_order(group); if (BN_is_zero(sig->r) || - BN_is_negative(sig->r) || - BN_ucmp(sig->r, order) >= 0 || !ec_bignum_to_scalar(group, &r, sig->r) || BN_is_zero(sig->s) || - BN_is_negative(sig->s) || - BN_ucmp(sig->s, order) >= 0 || !ec_bignum_to_scalar(group, &s, sig->s)) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE); goto err; @@ -212,26 +252,21 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, // the products below. int no_inverse; if (!BN_mod_inverse_odd(X, &no_inverse, sig->s, order, ctx) || - !ec_bignum_to_scalar(group, &s_inv_mont, X) || + // TODO(davidben): Add a words version of |BN_mod_inverse_odd| and write + // into |s_inv_mont| directly. + !ec_bignum_to_scalar_unchecked(group, &s_inv_mont, X) || !bn_to_montgomery_small(s_inv_mont.words, order->top, s_inv_mont.words, order->top, group->order_mont)) { goto err; } - // u1 = m * s_inv_mont mod order - // u2 = r * s_inv_mont mod order + // u1 = m * s^-1 mod order + // u2 = r * s^-1 mod order // // |s_inv_mont| is in Montgomery form while |m| and |r| are not, so |u1| and - // |u2| will be taken out of Montgomery form, as desired. Note that, although - // |m| is not fully reduced, |bn_mod_mul_montgomery_small| only requires the - // product not exceed R * |order|. |s_inv_mont| is fully reduced and |m| < - // 2^BN_num_bits(order) <= R, so this holds. + // |u2| will be taken out of Montgomery form, as desired. digest_to_scalar(group, &m, digest, digest_len); - if (!bn_mod_mul_montgomery_small(u1.words, order->top, m.words, order->top, - s_inv_mont.words, order->top, - group->order_mont) || - !bn_mod_mul_montgomery_small(u2.words, order->top, r.words, order->top, - s_inv_mont.words, order->top, - group->order_mont)) { + if (!scalar_mod_mul_montgomery_loose(group, &u1, &m, &s_inv_mont) || + !scalar_mod_mul_montgomery(group, &u2, &r, &s_inv_mont)) { goto err; } @@ -368,14 +403,17 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len, int ok = 0; ECDSA_SIG *ret = ECDSA_SIG_new(); BN_CTX *ctx = BN_CTX_new(); - EC_SCALAR kinv_mont, priv_key, r_mont, s, tmp, m; + EC_SCALAR kinv_mont, priv_key, r_mont, s; + EC_LOOSE_SCALAR m, tmp; if (ret == NULL || ctx == NULL) { OPENSSL_PUT_ERROR(ECDSA, ERR_R_MALLOC_FAILURE); return NULL; } digest_to_scalar(group, &m, digest, digest_len); - if (!ec_bignum_to_scalar(group, &priv_key, priv_key_bn)) { + // TODO(davidben): Store the private key as an |EC_SCALAR| so this is obvious + // via the type system. + if (!ec_bignum_to_scalar_unchecked(group, &priv_key, priv_key_bn)) { goto err; } for (;;) { @@ -385,36 +423,21 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len, } // Compute priv_key * r (mod order). Note if only one parameter is in the - // Montgomery domain, |bn_mod_mul_montgomery_small| will compute the answer - // in the normal domain. + // Montgomery domain, |scalar_mod_mul_montgomery| will compute the answer in + // the normal domain. if (!ec_bignum_to_scalar(group, &r_mont, ret->r) || !bn_to_montgomery_small(r_mont.words, order->top, r_mont.words, order->top, group->order_mont) || - !bn_mod_mul_montgomery_small(s.words, order->top, priv_key.words, - order->top, r_mont.words, order->top, - group->order_mont)) { + !scalar_mod_mul_montgomery(group, &s, &priv_key, &r_mont)) { goto err; } - // Compute s += m in constant time. Reduce one copy of |order| if necessary. - // Note this does not leave |s| fully reduced. We have - // |m| < 2^BN_num_bits(order), so subtracting |order| leaves - // 0 <= |s| < 2^BN_num_bits(order). - BN_ULONG carry = bn_add_words(s.words, s.words, m.words, order->top); - BN_ULONG v = bn_sub_words(tmp.words, s.words, order->d, order->top) - carry; - v = 0u - v; - for (int i = 0; i < order->top; i++) { - s.words[i] = constant_time_select_w(v, s.words[i], tmp.words[i]); - } + // Compute tmp = m + priv_key * r. + scalar_add_loose(group, &tmp, &m, &s); // Finally, multiply s by k^-1. That was retained in Montgomery form, so the - // same technique as the previous multiplication works. Although the - // previous step did not fully reduce |s|, |bn_mod_mul_montgomery_small| - // only requires the product not exceed R * |order|. |kinv_mont| is fully - // reduced and |s| < 2^BN_num_bits(order) <= R, so this holds. - if (!bn_mod_mul_montgomery_small(s.words, order->top, s.words, order->top, - kinv_mont.words, order->top, - group->order_mont) || + // same technique as the previous multiplication works. + if (!scalar_mod_mul_montgomery_loose(group, &s, &tmp, &kinv_mont) || !bn_set_words(ret->s, s.words, order->top)) { goto err; } diff --git a/src/crypto/x509/a_strex.c b/src/crypto/x509/a_strex.c index d0d83564..465ad086 100644 --- a/src/crypto/x509/a_strex.c +++ b/src/crypto/x509/a_strex.c @@ -56,6 +56,7 @@ #include <openssl/x509.h> +#include <inttypes.h> #include <string.h> #include <openssl/asn1.h> @@ -63,6 +64,7 @@ #include <openssl/obj.h> #include "charmap.h" +#include "../asn1/asn1_locl.h" /* * ASN1_STRING_print_ex() and X509_NAME_print_ex(). Enhanced string and name @@ -105,22 +107,20 @@ typedef int char_io (void *arg, const void *buf, int len); #define HEX_SIZE(type) (sizeof(type)*2) -static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, +static int do_esc_char(uint32_t c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg) { unsigned char chflgs, chtmp; - char tmphex[HEX_SIZE(long) + 3]; + char tmphex[HEX_SIZE(uint32_t) + 3]; - if (c > 0xffffffffL) - return -1; if (c > 0xffff) { - BIO_snprintf(tmphex, sizeof tmphex, "\\W%08lX", c); + BIO_snprintf(tmphex, sizeof tmphex, "\\W%08" PRIX32, c); if (!io_ch(arg, tmphex, 10)) return -1; return 10; } if (c > 0xff) { - BIO_snprintf(tmphex, sizeof tmphex, "\\U%04lX", c); + BIO_snprintf(tmphex, sizeof tmphex, "\\U%04" PRIX32, c); if (!io_ch(arg, tmphex, 6)) return -1; return 6; @@ -180,7 +180,7 @@ static int do_buf(unsigned char *buf, int buflen, { int i, outlen, len; unsigned char orflags, *p, *q; - unsigned long c; + uint32_t c; p = buf; q = buf + buflen; outlen = 0; @@ -191,14 +191,14 @@ static int do_buf(unsigned char *buf, int buflen, orflags = 0; switch (type & BUF_TYPE_WIDTH_MASK) { case 4: - c = ((unsigned long)*p++) << 24; - c |= ((unsigned long)*p++) << 16; - c |= ((unsigned long)*p++) << 8; + c = ((uint32_t)*p++) << 24; + c |= ((uint32_t)*p++) << 16; + c |= ((uint32_t)*p++) << 8; c |= *p++; break; case 2: - c = ((unsigned long)*p++) << 8; + c = ((uint32_t)*p++) << 8; c |= *p++; break; diff --git a/src/crypto/x509/x_name.c b/src/crypto/x509/x_name.c index f132e6b6..78241004 100644 --- a/src/crypto/x509/x_name.c +++ b/src/crypto/x509/x_name.c @@ -539,3 +539,16 @@ int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) { return ne->set; } + +int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, + size_t *pderlen) +{ + /* Make sure encoding is valid */ + if (i2d_X509_NAME(nm, NULL) <= 0) + return 0; + if (pder != NULL) + *pder = (unsigned char *)nm->bytes->data; + if (pderlen != NULL) + *pderlen = nm->bytes->length; + return 1; +} diff --git a/src/include/openssl/asn1.h b/src/include/openssl/asn1.h index 5c8bf4cd..65729957 100644 --- a/src/include/openssl/asn1.h +++ b/src/include/openssl/asn1.h @@ -708,9 +708,6 @@ DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING) DECLARE_ASN1_FUNCTIONS(ASN1_NULL) DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING) -OPENSSL_EXPORT int UTF8_getc(const unsigned char *str, int len, unsigned long *val); -OPENSSL_EXPORT int UTF8_putc(unsigned char *str, int len, unsigned long value); - DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE) DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING) diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h index cdf68a12..c5b95e9d 100644 --- a/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h @@ -3477,6 +3477,12 @@ OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl); // connections which resumed a session. OPENSSL_EXPORT int32_t SSL_get_ticket_age_skew(const SSL *ssl); +// SSL_CTX_set_false_start_allowed_without_alpn configures whether connections +// on |ctx| may use False Start (if |SSL_MODE_ENABLE_FALSE_START| is enabled) +// without negotiating ALPN. +OPENSSL_EXPORT void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, + int allowed); + // Deprecated functions. diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h index 430ffc07..9cc497a5 100644 --- a/src/include/openssl/x509.h +++ b/src/include/openssl/x509.h @@ -690,6 +690,9 @@ OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *xn); OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); +OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, + size_t *pderlen); + OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, time_t *t); OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); OPENSSL_EXPORT ASN1_TIME * X509_time_adj(ASN1_TIME *s, long adj, time_t *t); diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc index 53adba61..b801e82e 100644 --- a/src/ssl/handshake_client.cc +++ b/src/ssl/handshake_client.cc @@ -1512,13 +1512,25 @@ static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) { static bool can_false_start(const SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - // False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. - return !SSL_is_dtls(ssl) && - SSL_version(ssl) == TLS1_2_VERSION && - (!ssl->s3->alpn_selected.empty() || - !ssl->s3->next_proto_negotiated.empty()) && - hs->new_cipher->algorithm_mkey == SSL_kECDHE && - hs->new_cipher->algorithm_mac == SSL_AEAD; + // False Start only for TLS 1.2 with an ECDHE+AEAD cipher. + if (SSL_is_dtls(ssl) || + SSL_version(ssl) != TLS1_2_VERSION || + hs->new_cipher->algorithm_mkey != SSL_kECDHE || + hs->new_cipher->algorithm_mac != SSL_AEAD) { + return false; + } + + // Additionally require ALPN or NPN by default. + // + // TODO(davidben): Can this constraint be relaxed globally now that cipher + // suite requirements have been relaxed? + if (!ssl->ctx->false_start_allowed_without_alpn && + ssl->s3->alpn_selected.empty() && + ssl->s3->next_proto_negotiated.empty()) { + return false; + } + + return true; } static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) { diff --git a/src/ssl/internal.h b/src/ssl/internal.h index 6c143839..4bef3582 100644 --- a/src/ssl/internal.h +++ b/src/ssl/internal.h @@ -2165,21 +2165,24 @@ struct SSLContext { // If true, a client will request certificate timestamps. bool signed_cert_timestamps_enabled:1; - // tlsext_channel_id_enabled is one if Channel ID is enabled and zero - // otherwise. For a server, means that we'll accept Channel IDs from clients. - // For a client, means that we'll advertise support. + // tlsext_channel_id_enabled is whether Channel ID is enabled. For a server, + // means that we'll accept Channel IDs from clients. For a client, means that + // we'll advertise support. bool tlsext_channel_id_enabled:1; - // grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero - // otherwise. + // grease_enabled is whether draft-davidben-tls-grease-01 is enabled. bool grease_enabled:1; - // allow_unknown_alpn_protos is one if the client allows unsolicited ALPN + // allow_unknown_alpn_protos is whether the client allows unsolicited ALPN // protocols from the peer. bool allow_unknown_alpn_protos:1; - // ed25519_enabled is one if Ed25519 is advertised in the handshake. + // ed25519_enabled is whether Ed25519 is advertised in the handshake. bool ed25519_enabled:1; + + // false_start_allowed_without_alpn is whether False Start (if + // |SSL_MODE_ENABLE_FALSE_START| is enabled) is allowed without ALPN. + bool false_start_allowed_without_alpn:1; }; // An ssl_shutdown_t describes the shutdown state of one end of the connection, diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc index 122313fa..6da081e6 100644 --- a/src/ssl/ssl_lib.cc +++ b/src/ssl/ssl_lib.cc @@ -2567,6 +2567,10 @@ int32_t SSL_get_ticket_age_skew(const SSL *ssl) { return ssl->s3->ticket_age_skew; } +void SSL_CTX_set_false_start_allowed_without_alpn(SSL_CTX *ctx, int allowed) { + ctx->false_start_allowed_without_alpn = !!allowed; +} + int SSL_clear(SSL *ssl) { // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously // established session to be offered the next time around. wpa_supplicant diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc index 8acabd72..1f43be6d 100644 --- a/src/ssl/test/bssl_shim.cc +++ b/src/ssl/test/bssl_shim.cc @@ -1304,6 +1304,10 @@ static bssl::UniquePtr<SSL_CTX> SetupCtx(SSL_CTX *old_ctx, SSL_CTX_set_msg_callback(ssl_ctx.get(), MessageCallback); + if (config->allow_false_start_without_alpn) { + SSL_CTX_set_false_start_allowed_without_alpn(ssl_ctx.get(), 1); + } + if (old_ctx) { uint8_t keys[48]; if (!SSL_CTX_get_tlsext_ticket_keys(old_ctx, &keys, sizeof(keys)) || diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go index 66c13fc9..362a7a53 100644 --- a/src/ssl/test/runner/runner.go +++ b/src/ssl/test/runner/runner.go @@ -2247,6 +2247,21 @@ read alert 1 0 expectedLocalError: "tls: peer did not false start: EOF", }, { + name: "FalseStart-NoALPNAllowed", + config: Config{ + MaxVersion: VersionTLS12, + CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, + Bugs: ProtocolBugs{ + ExpectFalseStart: true, + }, + }, + flags: []string{ + "-false-start", + "-allow-false-start-without-alpn", + }, + shimWritesFirst: true, + }, + { name: "NoFalseStart-NoAEAD", config: Config{ MaxVersion: VersionTLS12, @@ -4831,8 +4846,6 @@ func addStateMachineCoverageTests(config stateMachineTestConfig) { expectedNextProtoType: npn, }) - // TODO(davidben): Add tests for when False Start doesn't trigger. - // Client does False Start and negotiates NPN. tests = append(tests, testCase{ name: "FalseStart", @@ -9411,11 +9424,11 @@ func addCustomExtensionTests() { // custom extension should be accepted. testCases = append(testCases, testCase{ testType: serverTest, - name: "CustomExtensions-Server-EarlyDataAccepted", + name: "CustomExtensions-Server-EarlyDataOffered", config: Config{ - MaxVersion: VersionTLS13, - MaxEarlyDataSize: 16384, + MaxVersion: VersionTLS13, Bugs: ProtocolBugs{ + SendEarlyData: [][]byte{{1, 2, 3, 4}}, CustomExtension: expectedContents, ExpectedCustomExtension: &expectedContents, ExpectEarlyDataAccepted: false, @@ -9425,7 +9438,6 @@ func addCustomExtensionTests() { flags: []string{ "-enable-server-custom-extension", "-enable-early-data", - "-expect-ticket-supports-early-data", }, }) @@ -12483,12 +12495,10 @@ func addTLS13HandshakeTests() { testType: serverTest, name: "EarlyData-Server-BadFinished-" + name, config: Config{ - MaxVersion: VersionTLS13, - MaxEarlyDataSize: 16384, + MaxVersion: VersionTLS13, }, resumeConfig: &Config{ - MaxVersion: VersionTLS13, - MaxEarlyDataSize: 16384, + MaxVersion: VersionTLS13, Bugs: ProtocolBugs{ SendEarlyData: [][]byte{{1, 2, 3, 4}}, ExpectEarlyDataAccepted: true, @@ -12512,12 +12522,10 @@ func addTLS13HandshakeTests() { testType: serverTest, name: "Server-NonEmptyEndOfEarlyData-" + name, config: Config{ - MaxVersion: VersionTLS13, - MaxEarlyDataSize: 16384, + MaxVersion: VersionTLS13, }, resumeConfig: &Config{ - MaxVersion: VersionTLS13, - MaxEarlyDataSize: 16384, + MaxVersion: VersionTLS13, Bugs: ProtocolBugs{ SendEarlyData: [][]byte{{1, 2, 3, 4}}, ExpectEarlyDataAccepted: true, diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc index a5ce5a12..efe5acbc 100644 --- a/src/ssl/test/test_config.cc +++ b/src/ssl/test/test_config.cc @@ -128,6 +128,8 @@ const Flag<bool> kBoolFlags[] = { { "-allow-unknown-alpn-protos", &TestConfig::allow_unknown_alpn_protos }, { "-enable-ed25519", &TestConfig::enable_ed25519 }, { "-use-custom-verify-callback", &TestConfig::use_custom_verify_callback }, + { "-allow-false-start-without-alpn", + &TestConfig::allow_false_start_without_alpn }, }; const Flag<std::string> kStringFlags[] = { diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h index ea12d344..783471ad 100644 --- a/src/ssl/test/test_config.h +++ b/src/ssl/test/test_config.h @@ -144,6 +144,7 @@ struct TestConfig { bool enable_ed25519 = false; bool use_custom_verify_callback = false; std::string expect_msg_callback; + bool allow_false_start_without_alpn = false; }; bool ParseConfig(int argc, char **argv, TestConfig *out_initial, diff --git a/src/util/bot/DEPS b/src/util/bot/DEPS index 7b9f39e3..a4c3a7ff 100644 --- a/src/util/bot/DEPS +++ b/src/util/bot/DEPS @@ -22,7 +22,7 @@ vars = { deps = { 'boringssl/util/bot/android_tools': { - 'url': Var('chromium_git') + '/android_tools.git' + '@' + 'ca0bd083872ad925881736fe2bedc3ff855e08f5', + 'url': Var('chromium_git') + '/android_tools.git' + '@' + 'a2e9bc7c1b41d983577907df51d339fb1e0fd02f', 'condition': 'checkout_android', }, @@ -30,7 +30,7 @@ deps = { Var('chromium_git') + '/external/gyp.git' + '@' + 'd61a9397e668fa9843c4aa7da9e79460fe590bfb', 'boringssl/util/bot/libFuzzer': { - 'url': Var('chromium_git') + '/chromium/llvm-project/compiler-rt/lib/fuzzer.git' + '@' + '06fb50cc1f0197398c8a70658928a3b91912e68a', + 'url': Var('chromium_git') + '/chromium/llvm-project/compiler-rt/lib/fuzzer.git' + '@' + 'a00e8070bea627f21df4a7eb1d58083f1bcfbba1', 'condition': 'checkout_fuzzer', }, } diff --git a/src/util/bot/update_clang.py b/src/util/bot/update_clang.py index ee66153d..ffe7880c 100644 --- a/src/util/bot/update_clang.py +++ b/src/util/bot/update_clang.py @@ -19,8 +19,8 @@ import urllib2 # CLANG_REVISION and CLANG_SUB_REVISION determine the build of clang # to use. These should be synced with tools/clang/scripts/update.py in # Chromium. -CLANG_REVISION = '315613' -CLANG_SUB_REVISION=2 +CLANG_REVISION = '318667' +CLANG_SUB_REVISION=1 PACKAGE_VERSION = "%s-%s" % (CLANG_REVISION, CLANG_SUB_REVISION) diff --git a/src/util/bot/vs_toolchain.py b/src/util/bot/vs_toolchain.py index 153a6edc..64da79a1 100644 --- a/src/util/bot/vs_toolchain.py +++ b/src/util/bot/vs_toolchain.py @@ -87,8 +87,8 @@ def _GetDesiredVsToolchainHashes(): # Update 3 final with 10.0.15063.468 SDK and no vctip.exe. return ['f53e4598951162bad6330f7a167486c7ae5db1e5'] if env_version == '2017': - # VS 2017 Update 4 with 10.0.15063.468 SDK. - return ['88c3b62e1eb0893b8cd57e3f4859c3af27907f64'] + # VS 2017 Update 3.2 with 10.0.15063.468 SDK and patched setenv.cmd. + return ['a9e1098bba66d2acccc377d5ee81265910f29272'] raise Exception('Unsupported VS version %s' % env_version) |