path: root/src/.clang-format
Age  |  Commit message  |  Author
2021-11-05  |  external/boringssl: Sync to a9670a8b476470e6f874fef3554e8059683e1413.  |  Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/66e61c577d39e757bf491468f651461fa79fd5e1..a9670a8b476470e6f874fef3554e8059683e1413
* No-op change to test the bots.
* Remove outdated comment in ECDSA implementation.
* Add missing assert.h include.
* Check tag class and constructed bit in d2i_ASN1_OBJECT. Update-Note: d2i_ASN1_OBJECT will now notice more incorrect tags. It was already checking for tag number 6, so it is unlikely anyone was relying on this as a non-tag-checking parser.
* Don't parse constructed BIT STRINGs in crypto/bytestring. Update-Note: PKCS#7 and PKCS#12 parsers will now reject BER constructed BIT STRINGs. We were previously misparsing them, as was OpenSSL. Given how long the incorrect parse has been out there, without anyone noticing (other parsers handle it correctly), it is unlikely these exist.
* Enforce DER rules for BIT STRING values.
* Remove support for indefinite lengths in crypto/asn1. Update-Note: Invalid certificates (and the few external structures using asn1t.h) with BER indefinite lengths will now be rejected.
* Remove support for constructed strings in crypto/asn1. Update-Note: Invalid certificates (and the few external structures using asn1t.h) with BER constructed strings will now be rejected.
* Check for trailing data in extensions. Update-Note: Some previously accepted invalid certificates may be rejected, either in certificate verification or in X509_get_ext_d2i.
* Update tools.
* Fold x509v3/pcy_int.h into x509v3/internal.h.
* Switch kModuleDigestSize to a macro.
* Switch DEPS actions on bots to Python 3.
* Match OPENSSL_EXPORT in ssl/internal.h friend declarations.
* Add a function to express the desired record version protocol.
* Add CRYPTO_BUFFER_new_from_static_data_unsafe.
* Finish documenting asn1.h.
* Trim some undocumented symbols from asn1.h.
* Add magic tag to BoringSSL binaries.
* Document and const-correct multi-string types.
* Fully unexport X509_VAL. Update-Note: The last remnants of the now (barely usable) X509_VAL are no longer exported. It is unlikely anyone was relying on this.
* Document ASN1_OBJECT, i2c, and c2i functions.
* Unexport ASN1_OBJECT_new. Update-Note: ASN1_OBJECT_new is no longer exported. While this function does remain in OpenSSL, it is extremely unlikely anyone has found a use for this function.
* Return 0x80 in all ASN1_get_object error paths. Update-Note: ASN1_get_object's calling convention is slightly simplified.
* Document low-level encoding functions in asn1.h.
* Use C preprocessor comments in assembly headers.
* Document and const-correct ASN1_TYPE functions.
* Fix error-handling for i2a_ASN1_OBJECT.
* Document i2a_ASN1_* functions.
* Fold i2a_ASN1_ENUMERATED into i2a_ASN1_INTEGER.
* Fix BIT STRING comparison in ASN1_STRING_cmp. Update-Note: ASN1_STRING_cmp no longer incorrectly treats BIT STRINGs with different padding bits as equal.
* Rewrite ASN1_item_pack and ASN1_item_unpack. Update-Note: ASN1_item_unpack now checks for trailing data.
* Document some more ASN1_ITEM-associated functions.
* Reword ASN1_BOOLEAN exception.
* Move M_ASN1_* to the deprecated section.
* Fix up some doc.go nits in asn1.h.
* Document new/free/d2i/i2d for singly-typed ASN1_STRINGs.
* Document ASN1_NULL.
* Const-correct the low-level ASN1 i2d functions. Update-Note: The type signature of some i2d functions, such as i2d_ASN1_OCTET_STRING, is now const-correct.
* Start documenting ASN1_ITEM.
* Tidy up SSLTest.SetVersion.
* Deduplicate d2i and i2d documentation.
* Check tag class and constructed bit in d2i_ASN1_BOOLEAN.
* Use typedefs in i2d and d2i_ASN1_BOOLEAN.
* Forward-declare SSL_CLIENT_HELLO.
* Fix BN_CTX usage in BN_mod_sqrt malloc error paths.
* Make ASN1_NULL an opaque pointer. Update-Note: Code that was assuming ASN1_NULL was an int typedef will fail to compile. Given this was never dereferenceable, it is hard to imagine anything relying on this.
* Remove remnants of ASN.1 print function generators.
* Fold x509_vfy.h into x509.h.
* Make ASN1_STRING_TABLE_add thread-safe and document. Update-Note: ASN1_STRING_TABLE_add no longer allows overwriting existing entries. In most cases, this would crash or trigger a race condition anyway.
* Test ASN1_STRING_set_by_NID with custom NIDs.
* Test ASN1_STRING_set_by_NID with built-in NIDs.
* Test that built-in ASN1_STRING_TABLEs are sorted.
* Extract common rotl/rotr functions.
* Remove X509_STORE_set0_additional_untrusted.
* Enable X509_V_FLAG_TRUSTED_FIRST by default. Update-Note: X509_verify_cert will now build slightly different chains by default. Hopefully, this fixes more issues than it causes, but there is a risk of trusted_first breaking other scenarios. Those scenarios will also break OpenSSL 1.1.x defaults, so hopefully this is fine.
* Switch x509_test.cc to modify the existing X509_VERIFY_PARAM.
* Add note to HMAC test vectors from NIST.
* Add log tag for Trusty.
* Fix CRYPTO_malloc, etc., definitions.
* Keep EVP_CIPHER/EVP_MD lookup and do_all functions in sync.
* aarch64: Add missing LR validation in 'vpaes_cbc_encrypt'.
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I0fc8c0f6505d4ee04193404cf02ec776bced8d40
2021-10-01  |  external/boringssl: Sync to 66e61c577d39e757bf491468f651461fa79fd5e1.  |  Pete Bentley
This change re-lands https://r.android.com/1834454 by reverting https://r.android.com/1842042 with no changes. Revert was due to a vendor copy of wpa_supplicant needing the same changes as https://r.android.com/1835013, this is now done and I verified that it builds correctly against this version of BoringSSL.
This CL includes the following upstream changes:
https://boringssl.googlesource.com/boringssl/+log/c1571feb5faf5cce844354c63d0f3e842464bea3..66e61c577d39e757bf491468f651461fa79fd5e1
* Allow PKCS7_sign to work for signing kernel modules.
* Speed up constant-time base64 decoding.
* Unwind remnants of ASN1_TFLG_NDEF.
* acvptool: add CS3 support.
* Ignore SIGPIPE in the bssl tool.
* Add FIPS counters for AES-GCM in EVP_AEAD.
* Refresh fuzzer corpus for ECH draft-13.
* Fix the TLS fuzzers for ECH draft-13.
* Clarify that TLS sessions are not application sessions.
* Fix BN_prime_checks_for_validation to align with false-positive rate.
* Add maskHash to RSA_PSS_PARAMS for compat.
* Remove ASN1_OP_I2D_* callbacks.
* Don't read it->funcs without checking it->itype.
* Reject missing required fields in i2d functions. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does:
* Reject -1 types in ASN1_TYPE and MSTRINGs when encoding. Update-Note: A default-constructed object with a required ANY or string-like CHOICE field cannot be encoded until the field is specified. Note this affects i2d_X509: notBefore and notAfter are string-like CHOICEs in OpenSSL.
* Correctly handle invalid ASN1_OBJECTs when encoding. Update-Note: A default-constructed object with a required ASN1_OBJECT field can no longer be encoded without initializing the ASN1_OBJECT. Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests that try to serialize an X509_new() must fill in all required fields. (Production code is unlikely to be affected because the output was unparsable anyway, while tests sometimes wouldn't notice.)
* Check for invalid CHOICE selectors in i2d functions. Update-Note: An invalid CHOICE object (e.g. GENERAL_NAME) will now fail when encoded, rather than be silently omitted. In particular, CHOICE objects are default-initialized by tasn_new.c in an empty -1 state. Structures containing a required CHOICE field can no longer be encoded without filling in the CHOICE.
* Fix x509_name_ex_i2d error-handling.
* Correctly propagate errors in i2d functions. Update-Note: Some error cases which were silently misinterpreted as missing OPTIONAL elements will now cause encoding to fail.
* acvptool: add hmacDRBG support.
* Check for __TRUSTY__ instead of TRUSTY.
* Update comment for ECH draft-13.
* Silence a GCC false positive warning.
* Switch to the new, simpler WHATWG URL formulation.
* Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX".
* Fix calculation of draft-13 ECH confirmation signal.
* Update to draft-ietf-tls-esni-13.
* Reword SSL_get0_ech_name_override documentation.
* Remove SSL_set_verify_result.
* Make most of crypto/x509 opaque. Update-Note: Patch cl/390055173 into the roll that includes this. This unexports most of the X.509 structs, aligning with OpenSSL. Use the accessor APIs instead.
* Remove V_ASN1_APP_CHOOSE. Update-Note: V_ASN1_APP_CHOOSE is removed. I only found one use, which has been fixed.
* Rewrite ASN1_PRINTABLE_type and add tests.
* Include SHA512-256 in EVP_get_digestbyname and EVP_MD_do_all.
* NUL is not printable. Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString for strings containing NUL.
* Make RSA_check_key more than 2x as fast.
* Benchmark RSA private key parsing.
* Work around yet another MSVC 2015 SFINAE bug.
* Avoid re-hashing the transcript multiple times.
* Make ssl_parse_extensions a little easier to use.
* Deduplicate our three ServerHello parsers.
* Merge in OpenSSL's X.509 corpus.
* Run X509_print in the certificate fuzzer.
* Fix some error-handling in i2v functions.
* Fix typo.
* OPENSSL_strndup should not return NULL given {NULL, 0}.
* Rewrite name constraints matching with CBS.
* Add some tests for name constraints.
* Fix i2v_GENERAL_NAME to not assume NUL terminated strings.
* Do not rely on ASN1_STRING being NUL-terminated.
* Add a CBB_add_zeros helper.
* Linkify RFCs in documentation.
* Refer to RFCs consistently.
* runner: Test session IDs over 32 bytes.
* Process the TLS 1.3 cipher suite in one place.
* Guard use of sdallocx with BORINGSSL_SDALLOCX.
* Bump minimum GCC version and note impending VS2015 deprecation.
* Add Span::first() and Span::last().
* Simplify built-in BIOs slightly.
* Fix some error returns from SSL_read and SSL_write.
* Fix negative ENUMERATED values in multi-strings.
* Add a test for ASN1_mbstring_copy and clean up.
* Remove ASN1_TFLG_SET_ORDER.
* Fix ASN1_STRING_print_ex with negative integers.
* Check i2d_ASN1_TYPE's return value in ASN1_STRING_print_ex.
* Document ASN.1 printing functions.
* Move some ASN1 printing functions to crypto/asn1.
* Move a_strex.c back to asn1, split X509_NAME bits out.
* Unwind io_ch abstraction in print functions.
* Implement ASN1_STRING_print_ex_fp, etc., with file BIOs.
* Remove OPENSSL_NO_FP_API ifdefs.
* Move X509_ALGOR to x509.h.
* Unexport BIT_STRING_BITNAME.
* Unexport ub_* constants. Update-Note: Removed some unnamespaced constants.
* Always use an ASN1_STRING_TABLE global mask of UTF8String. Update-Note: The global mask for ASN1_STRING_set_by_NID is now always UTF-8. Callers that want another type should reconsider and, if UTF-8 is still unsuitable, just pass the actual desired type into ASN1_mbstring_copy, X509_NAME_ENTRY_set_data, etc.
* Document ASN1_mbstring_copy.
* Update ghashv8-armx.pl from upstream.
* Align with upstream on 'close STDOUT' lines.
* Avoid double-expanding variables in CMake.
* Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.
* Add some tests for time_t to ASN1_TIME conversions.
* Remove ASN1_STRING_FLAG_MSTRING. Update-Note: ASN1_STRING_FLAG_MSTRING is no longer defined and X509_time_adj_ex now behaves more predictably. Callers that actually wanted to lock to a specific type should call ASN1_UTCTIME_adj or ASN1_GENERALIZEDTIME_adj instead.
* Document another batch of functions.
* Clarify BIO_new_mum_buf's lifetime rules.
* generate_ech.cc: include needed headers.
* Don't overread in poly_Rq_mul.
* acvp: recognise another style of JSON.
* Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""
Change-Id: I5fe21e26f701feb315aceb86684b5bc1ee327669
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
2021-09-30  |  Revert "external/boringssl: Sync to 66e61c577d39e757bf491468f651..."  |  Michael Eastwood
Revert submission 1835013-bssl_update_sep2021
Reason for revert: DroidMonitor: Potential culprit for Bug 201683809 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
I27d7b79e3: Fix wpa_supplicant build with newer BoringSSL
I4f2228ef8: external/boringssl: Sync to 66e61c577d39e757bf4914...
Change-Id: If2184c4aa55b7dc89e037362e4d5cbbea1107ae2
2021-09-27  |  external/boringssl: Sync to 66e61c577d39e757bf491468f651461fa79fd5e1.  |  Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/c1571feb5faf5cce844354c63d0f3e842464bea3..66e61c577d39e757bf491468f651461fa79fd5e1
* Allow PKCS7_sign to work for signing kernel modules.
* Speed up constant-time base64 decoding.
* Unwind remnants of ASN1_TFLG_NDEF.
* acvptool: add CS3 support.
* Ignore SIGPIPE in the bssl tool.
* Add FIPS counters for AES-GCM in EVP_AEAD.
* Refresh fuzzer corpus for ECH draft-13.
* Fix the TLS fuzzers for ECH draft-13.
* Clarify that TLS sessions are not application sessions.
* Fix BN_prime_checks_for_validation to align with false-positive rate.
* Add maskHash to RSA_PSS_PARAMS for compat.
* Remove ASN1_OP_I2D_* callbacks.
* Don't read it->funcs without checking it->itype.
* Reject missing required fields in i2d functions. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does:
* Reject -1 types in ASN1_TYPE and MSTRINGs when encoding. Update-Note: A default-constructed object with a required ANY or string-like CHOICE field cannot be encoded until the field is specified. Note this affects i2d_X509: notBefore and notAfter are string-like CHOICEs in OpenSSL.
* Correctly handle invalid ASN1_OBJECTs when encoding. Update-Note: A default-constructed object with a required ASN1_OBJECT field can no longer be encoded without initializing the ASN1_OBJECT. Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests that try to serialize an X509_new() must fill in all required fields. (Production code is unlikely to be affected because the output was unparsable anyway, while tests sometimes wouldn't notice.)
* Check for invalid CHOICE selectors in i2d functions. Update-Note: An invalid CHOICE object (e.g. GENERAL_NAME) will now fail when encoded, rather than be silently omitted. In particular, CHOICE objects are default-initialized by tasn_new.c in an empty -1 state. Structures containing a required CHOICE field can no longer be encoded without filling in the CHOICE.
* Fix x509_name_ex_i2d error-handling.
* Correctly propagate errors in i2d functions. Update-Note: Some error cases which were silently misinterpreted as missing OPTIONAL elements will now cause encoding to fail.
* acvptool: add hmacDRBG support.
* Check for __TRUSTY__ instead of TRUSTY.
* Update comment for ECH draft-13.
* Silence a GCC false positive warning.
* Switch to the new, simpler WHATWG URL formulation.
* Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX".
* Fix calculation of draft-13 ECH confirmation signal.
* Update to draft-ietf-tls-esni-13.
* Reword SSL_get0_ech_name_override documentation.
* Remove SSL_set_verify_result.
* Make most of crypto/x509 opaque. Update-Note: Patch cl/390055173 into the roll that includes this. This unexports most of the X.509 structs, aligning with OpenSSL. Use the accessor APIs instead.
* Remove V_ASN1_APP_CHOOSE. Update-Note: V_ASN1_APP_CHOOSE is removed. I only found one use, which has been fixed.
* Rewrite ASN1_PRINTABLE_type and add tests.
* Include SHA512-256 in EVP_get_digestbyname and EVP_MD_do_all.
* NUL is not printable. Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString for strings containing NUL.
* Make RSA_check_key more than 2x as fast.
* Benchmark RSA private key parsing.
* Work around yet another MSVC 2015 SFINAE bug.
* Avoid re-hashing the transcript multiple times.
* Make ssl_parse_extensions a little easier to use.
* Deduplicate our three ServerHello parsers.
* Merge in OpenSSL's X.509 corpus.
* Run X509_print in the certificate fuzzer.
* Fix some error-handling in i2v functions.
* Fix typo.
* OPENSSL_strndup should not return NULL given {NULL, 0}.
* Rewrite name constraints matching with CBS.
* Add some tests for name constraints.
* Fix i2v_GENERAL_NAME to not assume NUL terminated strings.
* Do not rely on ASN1_STRING being NUL-terminated.
* Add a CBB_add_zeros helper.
* Linkify RFCs in documentation.
* Refer to RFCs consistently.
* runner: Test session IDs over 32 bytes.
* Process the TLS 1.3 cipher suite in one place.
* Guard use of sdallocx with BORINGSSL_SDALLOCX.
* Bump minimum GCC version and note impending VS2015 deprecation.
* Add Span::first() and Span::last().
* Simplify built-in BIOs slightly.
* Fix some error returns from SSL_read and SSL_write.
* Fix negative ENUMERATED values in multi-strings.
* Add a test for ASN1_mbstring_copy and clean up.
* Remove ASN1_TFLG_SET_ORDER.
* Fix ASN1_STRING_print_ex with negative integers.
* Check i2d_ASN1_TYPE's return value in ASN1_STRING_print_ex.
* Document ASN.1 printing functions.
* Move some ASN1 printing functions to crypto/asn1.
* Move a_strex.c back to asn1, split X509_NAME bits out.
* Unwind io_ch abstraction in print functions.
* Implement ASN1_STRING_print_ex_fp, etc., with file BIOs.
* Remove OPENSSL_NO_FP_API ifdefs.
* Move X509_ALGOR to x509.h.
* Unexport BIT_STRING_BITNAME.
* Unexport ub_* constants. Update-Note: Removed some unnamespaced constants.
* Always use an ASN1_STRING_TABLE global mask of UTF8String. Update-Note: The global mask for ASN1_STRING_set_by_NID is now always UTF-8. Callers that want another type should reconsider and, if UTF-8 is still unsuitable, just pass the actual desired type into ASN1_mbstring_copy, X509_NAME_ENTRY_set_data, etc.
* Document ASN1_mbstring_copy.
* Update ghashv8-armx.pl from upstream.
* Align with upstream on 'close STDOUT' lines.
* Avoid double-expanding variables in CMake.
* Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.
* Add some tests for time_t to ASN1_TIME conversions.
* Remove ASN1_STRING_FLAG_MSTRING. Update-Note: ASN1_STRING_FLAG_MSTRING is no longer defined and X509_time_adj_ex now behaves more predictably. Callers that actually wanted to lock to a specific type should call ASN1_UTCTIME_adj or ASN1_GENERALIZEDTIME_adj instead.
* Document another batch of functions.
* Clarify BIO_new_mum_buf's lifetime rules.
* generate_ech.cc: include needed headers.
* Don't overread in poly_Rq_mul.
* acvp: recognise another style of JSON.
* Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I4f2228ef815ded0599322186ab7bad49ab1bb5af
2021-01-20  |  external/boringssl: Sync to c1e156ae16fa8b61af9b5d2b74e59d3f86e141be.  |  Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/3989c99706bf30054798ff82f1cb010e50e385f5..c1e156ae16fa8b61af9b5d2b74e59d3f86e141be
* Add DH_compute_key_padded. Update-Note: No compatibility impact, but callers that use DH_compute_key and then fix up the removed leading zeros can switch to this function. Then they should migrate to something else.
* Fix client 0-RTT handling with ALPS.
* acvp: add XTS support.
* doc: fix SSL_set0_rbio.
* Add support for the new QUIC TLS extension codepoint.
* delocate: preprocess perlasm output on Aarch64.
* Replace MockQUICTransport tags with record types.
* Run extension tests at all protocols.
* Make QUIC tests work with early data.
* Make QUIC work with -async tests.
* Fix ALPS state machine in QUIC servers.
* runner: Allow tokbind without RI/EMS in TLS 1.3.
* Test that ALPS can be deferred to the ALPN callback.
* Send ECH acceptance signal from backend server.
* delocate: handle Aarch64 assembly in parser.
* Add ASM optimizations for Windows on Arm.
* Use gai_strerrorA on Windows.
* Optimize suffix building in FileTest::ReadNext().
* A handful more compatibility functions.
* Update HPKE to draft-irtf-cfrg-hpke-07.
* acvp: drop subprocess_test.go.
* Add some OpenSSL-compatibility aliases.
* delocate: eliminate expression from vpaes assembly.
* delocate: support alternative comment indicators.
* Update third_party/googletest.
* acvp: add tests.
* Fix chacha20_poly1305_x86_64.pl comments.
* Fix awkward wording in comment.
* Update ECH GREASE to draft-ietf-tls-esni-09.
* Gerrit ignores <sup>; use Unicode superscript instead.
* acvp: better document the subprocess protocol.
* Add .text.unlikely.* pattern to fips_shared.lds.
* acvp: fix silly errors.
* acvp: load config later.
* Allow some non-minimal lengths in BER.
* Export tool_sources to GN.
* Use more efficient std::string::find overload.
* Revert "Add support for the new QUIC TLS extension codepoint".
* Move DH parameter generation out of the FIPS module.
* Add support for the new QUIC TLS extension codepoint.
* Use stdlib.h instead of cstdlib in span.h.
* Check for trailing data in X509Test.GeneralName.
* Fix ChaCha20-Poly1305 x86-64 asm on Windows.
* Include bn.h from bn/internal.h.
* acvp: add support for finite-field Diffie–Hellman.
* Move DH code into the FIPS module.
* Remove unused Netware codepaths in x86 perlasm.
* Finish switching to NASM. Update-Note: If an x86 Windows asm build breaks, switch from Yasm to NASM. We're also no longer testing NASM on x86_64 Windows, but there wasn't any patch to revert.
* Switch to passive entropy collection for Android FIPS.
* Skip ASN.1 template tests in Windows shared library builds.
* Add TLS_KDF to documented break tests.
* acvp: add support for KAS.
* Align armv8.pl references to OPENSSL_armcap_P. Update-Note: If aarch64 builds get some weird error about relocations, it's this CL's fault.
* Reject bad ASN.1 templates with implicitly-tagged CHOICEs.
* Implement GREASE for ECH (draft-ietf-tls-esni-08).
* acvp: add TLS KDF support.
* acvp: tweak config.
* acvp: fix subprocess_test.go.
* Const-correct GENERAL_NAME_cmp.
* Fix EDIPartyName parsing and GENERAL_NAME_cmp.
* PWCT failures should clear the generated key.
* Get closer to Ed25519 boundary conditions.
* draft-ietf-tls-certificate-compression is now RFC 8879.
* Update FIPS.md to include latest FIPS certificate.
* Only accept little-endian ARM and MIPS variants in base.h. Update-Note: CPU processor defines are a mess. If a little-endian ARM or MIPS build breaks, some of the assumptions above may be wrong. In that case, the output of $CC -dM -E - < /dev/null on the offending toolchain will be useful to fix it. If a big-endian ARM or MIPS build breaks, this is working as intended. Any resulting binaries weren't producing the right outputs.
* aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode.
* Improve sk_dup.
* Poly1305: Use |size_t|; assert |poly1305_state| is large enough.
* util/fipstools/acvp/acvptool: buffer signal channel to avoid losing signal.
* Add digest.h to self_check.c.
* Document ASN1_STRING.
* acvp: add SHA-512/256 support.
* Add FIPS self test for the TLS KDF.
* Rename the master_key field in SSL_SESSION to secret.
* Always check the TLS 1.3 downgrade signal. Update-Note: SSL_CTX_set_ignore_tls13_downgrade, SSL_set_ignore_tls13_downgrade, and SSL_is_tls13_downgrade now do nothing. Call sites should be removed. (There are some copies of older Chromium lying around, so I haven't removed the functions yet.) The enforcement was already on by default, so this CL does not affect callers that don't use those functions.
* Fix NETSCAPE_SPKI_get_pubkey documentation.
* Const-correct and document more X509 functions.
* Add APIs for checking ASN.1 INTEGERs. Update-Note: This CL does not change behavior, but I'm leaving a note to myself to make net/der/parse_values.cc call the new functions.
* Remove some unnecessary pointer casts.
* Document the basic ASN1_STRING functions.
* Document some defaults for the EVP RSA interface.
* Rearrange ASN1_STRING_copy slightly.
* Remove the legacy MSTRING M_ASN1 macros. Update-Note: Some M_ASN1 macros were removed. Code search says there were no uses, and OpenSSL upstream removed all of them.
* Switch M_ASN1_TIME macros within the library.
* Unwind M_ASN1_* macros for primitive types. Update-Note: Some external code uses the M_ASN1_* macros. This should remain compatible, but some type errors may have gotten through unnoticed. This CL restores type-checking.
* Reformat and convert comments in asn1.h.
* aarch64: Fix name of gnu property note section.
* Re-reformat x509.h.
* Document X509V3_add1_i2d and friends.
* Remove ASN1_STRING_FLAG_NDEF.
* Unexport internal crypto/asn1 functions. Update-Note: Code search says these are unused. If someone's using them, we can reexport them.
* Unwind some old ASN.1 ifdefs.
* Unwind ASN1_PRIMITIVE_FUNCS.
* Remove some unused types from asn1t.h.
* Unwind ASN1_TFLG_NDEF. Update-Note: Types that use one of the NDEF macros in asn1t.h will fail to compile. This CL should not affect certificate parsing.
* Unwind ASN1_ITYPE_COMPAT. Update-Note: Types using IMPLEMENT_COMPAT_ASN1 from openssl/asn1t.h will fail to compile. This CL should not affect certificate parsing.
* Unwind ASN1_AFLG_BROKEN. Update-Note: Types using ASN1_BROKEN_SEQUENCE from openssl/asn1t.h will fail to compile. This CL should not affect certificate parsing.
* Const-correct various X509 string parameters.
* Document the next few functions in x509.h.
* Remove sk_new_null call.
* acvp: move inner MCT loops into subprocess.
* Fix x509_rsa_ctx_to_pss when saltlen is md_size.
* Document the X509V3_get_d2i family of functions.
* runner: explicitly signal error from handshaker.
* runner: add -skip.
* Add functions for manipulating X.509 TBS structures.
* Remove ASN1_STRING_length_set prototype.
* Update Go on the bots.
* Rework vs_toolchain.py and vs_env.py.
* Add ECDSA verify KAT to FIPS self-tests.
* Add AES-GCM AEADs with internal nonce generation.
* Define a constant for the standard GCM nonce length.
* Add test for X25519-containing certificate.
* Add SSL_early_data_reason_string.
* Add raw redeem API.
* aarch64: Remove some flavour conditionals.
* Have fewer opaque booleans in aead_test.cc.
* acvp: RSA signature verification tests.
* acvp: RSA signature generation tests.
* acvp: support RSA key generation tests.
* Support 4096-bit keys in FIPS mode.
* Reland "Check AlgorithmIdentifier parameters for RSA and ECDSA signatures." Update-Note: Some invalid certificates will now be rejected at verification time. Parsing of certificates is unchanged.
* acvp: add 3DES-CBC support.
* acvp: add 3DES-ECB support.
* Clear some reported gcc -Wshadow warnings.
* Const-correct X509V3_extensions_print.
* clang-format and convert comments in x509v3.h.
* aarch64: Improve conditional compilation.
* Silence some linter checks.
* acvp: update subprocess_test.go.
* Update clang.
* Implement draft-vvv-tls-alps-01.
* Simplify 0-RTT tests.
Bug: 160351436
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I1fb4105341a73be9d5f978301f7318e16027f37d
2020-10-13  |  external/boringssl: Sync to 3989c99706bf30054798ff82f1cb010e50e385f5.  |  Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/3743aafdacff2f7b083615a043a37101f740fa53..3989c99706bf30054798ff82f1cb010e50e385f5
* Fix crash when flushing an SSL BIO.
* Document low-level PEM read/write functions.
* clang-format pem.h and convert comments.
* Add PSK variants of HPKE setup functions to BoGo.
* acvp: abstract out MCT iteration functions.
* Add Go implementation of HPKE draft 05 to runner.
* runner: Implement a more complete ClientHello consistency check.
* Update TrustTokenV2 to use VOPRFs and assemble RR.
* acvp: add AES-CCM support.
* acvp: highlight that the TOTP secret goes in the config file.
* acvp: handle more private key formats.
* runner: Refactor BoGo clientHelloMsg extension marshalling.
* Include rodata subsections in FIPS-shared build.
* Switch x509_test.cc to use C++ raw string literals.
* Fix some malloc error handling.
* acvp: add AES-KWP support.
* acvp: add AES-KW support.
* acvp: support saving vectors.
* Fix handling of quic_early_data_context.
* Add a warning to des.h.
* Move Trusty workaround to the OPENSSL_LINUX define.
* acvp: add AES-GCM support.
* Disable fork detection on Trusty.
* acvp: add AES-CTR support.
* Tell clang-format that STACK_OF and LHASH_OF are types.
* modulewrapper: fix unknown functions.
* Print SSL_get_error in bssl_shim.
* modulewrapper: fix sending empty spans.
* Allow specifying different initial and resumption expectations.
* Add a few more OPENSSL_NO_* constants.
* Test SSL_get0_alpn_selected on both client and server.
* runner: Rewrite sessionState parsing with byteReader.
* Switch ssl_parse_extensions to bool and Span.
* Disable check that X.509 extensions implies v3.
* Silence some clang warnings on macOS and iOS CQ bots.
* Mirror dsa.h's deprecation notice in dh.h.
* Const-correct X509_get0_extensions. Update-Note: Callers may need to update their calls of X509_get0_extensions, but I believe everything affected has been fixed.
Bug: 160351436
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: Ieaf5a7c605cdfe2a511406c8b377e9178ad69a55
2020-10-12  |  Revert "external/boringssl: Sync to 3989c99706bf30054798ff82f1cb010e50e385f5."  |  Pete Bentley
This reverts commit 92a0f790a5c96b3f6e0516a20aca2222459be9cd.
Reason for revert: Breaks tests in postsubmit: b/170610462
Change-Id: I728ca3ccefda48c2f379747a9b8a68d45ca7854b
2020-10-10  |  external/boringssl: Sync to 3989c99706bf30054798ff82f1cb010e50e385f5.  |  Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/3743aafdacff2f7b083615a043a37101f740fa53..3989c99706bf30054798ff82f1cb010e50e385f5
* Fix crash when flushing an SSL BIO.
* Document low-level PEM read/write functions.
* clang-format pem.h and convert comments.
* Add PSK variants of HPKE setup functions to BoGo.
* acvp: abstract out MCT iteration functions.
* Add Go implementation of HPKE draft 05 to runner.
* runner: Implement a more complete ClientHello consistency check.
* Update TrustTokenV2 to use VOPRFs and assemble RR.
* acvp: add AES-CCM support.
* acvp: highlight that the TOTP secret goes in the config file.
* acvp: handle more private key formats.
* runner: Refactor BoGo clientHelloMsg extension marshalling.
* Include rodata subsections in FIPS-shared build.
* Switch x509_test.cc to use C++ raw string literals.
* Fix some malloc error handling.
* acvp: add AES-KWP support.
* acvp: add AES-KW support.
* acvp: support saving vectors.
* Fix handling of quic_early_data_context.
* Add a warning to des.h.
* Move Trusty workaround to the OPENSSL_LINUX define.
* acvp: add AES-GCM support.
* Disable fork detection on Trusty.
* acvp: add AES-CTR support.
* Tell clang-format that STACK_OF and LHASH_OF are types.
* modulewrapper: fix unknown functions.
* Print SSL_get_error in bssl_shim.
* modulewrapper: fix sending empty spans.
* Allow specifying different initial and resumption expectations.
* Add a few more OPENSSL_NO_* constants.
* Test SSL_get0_alpn_selected on both client and server.
* runner: Rewrite sessionState parsing with byteReader.
* Switch ssl_parse_extensions to bool and Span.
* Disable check that X.509 extensions implies v3.
* Silence some clang warnings on macOS and iOS CQ bots.
* Mirror dsa.h's deprecation notice in dh.h.
* Const-correct X509_get0_extensions. Update-Note: Callers may need to update their calls of X509_get0_extensions, but I believe everything affected has been fixed.
Bug: 160351436
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I591546ce4deac518352bb625537073aca1465d35
2020-09-30  external/boringssl: Sync to 3743aafdacff2f7b083615a043a37101f740fa53.  Pete Bentley
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/2fb729d4f36beaf263ad85e24a790b571652679c..3743aafdacff2f7b083615a043a37101f740fa53
* Add SSL_CIPHER_get_protocol_id.
* Add TrustTokenV2.
* Add X509_get_pathlen and X509_REVOKED_get0_extensions.
* Add some accommodations for FreeRDP
* Require non-NULL store in X509_STORE_CTX_init.
  Update-Note: X509_STORE_CTX_init will now fail when the store is NULL, rather than report success, only to crash later in X509_verify_cert. Breakage should thus be limited to code which was passing in a NULL store but never used the resulting X509_STORE_CTX.
* Const-correct X509V3_CONF_METHOD.
  Update-Note: External definitions of X509V3_CONF_METHOD will need to fix the types of their functions. There should not be any of these (probably hide this struct), but if there are, this aligns with upstream OpenSSL.
* Avoid unions in X509_NAME logic.
* Bump OPENSSL_VERSION_NUMBER to 1.1.1.
  Update-Note: Some OPENSSL_VERSION_NUMBER/OPENSSL_IS_BORINGSSL checks may need to be updated. Hopefully even more can go away.
* Document more of x509.h.
* Fix potential leak in bssl::Array::Shrink.
* Remove ASN1_STRING_length_set.
  Update-Note: Use ASN1_STRING_set instead, though this function appears to be unused.
* Revert "Check AlgorithmIdentifier parameters for RSA and ECDSA signatures."
* Implement PSK variants of HPKE setup functions.
* acvp: support working with files.
* Document a few more functions in x509.h.
* Add subject key ID and authority key ID accessors.
* Remove sxnet and pkey_usage_period extensions.
  Update-Note: Parsers for these two extensions are removed. Parsing the types directly or passing NID_sxnet and NID_pkey_usage_period into X509V3_get_d2i, or *_get_ext_d2i will no longer work.
* Const-correct various X509 functions.
* Make X509_set_not{Before,After} functions rather than macros.
* Add X509_get0_uids from OpenSSL 1.1.0.
* Bound RSA and DSA key sizes better.
  Update-Note: Some invalid or overly large RSA and DSA keys may previously have been accepted that are now rejected at parse time. For public keys, this only moves the error from verification to parsing. In some private key cases, we would previously allow signing with those keys, but the resulting signatures would not be accepted by BoringSSL anyway. This CL makes us behave more consistently.
* Add set1 versions of X509 timestamp setters.
* Consistently sort generated build files.
* delocate: use 64-bit GOT offsets in the large memory model.
* Update HPKE implementation and test vectors to draft-irtf-cfrg-hpke-05.
* Handle NULL arguments in some i2d_* functions.
* aarch64: support BTI and pointer authentication in assembly
* Support delegated credentials version 06
* delocation: large memory model support.
* Enforce presence of ALPN when QUIC is in use.
  Update-Note: If an SSL_QUIC_METHOD is set, connections will now fail if ALPN is not negotiated. This new behavior can be detected by checking if the value of BORINGSSL_API_VERSION is greater than 10.
* Fix the naming of alert error codes.
  Update-Note: The renamed alerts will log slightly different strings, but the constants used by external code are still there.
* Use golang.org/x/crypto in runner.
  Update-Note: The tests now have a golang.org/x/crypto dependency. This should be fetched transparently with Go modules. Monorepos with different import path conventions may need to rewrite these imports.
* Disable ClientHello padding for QUIC.
* Add X509_SIG_get0 and X509_SIG_getm.
* Implement HPKE.
* Disallow TLS 1.3 compatibility mode in QUIC.
* Switch clang-format IncludeBlocks to Preserve.
* Fix unterminated clang-format off.
* Add line number to doc.go error messages.
* Kick the bots.
* Add a JSON output to generate_build_files.py.
* Add details of 20190808 FIPS certification.
* Link to ws2_32 more consistently.
* Allow explicitly-encoded X.509v1 versions for now.
* Opaquify PKCS8_PRIV_KEY_INFO.
  Update-Note: Direct accesses of PKCS8_PRIV_KEY_INFO now need to use the accessors. Code search suggests no one uses the fields. Even the accessors are virtually unused (the one thing which uses it doesn't need it).
* Implement i2d_PUBKEY and friends without crypto/asn1.
* Remove TRUST_TOKEN_experiment_v0.
  Update-Note: This gets rid of TRUST_TOKEN_experiment_v0. Existing callers should be updated to call TRUST_TOKEN_experiment_v1.
* Clarify in-place rules for low-level AES mode functions.
* acvp: add CMAC-AES support.
* acvp: add SP800-108 KDF support.
* Remove x509->name.
  Update-Note: instead of x509->name, use X509_NAME_oneline and X509_get_subject_name.
* Maybe build for AArch64 Windows.
* sha1-x86_64: fix CFI.
* Use |crypto_word_t| and |size_t| more consistently in ECC scalar recoding.
* Enable shaext path for sha1.
* Avoid relying on SSL_get_session's behavior during the handshake.
  Update-Note: SSL_generate_key_block will now fail mid-handshake. It is ambiguous which key block to use and, in some cases, we may not even be able to compute the right key block.
* Add a -wait-for-debugger flag to runner.
* Add missing OPENSSL_EXPORT to X509_get_X509_PUBKEY.
* Const-correct various functions in crypto/asn1.
* Remove unneeded switch statement.
* Convert X.509 accessor macros to proper functions.
  Update-Note: This should be compatible, but it is possible that someone, e.g., passed in a bssl::UniquePtr<X509> to an accessor and relied on operator->. Callers may also run afoul of const correctness. I mirrored OpenSSL 1.1.1's consts, so it should at least be compatible with third-party code.
* Remove X509_CINF_get_issuer and X509_CINF_get_extensions.
  Update-Note: Two unused macros were removed. If there were uses, the X509-level accessors can be used instead.
* Remove X509_get_signature_type.
  Update-Note: If there are any calls to X509_get_signature_type, remove them. It more-or-less always returned NID_undef.
* clang-format x509.h and run comment converter.
* Check AlgorithmIdentifier parameters for RSA and ECDSA signatures.
* Remove some unimplemented prototypes.
* Check the X.509 version when parsing.
  Update-Note: The X.509 parser is now a bit stricter. This may break some malformed certificates which were previously incorrectly accepted.
* Fix x509v3_cache_extensions error-handling.
  Update-Note: The X.509 verifier now correctly rejects syntax errors in important certificate extensions. This may break some malformed certificates which were incorrectly accepted before.
* Work around Windows command-line limits in embed_test_data.go.
* Move crypto/x509 test data into its own directory.
* Test resumability of same, different, and default ticket keys.
* Fixes warning when redefining PATH_MAX when building with MINGW.
* Abstract fd operations better in tool.
* Use CMAKE_SIZEOF_VOID_P instead of CMAKE_CL_64
* Enforce the keyUsage extension in TLS 1.2 client certs.
  Update-Note: Client certificates which do not support the digitalSignature key usage will be rejected. They should either include that bit or omit the keyUsage extension.
* Reword some comments.
* Add “Z Computation” KAT.
* acvptool: handle negative sizeConstraint.
* Let memory hooks override the size prefix.
* acvptool: go fmt
* Assert md_size > 0.
* Remove -enable-ed25519 compat hack.
* Add a |SSL_process_tls13_new_session_ticket|.
* Use ctr32 optimizations for AES_ctr128_encrypt.
* Test AES mode wrappers.
* Bump minimum CMake version.
* Modify how QUIC 0-RTT go/no-go decision is made.
* Remove RAND_set_urandom_fd.
  Update-Note: RAND_set_urandom_fd no longer exists. This was only called by Chromium, which now uses CRYPTO_pre_sandbox_init.
* Document that getrandom support must be consistent.
* Fix docs link for SSL_CTX_load_verify_locations
* Fix TRUST_TOKEN experiment_v1 SRR map.
* Add CRYPTO_pre_sandbox_init.
* Still query getauxval if reading /proc/cpuinfo fails.
* Add missing header to ec/wnaf.c
* Fix OPENSSL_TSAN typo.
* Fix p256-x86_64-table.h indentation.
* Enable avx2 implementation of sha1.
* Trim Z coordinates from the OPENSSL_SMALL P-256 tables.
* Use public multi-scalar mults in Trust Tokens where applicable.
* Use batched DLEQ proofs for Trust Token.
* Restrict when 0-RTT will be accepted in QUIC.
* Disable TLS 1.3 compatibility mode for QUIC.
* Use a 5-bit comb for some Trust Tokens multiplications.
* Use a (mostly) constant-time multi-scalar mult for Trust Tokens.
* Batch inversions in Trust Tokens.
* Rearrange the DLEQ logic slightly.
* Use token hash to encode private metadata for Trust Token Experiment V1.
* Introduce an EC_AFFINE abstraction.
* Make the fuzzer PRNG thread-safe.
* Disable fork-detect tests under TSAN.
* Introduce TRUST_TOKENS_experiment_v1.
* Route PMBToken calls through TRUST_TOKEN_METHOD.
* Introduce a TRUST_TOKEN_METHOD hook to select TRUST_TOKEN variations.
  Update-Note: Pass TRUST_TOKEN_experiment_v0() into any existing code that now needs a TRUST_TOKEN_METHOD.
* fork_detect: be robust to qemu.
* Move serialization of points inside pmbtoken.c.
* Introduce PMBTOKENS key abstractions.
* Fix the types used in token counts.
  Update-Note: Fix callers of TRUST_TOKEN_ISSUER_issue to use size_t instead of uint8_t. The max_batchsize changes should go through without changes to the caller.
* Remove unused code from ghash-x86_64.pl.
* Switch the P-384 hash-to-curve to draft-07.
* Add hash-to-curve code for P384.
* Write down the expressions for all the NIST primes.
* Move fork_detect files into rand/
* Harden against fork via MADV_WIPEONFORK.
* Fix typo in comment.
* Use faster addition chains for P-256 field inversion.
* Tidy up third_party/fiat.
* Prefix g_pre_comp in p256.c as well.
* Add missing curve check to ec_hash_to_scalar_p521_xmd_sha512.
* Add a tool to compare the output of bssl speed.
* Benchmark ECDH slightly more accurately.
* Align remaining Intel copyright notice.
* Don't retain T in PMBTOKEN_PRETOKEN.
* Check for trailing data in TRUST_TOKEN_CLIENT_finish_issuance.
* Properly namespace everything in third_party/fiat/p256.c.
* Update fiat-crypto.
* Add missing ERR_LIB_TRUST_TOKEN constants.
* Add bssl speed support for hashtocurve and trusttoken.
* Implement DLEQ checks for Trust Token.
* Fix error-handling in EVP_BytesToKey.
* Fix Trust Token CBOR.
* Match parameter names between header and source.
* Trust Token Implementation.
* Include mem.h for |CRYPTO_memcmp|
* acvptool: add subprocess tests.
* Add SHA-512-256.
* Make ec_GFp_simple_cmp constant-time.
  Update-Note: This does mean that we pay a 6M+2S Jacobian comparison where comparing two publicly affine points should cost no field operations at all. Code which compares two EC public keys for equality will be slightly slower. I wouldn't expect this to matter (if you actually use the public keys, you'll pay much much more). If it does, we can restore this optimization by keeping better track of affine vs. Jacobian forms. See https://crbug.com/boringssl/326.
* Tidy up CRYPTO_sysrand variants.
* Do a better job testing EC_POINT_cmp.
* Follow-up comments to hash_to_scalar.
* Add a hash_to_scalar variation of P-521's hash_to_field.
* Add SSL_SESSION_copy_without_early_data.
* Double-check secret EC point multiplications.
* Make ec_felem_equal constant-time.
* Fix hash-to-curve comment.
* Make ec_GFp_simple_is_on_curve constant-time.
* Implement draft-irtf-cfrg-hash-to-curve-06.
* Update list of tested SDE configurations.
* Only draw from RDRAND for additional_data if it's fast.
* Generalize bn_from_montgomery_small.
* Remove BIGNUM from uncompressed coordinate parsing.
* Add EC_RAW_POINT serialization function.
* Base EC_FELEM conversions on bytes rather than BIGNUMs.
* runner: Replace supportsVersions calls with allVersions.
* Enable QUIC for some perMessageTest runner tests
* Move BN_nnmod calls out of low-level group_set_curve.
* Clean up various EC inversion functions.
* Start to organize ec/internal.h a little.
* Fix CFI for AVX2 ChaCha20-Poly1305.
* Remove unused function prototype.
* Enable more runner tests for QUIC
* Require QUIC method with Transport Parameters and vice versa
* acvptool: support non-interactive mode.
* Add is_quic bit to SSL_SESSION
* Update SDE.
* Update tools.
* Add simpler getters for DH and DSA.
* Don't define default implementations for weak symbols.
* Don't automatically run all tests for ABI testing.
* Fix test build with recent Clang.
* Remove LCM dependency from RSA_check_key.
* Simplify bn_sub_part_words.
* No-op commit to test Windows SDE bots.
* ABI-test each AEAD.
* Add memory tracking and sanitization hooks
* Add X509_STORE_CTX_get0_chain.
* Add DH_set_length.
* Static assert that CRYPTO_MUTEX is sufficiently aligned.
* [bazel] Format toplevel BUILD file with buildifier
* Add |SSL_CTX_get0_chain|.
* Configure QUIC secrets inside set_{read,write}_state.
  Update-Note: See b/151142920#comment9 Change-Id: I4bbb76e15b5d95615ea643bccf796db87fae4989 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/40244 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Steven Valdez <svaldez@google.com>
* Allow setting QUIC transport parameters after parsing the client's
* Fix comment for |BORINGSSL_self_test|.
* Trust Token Key Generation.
* Revise QUIC encryption secret APIs.
  Update-Note: This is an incompatible change to SSL_QUIC_METHOD. BORINGSSL_API_VERSION can be used to distinguish the two revisions.
* Fix ec_point_mul_scalar_public's documentation.

Test: atest CtsLibcoreTestCases CtsLibcoreTestCases
Change-Id: I754169828a3e1cb461bf0d4a64d4d7b46951d730
2020-08-27  Revert "external/boringssl: Sync to a0b49d63fdc33e54eac93674c86891d15d181d87."  Pete Bentley
This reverts commit c960c43412e0632abb712fc465e70b6dfa2e9657.
Reason for revert: <Breaks ART buildbot>
Bug: 166619732
Change-Id: I5c843090e06a33aca391cde9c2da2bcb16995f05
2020-08-24  external/boringssl: Sync to a0b49d63fdc33e54eac93674c86891d15d181d87.  Daulet Zhanguzin
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/2fb729d4f36beaf263ad85e24a790b571652679c..a0b49d63fdc33e54eac93674c86891d15d181d87
Test: atest CtsLibcoreTestCases
Change-Id: Ida4794d56d237422351b9ddcc7d0bc9295e816e1
2016-04-29  external/boringssl: Sync to d18cb77.  David Benjamin
This includes the following changes which are far too many to list here: https://boringssl.googlesource.com/boringssl/+log/7b8b9c17db93ea5287575b437c77fb36eeb81b31..d18cb77864dcc4b5c7cb08c2331008c01165f34f
This also retires one function from android_compat_hacks.c which is no longer necessary.
Change-Id: Ie00536d7ad815464b2b031f7bcd1b683e12c1623
2015-01-30  Initial commit of BoringSSL for Android.  Adam Langley