path: root/src/crypto/x509/x509_vpm.c
Age    Commit message    Author
2023-12-19    external/boringssl: Sync to 538b2a6cf0497cf8bb61ae726a484a3d7a34e54e.    David Benjamin
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/2a33faebe1827956e7fca8cbb15e2ca79b292d9c..538b2a6cf0497cf8bb61ae726a484a3d7a34e54e

* Restore the X509_EXTENSION ASN1_ITEM too
* Give WARNING paragraphs a splash of color
* Support lists and code blocks in doc.go
* sha: Add SSSE3 check to SHAEXT SHA-256 implementation.
* Give time.h a title and move to low-level infra group
* Restore the X509 ASN1_ITEM
* Add conf.h to the documentation output
* Skip emitting empty <pre> blocks in documentation
* Support medium memory models.
* Change certificate depth limit to match OpenSSL and document
  Update-Note: The new semantics increase the limit by 1 compared to the old ones. Thus this change should only accept more chains than previously and be relatively safe. It also makes us more OpenSSL-compatible. Envoy will need a tweak because they unit test the boundary condition for the depth limit.
* Fix X509_ATTRIBUTE_set1_data with negative attributes
* sha: Move Armv7 dispatching to C
* Disable 32-bit Arm assembly optimizations on iOS
  Update-Note: iOS on 32-bit Arm now disables assembly. This is unlikely to impact anyone. As far as I can tell, 32-bit Arm for iOS thoroughly does not exist anymore.
* Assume the Arm assembler can handle ADR
  Update-Note: If 32-bit Arm assembly no longer builds, let us know and tell us what your toolchain is.
* Document and fix up name hashing functions
  Update-Note: This is source-compatible for C/C++, including with -Wconversion, but some bindings need a patch in cl/588632028 to be compatible.
* sha: Remove check for SSSE3 for AVX variants.
* Document functions that export verification internals
* sha: Move AArch64/X86-64 dispatching to C.
* Remove cert_verify_proc_blocklist.inc
* Call CheckPathAfterVerification in deadline/iteration limit case
* Fuzz more extension parsers in the cert parser
* Document GENERAL_NAME-related APIs
  Update-Note: In the process, unexport the ASN1_ITEMs, and the d2i/i2d functions for OTHERNAME and EDIPARTYNAME. These do not appear to be used and removing them will cut down on the amount of compatibility glue needed when we rewrite the parsers with a safer calling convention.
* Remove unused Chromium test data
* Remove fillins/log.h
* Unexport some STACK_OF types.
  Update-Note: A few obscure STACK_OF(T) types are unexported. This is not expected to impact anyone.
* Const-correct X509_TRUST and X509_PURPOSE
  Update-Note: No one uses these APIs except for rust-openssl. rust-openssl may need fixes because they seem to not quite handle C const correctly.
* Remove dynamic X509_TRUST and X509_PURPOSE registration
* Actually remove KU_* from x509.h
* Add distrust by SPKI to TrustStoreInMemory
* Move KU_* back to <openssl/x509v3.h>
* Document or unexport some more of x509.h
* Add missing include
* Consistently call CRYPTO_free_ex_data first
* Fix the names of some X509_STORE_CTX functions
* Simplify and document X509_VERIFY_PARAM inheritance
* Add a debugging log facility to the delegate.
* Unexport X509_VERIFY_PARAM_lookup
  Update-Note: Removed unused function.
  Change-Id: I118f4a1ebff99f919d0f6ee63175633fe945822b
  Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64487
  Reviewed-by: Bob Beck <bbe@google.com>
  Commit-Queue: David Benjamin <davidben@google.com>
* Fix build with -Wmissing-field-initializers
* Remove X509_VERIFY_PARAM_get0_peername
* Document some key usage accessors
* Simplify and document X509_supported_extension
* Const-correct X509_LOOKUP_METHOD
  Update-Note: Making X509_LOOKUP_file and X509_LOOKUP_hash_dir return const pointers is not quite source-compatible, but code search suggests nothing cares. If we have to, we can cast const away in those functions, but let's try the more type-safe option first.
* Fix KYBER_decap declaration
* Replace X509_LOOKUP_ctrl with real functions
* Name the hash functions in the Kyber implementation
* Pull the string-based extensions APIs into their own section
* Always use a 32-byte shared secret for Kyber
  Update-Note: The Kyber public APIs have changed slightly, but we do not believe there are any users of them yet.
* Tidy up x509_lu.c functions a little
* Clean up the by_file_ctrl x509 code to be slightly less obtuse
* Use relative links in markdown files
* Merge <openssl/x509v3.h> into <openssl/x509.h>
* Merge crypto/x509v3 into crypto/x509
* Simplify X509_VERIFY_PARAM_new and X509_VERIFY_PARAM_free
* Remove X509_VERIFY_PARAM names
  Update-Note: Removed some unused functions.
* Add a value barrier in p224_select_point
* Add CRYPTO_{addc,subc}_* functions to crypto/internal.h
* Implement the old FIPS 186-2 PRF
* Document some X509_VERIFY_PARAM and X509_STORE functions
* Remove a pile of unused X509_STORE callbacks
  Update-Note: Removed a bunch of unused X509_STORE callback functions. We can restore them if someone was using them.
* add checkout command to BUILDING.md
* Move X509_INFO back into x509.h and document
* Give BIO an ex_data
* Remove fillins/openssl_util
* Remove unused fields in X509_LOOKUP and X509_LOOKUP_METHOD
* Fix some docs.go nits
* Unexport various unused X509_OBJECT and X509_LOOKUP functions.
* Add X509_OBJECT_new and X509_OBJECT_free
* Fix leak if X509_STORE_CTX_init is called on a previously initialized context
* Remove fillins/path_service
* Remove fillins/fillins_base64
* Remove fillins/file_util
* Remove fillins/fillins_string_util.[cc|h]
* Remove X509_STORE_CTX_zero
* Update README.md
* Remove IMPORT and related importing tools
* Use InsertBraces - and reformat pki as such
* Clang-format all of pki.
* Trim X509_INFO and move to crypto/pem
* Document ASN1_ITEM-based signing, etc. APIs
* Unexport some ASN1_ITEMs that aren't used externally
  Update-Note: Fewer types can be parsed generically through the ASN1_ITEM system now. If someone was relying on a removed ASN1_ITEM, it will appear as a compile error and we can restore it.
* Document X509_NAME comparison functions
* Document PKCS8_PRIV_KEY_INFO and X509_SIG
* Document X509_PUBKEY functions
* Remove pki/fillins/net_errors.h
* Remove the _BORINGSSL_LIBPKI_ defines
  Update-Note: _BORINGSSL_LIBPKI_ in build files can be removed.
* Remove no longer reachable CRL path validation code
* Remove support for the certificateIssuer CRL entry extension
* Use the ASN1_BOOLEAN typedef in ISSUING_DIST_POINT
* Unexport the idp_flags constants
* Remove some remnants of indirect CRLs in CRL matching
  Update-Note: This also makes a corresponding distribution point change to ignore distribution points with a CRLissuer field. Before, we would check for it to match the CRL issuer, but this field is only meant to be used with indirect CRLs (RFC 5280, section 6.3.3, step b.1). The old code didn't include this, so I think it isn't *quite* a no-op on some invalid DP/CRL pairs, but it matches the new verifier from Chromium.
* Remove the delta CRL special case on expiry
* Remove the now no-op CRL reasons loop
* Don't process DistributionPoints with a reasons field
  Update-Note: See above.
* Remove the redundant idp_reasons field
* Remove removedFromCRL handling
* Remove dcrl output parameter in CRL lookup logic
* Don't parse delta CRL and CRL number extensions
  Update-Note: While this is broadly a no-op, this may change behavior slightly at the edges. Invalid CRL number extensions will now be ignored instead of treated as a parse error. A delta CRL that incorrectly marks its delta CRL extension as non-critical will be interpreted as a normal CRL. (This is the expected behavior for an implementation which does not implement delta CRLs. Extensions like this are supposed to be marked critical.)
* Remove EXFLAG_FRESHEST
  Update-Note: Though exported, this was an internal flag to the delta CRL implementation. Remove it.
* Remove delta and extended CRL support
  Update-Note: The X509_V_FLAG_EXTENDED_CRL_SUPPORT and X509_V_FLAG_USE_DELTAS flags now cause verification to fail. They weren't enabled by any caller.
* Manually unroll pi and rho steps in Keccak
* Don't prematurely run keccak_f in squeeze
* Remove X509_CRL_diff
  Update-Note: Removed an unused function. This has no callers and is only useful to create delta CRLs, which are similarly unused and being removed.
* Expand and document RSA_PSS_PARAMS functions
* Document X509_REVOKED-related functions
* Const-correct and document trust/reject object APIs
* Limit the SHA_CTX workaround to C
* Simplify AES-GCM counter increment
* Remove unnecessary length check before OPENSSL_memcpy
* Test EVP_CTRL_AEAD_SET_IV_FIXED and friends
* Tighten the limit in ASN1_STRING_set further
* Fix delocate build rules with make
* Add basic C implementation of SPHINCS+-SHA2-128s.
* Update Go dependencies

Test: treehugger
Change-Id: I7261f06f8b3b77bb70e934d9aa1733ebf1a72b54
2023-10-31    external/boringssl: Sync to 2a33faebe1827956e7fca8cbb15e2ca79b292d9c.    Maurice Lam
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/bd20800c22fc8402611b537287bd6948c3f2a5a8..2a33faebe1827956e7fca8cbb15e2ca79b292d9c

* do not call memcpy directly in curve25519_64_adx.h
* Skip ForkDetect tests on iOS
* Add ALPS codepoint supports for split handshake
* Add missing include for waitpid
* Add a note about the list in target.h
* Teach delocate about a new directive that Clang is using.
* Make the pki private headers available to gn
* Sync pki to chromium 5934e28579cddeae3d9ae5b5974f8aae31f200dd
* Move Keccak code to its own folder and add an absorb API.
* Add support for fork detection via pthread_atfork()
* Error check X509_ALGOR_set0()
* Add some IWYU export pragmas
* Convert X509_NAME_get_text_by_[NID|OBJ] to return UTF-8
* crypto: remove kBoringSSLBinaryTag
* Export OPENSSL_NO_* defines in bssl-sys for consumption in rust-openssl
* Improve X509Test.NameAttributeValues coverage
* Edit bssl-sys setup instructions.
* Store NID_undef's ASN1_OBJECT outside the table
* Don't include NID_undef in short/long name tables
* Remove asn1_ex_clear from ASN1_EXTERN_FUNCS.
* Avoid GCC's -Wdangling-pointer warning in CBB
* Replace remaining references to __ARM_ARCH__ with __ARM_ARCH
* Update tools on CI
* Add support for 32bit break tests on Android.
* Fix path for modifiable libcrypto used in KAT testing.
* Add new asm files to generate_build_files.py
* sync pki to chromium 248754f767a6df29d26ebb7da231f22713924a7d
* Consistently use SIZE_MAX over (size_t)-1
* Also add OPENSSL_calloc
* Add OPENSSL_zalloc
* Add table-independent x86+adx asm for P-256
* Implement bssl-crypto wrappers for AES-CBC

Test: treehugger
Change-Id: I001a8100c56e52b925831dc8a70b0b10a4e8aed9
2023-04-03    external/boringssl: Sync to d89702704febab30774e8af22450899af297bfb0.    Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/8aa51ddfcf1fbf2e5f976762657e21c7aee2f922..d89702704febab30774e8af22450899af297bfb0

* Update X25519+Kyber ID.
* Add comment about regenerating peg files.
* Adding a C implementation of Kyber.
* Fix handling of critical X.509 policy constraints
  Update-Note: X.509 certificate verification (not parsing) will now notice policy-validation-related errors in the certificate chain. These include syntax errors in policy-related extensions, and chains with a requireExplicitPolicy policy constraint that are valid for no certificate policies. Such chains are unambiguously invalid. We just did not check it before by default. This is an obscure corner of X.509 and not expected to come up in most PKIs.
* Fix policy validation when the user policy set is NULL
* Remove dynamic X509_VERIFY_PARAM registration
  Update-Note: Various unused functions for registering named X509_VERIFY_PARAMs were removed. These functions only exist to make X509_VERIFY_PARAM_lookup return a custom value. Instead, applications that want a particular X509_VERIFY_PARAM can just configure it directly, rather than stashing it in library-global state and then looking it back up with X509_VERIFY_PARAM_lookup.
* Const-correct sk_FOO_cmp_func
  Update-Note: Anything that defines a comparison function would need to fix the type signature. I found only one external caller, Envoy, that defines it. https://github.com/envoyproxy/envoy/pull/25051 fixes it. (That we hadn't run into the upstream incompatibility suggests this is just not a feature folks use outside the library much.)
* Sort various X.509 global lists sooner
* Add a warning about OBJ_create and global state
* Fix parameter name for i2d_X509_EXTENSION
* Give X509 an ASN1_ITEM again
* Reject non-minimal lengths in ASN1_get_object
  Update-Note: Non-minimal lengths in certificates are no longer accepted, as required for standards compliance. The one exception is the signature field, where we still carry an exception. Some of this was already enforced by libssl's parser.
* Reimplement X509 parsing without templates
  Update-Note: The ASN1_ITEM removal means custom ASN.1 templates (which are discouraged in favor of our much simpler CBS and CBB types) using X509 will fail to compile. We don't believe anyone is relying on this, but this can be restored if we find something.
  Update-Note: Certificate parsing is slightly stricter: the outermost TLVs, except for the signature field, no longer accept non-minimal lengths, as mandated by DER. This strictness was broadly already applied by the libssl parser.
* add bindings to RAND_bytes
* Represent unknown universal types with V_ASN1_OTHER
  Update-Note: This does not change the set of inputs accepted or rejected by the ASN.1 parser. It does, however, change the in-memory representation in edge cases. Unless the application was specifically inspecting the in-memory representation for these unknown types, we expect this to have no impact.
* - remove dependency on hex-literal crate - add helper for converting between hex strings and bytes
* Rewrite c2i_ASN1_OBJECT
  Update-Note: When we removed object-reuse from all the d2i functions, we missed one d2i_ASN1_OBJECT. See https://boringssl-review.googlesource.com/c/boringssl/+/56647. Otherwise, this CL is not expected to change behavior.
* Make ASN1_OBJECT_create size_t-clean.
* Rewrite ASN1_OBJECT and ASN1_BOOLEAN d2i/i2d functions.
  Update-Note: d2i_ASN1_OBJECT and d2i_ASN1_BOOLEAN will no longer accept non-minimal length prefixes (forbidden in DER). d2i_ASN1_BOOLEAN will also no longer accept non-canonical representations of TRUE (also forbidden in DER). This does not affect certificate parsing, as that still goes through the old template system, though we will make a similar change to those functions later.
* add bindings for hkdf and update panic handler
* Get rid of the libc crate dependency in bssl-sys
* Set up cargo deny to deny new dependencies by default.
* Reduce type-punning in ASN1_TYPE
* Add a test for OPTIONAL CHOICE values
* Add CTRDBG_STATE to bssl::UniquePtr
* Hmac should be able to take longer keys
* Const-correct and document a few functions in x509v3.h.
* Test that X509_NAMEs sort their RDNs when encoding.
* Tidy up HMAC_Init_ex slightly
* Rust bindings to boringssl plain AES implementation
* Rust build cleanup
* initial setup for bssl crate with hmac and sha2 bindings - update rust folder to split into `bssl` and `bssl-sys` - add initial bindings for hmac and a subset of sha2

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases boringssl_crypto_test boringssl_ssl_test
Change-Id: I547037039af99463322a565947717d757b8616b1
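Two of the Update-Notes in the commit above concern DER strictness: ASN1_get_object and the X509 parser now reject non-minimal length encodings, and d2i_ASN1_BOOLEAN rejects any TRUE byte other than 0xFF. Both are rules that BER-tolerant parsers quietly skip, which is why two implementations can disagree on whether the same bytes are the same certificate. The following is an added example, not BoringSSL's code and not from this commit: a small self-contained DER tag/length reader that enforces both rules, exercised on hand-constructed byte strings. All sample inputs and function names are the example's own.

```c
/* Added example, not BoringSSL code: a minimal DER tag/length reader that
 * enforces two rules the commit log above mentions and that BER-tolerant
 * parsers get wrong:
 *   1. the length must use its shortest encoding (no non-minimal lengths),
 *   2. BOOLEAN TRUE must be the single byte 0xFF.
 * Only single-byte tags are handled. All inputs below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
  uint8_t tag;        /* identifier octet */
  size_t header_len;  /* octets consumed by tag + length */
  size_t len;         /* content length */
} der_tlv;

/* Parses one DER tag and length. Returns 1 on success, 0 if the input is
 * truncated, uses indefinite length, or uses a non-minimal length. */
int der_read_tlv(const uint8_t *in, size_t in_len, der_tlv *out) {
  if (in_len < 2) return 0;
  uint8_t tag = in[0];
  if ((tag & 0x1f) == 0x1f) return 0;  /* high-tag-number form: unsupported */
  uint8_t first = in[1];
  size_t pos = 2, len = 0;
  if (first < 0x80) {
    len = first;  /* short form: 0..127 */
  } else {
    size_t n = first & 0x7f;
    if (n == 0) return 0;                /* 0x80 is BER indefinite length */
    if (n > sizeof(size_t)) return 0;    /* cannot represent the length */
    if (in_len - pos < n) return 0;      /* truncated length octets */
    if (in[pos] == 0x00) return 0;       /* leading zero octet: not minimal */
    for (size_t i = 0; i < n; i++) len = (len << 8) | in[pos + i];
    pos += n;
    if (len < 0x80) return 0;            /* long form where short form fits */
  }
  if (in_len - pos < len) return 0;      /* truncated content */
  out->tag = tag;
  out->header_len = pos;
  out->len = len;
  return 1;
}

/* Convenience wrapper for callers that only want accept/reject. */
int der_header_ok(const uint8_t *in, size_t in_len) {
  der_tlv tlv;
  return der_read_tlv(in, in_len, &tlv);
}

/* Decodes a DER BOOLEAN. Returns 0 or 1 for a valid encoding and -1 for
 * anything else, including BER-only TRUE values such as 0x01. */
int der_boolean_value(const uint8_t *in, size_t in_len) {
  der_tlv tlv;
  if (!der_read_tlv(in, in_len, &tlv)) return -1;
  if (tlv.tag != 0x01 || tlv.len != 1) return -1;
  uint8_t b = in[tlv.header_len];
  if (b == 0x00) return 0;
  if (b == 0xff) return 1;
  return -1;
}

/* Constructed samples (not taken from any real certificate). */
static const uint8_t kIntMinimal[]     = {0x02, 0x01, 0x05};              /* INTEGER 5 */
static const uint8_t kIntNonMinimal[]  = {0x02, 0x81, 0x01, 0x05};        /* same, long-form length */
static const uint8_t kIntLeadingZero[] = {0x02, 0x82, 0x00, 0x01, 0x05};  /* same, zero-padded length */
static const uint8_t kBoolTrue[]       = {0x01, 0x01, 0xff};
static const uint8_t kBoolFalse[]      = {0x01, 0x01, 0x00};
static const uint8_t kBoolBerTrue[]    = {0x01, 0x01, 0x01};              /* valid BER, invalid DER */

/* A 128-byte OCTET STRING legitimately needs the long form (0x81 0x80),
 * so the minimality check must still accept it. */
int long_form_minimal_ok(void) {
  uint8_t buf[3 + 128];
  buf[0] = 0x04; buf[1] = 0x81; buf[2] = 0x80;
  memset(buf + 3, 0xaa, 128);
  der_tlv tlv;
  return der_read_tlv(buf, sizeof(buf), &tlv) && tlv.len == 128 && tlv.header_len == 3;
}

int main(void) {
  printf("INTEGER, minimal length:    %s\n", der_header_ok(kIntMinimal, sizeof(kIntMinimal)) ? "accept" : "reject");
  printf("INTEGER, 0x81 0x01 length:  %s\n", der_header_ok(kIntNonMinimal, sizeof(kIntNonMinimal)) ? "accept" : "reject");
  printf("INTEGER, 0x82 0x00 0x01:    %s\n", der_header_ok(kIntLeadingZero, sizeof(kIntLeadingZero)) ? "accept" : "reject");
  printf("OCTET STRING, 128 bytes:    %s\n", long_form_minimal_ok() ? "accept" : "reject");
  printf("BOOLEAN 0xff / 0x00 / 0x01: %d / %d / %d\n",
         der_boolean_value(kBoolTrue, sizeof(kBoolTrue)),
         der_boolean_value(kBoolFalse, sizeof(kBoolFalse)),
         der_boolean_value(kBoolBerTrue, sizeof(kBoolBerTrue)));
  return 0;
}
```

The two rejected INTEGER encodings and the 0x01 BOOLEAN all decode to the same values as their canonical forms under a lenient BER reader, which is exactly the ambiguity DER exists to remove: a signature computed over the canonical bytes says nothing about what a lenient parser would accept.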
2023-03-13    external/boringssl: Sync to 8aa51ddfcf1fbf2e5f976762657e21c7aee2f922.    Pete Bentley
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/e40d0f8ee1361fbff2927a6806c755acea79a521..8aa51ddfcf1fbf2e5f976762657e21c7aee2f922

* Add OPENSSL_EXPORT to BN_mod_inverse_blinded
* Add prefetch to sha1_block_data_order_shaext
* Remove EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD from public headers
* test_fips: flush stdout before aborting on failure.
* Work around a NASM bug
* Plug a leak in ASN1_item_i2d()
* Add a few more assertions to compiler_test.cc.
* Fix use of uninitialized cbb on failure case.
* urandom_test: force MADV_WIPEONFORK both ways.
* Use KEM terminology in TLS ECDHE and key_share abstractions
* Define a NID for P-384 + Kyber768.
* Use the common location for CMake in the bots
* Fix ninja run_tests
* Workaround yet more NULL + 0 language bugs
* Fix the generated CMake build
* Replace almost all instances of CMAKE_SOURCE_DIR and CMAKE_BINARY_DIR
* Ignore elf.ErrNoSymbols in util/read_symbols.go
* Run Go tests as part of run_tests
* Pick up a VS 2022 toolchain from Chromium
* Switch to CIPD's copy of perl
* Simplify ECKeyShare slightly.
* Move the ASN.1-based SSLKeyShare serialization to handoff.cc.
* Create the SSLKeyShare object in TLS 1.2 client ECDHE slightly later
* Require getauxval on 32-bit Arm Linux
  Update-Note: BoringSSL now requires API level 18 or later. Projects needing to support API level of 17 or below will fail to build due to the use of getauxval. If any such projects exist, please contact BoringSSL maintainers.
* Go back to breaking syscalls with the syscall number
* Pass the full user_regs_struct to PTRACE_SETREGS
* Print the reason the child stopped in urandom_test
* Move data from .text to .rodata on x86_64
* Start a Kyber implementation with basic Keccak code.
* Tweak urandom_test for Android devices without getrandom.
* Cap the number of ECDSA and DSA sign iterations.
  Update-Note: If signing starts failing with ECDSA_R_INVALID_ITERATIONS, something went horribly wrong because it should not be possible with real curves. (Needing even one retry has probability 2^-256 or so.)
* Add more DSA consistency checks.
  Update-Note: Some invalid DSA keys will be rejected by the parser and at use. Nothing should be using DSA anymore.
* Revert "Revert "Fetch entropy from a system daemon in FIPS mode on Android.""
* Reject zero ECDSA keys in EC_KEY_set_private_key
  Update-Note: Systems that manually construct an EC_KEY (i.e. not from parsing), and either omit the public key or don't call EC_KEY_check_key will start rejecting the zero private key. If such a system *also* signs untrusted digests, this fixes an infinite loop in ECDSA.
* Gracefully handle DSA objects with missing fields
* Fix Android tests with new recipe changes
* acvp: update test expectations
* acvp: write updated tests without `.bz2` suffix
* acvp: fix tests
* Update Go dependencies
* Move constants from .text to .rodata on aarch64
* Add bbe@ to list of reviewers
* Revert go:build ignore lines
* Replace the union inside EVP_PKEY with void*.
* Make EVP_PKEY opaque.
  Update-Note: Code that reaches into the EVP_PKEY struct will no longer compile, like in OpenSSL. I believe I've fixed all the cases. If I missed any, the fix is to switch code to accessors. EVP_PKEY_id(pkey) for pkey->type is the most common fix.
* Make boringssl_gtest_main a STATIC library
* Update build tools
* Use --allowlist-file in bssl-sys
* Tidy up check_chain_extensions after proxy certificate removal
* Remove proxy certificate support.
* Remove global_target from build.
* Don't include custom builds of libc++ in CMake installs
* Specify -Iinclude with the crypto target.
* Unify the two copies of bn_add_words and bn_sub_words
* Implement P256_XMD:SHA-256_SSWU_RO_ and P384_XMD:SHA-384_SSWU_RO_
* Align the hash-to-curve formulation with draft-16.
* Fix a -Wignored-qualifiers warning in trust_token_test.cc
* Make OPENSSL_malloc push ERR_R_MALLOC_FAILURE on failure.
* Cap decimal input sizes in s2i_ASN1_INTEGER
  Update-Note: The stringly-typed API for constructing X.509 extensions now has (very generous) maximum input length for decimal integers of 8,192 digits. If anyone was relying on a higher input, this will break. This is unlikely and should be caught by unit tests; if a project hits this outside of tests, that means they are passing untrusted input into this function, which is a security vulnerability in itself, and means they especially need this change to avoid a DoS.
* Make ERR and thread use system malloc.
  Update-Note: Any recent documentation (in all OpenSSL forks) for the ERR functions cautions against freeing the returned ERR "data" strings, as freeing them is handled by the error library. This change can make an existing double free bug more obvious by being more likely to cause a crash with the double free.
* Add OPENSSL_asprintf and friends for asprintf(3) functionality.
* Add a note in INCORPORATING about which branch to use
* Generate Rust wrappers for HKDF
* Bound the overall output size of ASN1_generate_v3
  Update-Note: The stringly-typed API for constructing X.509 extensions now has a maximum output size. If anyone was constructing an extension larger than 64K, this will break. This is unlikely and should be caught by unit tests; if a project hits this outside of tests, that means they are passing untrusted input into this function, which is a security vulnerability in itself, and means they especially need this change to avoid a DoS.
* VMS? I don't think so. Take this for a walk behind the barn.
* Revert "Drop HRSS assembly."
* Move Go CMake support into its own file.
* Get rid of time_t usage internally, change to int64_t
  Update-Note: This is a potentially breaking change for things that bind to the ASN1_[UTC|GENERALIZED]TIME_set and ASN1_TIME_adj family of functions (and can not type convert a time_t to an int64).
* Remove d2i_FOO object reuse
  Update-Note: This slightly changes the calling convention of the d2i_FOO functions. The change should be compatible with almost all valid calls. If something goes wrong, it should hopefully be quite obvious. If affected (or unaffected), prefer to set the output parameter to NULL and use the return value instead.
* Don't use negative values for unimplemented modes
* Don't use object reuse in X509_parse_from_buffer.
* Remove stale TODO in util/bot/DEPS
* Remove if'd-out OCB-AES assembly
* Trim unnecessary -lrt and ws2_32 deps in the build.
* Unexport GENERAL_NAME_cmp
* Also test i2d_GENERAL_NAME in X509Test.GeneralName
* Fix the type of x400Address in GENERAL_NAME
* Remove old clang-cl workaround
* Limit the CMake -isysroot assembly workaround to older CMake
* Clean up test_support_lib and GTest dependencies slightly.
* Fix various malloc failure paths.
* Partially mitigate quadratic-time malloc tests in unit tests
* Add ABI tests for bn_add_words, etc.
* Avoid branches in GCC in bn/generic.c.
* Add bn_add_words and bn_sub_words assembly for aarch64.
* Rearrange bn/generic.c
* Reject even moduli in RSA_check_key.
  Update-Note: RSA keys with even moduli already do not work. (In addition to being nonsensical, all operations will fail with them because we cannot do Montgomery reduction on even moduli.) This CL shifts the error from when you use the key, to when you parse the key, like our other validation steps. Also after this lands, the check for odd modulus in cl/447099278 can be removed.
* Move malloc failure testing into OPENSSL_malloc
* Const-correct the various EVP_PKEY PEM writers
* Fix leak in set_dist_point_name error handling.
* Fix leak in error-handling for issuingDistributionPoint
* Clear false positives in RSA-OAEP constant time validation
* Fix some clang-format formatting.
* Stop clang from un-constant-timing copy_from_prebuf.
  Update-Note: It is possible the above is wrong and some OPENSSL_NO_ASM relied on value barriers being disabled. If so, this will break that build and we'll need to reconsider.
* Clear various false positives in RSA constant-time validation
* Silence an uninitialized variable false positive in GCC.
* Fix leak on error in v2i_POLICY_MAPPINGS
* Cap bit indices in the unsafe string-based X.509 extensions API
  Update-Note: If anyone is using FORMAT:BITLIST to create very large BIT STRINGs, this will break. This is unlikely and should be caught by unit tests; if a project hits this outside of tests, that means they are passing untrusted input into this function, which is a security vulnerability in itself, and means they especially need this change to avoid a DoS.
* Move OpenSSLConfig.cmake into the cmake/ directory
* Align header guard style in the remaining headers.
* Add locale independent implementations of isalpha, isalnum, isdigit, and isxdigit.
* Fix OPENSSL_NO_ASM builds with the generated CMake build.
* Remove ASN1_TFLG_COMBINE.
* Unexport and remove support for implicit tagging on ASN1_ITYPE_EXTERN.
  Update-Note: IMPLEMENT_EXTERN_ASN1 can no longer be used outside the library. I found no callers using this machinery, and we're better off gradually migrating every <openssl/asn1t.h> user to CBS/CBB anyway.
* Correctly handle optional ASN1_ITEM_TEMPLATE types.
* Remove the last of the broken NEON workaround
* Make X509V3_get_value_int free the old value before overwriting it.
* Fix leak on invalid input to a2i_GENERAL_NAME.
* Define BORINGSSL_IMPLEMENTATION in the Bazel build
* Simplify the external Bazel build.
* Simplify a pair of Go range expressions
* Fix stray */s in // line comment license headers
* Mark standalone Go scripts with go:build ignore
* Align the generated CMake build with the main one.
* Check for null value in set_dist_point_name.
* Fix error-handling in X509V3_EXT_add_nconf_sk and X509v3_add_ext.
* Remove now unnecessary check in CBS_peek_asn1_tag.
* Introduce a locale-independent version of isdigit
* Add a fuzzer for the config file machinery.
* Rewrite ASN1_generate_v3.
  Update-Note: This code is reachable from the deprecated, string-based X.509 extensions API. I've added tests for this, so it should behave generally compatibly, but if anything changes for a caller using these APIs, this CL is the likely cause. (NB: No one should be using these APIs. They're fundamentally prone to string injection vulnerabilities.)
* Add some tests for optional and default ASN1_BOOLEAN.
* Introduce constants for ASN1_BOOLEAN
* Introduce a locale-independent version of isspace
* Add tests for X509_NAME_hash and X509_NAME_hash_old.
* Remove old Trust Token redeem API.
* Remove support for ppc64le.
  Update-Note: BoringSSL no longer supports ppc64le.
* Switch ERR_GET_* to inline functions
* Remove ppc64le assembly.
  Update-Note: After this change, ppc64le builds drop assembly optimizations and will fall back to a generic C-based AES implementation.
* Remove ppc64le delocate and FIPS build.
* Add CBS_get_u64_decimal.
* Align ppc assembly setup with other architectures
* Use the same Deleter across all bssl::UniquePtr<T>.
* Set C11 in all compilers.
* Reduce architecture detection in CMake.
  Update-Note: If the CMake build fails to build somewhere for assembly-related reasons, it's probably from this CL.
* Work around nasm bug with empty assembly files
* Also remove poly_rq_mul.S from generate_build_files.py
* Don't send two post-quantum initial key shares.
* Drop HRSS assembly.
* Add a WORKSPACE.toplevel file
* Unexport BN_MONT_CTX_set_locked.
  Update-Note: This removes a function that can only be used by accessing one of BoringSSL's private locks.
* Align headers in generate_build_files.py output.
* Maintain a frame pointer in aesni-gcm-x86_64.pl and add SEH unwind codes
* Don't automatically sync the two CONF parameters in X509V3_EXT_nconf.
* Convert ghash-x86_64.pl to new directives.
* Add initial support for SEH directives in x86_64 perlasm
* Fix inhibitPolicyMapping in the new policy tree code.
* Rewrite X.509 policy tree logic.
* Don't test for PMULL when NO_ASM.
* Indent DB lines in x86_64 NASM output.
* Reduce caller requirements on X509V3_CTX.
  Update-Note: If using different CONFs in the X509V3_CTX and the function parameter, the function parameter is now always used. No callers do this, and it's somewhat arbitrary which is used. (The generic code always uses the one in ctx. The @section syntax uses the parameter. Then the per-extension callbacks use the ctx.)
* Rename CTX_TEST to X509V3_CTX_TEST.
  Update-Note: CTX_TEST appears to be unused. If affected, switch to using X509V3_set_ctx_test instead.
* Handle errors more normally in asn1_gen.c.
* Fix crash if '@section' is used with no CONF.
* Test requireAnyPolicy being a SkipCerts value
* Test policy mappings from invalid policies.
* Add stubs for hybrid Kyber768 with X25519 or P-256.
* Add optimised Aarch64 GCM.
* Test that policy checking always succeeds with just a trust anchor
* Remove no-op entries from asn1_str2tag.
* Const-correct sk_FOO_deep_copy's copy callback.
* Deprecate, test, and document X.509 config APIs.
* Remove the last of the filename comments.
* Further const-correct config-based extension creation.
* Empty stacks are vacuously sorted
* Add sk_FOO_delete_if.
* Add over_message issuance and redemption to Trust Tokens.
* Remove hmac.h include from ssl.h.
* Simplify MSVC warning configuration
* Build rust bindings against header files under current source dir
* Drop the preference for 256-bit ciphers with CECPQ2.
* Remove custom CONF methods from X509V3_CTX.
  Update-Note: X509V3_CONF_METHOD is removed. Code search says no one uses this.
* Unexport various X509V3_CTX and NCONF helper functions.
* Reword hardware support for AES-GCM.
* Add a link for FIPS cert #4409.
* [clang-warning] Don't pass -stdlib=libc++ on Apple platforms
* Use -pthread instead of -lpthread in Bazel.
* Add some tests for policy mapping.
* Add some tests for anyPolicy.
* Fix some memory leaks in policy_cache_new.
* Add prefetch to aesni_ctr32_ghash_6x
* Add tests for rejecting duplicate policy OIDs.
* Fuzz x509v3_cache_extensions.
* Fix handling of EXFLAG_INVALID_POLICY on the leaf.
* Restore ASN1_TIME_set_string's behavior on NULL.
* Fix return value on malloc failure in tree_calculate_user_set.
* Const-correct and simplify X509_VERIFY_PARAM_set1_policies.
* Add a basic threading test for X509 verification.
* Explicitly warn about streaming AEADs with EVP_CIPHER_CTX.
* acvptool: add support for uploading results.
* acvptool: factor out getResultsWithRetry
* acvptool: factor out logic for connecting to the server
* Switch X509 ex_* flags to uint32_t.
* Rename and tidy up x509v3_name_cmp.
* Fix some more implicit size_t truncations.
* acvptool: factor out uploadResult
* Unexport X509V3_NAME_from_section and fix the type of chtype.
* Finish porting dh_test.cc and ripemd_test.cc to GTest.
* Replace comment with static assert.
* Add a tool to check whether a binary has an executable stack
* Disable blinding for boringssl_self_test_rsa().
* Drop the workaround for the third-party Android CMake toolchain.
* Fully condition all assembly files.
* See whether relative links work for the documentation.
* Add SSL_was_key_usage_invalid.
* Add an 'all' option to generate_build_files.py
* delocate: match all the ARM register extension patterns.
* Fix -Wshorten-64-to-32 errors in ex_data.c.
* acvptool: KDA replaces KAS-KDF for HKDF.
* Add NO_CHECK_TIME to SSLTest.ECHBuiltinVerifier too
* Rewrite i2o_ECPublicKey with CBB_finish_i2d.
* Fix timebomb by disabling time check in this test
* [Bazel] Support More Platforms
* Add int casts to BIO_ctrl calls where appropriate.
* Switch microsecond and iteration counts in bssl speed to uint64_t.
* Finish porting dsa_test.cc to GTest.
* Remove unnecessary L suffixes on DES constants.
* Fix up some integer types in crypto/asn1
* Use a sized type for asn1t.h flags.
* Don't allow the caller to configure invalid signature algorithms.
  Update-Note: This CL makes unknown values fail SSL_set_verify_algorithm_prefs, etc. SSL_SIGN_RSA_PKCS1_MD5_SHA1 is silently dropped from the list, rather than an error because, although documented as incorrect, this hole in the abstraction seems to be confusing. I think there's some code in Chromium which accidentally puts it in the signing prefs (wrong but harmless) and I often need to explain to folks that it doesn't belong in verify prefs (puts it in the ClientHello). This makes us tolerate the value by ignoring it.
* Never accidentally use SSL_SIGN_RSA_PKCS1_MD5_SHA1 at TLS 1.2.
* Add a copy of ninja from CIPD to util/bot/DEPS
* Include ctrdrbg.h in the Rust wrapper.

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases boringssl_crypto_test boringssl_ssl_test
Change-Id: I610a9df05083e51407fadb98a7cfc46d75028cce
2023-03-07  Re-land January BoringSSL.  Pete Bentley
Revert submission 2446033-revert-2319094-bssl_jan2023-OYGIWALFXH
Reason for revert: Re-landing change.
Reverted changes: /q/submissionid:2446033-revert-2319094-bssl_jan2023-OYGIWALFXH
Change-Id: I4fd320e52c7e0e1ab0ba4b71539daa29fb7d29bc
2023-02-21  Revert "external/boringssl: Sync to e40d0f8ee1361fbff2927a6806c7..."  Alison Chang
Revert submission 2319094-bssl_jan2023
Reason for revert: cause broken build
Reverted changes: /q/submissionid:2319094-bssl_jan2023
Change-Id: I9b79af5b9e8884bfa887f06fc272bb312d23d73c
2023-01-19  external/boringssl: Sync to e40d0f8ee1361fbff2927a6806c755acea79a521.  Pete Bentley
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/1530333b25589ee4d4d52b10e78ee55dd82f6dcd..e40d0f8ee1361fbff2927a6806c755acea79a521
* Test, re-document, and deprecate EVP_Cipher.
* Test streaming the AAD into EVP_CIPHER_CTX.
* Add negative tests for the EVP_CIPHER tag check.
* Test the most likely point for calling EVP_CIPHER_CTX_copy.
* Give cipher tests a common entrypoint.
* Correct the maximum output size in cipher_test.cc
* Tidy up cipher_test.cc slightly
* Cap Montgomery moduli to 8 KiB. Update-Note: This will not affect any cryptography implemented by BoringSSL, such as RSA, but other callers may run into this limit. If necessary, we can raise this a bit, but the stack allocation means we don't want to go *significantly* beyond what's in this CL.
* Fix allocation size in BN_mod_exp_mont_consttime.
* delocate: learn about more Aarch64 registers.
* Preprocess asm on all platforms with delocate.
* Add a note in bn.h that this is not for general-purpose math.
* Minor style tweaks in BN_mod_exp_mont_consttime.
* Bump Go version in go.mod and run go mod tidy.
* Split bn_tests.txt into several test files.
* Work around some valgrind warnings in GTest.
* Fix comments now BN_mod_exp_mont_consttime is not cache-line-sensitive
* Replace MOD_EXP_CTIME_ALIGN with align_pointer.
* Add a hint to the C++ ending guard message
* Make OPENSSL_tm_to_posix and OPENSSL_posix_to_tm public API
* delocate: be able to preprocess inputs.
* Update x86_64-mont5.pl and RSAZ comments a bit.
* Update SDE.
* Update build tools.
* Bump minimum CMake version.
* Migrate io/ioutil uses to new APIs.
* Switch blinding indices to size_t.
* Remove ASN1_PRINTABLE_type. Update-Note: All callers of this function have since been removed.
* Replace malloc/memcpy pairs with memdup.
* Release memory earlier when clearing ASN1_ENCODING.
* Align the generated gni files with the new Chromium copyright header
* Define CBS/CBB tags as uint32_t with a typedef. Update-Note: Some APIs switch from unsigned * to uint32_t * out pointers. This is only source-compatible if unsigned and uint32_t are the exact same type. The CQ suggests this is indeed true. If they are not, replace unsigned with CBS_ASN1_TAG to fix the build.
* More -Wshorten-64-to-32 fixes.
* Introduce ossl_ssize_t and use it in ASN1_STRING_set.
* Do not allow changing keys with parameters already set.
* Fix the comment in ecp_nistz256_ord_sqr_mont to match code and prototype.
* Allow EVP_PKEY_copy_parameters into an untyped EVP_PKEY.
* Fix integer overflow in OPENSSL_gmtime_adj
* Check for overflow in i2c_ASN1_BIT_STRING.
* Add the suite of EC_KEY and EC_POINT serializers.
* Skip the field inversion when just measuring output size.
* Allow using the TLS exporter in more cases.
* Print the curve name, not bit length in EVP_PKEY_print_*
* Remove tautological comparison.
* Fix EC public key output in EVP_PKEY_print_*
* Add missing heading to DSA output.
* Fix trailing whitespace in EVP_PKEY_print_*
* Revert "Default SSL_set_enforce_rsa_key_usage to enabled."
* Simplify crypto/evp/print.c.
* Add tests for EVP_PKEY_print_*
* Clean up short BIGNUM handling in bn_print.
* Miscellaneous -Wshorten-64-to-32 fixes.
* Make EVP_PKEY_*_tls_encodedpoint work with EVP_PKEY_EC.
* Fix linking with non-MSVC toolchain in Windows platform
* Break FIPS tests by zeroing out the entire value.
* Remove CMake install command for modulewrapper.
* Enable -Wstring-concatenation and silence warning.
* Switch RSA_sign to size_t.
* Further fixups on the new tests.
* Also detect Armv8.2 SHA-512 extensions on FreeBSD.
* Fix comments around TBSCertificate cache.
* Test (and, for CSRs, fix) TBS cache invalidation on signing.
* Add support for arm/aarch64 on FreeBSD
* Replace UTF8_putc with cbb_add_utf8.
* Some CBB_init_fixed simplifications.
* Make CBB_init_fixed infallible and allocationless.
* Check for TLS 1.3 in SSL_generate_key_block. Update-Note: SSL_generate_key_block gets a new error case, but callers that hit this were getting back useless output anyway.
* acvp: support fetching expected results.
* Add CBB_add_asn1_[u]int64_with_tag.
* Make DH opaque. Update-Note: DH is now an opaque structure. Callers should use accessors instead of accessing fields.
* Default SSL_set_enforce_rsa_key_usage to enabled. Update-Note: Clients will now require RSA server certificates used in TLS 1.2 and earlier to include the keyEncipherment or digitalSignature bit. keyEncipherment is required if using RSA key exchange. digitalSignature is required if using ECDHE_RSA key exchange.
* Test i2d_re_* for CRLs and CSRs too.
* Add EVP_HPKE_KEM_public_key_len and EVP_HPKE_KEM_private_key_len.
* Remove the experimental in-place record APIs. Update-Note: Removed some unused, experimental APIs.
* Maintain the sequence number as a uint64_t.
* Add int64 ASN1_INTEGER setters too.
* Also check for V_ASN1_NEG_INTEGER when checking types.
* Write a test for CONF_parse_list.
* Make CONF_parse_list size_t-clean.
* Unexport CONF_parse_list. Update-Note: CONF_parse_list was removed. If parsing strings, use a dedicated string library.
* Use Array<uint8_t> in DTLS1_OUTGOING_MESSAGE.
* Move the DTLS cookie to SSL_HANDSHAKE.
* Use the new macOS sysctl names when available
* Various -Wshorten-64-to-32 fixes.
* Document and tidy up X509_find_by_*. Update-Note: Removed X509_issuer_and_serial_cmp as it's unused.
* Remove unused X509_LOOKUP_by_* functions. Update-Note: Some unused functions were removed.
* Check some ASN1_STRING types in crypto/x509
* Replace even more ad-hoc bytes/integer conversions.
* Specify all library install destinations
* Add a poisoned field to EVP_CIPHER_CTX.
* Stub out DSA paramgen functions.
* Stub out the OpenSSL secure heap.
* Define OPENSSL_NO_SSL_TRACE.
* Add ASN1_INTEGER_get_int64 and ASN1_ENUMERATED_get_int64.
* Add the "groups" variants of SSL_CTX_set1_curves_list.
* Provide the other primes from RFC 3526.
* Silence a GCC 12 -Warray-bounds false positive warning.
* Rework truncated SHA-2 to silence GCC 12 false positive warning. Update-Note: Truncated SHA-2 Final functions change behavior slightly, but anyone affected by this behavior change would already have tripped an assert() in debug builds.
* Require getrandom in all FIPS builds. Update-Note: The /dev/urandom fallback is no longer available in FIPS builds. This fallback relied on RNGGETENTCNT and was quite flaky.
* Incorporate OS entropy on FIPS CTR-DRBG reseed, not just init.
* Add RAND_get_system_entropy_for_custom_prng
* Rewrite RSA_verify_PKCS1_PSS_mgf1 with size_t.
* Check set_encrypt_key return value in AESTest.ABI.
* Prefer established session properties mid renegotiation. Update-Note: Some APIs will now behave differently mid-renegotiation. I think this is the safer option, but it is possible code was relying on the other one.
* Add EVP_HPKE_KDF_hkdf_md.
* Find threading library
* Use O_CLOEXEC instead of fcntl(FD_CLOEXEC) Update-Note: BoringSSL's /dev/urandom code now assumes the platform supports O_CLOEXEC.
* Add an EVP_HPKE_KEM_enc_len API.
* Track SSL_ERROR_ZERO_RETURN explicitly. Update-Note: This is intended to be safe, but if anything breaks around EOFs, this change is a likely culprit.
* Clean up header to reuse __riscv definition
* Tighten up supported PSS combinations in X.509. Update-Note: Unusual RSA-PSS combinations in X.509 are no longer accepted. This same change (actually a slightly stricter version) has already landed in Chrome.
* Add HMAC_CTX_get_md.
* Add a test for SSL_CTX_set_quiet_shutdown.
* Add X509_STORE_CTX_set0_trusted_stack.
* Add X509_V_FLAG_NO_CHECK_TIME.
* Add DSA_bits and DH_bits.
* Add handshake hints for TLS 1.2 session tickets.
* Rework STACK_OF(T) documentation.
* Fix some typos in comments.
* Remove stale comment.
* Fix SSL_load_client_CA_file when given an empty file.
* Define NR_getrandom for riscv64
* Adapt break-tests.sh to run on an attached Android device.
* Include hopefully all ARM instructions with condition codes.
* Replace OPENSSL_STATIC_ASSERT with static_assert.
* Make time_t conversions. Give up on the OS provided ones.
* Test that close_notify state does not impair SSL_ERROR_SYSCALL.
* Convert more of the SSL write path to size_t and Spans.
* Revert "Fetch entropy from a system daemon in FIPS mode on Android."
* Fetch entropy from a system daemon in FIPS mode on Android.
* Merge entropy read in FIPS mode.
* Rename |from_cpu| to |want_additional_input|.
* Support handshake hints for TLS 1.2 full handshakes.
* Expose the CTR_DRBG API.
* Don't try and test 3DES with ACVP.
* Fix possible ODR violations for ecp_nistz256_from_mont
* Don't try to specify SHA-256 for Aarch64 FIPS.
* Fix up book-keeping between the write buffer and pending writes.
* Fix an edge case in SSL_write's retry mechanism.
* Fix unused variable warning on macOS + ASan
* Remove PEM_X509_INFO_write_bio.
* Add SSL_CTX_get_num_tickets. Update-Note: When this is merged into the internal repository, we can simplify the CPython patches.
* Mostly Revert 52426 - Drop ACVP support for 3DES
* Add script to run FIPS break tests.
* More alignment with OpenSSL on TLS 1.3 cipher suite constants.
* Align with OpenSSL on TLS 1.3 cipher suite constants.
* Document and organize some of the basic extensions functions.
* Const-correct X509_EXTENSION functions, as best we can.
* Document all the dup functions.
* Const-correct X509_REVOKED as well.
* Const-correct and document EVP_PKCS82PKEY and EVP_PKEY2PKCS8.
* Remove PKCS8_pkey_get0 and PKCS8_pkey_set0. Update-Note: Removed some unused accessors.
* Move all the miscellaneous convenience functions into a section.
* Fix the documentation of X509_pubkey_digest.
* Remove the last of the Suite B code. Update-Note: Suite B flags in the X.509 stack are no longer supported. This isn't expected to affect anything but bindings wrapping unused options.
* Remove X509_ocspid_print. Update-Note: An unused function was removed. Commit-Queue: David Benjamin <davidben@google.com>
* Unexport all low-level policy machinery. Update-Note: It is no longer possible to see the policy tree after an X.509 verification. As far as we can tell, this feature is unused.
* Document most X509_NAME functions.
* Add some tests for X509_NAME_ENTRY management.
* Clarify thisUpdate vs. lastUpdate in docs.
* Start grouping x509.h into sections.
* Start expanding DECLARE_ASN1_* macros in x509.h.
* Bump CMake requirement to 3.8.
* Remove X509_ALGORS. Update-Note: X509_ALGORS is removed. If someone was relying on it, we can re-export it.
* Remove X509_REQ's refcount.
* Const-correct the i2d/dup functions we can.
* Use GTest's built-in sharding feature
* Fix memory leak with X509V3_ADD_DELETE.
* Tidy up ASN1_GENERALIZEDTIME_adj and ASN1_UTCTIME_adj.
* Check for invalid UCS-2 and UTF-32 in ASN1_STRING_print_ex. Update-Note: This will make ASN1_STRING_print_ex newly fail, but such inputs should be unreachable from the parser as of an earlier change.
* Check Unicode string encodings in crypto/asn1. Update-Note: Invalid strings in X.509 certificates and other ASN.1 structures will now be rejected. This change is less risky than it seems because most strings in X.509 are in X509_NAME, which already rejected invalid instances of these string types (but not other string types) during canonicalization. See https://crbug.com/boringssl/412 for a discussion of that mess.
* Rewrite scalar operations in spake25519.c with BN_ULONG
* Accept invalid "v3" CSRs.
* Drop stdout when looking for abort messages
* Add a CCM AEAD for Matter, the IoT standard.
* Remove some unnecessary NULL checks.
* Reimplement ASN1_TIME_print with the new parser. Update-Note: ASN1_TIME_print, ASN1_UTCTIME_print, and ASN1_GENERALIZEDTIME_print will no longer accept various invalid inputs.
* Dedup a few more load/store implementations.
* Remove a few more unions.
* Remove p256_point_union_t.
* Don't use a union in Ed25519 EVP_PKEYs.
* Set is_first and is_last correctly with ASN1_STRFLGS_UTF8_CONVERT.
* Remove unnecessary parens on return.
* Post-clang-format fixups.
* Run convert_comments.go on the recently-converted files
* Re-run clang-format with InsertBraces.
* clang-format remaining directories.
* Add fixed key generation for Trust Token.
* Fix duplicate declarations
* Validate ASN.1 times according to RFC 5280 Update-Note: Certificates containing invalid ASN.1 times will no longer parse.
* Define STACK_OF(OPENSSL_STRING) more straight-forwardly.
* Rewrite SSL_add_file_cert_subjects_to_stack
* Rearrange the C11 vs MSVC check.
* Fix build with MSVC 2022.
* Don't guard alignof static asserts on GCC/Clang.
* Add BN_GENCB_get_arg.
* Const-correct bn_gather5.
* Get the EVP_PKEY_METHOD from EVP_PKEY_ASN1_METHOD.
* Add SHA3 support
* More includes for builds that don't use bcm.c
* Replace some more C unions.
* Add X509_REQ_set1_signature_algo and X509_REQ_set1_signature_value.
* Add support for RISC-V 64-bit architecture
* Add EVP_PKEY_HKDF for OpenSSL compatibility.
* Make it more obvious that am and tmp's widths are accurate.
* Add some more includes.
* Align rsaz and mont5 table construction.
* Simplify mont5 table computation.
* Add an extra reduction step to the end of RSAZ.
* Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.
* Use // instead of # for comments inside armv8 asm.
* Add SSL_[CTX_]_set_compliance_policy.
* Increase ACVP sizes.
* Add a fuzzer to check CBS is a DER parser.
* Add some missing includes.
* Move digestsign.c into the module.
* Manually fix a few tables in advance of clang-format.
* Remove leading blank lines in convert_comments.go
* Rewrite ASN1_STRING_print_ex escaping.
* Convince clang-format to handle ASN1_ITEM definitions better
* Do not allow md4 or md5 based signatures in X.509 certificates.
* Fix docs for EVP_Cipher given an AEAD.
* Remove a layer of indirection from most EVP_CIPHERs
* Make EVP_CIPHER opaque. Update-Note: EVP_CIPHER is now opaque. Use accessors instead.
* Use the correct function types in X509V3_EXT_METHODs.
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases boringssl_crypto_test boringssl_ssl_test
Change-Id: I25369ac73ffb70dec5571f8d5006849d051f53c7
2021-10-05  Enable X509_V_FLAG_TRUSTED_FIRST by default.  David Benjamin
Cherry-picked from https://boringssl-review.googlesource.com/c/boringssl/+/49745 and https://boringssl-review.googlesource.com/c/boringssl/+/49746

Cherry-picked outside normal BoringSSL release process to allow easier cherry-picking to Mainline (see bug for details). The first cherry-pick is a test-only fix to pick up correct defaults, the rest of this commit message refers to the second.

The OpenSSL X.509 verifier lacks a proper path builder. When there are two paths available for a certificate, we pick one without looking at expiry, etc. In scenarios like one below, X509_V_FLAG_TRUSTED_FIRST will prefer Leaf -> Intermediate -> Root1. Otherwise, we will prefer Leaf -> Intermediate -> Root1Cross -> Root2:

           Root2
             |
    Root1  Root1Cross
        \    /
      Intermediate
           |
          Leaf

If Root2 is expired, as with Let's Encrypt, X509_V_FLAG_TRUSTED_FIRST will find the path we want. Same if Root1Cross is expired. (Meanwhile, if Root1 is expired, TRUSTED_FIRST will break and leaving it off works. TRUSTED_FIRST does not actually select chains with validity in mind. It just changes the semi-arbitrary decision.)

OpenSSL 1.1.x now defaults to X509_V_FLAG_TRUSTED_FIRST by default, so match them. Hopefully the shorter chain is more likely to be correct.

Update-Note: X509_verify_cert will now build slightly different chains by default. Hopefully, this fixes more issues than it causes, but there is a risk of trusted_first breaking other scenarios. Those scenarios will also break OpenSSL 1.1.x defaults, so hopefully this is fine.

BoringSSL-Bug: 439
Bug: 201667701
Test: atest boringssl_crypto_test
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/49746
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
(cherry picked from BoringSSL commit 8f5eb80b810ff63d14ad3535cb16f7cb8271a4f5)
Change-Id: Ib75feb0081ced6520f9547ff381ee7b4dee75010
2021-07-23  external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91.  Pete Bentley
Re-lands https://r.android.com/1774909
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91
* Add 'generate-ech' command to bssl tool
* Don't enable atomics in NO_THREADS configurations.
* Check strtoul return for overflow error in GetUnsigned()
* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque. Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache. Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback. Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server.
* Manage Channel ID handshake state better. Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001). Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles. Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation. Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque. Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently. Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque. Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs. Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants. Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions. Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs. Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque. Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque. Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos. Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants. Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available. Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions. Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs. Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque. Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating.
* Support creating unencrypted PKCS#12 files. * Move PKCS#12 samples to embed_test_data. * Remove some remnants of TLS 1.3 downgrade carveouts. Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this. * Remove X509_REQ_to_X509. Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it. * Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag * RAND_set_rand_method returns int. * Check the inner and outer CRL signature algorithms match. Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected. * Remove block_mask from EVP_CIPHER_CTX. Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary. * Document a couple more functions in x509.h. * Define X509V*_VERSION constants. * Handle the default X.509 version explicitly. * Compile for RISC-V. * Add ECDSA nonce-testing functions. * Rearrange ECDSA implementation. * Split the FIPS mode PRNG lock in two. * Remove legacy vs_toolchain.py environment variable. * runner: Rename 'masterSecret' on session objects to plain 'secret'. * Test ECDSA signing is non-deterministic. * acvp: split ACVP modulewrapper for reuse by Trusty * No-op CL to trigger some builds. * Use CIPD Go packages. * Update CMake on the bots and switch to CIPD where available. * Future-proof vs_toolchain.py for VS2019. * Revert "Revert "Disable check that X.509 extensions implies v3."" * Update Clang and Go on the bots. * Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create. * Don't overflow the output length in EVP_CipherUpdate calls. Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. 
Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds. * Remove X509_issuer_and_serial_hash. Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841. * Fix Bazel build breakage. * Specify VS toolchain by command-line argument. * Update Android Bazel build support in BUILD.toplevel. * Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback. Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values. * acvp: detect header element in JSON. * Align the ARM capability functions. * Skip runtime NEON checks if __ARM_NEON is defined. Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected. * acvp: don't include CMAC-AES in regcap dump. * acvp: fix CMAC verify * Include bn/internal.h for non-bcm.c builds. * Add various function calls to test_fips. * Add missing include to self_check.c. * Revert "Disable check that X.509 extensions implies v3." * Fix TLS13SessionID-TLS13 test. Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases Change-Id: Idb0a37fccba5d1c3f6a40fe91a81c5189170ed23
2021-07-23Revert "external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91."Sergey Volnov
This reverts commit d03f4c0ac5663fb300b1f40f1059c4194dd0652a. Reason for revert: Investigating b/194282044 Change-Id: I168d73caae2cbc83921133cd47aef37d3bce8c37
2021-07-22external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91.Pete Bentley
Re-lands https://r.android.com/1772605 plus three newer upstream changes. This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91 * Add 'generate-ech' command to bssl tool * Don't enable atomics in NO_THREADS configurations. * Check strtoul return for overflow error in GetUnsigned() * Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY. * Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs. * Always have CRYPTO_sysrand_for_seed. * hrss: use less stack space. * Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead. * Make X509_CRL opaque. Update-Note: Use accessors instead. * Switch another malloc to bssl::Array. * Add a pointer alignment helper function. * Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct. * Fix sign bit in BN_div if numerator and quotient alias. * Handle the server case in SSL_get0_ech_name_override. * Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers. * Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function. * Document a batch of extension-related functions in x509.h. * conf: fix getting keys from the default section. * conf: don't crash when parsing. * Add some OpenSSL compatibility aliases. * Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors. * Rename asn1_locl.h to internal.h. * Update hpke_test.go. * Decorate x509v3_a2i_ipadd declaration as its definition. * SHA-256 is used on AArch64, even if NO_ASM. * swtb is another AArch64 magic tweak. * Implement ClientHelloOuter handshakes. * runner: Add a convenience function for base64 flags. * Reduce bouncing on the cache lock in ssl_update_cache. 
Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.) * Only clear not_resumable after the handshake. * runner: Test that clients actually use renewed tickets. * runner: Clean up test logic. * runner: Fix process exit timeout. * Remove old ASN.1 SET macros. * Document some ASN1_INTEGER and ASN1_ENUMERATED functions. * Document ASN1_STRING_to_UTF8. * Const-correct ASN1_item_verify a bit more. * Compute ASN.1 BIT STRING sizes more consistently. * Remove lh_FOO_doall. * Prefix internal LHASH functions. * Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation. * Rename t1_lib.cc to extensions.cc. * Prefix and unexport a2i_ipadd. * Fix a -Wdeprecated-copy warning. * Validate ECH public names. * Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM. * Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly. * Move crypto/x509/vpm_int.h into internal.h. * Reformat x509_vfy.h and convert comments. * Reland "Add util/fetch_ech_config_list.go" * Revert "Add util/fetch_ech_config_list.go" * Add util/fetch_ech_config_list.go * More reliably report handshake errors through SSL_write. * Add an option to permute ClientHello extension order. * runner: Check the test name against the protocol being tested. * Remove outdated comment in primality testing. * Add most of an ECH client implementation. * Add a basic API to make ECHConfigs. * Make ECH server APIs take EVP_HPKE_KEY. * Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS. * runner: Self-check tests more accurately and earlier. * Don't pad the second ClientHello. * Fix ext_pre_shared_key_clienthello_length calculation. * Tidy up the PSK binder logic. * Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext. * Shift some complexity out of ssl_add_clienthello_tlsext. 
* Add a note about extension callback names. * Add move support to EVP_MD_CTX. * Replace hs->needs_psk_binder with an output parameter. * Make add_clienthello callbacks const. * Fix documentation typo. * Compute the ECH GREASE payload outside of the callbacks. * Pick up the GREASE ECH config ID from grease_seed. * Initialize grease_seed on construction. * Remove the extension init hook. * Move key_share computation out of ClientHello callbacks. * Release some temporaries outside of ClientHello callbacks. * Move the early_data_{offered,reason} logic out of extension callbacks. * Implement a handshake hint for certificate compression. * runner: Implement ECH server for testing. * runner: Parse the status_request extension more strictly. * runner: Make echIsInner a boolean. * runner: Revise ECHConfig type in preparation for client implementation * Fix ECH-Server-RepeatedConfigID test. * Add SSL_ech_accepted API and ech_is_required alerts. * Reject the ECH extension in TLS 1.2 ServerHello. * Move ECH-related APIs to encrypted_client_hello.cc. * Const-correct message creation hooks. * Remove the Channel ID callback. Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server. * Manage Channel ID handshake state better. Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this. * DTLS-SRTP is only defined for DTLS. * Remove impossible ssl->s3 null check. * fix #415: Perl scripts fail when building from a path with spaces * Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001). Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. 
I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef. * Add compatibility impl for EVP_PKEY_get0 * Make md32_common.h single-included and use an unsized helper for SHA-256. * Pull HASH_TRANSFORM out of md32_common.h. * Ensure name not null in EVP_get_cipherbyname * Fix array-parameter warnings * Don't copy client's session ID into server's session. * Test ECH server with unique and repeated config IDs. * Refresh SSL corpora after adding ECH fuzzer mode. * Implement fuzzer mode for ECH server. * Don't try to write empty early data in the tool. * GREASE is now RFC 8701. * runner: Reject all zero client and server randoms. * Const-correct SSL_get_srtp_profiles. Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.) * Update the ECH GREASE size selection. * fuzz/minimise_corpora.sh: Add shebang and chmod +x * Add a missing case to SSL_error_description. * Remove draft tokbind implementation. Update-Note: Token binding APIs are removed. Change-Id: Iecea7c3dcf9d3e2644a3b7afaf61511310b45d5f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47584 Reviewed-by: Adam Langley <agl@google.com> * Make X509_REQ and X509_REQ_INFO opaque. Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead. * Check hs->early_session, not ssl->session, for the early data limit. * Fix some includes. * Be clearer which signing inputs are digests. * Validate RSA public keys more consistently. Update-Note: See above. * Add APIs to manually fill in signatures for CRLs. * Check for resumption identifiers in SSL_SESSION_is_resumable. * Don't use SHA256(ticket) as the signaling session ID for tickets. * Simplify renego + resumption handling. * Move session ID assignment out of ssl_get_new_session. 
* Fix the ech_accept comment. * Export the HPKE implementation. * Refer to EVP_HPKE_CTX by a consistent name. * Shift the KEM dependency in HPKE up a step. * Update ACVP URLs. * Add SSL_can_release_private_key. * Make X509_SIG and X509_CERT_AUX opaque. Update-Note: Direct access of these structs should be replaced by accessors. * acvp: move hash iterations into modulewrapper. * Switch HPKE to a three-parameter output buffer. * Introduce EVP_HPKE_{AEAD,KDF} types. * Don't mark up the first word in a collective comment. * Revise the deterministic for_test variant of HPKE's SetupBaseS. * Fix a memory leak with d2i_ASN1_OBJECT object reuse. * Remove HPKE PSK mode. * Remove HKDF-SHA384 and HKDF-SHA512 from HPKE. * Correctly order PKCS#7 certificates and CRLs. Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order. * Implement ECH draft 10 and update HPKE to draft 08. * Document expected use of BTI and PAC macros. * Remove non-deterministic bits from ECDSA ACVP test. * Reference the newer ChaCha20-Poly1305 RFC. * Use passive entropy collection everywhere. * Rename X509V*_VERSION constants. Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet. * Const-correct ASN1_OBJECT_create. * Clarify OBJ_get0_data and OBJ_get_length. * avcp: SHA-1 for ECDSA _verification_ is still supported by NIST. * A couple of Aarch64 FIPS delocate fixes. * Use a placeholder for unknown errors in ERR_*_error_string. * Include assembly optimizations in Bazel builds on Linux-aarch64. * Remove some BoringSSL-only X509_CINF functions. Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead. * Document and test X509_ATTRIBUTE creation functions. 
* Revert handshaker fd numbers and make StartProcess more flexible. * Remove support for malformed X509_ATTRIBUTEs. Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe. * Make X509_ATTRIBUTE opaque. Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine. * acvptool: Fix typo hard-coding the HTTP method. * Document a few more x509.h functions. * Make X509_PUBKEY opaque. Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point. * Always encode booleans as DER. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break. * Fix issuerUID and subjectUID parsing in the key usage checker. * Add experimental handshake hints API. * Make our Python scripts Python-3-compatible. * Export ssl_client_hello_init for fuzzers. * acvp: support GMAC as an algorithm. * Record a fuzzing corpus for the ClientHelloInner decoder. * Use a consistent plural for 'corpus'. * Add util/bot/libFuzzer to .gitignore. * acvp: support KAS-ECC-SSC staticUnified mode. * Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos. Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on. * Don't duplicate ServerHello construction code. * Rearrange key share and early data logic. * Only skip early data with HRR when offered. 
* Add ECH server config API to ssl_ctx_api fuzzer * Fix ppc64le build. * Simplify the Lucky13 mitigation. * Add ECH server (draft-ietf-tls-esni-09). * runner: Remove unused field * runner: Construct finishedHash earlier. * Simplify tls_cbc.c slightly. * Remove remnants of CBC SHA2 cipher suites. * runner: Test different V2ClientHello challenge lengths. * runner: Ensure helloBytes is always the same as hello.marshal(). * runner: Fix ECH confirmation calculation with PSKs in tests. * runner: Fix HPKE parameter order. * runner: UpdateForHelloRetryRequest cannot fail. * runner: Don't use the buffer in TLS 1.3. * runner: Don't maintain two copies of the same transcript hash. * runner: Remove remnants of SSL 3.0. * runner: Fix writeClientHash and writeRecord ordering. * runner: Remove CheckTLS13DowngradeRandom. * runner: Remove remnants of the separate HelloRetryRequest message. * runner: Store a cipherSuite in ClientSessionState. * runner: Move writeHash to the finishedHash struct. * Fix the spelling of HPKE AEAD constants. * Don't reset server callback expectations on new handshake. * Fix MockQuicTransport::Flush error handling. * Fold ripemd/internal.h into ripemd.c. * Move load/store helpers to crypto/internal.h. * Make words in crypto/fipsmodule/modes actually words. * Handle EINTR more in handshaker.cc. * Add a few missing SSL_R_BIO_NOT_SET cases. * Fix some unreachable code in the QUIC handshaker driver. * Rearrange SSLKeyShare::Serialize. * Fix ssl/internal.h sectioning. * Remove some now unnecessary test exclusions from split handshakes. * Remove tls13-split-handshakes flag. * Define HANDSHAKER_SUPPORTED in one place. * Tidy up handshaker tester. * modulewrapper: add option to print build information. * FIPS counters for AES-CTR. * Enforce that pre_shared_key must come with psk_key_exchange_modes. * Zero out FIPS counters. * Remove is_resume field on TestState. * Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag. 
* Add some warnings on how to use OPENSSL_memory_* functions. * Use an unsized helper for truncated SHA-512 variants. Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone. * Fix mismatch between header and implementation of bn_sqr_comba8. * Remove GCC 4.8.99 check. * Bump minimum CMake version. * Automatically enable C11 atomics when available. Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11. * Make generate_build_files.py python3 compatible. * Remove X509_REQ_set_extension_nids and document related functions. Update-Note: This removes a pair of unused functions. * Document a few more functions in x509.h. * Do not access value.ptr with V_ASN1_BOOLEAN. * Add X509_PUBKEY_get0_public_key. * Test empty EVP_CIPHER inputs and fix exact memcpy overlap. * Revert "Implement rsa_pkcs1_sha256_legacy." * Fix unnecessarily direction-specific tests in cipher_tests.txt * Refactor HPKE API to include explicit length parameters. * Generalize make_errors.go to allow EVP covering multiple directories. * Add a Windows no-op impl of BORINGSSL_self_test * Only pass -handshaker-path in split handshakes tests. * Add RNG support for FreeBSD. * Move fips.c into a subdirectory. * Implement rsa_pkcs1_sha256_legacy. * Better document nullable X.509 getters. * runner: Remove redundant -enable-all-curves shim flag. * Initialize nonce in PerAEADTest.ABI. * Document ASN1_TYPE and related functions. * fips: add counters. * Align with OpenSSL on constness of static ASN1_OBJECTs. Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types. * Add -rr-record flag to runner.go. * Register NAME_CONSTRAINTS with bssl::UniquePtr. * Register POLICY_MAPPING with bssl::UniquePtr. * Stub out some more of PKCS7. 
* Remove TODO to reverse the output of PKCS12_parse. * Make the X509_VAL structure opaque. Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating. * Support creating unencrypted PKCS#12 files. * Move PKCS#12 samples to embed_test_data. * Remove some remnants of TLS 1.3 downgrade carveouts. Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this. * Remove X509_REQ_to_X509. Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it. * Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag * RAND_set_rand_method returns int. * Check the inner and outer CRL signature algorithms match. Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected. * Remove block_mask from EVP_CIPHER_CTX. Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary. * Document a couple more functions in x509.h. * Define X509V*_VERSION constants. * Handle the default X.509 version explicitly. * Compile for RISC-V. * Add ECDSA nonce-testing functions. * Rearrange ECDSA implementation. * Split the FIPS mode PRNG lock in two. * Remove legacy vs_toolchain.py environment variable. * runner: Rename 'masterSecret' on session objects to plain 'secret'. * Test ECDSA signing is non-deterministic. * acvp: split ACVP modulewrapper for reuse by Trusty * No-op CL to trigger some builds. * Use CIPD Go packages. * Update CMake on the bots and switch to CIPD where available. * Future-proof vs_toolchain.py for VS2019. 
* Revert "Revert "Disable check that X.509 extensions implies v3."" * Update Clang and Go on the bots. * Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create. * Don't overflow the output length in EVP_CipherUpdate calls. Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds. * Remove X509_issuer_and_serial_hash. Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841. * Fix Bazel build breakage. * Specify VS toolchain by command-line argument. * Update Android Bazel build support in BUILD.toplevel. * Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback. Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values. * acvp: detect header element in JSON. * Align the ARM capability functions. * Skip runtime NEON checks if __ARM_NEON is defined. Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected. * acvp: don't include CMAC-AES in regcap dump. * acvp: fix CMAC verify * Include bn/internal.h for non-bcm.c builds. * Add various function calls to test_fips. * Add missing include to self_check.c. * Revert "Disable check that X.509 extensions implies v3." * Fix TLS13SessionID-TLS13 test. Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases Change-Id: I894552c1cfb97c327808e9cdadcc7e6a7b1874e2
2021-07-21Revert "external/boringssl: Sync to 897a2ca3f184b34278641138c726ef902ab1fab2."Pete Bentley
This reverts commit a769e3be7b5b02e3a0ee4043b6642ab0361a1420. Reason for revert: Breaks x86 builds: b/194262305 Change-Id: I9074b7d01972b3f1162eb3ece0a591077d0b3451
2021-07-20external/boringssl: Sync to 897a2ca3f184b34278641138c726ef902ab1fab2.Pete Bentley
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..897a2ca3f184b34278641138c726ef902ab1fab2 * Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY. * Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs. * Always have CRYPTO_sysrand_for_seed. * hrss: use less stack space. * Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead. * Make X509_CRL opaque. Update-Note: Use accessors instead. * Switch another malloc to bssl::Array. * Add a pointer alignment helper function. * Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct. * Fix sign bit in BN_div if numerator and quotient alias. * Handle the server case in SSL_get0_ech_name_override. * Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers. * Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function. * Document a batch of extension-related functions in x509.h. * conf: fix getting keys from the default section. * conf: don't crash when parsing. * Add some OpenSSL compatibility aliases. * Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors. * Rename asn1_locl.h to internal.h. * Update hpke_test.go. * Decorate x509v3_a2i_ipadd declaration as its definition. * SHA-256 is used on AArch64, even if NO_ASM. * swtb is another AArch64 magic tweak. * Implement ClientHelloOuter handshakes. * runner: Add a convenience function for base64 flags. * Reduce bouncing on the cache lock in ssl_update_cache. Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.) * Only clear not_resumable after the handshake. * runner: Test that clients actually use renewed tickets. * runner: Clean up test logic. * runner: Fix process exit timeout. 
* Remove old ASN.1 SET macros. * Document some ASN1_INTEGER and ASN1_ENUMERATED functions. * Document ASN1_STRING_to_UTF8. * Const-correct ASN1_item_verify a bit more. * Compute ASN.1 BIT STRING sizes more consistently. * Remove lh_FOO_doall. * Prefix internal LHASH functions. * Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation. * Rename t1_lib.cc to extensions.cc. * Prefix and unexport a2i_ipadd. * Fix a -Wdeprecated-copy warning. * Validate ECH public names. * Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM. * Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly. * Move crypto/x509/vpm_int.h into internal.h. * Reformat x509_vfy.h and convert comments. * Reland "Add util/fetch_ech_config_list.go" * Revert "Add util/fetch_ech_config_list.go" * Add util/fetch_ech_config_list.go * More reliably report handshake errors through SSL_write. * Add an option to permute ClientHello extension order. * runner: Check the test name against the protocol being tested. * Remove outdated comment in primality testing. * Add most of an ECH client implementation. * Add a basic API to make ECHConfigs. * Make ECH server APIs take EVP_HPKE_KEY. * Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS. * runner: Self-check tests more accurately and earlier. * Don't pad the second ClientHello. * Fix ext_pre_shared_key_clienthello_length calculation. * Tidy up the PSK binder logic. * Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext. * Shift some complexity out of ssl_add_clienthello_tlsext. * Add a note about extension callback names. * Add move support to EVP_MD_CTX. * Replace hs->needs_psk_binder with an output parameter. * Make add_clienthello callbacks const. * Fix documentation typo. * Compute the ECH GREASE payload outside of the callbacks. 
* Pick up the GREASE ECH config ID from grease_seed. * Initialize grease_seed on construction. * Remove the extension init hook. * Move key_share computation out of ClientHello callbacks. * Release some temporaries outside of ClientHello callbacks. * Move the early_data_{offered,reason} logic out of extension callbacks. * Implement a handshake hint for certificate compression. * runner: Implement ECH server for testing. * runner: Parse the status_request extension more strictly. * runner: Make echIsInner a boolean. * runner: Revise ECHConfig type in preparation for client implementation * Fix ECH-Server-RepeatedConfigID test. * Add SSL_ech_accepted API and ech_is_required alerts. * Reject the ECH extension in TLS 1.2 ServerHello. * Move ECH-related APIs to encrypted_client_hello.cc. * Const-correct message creation hooks. * Remove the Channel ID callback. Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server. * Manage Channel ID handshake state better. Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this. * DTLS-SRTP is only defined for DTLS. * Remove impossible ssl->s3 null check. * fix #415: Perl scripts fail when building from a path with spaces * Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001). Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef. * Add compatibility impl for EVP_PKEY_get0 * Make md32_common.h single-included and use an unsized helper for SHA-256. * Pull HASH_TRANSFORM out of md32_common.h. 
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles.
  Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation.
  Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque.
  Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently.
  Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque.
  Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs.
  Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants.
  Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions.
  Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs.
  Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque.
  Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque.
  Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER.
  Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos.
  Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants.
  Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available.
  Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions.
  Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs.
  Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque.
  Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts.
  Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this.
* Remove X509_REQ_to_X509.
  Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match.
  Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX.
  Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls.
  Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds.
* Remove X509_issuer_and_serial_hash.
  Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841.
* Fix Bazel build breakage.
* Specify VS toolchain by command-line argument.
* Update Android Bazel build support in BUILD.toplevel.
* Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback.
  Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values.
* acvp: detect header element in JSON.
* Align the ARM capability functions.
* Skip runtime NEON checks if __ARM_NEON is defined.
  Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected.
* acvp: don't include CMAC-AES in regcap dump.
* acvp: fix CMAC verify
* Include bn/internal.h for non-bcm.c builds.
* Add various function calls to test_fips.
* Add missing include to self_check.c.
* Revert "Disable check that X.509 extensions implies v3."
* Fix TLS13SessionID-TLS13 test.

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I86bd269475ed5598d81787e7ecfec010c4a128fa
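The "Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos" entry above describes the failure mode: a malformed protocol list used to be accepted and sent on the wire, where the peer would reject the whole handshake. The following is an added example, written for this page and not BoringSSL's own code, of the wire-format check such a setter has to perform on the RFC 7301 ProtocolNameList body (a run of one-byte-length-prefixed names, each 1 to 255 bytes, nothing truncated). The helper names alpn_protos_valid and alpn_protos_build are hypothetical; the sample inputs are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not BoringSSL code): return 1 if protos is a
 * well-formed ALPN protocol list in the format SSL_CTX_set_alpn_protos
 * takes, i.e. a sequence of <1-byte length><name> entries where every name
 * is 1..255 bytes, no entry is cut short, and the whole list fits the
 * extension's 16-bit length field. Return 0 otherwise. */
int alpn_protos_valid(const uint8_t *protos, size_t protos_len) {
  size_t i = 0;

  if (protos == NULL || protos_len == 0 || protos_len > 0xffff) {
    return 0;
  }
  while (i < protos_len) {
    size_t name_len = protos[i];
    /* A zero-length name is forbidden by RFC 7301 and leaves the peer
     * unable to parse the list, which is the silent failure the
     * Update-Note describes. */
    if (name_len == 0) {
      return 0;
    }
    /* The name must fit in what remains after its length byte; i < protos_len
     * here, so the subtraction cannot wrap. */
    if (name_len > protos_len - i - 1) {
      return 0;
    }
    i += 1 + name_len;
  }
  return 1;
}

/* Hypothetical helper: encode NUL-terminated names into the list format.
 * Returns the encoded length, or 0 if a name is empty, longer than 255
 * bytes, or the output buffer is too small. */
size_t alpn_protos_build(const char *const *names, size_t n_names,
                         uint8_t *out, size_t out_len) {
  size_t pos = 0;
  for (size_t k = 0; k < n_names; k++) {
    size_t name_len = strlen(names[k]);
    if (name_len == 0 || name_len > 255 || out_len - pos < 1 + name_len) {
      return 0;
    }
    out[pos++] = (uint8_t)name_len;
    memcpy(out + pos, names[k], name_len);
    pos += name_len;
  }
  return pos;
}

int main(void) {
  /* Constructed sample: a correctly built list for h2 and http/1.1. */
  static const char *const names[] = {"h2", "http/1.1"};
  uint8_t buf[64];
  size_t len = alpn_protos_build(names, 2, buf, sizeof(buf));
  printf("built %zu bytes, valid=%d\n", len, alpn_protos_valid(buf, len));

  /* Constructed sample: length byte claims 5 bytes but only "h2" follows. */
  static const uint8_t truncated[] = {0x05, 'h', '2'};
  printf("truncated valid=%d\n",
         alpn_protos_valid(truncated, sizeof(truncated)));
  return 0;
}
```

The same walk is what a server does when it reads the extension, so a list that passes this check is one the peer can actually parse; anything else is better rejected at set time than sent.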
2020-03-02  external/boringssl: Sync to 2fb729d4f36beaf263ad85e24a790b571652679c.  Tobias Thierer
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/7f02881e96e51f1873afcf384d02f782b48967ca..2fb729d4f36beaf263ad85e24a790b571652679c

Test: atest CtsLibcoreTestCases
Change-Id: I46a15a7bae971f16f957b04bcbb771a6936d5c1b
2018-04-16  external/boringssl: Sync to 9f0e7cb314ae64234b928fd379381ae9760a9a5f.  Robert Sloan
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/f11ea19043f2b3ee42e4a76d0645914347e1a36e..9f0e7cb314ae64234b928fd379381ae9760a9a5f

Test: BoringSSL CTS Presubmits.
Change-Id: I9296845fe9db4baae2afc03328c5bc17f76a752f
2018-04-03  external/boringssl: Sync to ba9da449a4bf5b90cd020807f2c4176e3ab6fe3e.  Robert Sloan
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/d89d65ba12e28e543df4fd9dfbc687bb8be1dba7..ba9da449a4bf5b90cd020807f2c4176e3ab6fe3e

Test: BoringSSL CTS Presubmits.
Change-Id: Id99aa90153bb7fc37270e9c58d406e5d8c7c44d3
2018-03-26  external/boringssl: Sync to d89d65ba12e28e543df4fd9dfbc687bb8be1dba7.  Robert Sloan
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/45210dd4e21ace9d28cb76b3f83303fcdd2efcce..d89d65ba12e28e543df4fd9dfbc687bb8be1dba7

Test: BoringSSL CTS Presubmits.
Change-Id: I2dc13b549eac1f345553da07b7fb66824fc77204
2017-10-30  external/boringssl: Sync to ba94746eb2b4b59a0eb72047e4ca2d2d54454c87.  Robert Sloan
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/7f8c553d7f4db0a6ce727f2986d41bf8fe8ec4bf..ba94746eb2b4b59a0eb72047e4ca2d2d54454c87

Test: BoringSSL CTS Presubmits
Change-Id: I5283ca8ec80f4abbc2543fece2ecf2b33240c6e4
2017-01-09  external/boringssl: Sync to 9c33ae85621ef8e00a42309b5101e0bedd02b816.  android-n-mr2-preview-1  Robert Sloan
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/629db8cd0c84628e37aa81242b5b07fec7602f55..9c33ae85621ef8e00a42309b5101e0bedd02b816

Bug: 33622440
Test: BoringSSL tests
Change-Id: I20da15ad995a620b6b2f08db20c77ebd0f05ca10
2016-10-19  external/boringssl: Sync to 3ef7697ed30f28367395a5aafb57a12a19906d96.  David Benjamin
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/3cbdc34619daafb9f8527fb9dd27afc8ee7dcf19..3ef7697ed30f28367395a5aafb57a12a19906d96

This also updates the UPDATING script to create the git commit automatically.

Test: make checkbuild
Test: cts-tradefed run cts -m CtsLibcoreOkHttpTestCases -a arm64-v8a
Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a
Change-Id: I9e785971e5be19daf29697f010c3ae4e1ca70b04
2016-10-10  external/boringssl: Sync to 3cbdc346.  android-n-mr1-preview-2 android-n-mr1-preview-1  Steven Valdez
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/e34bcc91c07c0bf65ecc53a814d51f5246007150..3cbdc34619daafb9f8527fb9dd27afc8ee7dcf19

This removes android_compat_keywrap.c, as these APIs are now provided natively by BoringSSL.

Test: cts-tradefed run cts -m CtsLibcoreTestCases -m CtsLibcoreOkHttpTestCases -a arm64-v8a
Change-Id: I29bce93c45eb5b80fa739667bf6e357e0af03b7f
2016-04-29  external/boringssl: Sync to d18cb77.  David Benjamin
This includes the following changes which are far too many to list here:
https://boringssl.googlesource.com/boringssl/+log/7b8b9c17db93ea5287575b437c77fb36eeb81b31..d18cb77864dcc4b5c7cb08c2331008c01165f34f

This also retires one function from android_compat_hacks.c which is no longer necessary.

Change-Id: Ie00536d7ad815464b2b031f7bcd1b683e12c1623
2015-05-12  external/boringssl: bump revision.  Adam Langley
This change bumps the BoringSSL revision to the current tip-of-tree.

Change-Id: I91d5bf467e16e8d86cb19a4de873985f524e5faa
2015-01-30  Initial commit of BoringSSL for Android.  Adam Langley