This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/a9670a8b476470e6f874fef3554e8059683e1413..345c86b1cfcc478a71a9a71f0206893fd16ae912
* Switch CRYPTO_BUFFER_POOL to SipHash-2-4.
* LSC: Apply clang-tidy's modernize-use-bool-literals to boringssl
* Fix mac_arm64 builder.
* Put Rust binding generation behind an explicit flag and only build bindings for the targeted Arch
* Add ARMV8_SHA512 detection for Fuchsia.
Update-Note: This CL is written assuming we can just rely on the SDK
changes. Per go/fuchsia-sdk-age, this seems fairly safe. If this file
fails to build due to missing symbols, update your project's Fuchsia
SDK. If this blocks something, let us know.
* Generates "low-level" bindings for Rust using bindgen
* Add note about Gerrit account creation
* Make EVP_AEAD_CTX_free accept NULL.
* Zero out the values from the integrity check.
* Ignore duplicates in |X509_STORE_add_*|
* Don't #include "internal.h" twice.
* Version bump: 2 -> 3.
* Simplify __ARM_ARCH__ definition.
Update-Note: ARM assembly now requires the compiler define __ARM_ARCH.
This is not expected to break Clang or GCC from the last 8 or 9 years.
* Don't use __ARMEL__/__ARMEB__ in aarch64 assembly
* Switch __ARM_FEATURE_CRYPTO to __ARM_FEATURE_{AES,SHA2}.
* Move CPU detection symbols to crypto/internal.h.
* Move public APIs from cpu.h to crypto.h.
Update-Note: As part of this, I conditioned cpu-arm-linux.c on
OPENSSL_LINUX, so that the header files can have accurate conditions.
This means unrecognized ARM platforms that do not set
OPENSSL_STATIC_ARMCAP will fail to build, where previously we defaulted
to the Linux mechanisms. This matches cpu-aarch64-linux.c, which is
already gated on OPENSSL_LINUX. (And the file is quite Linux-specific.
Even if a non-Linux ELF target used getauxval for ARM capabilities, it's
unlikely that our hardcoded constants and /proc behavior applies
anyway.)
* Rename CPU feature files with underscores.
* Enable SHA-512 ARM acceleration when available.
Update-Note: Consumers with a different build setup may need to
limit -D_XOPEN_SOURCE=700 to Linux or non-Apple platforms. Otherwise,
<sys/types.h> won't define some typedef needed by <sys/sysctl.h>. If you
see a build error about u_char, etc., being undefined in some system
header, that is probably the cause.
* Sync sha512-armv8.pl up to 753316232243ccbf86b96c1c51ffcb41651d9ad5.
* Import sha512-armv8.pl transforms from upstream NEON code.
* Import a few test vectors from OpenSSL.
* Use uint16_t in TestConfig and enable -Wformat-signedness.
* Reorder flags to match TestConfig struct.
* Rewrite bssl_shim command-line parser.
* Fix X509_CRL_print error-handling.
* Silence -Wformat-signedness when printing X.509 versions.
* Don't print small, negative serial numbers in decimal.
* Fix the easy -Wformat-signedness errors.
* Add BIO_tell and BIO_seek wrappers.
* Remove non-standard wildcard input DNS names.
Update-Note: ".example.com" as an input DNS name will no longer match
"www.example.com" in a certificate. (Note this does not impact wildcard
certificates. Rather, it removes a non-standard "reverse wildcard" that
OpenSSL implemented.)
* Rewrite X.509 name-matching tests.
* Remove non-standard X.509 DNS wildcard matching.
Update-Note: BoringSSL will no longer accept wildcard patterns like
*www.example.com or www*.example.com. (It already did not accept
ww*w.example.com.) X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS will also be
ignored and can no longer be used to allow foo.bar.example.com to match
*.example.com.
* Make X509_REVOKED opaque.
Update-Note: Use X509_REVOKED accessors rather than reaching into the
struct.
* Document |SSL_set1_host| return values.
* Add |SSL_set1_host| and |SSL_set_hostflags|.
* Add ERR_set_error_data for compatibility.
* Add BN_GENCB_new, BN_GENCB_free, and RSA_test_flags.
* Remove X509_REVOKED.sequence.
* Binary tag bump: 1 -> 2
* Export PKCS12_DEFAULT_ITER.
* Add SSL_has_pending.
* Update HPKE test vectors.
* Add various OpenSSL compatibility functions.
* Add PKCS7_bundle_raw_certificates function which takes CRYPTO_BUFFERs
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I6348ef26c5afb28e09132acd267be700de379cc8
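The two DNS-name notes in the commit above (dropping the leading-dot "reverse wildcard" and dropping partial or multi-label wildcards) describe a concrete matching rule. As an added illustration, not code from BoringSSL or from this commit, here is a small C matcher that enforces that rule on constructed names; beyond what the notes state, it assumes that at least two labels must follow the wildcard label.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two byte ranges of equal length. */
static bool label_eq(const char *a, const char *b, size_t n) {
  for (size_t i = 0; i < n; i++) {
    if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) {
      return false;
    }
  }
  return true;
}

/* Accept a certificate name only if any '*' forms the entire leftmost label
 * ("*.example.com"). "*www.example.com", "www*.example.com" and
 * "ww*w.example.com" are all rejected. A non-wildcard name is always fine. */
static bool valid_wildcard_pattern(const char *pattern) {
  const char *star = strchr(pattern, '*');
  if (star == NULL) return true;                        /* plain name */
  if (star != pattern) return false;                    /* "www*.example.com" */
  if (pattern[1] != '.') return false;                  /* "*www.example.com" */
  if (strchr(pattern + 1, '*') != NULL) return false;   /* a second '*' */
  /* Count the labels after "*." and require each to be non-empty. */
  size_t labels = 0;
  const char *p = pattern + 2;
  while (*p != '\0') {
    const char *dot = strchr(p, '.');
    size_t len = dot ? (size_t)(dot - p) : strlen(p);
    if (len == 0) return false;
    labels++;
    if (dot == NULL) break;
    p = dot + 1;
  }
  return labels >= 2;  /* assumed rule for this example: "*.com" is rejected */
}

/* Match a certificate DNS name (pattern) against a reference hostname.
 * The wildcard matches exactly one label, so "foo.bar.example.com" does not
 * match "*.example.com", and a leading-dot reference name such as
 * ".example.com" has no special meaning and simply fails to match. */
bool dns_name_matches(const char *pattern, const char *host) {
  if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0') {
    return false;
  }
  if (strchr(host, '*') != NULL) return false;   /* hostnames never contain '*' */
  if (!valid_wildcard_pattern(pattern)) return false;
  if (pattern[0] != '*') {
    size_t n = strlen(host);
    return strlen(pattern) == n && label_eq(pattern, host, n);
  }
  /* Wildcard: the host's first label must be non-empty and the remainder
   * (from its first dot onward) must equal the pattern's ".suffix". */
  const char *host_dot = strchr(host, '.');
  if (host_dot == NULL || host_dot == host) return false;
  const char *suffix = pattern + 1;              /* ".example.com" */
  size_t slen = strlen(suffix);
  return strlen(host_dot) == slen && label_eq(suffix, host_dot, slen);
}

/* Constructed sample cases mirroring the Update-Notes. */
int main(void) {
  const char *cases[][2] = {
      {"*.example.com", "www.example.com"},       /* match */
      {"*.example.com", "foo.bar.example.com"},   /* multi-label: no match */
      {"*www.example.com", "xwww.example.com"},   /* partial wildcard: no match */
      {"www*.example.com", "wwwx.example.com"},   /* partial wildcard: no match */
      {"www.example.com", ".example.com"},        /* reverse wildcard: no match */
  };
  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
    printf("%-20s vs %-22s -> %s\n", cases[i][0], cases[i][1],
           dns_name_matches(cases[i][0], cases[i][1]) ? "match" : "no match");
  }
  return 0;
}
```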
This change re-lands https://r.android.com/1834454 by reverting https://r.android.com/1842042 with no changes.
Revert was due to a vendor copy of wpa_supplicant needing the same changes as https://r.android.com/1835013; this is now done, and I verified that it builds correctly against this version of BoringSSL.
This CL includes the following upstream changes:
https://boringssl.googlesource.com/boringssl/+log/c1571feb5faf5cce844354c63d0f3e842464bea3..66e61c577d39e757bf491468f651461fa79fd5e1
* Allow PKCS7_sign to work for signing kernel modules.
* Speed up constant-time base64 decoding.
* Unwind remnants of ASN1_TFLG_NDEF.
* acvptool: add CS3 support.
* Ignore SIGPIPE in the bssl tool.
* Add FIPS counters for AES-GCM in EVP_AEAD.
* Refresh fuzzer corpus for ECH draft-13.
* Fix the TLS fuzzers for ECH draft-13.
* Clarify that TLS sessions are not application sessions.
* Fix BN_prime_checks_for_validation to align with false-positive rate.
* Add maskHash to RSA_PSS_PARAMS for compat
* Remove ASN1_OP_I2D_* callbacks.
* Don't read it->funcs without checking it->itype.
* Reject missing required fields in i2d functions.
Update-Note: Structures with missing mandatory fields can no longer be
encoded. Note that, apart from the cases already handled by preceding
CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main
downstream impact I've seen of this particular change is in combination
with other bugs. Consider a caller that does:
* Reject -1 types in ASN1_TYPE and MSTRINGs when encoding.
Update-Note: A default-constructed object with a required ANY or
string-like CHOICE field cannot be encoded until the field is specified.
Note this affects i2d_X509: notBefore and notAfter are string-like
CHOICEs in OpenSSL.
* Correctly handle invalid ASN1_OBJECTs when encoding.
Update-Note: A default-constructed object with a required ASN1_OBJECT
field can no longer be encoded without initializing the ASN1_OBJECT.
Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests
that try to serialize an X509_new() must fill in all required fields.
(Production code is unlikely to be affected because the output was
unparsable anyway, while tests sometimes wouldn't notice.)
* Check for invalid CHOICE selectors in i2d functions.
Update-Note: An invalid CHOICE object (e.g. GENERAL_NAME) will now fail
when encoded, rather than be silently omitted. In particular, CHOICE
objects are default-initialized by tasn_new.c in an empty -1 state.
Structures containing a required CHOICE field can no longer be encoded
without filling in the CHOICE.
* Fix x509_name_ex_i2d error-handling.
* Correctly propagate errors in i2d functions.
Update-Note: Some error cases which were silently misinterpreted as
missing OPTIONAL elements will now cause encoding to fail.
* acvptool: add hmacDRBG support
* Check for __TRUSTY__ instead of TRUSTY.
* Update comment for ECH draft-13.
* Silence a GCC false positive warning.
* Switch to the new, simpler WHATWG URL formulation.
* Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX"
* Fix calculation of draft-13 ECH confirmation signal.
* Update to draft-ietf-tls-esni-13.
* Reword SSL_get0_ech_name_override documentation.
* Remove SSL_set_verify_result.
* Make most of crypto/x509 opaque.
Update-Note: Patch cl/390055173 into the roll that includes this. This
unexports most of the X.509 structs, aligning with OpenSSL. Use the
accessor APIs instead.
* Remove V_ASN1_APP_CHOOSE.
Update-Note: V_ASN1_APP_CHOOSE is removed. I only found one use, which
has been fixed.
* Rewrite ASN1_PRINTABLE_type and add tests.
* Include SHA512-256 in EVP_get_digestbyname and EVP_MD_do_all.
* NUL is not printable.
Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString
for strings containing NUL.
* Make RSA_check_key more than 2x as fast.
* Benchmark RSA private key parsing.
* Work around yet another MSVC 2015 SFINAE bug.
* Avoid re-hashing the transcript multiple times.
* Make ssl_parse_extensions a little easier to use.
* Deduplicate our three ServerHello parsers.
* Merge in OpenSSL's X.509 corpus.
* Run X509_print in the certificate fuzzer.
* Fix some error-handling in i2v functions.
* Fix typo.
* OPENSSL_strndup should not return NULL given {NULL, 0}.
* Rewrite name constraints matching with CBS.
* Add some tests for name constraints.
* Fix i2v_GENERAL_NAME to not assume NUL terminated strings
* Do not rely on ASN1_STRING being NUL-terminated.
* Add a CBB_add_zeros helper.
* Linkify RFCs in documentation.
* Refer to RFCs consistently.
* runner: Test session IDs over 32 bytes.
* Process the TLS 1.3 cipher suite in one place.
* Guard use of sdallocx with BORINGSSL_SDALLOCX
* Bump minimum GCC version and note impending VS2015 deprecation.
* Add Span::first() and Span::last().
* Simplify built-in BIOs slightly.
* Fix some error returns from SSL_read and SSL_write.
* Fix negative ENUMERATED values in multi-strings.
* Add a test for ASN1_mbstring_copy and clean up.
* Remove ASN1_TFLG_SET_ORDER.
* Fix ASN1_STRING_print_ex with negative integers.
* Check i2d_ASN1_TYPE's return value in ASN1_STRING_print_ex.
* Document ASN.1 printing functions.
* Move some ASN1 printing functions to crypto/asn1.
* Move a_strex.c back to asn1, split X509_NAME bits out.
* Unwind io_ch abstraction in print functions.
* Implement ASN1_STRING_print_ex_fp, etc., with file BIOs.
* Remove OPENSSL_NO_FP_API ifdefs.
* Move X509_ALGOR to x509.h.
* Unexport BIT_STRING_BITNAME.
* Unexport ub_* constants.
Update-Note: Removed some unnamespaced constants.
* Always use an ASN1_STRING_TABLE global mask of UTF8String.
Update-Note: The global mask for ASN1_STRING_set_by_NID is now always
UTF-8. Callers that want another type should reconsider and, if UTF-8 is
still unsuitable, just pass the actual desired type into
ASN1_mbstring_copy, X509_NAME_ENTRY_set_data, etc.
* Document ASN1_mbstring_copy.
* Update ghashv8-armx.pl from upstream.
* Align with upstream on 'close STDOUT' lines.
* Avoid double-expanding variables in CMake.
* Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.
* Add some tests for time_t to ASN1_TIME conversions.
* Remove ASN1_STRING_FLAG_MSTRING.
Update-Note: ASN1_STRING_FLAG_MSTRING is no longer defined and
X509_time_adj_ex now behaves more predictably. Callers that actually
wanted to lock to a specific type should call ASN1_UTCTIME_adj or
ASN1_GENERALIZEDTIME_adj instead.
* Document another batch of functions.
* Clarify BIO_new_mem_buf's lifetime rules.
* generate_ech.cc: include needed headers
* Don't overread in poly_Rq_mul
* acvp: recognise another style of JSON.
* Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""
Change-Id: I5fe21e26f701feb315aceb86684b5bc1ee327669
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Revert submission 1835013-bssl_update_sep2021
Reason for revert: DroidMonitor: Potential culprit for Bug 201683809 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
I27d7b79e3:Fix wpa_supplicant build with newer BoringSSL
I4f2228ef8:external/boringssl: Sync to 66e61c577d39e757bf4914...
Change-Id: If2184c4aa55b7dc89e037362e4d5cbbea1107ae2
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/c1571feb5faf5cce844354c63d0f3e842464bea3..66e61c577d39e757bf491468f651461fa79fd5e1
* Allow PKCS7_sign to work for signing kernel modules.
* Speed up constant-time base64 decoding.
* Unwind remnants of ASN1_TFLG_NDEF.
* acvptool: add CS3 support.
* Ignore SIGPIPE in the bssl tool.
* Add FIPS counters for AES-GCM in EVP_AEAD.
* Refresh fuzzer corpus for ECH draft-13.
* Fix the TLS fuzzers for ECH draft-13.
* Clarify that TLS sessions are not application sessions.
* Fix BN_prime_checks_for_validation to align with false-positive rate.
* Add maskHash to RSA_PSS_PARAMS for compat
* Remove ASN1_OP_I2D_* callbacks.
* Don't read it->funcs without checking it->itype.
* Reject missing required fields in i2d functions.
Update-Note: Structures with missing mandatory fields can no longer be
encoded. Note that, apart from the cases already handled by preceding
CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main
downstream impact I've seen of this particular change is in combination
with other bugs. Consider a caller that does:
* Reject -1 types in ASN1_TYPE and MSTRINGs when encoding.
Update-Note: A default-constructed object with a required ANY or
string-like CHOICE field cannot be encoded until the field is specified.
Note this affects i2d_X509: notBefore and notAfter are string-like
CHOICEs in OpenSSL.
* Correctly handle invalid ASN1_OBJECTs when encoding.
Update-Note: A default-constructed object with a required ASN1_OBJECT
field can no longer be encoded without initializing the ASN1_OBJECT.
Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests
that try to serialize an X509_new() must fill in all required fields.
(Production code is unlikely to be affected because the output was
unparsable anyway, while tests sometimes wouldn't notice.)
* Check for invalid CHOICE selectors in i2d functions.
Update-Note: An invalid CHOICE object (e.g. GENERAL_NAME) will now fail
when encoded, rather than be silently omitted. In particular, CHOICE
objects are default-initialized by tasn_new.c in an empty -1 state.
Structures containing a required CHOICE field can no longer be encoded
without filling in the CHOICE.
* Fix x509_name_ex_i2d error-handling.
* Correctly propagate errors in i2d functions.
Update-Note: Some error cases which were silently misinterpreted as
missing OPTIONAL elements will now cause encoding to fail.
* acvptool: add hmacDRBG support
* Check for __TRUSTY__ instead of TRUSTY.
* Update comment for ECH draft-13.
* Silence a GCC false positive warning.
* Switch to the new, simpler WHATWG URL formulation.
* Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX"
* Fix calculation of draft-13 ECH confirmation signal.
* Update to draft-ietf-tls-esni-13.
* Reword SSL_get0_ech_name_override documentation.
* Remove SSL_set_verify_result.
* Make most of crypto/x509 opaque.
Update-Note: Patch cl/390055173 into the roll that includes this. This
unexports most of the X.509 structs, aligning with OpenSSL. Use the
accessor APIs instead.
* Remove V_ASN1_APP_CHOOSE.
Update-Note: V_ASN1_APP_CHOOSE is removed. I only found one use, which
has been fixed.
* Rewrite ASN1_PRINTABLE_type and add tests.
* Include SHA512-256 in EVP_get_digestbyname and EVP_MD_do_all.
* NUL is not printable.
Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString
for strings containing NUL.
* Make RSA_check_key more than 2x as fast.
* Benchmark RSA private key parsing.
* Work around yet another MSVC 2015 SFINAE bug.
* Avoid re-hashing the transcript multiple times.
* Make ssl_parse_extensions a little easier to use.
* Deduplicate our three ServerHello parsers.
* Merge in OpenSSL's X.509 corpus.
* Run X509_print in the certificate fuzzer.
* Fix some error-handling in i2v functions.
* Fix typo.
* OPENSSL_strndup should not return NULL given {NULL, 0}.
* Rewrite name constraints matching with CBS.
* Add some tests for name constraints.
* Fix i2v_GENERAL_NAME to not assume NUL terminated strings
* Do not rely on ASN1_STRING being NUL-terminated.
* Add a CBB_add_zeros helper.
* Linkify RFCs in documentation.
* Refer to RFCs consistently.
* runner: Test session IDs over 32 bytes.
* Process the TLS 1.3 cipher suite in one place.
* Guard use of sdallocx with BORINGSSL_SDALLOCX
* Bump minimum GCC version and note impending VS2015 deprecation.
* Add Span::first() and Span::last().
* Simplify built-in BIOs slightly.
* Fix some error returns from SSL_read and SSL_write.
* Fix negative ENUMERATED values in multi-strings.
* Add a test for ASN1_mbstring_copy and clean up.
* Remove ASN1_TFLG_SET_ORDER.
* Fix ASN1_STRING_print_ex with negative integers.
* Check i2d_ASN1_TYPE's return value in ASN1_STRING_print_ex.
* Document ASN.1 printing functions.
* Move some ASN1 printing functions to crypto/asn1.
* Move a_strex.c back to asn1, split X509_NAME bits out.
* Unwind io_ch abstraction in print functions.
* Implement ASN1_STRING_print_ex_fp, etc., with file BIOs.
* Remove OPENSSL_NO_FP_API ifdefs.
* Move X509_ALGOR to x509.h.
* Unexport BIT_STRING_BITNAME.
* Unexport ub_* constants.
Update-Note: Removed some unnamespaced constants.
* Always use an ASN1_STRING_TABLE global mask of UTF8String.
Update-Note: The global mask for ASN1_STRING_set_by_NID is now always
UTF-8. Callers that want another type should reconsider and, if UTF-8 is
still unsuitable, just pass the actual desired type into
ASN1_mbstring_copy, X509_NAME_ENTRY_set_data, etc.
* Document ASN1_mbstring_copy.
* Update ghashv8-armx.pl from upstream.
* Align with upstream on 'close STDOUT' lines.
* Avoid double-expanding variables in CMake.
* Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.
* Add some tests for time_t to ASN1_TIME conversions.
* Remove ASN1_STRING_FLAG_MSTRING.
Update-Note: ASN1_STRING_FLAG_MSTRING is no longer defined and
X509_time_adj_ex now behaves more predictably. Callers that actually
wanted to lock to a specific type should call ASN1_UTCTIME_adj or
ASN1_GENERALIZEDTIME_adj instead.
* Document another batch of functions.
* Clarify BIO_new_mem_buf's lifetime rules.
* generate_ech.cc: include needed headers
* Don't overread in poly_Rq_mul
* acvp: recognise another style of JSON.
* Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I4f2228ef815ded0599322186ab7bad49ab1bb5af
Re-lands https://r.android.com/1774909
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91
* Add 'generate-ech' command to bssl tool
* Don't enable atomics in NO_THREADS configurations.
* Check strtoul return for overflow error in GetUnsigned()
* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque.
Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque.
Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY.
Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID.
Update-Note: The return value convention of some functions was
simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ.
Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of
this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque.
Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache.
Update-Note: This reshuffles some locks around the session cache.
(Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH.
Update-Note: BoringSSL no longer provides a general-purpose hash table
to callers. Use the language's standard library, or another
implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque.
Update-Note: Use setters instead of configuring X509_VERIFY_PARAM
directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback.
Update-Note: SSL_CTX_set_channel_id_cb is removed.
SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client,
only as a server.
* Manage Channel ID handshake state better.
Update-Note: SSL_get_tls_channel_id will no longer return all zeros
during the handshake or on the client. I did not find any callers
relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001).
Update-Note: QUIC APIs now default to the standard code point rather
than the draft one. QUICHE has already been calling
SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once
callers implementing the draft versions cycle out, we can then drop
SSL_set_quic_use_legacy_codepoint altogether. I've also bumped
BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles.
Update-Note: The change to the return type isn't quite compatible, but I
only found one caller of this function, which has since been fixed. (If
we need to return a non-const value for compatibility, we can do that
and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation.
Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque.
Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use
accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently.
Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque.
Update-Note: Direct access of these structs should be replaced by
accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs.
Update-Note: It is no longer the case that constructing a PKCS#7 file
and parsing them back out will keep the certificates and CRLs in the
same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants.
Update-Note: This renames some BoringSSL-specific constants that we
recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions.
Update-Note: X509_get_cert_info, X509_CINF_set_modified, and
X509_CINF_get_signature are removed. I believe all callers have been
updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and
X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs.
Update-Note: Given OpenSSL hasn't accepted these for five years, it's
unlikely anything depends on it. If something breaks, we can revert this
and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty
X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque.
Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with
one of the accessors. I couldn't find any direct accesses, so hopefully
this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque.
Update-Note: Direct accesses of X509_PUBKEY should be replaced with one
of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER.
Update-Note: Callers setting ASN1_BOOLEANs to a positive value other
than 0xff will now encode 0xff. This probably fixes a bug, but if anyone
was attaching significance to incorrectly-encoded booleans, that will
break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos.
Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now
reject invalid inputs. Previously, they would accept them, but silently
send an invalid ALPN extension which the server would almost certainly
error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants.
Update-Note: There is a small chance the asserts will trip something,
but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available.
Update-Note: If something fails to compile, we'll revert this and adjust
the check, or add an opt-out, or give up. Also, if building with
-std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions.
Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs.
Update-Note: The change to OBJ_nid2obj should be compatible. The changes
to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some
pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque.
Update-Note: I believe this is now safe to do. If there are compile
failures, switch to X509_get0_notBefore, X509_getm_notBefore, and
X509_set1_notBefore, or revert this if I'm wrong and too many callers
still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts.
Update-Note:
https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these
functions a no-op, but we kept them around because there were still some
call sites floating around. That code has since been updated, so we can
remove this.
* Remove X509_REQ_to_X509.
Update-Note: This removes a function that appears to be unused. It also
hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match.
Update-Note: Invalid CRLs with inconsistent inner and outer signature
algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX.
Update-Note: It doesn't look like anyone is reading into this field. If
they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls.
Update-Note: Passing extremely large input lengths into EVP_CipherUpdate
will now fail. Use EVP_AEAD instead, which is size_t-based and has more
explicit output bounds.
* Remove X509_issuer_and_serial_hash.
Update-Note: No one uses this function. It had a NULL dereference in
some error cases. See CVE-2021-23841.
* Fix Bazel build breakage.
* Specify VS toolchain by command-line argument.
* Update Android Bazel build support in BUILD.toplevel.
* Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback.
Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the
ALPN callback will change behavior. The old behavior may be restored by
returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new
recommendations on return values.
* acvp: detect header element in JSON.
* Align the ARM capability functions.
* Skip runtime NEON checks if __ARM_NEON is defined.
Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about
30KiB of dead code, but no longer work (if they even did before) on a
particular buggy CPU. Builds without __ARM_NEON are not affected.
* acvp: don't include CMAC-AES in regcap dump.
* acvp: fix CMAC verify
* Include bn/internal.h for non-bcm.c builds.
* Add various function calls to test_fips.
* Add missing include to self_check.c.
* Revert "Disable check that X.509 extensions implies v3."
* Fix TLS13SessionID-TLS13 test.
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: Idb0a37fccba5d1c3f6a40fe91a81c5189170ed23
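The CRL change listed above ("Check the inner and outer CRL signature algorithms match") is a structural check, not a signature check: RFC 5280 requires the `signature` field inside `tbsCertList` to equal the outer `signatureAlgorithm`, and a CRL where they differ is malformed regardless of whether the signature verifies. The following is an added example in Python, not BoringSSL's own code, that walks a DER `CertificateList` with a small TLV reader and compares the two `AlgorithmIdentifier`s byte-for-byte. The sample CRLs are constructed inline (the issuer name, times and a zero-filled placeholder signature are made up; the OIDs are the standard sha256WithRSAEncryption, sha1WithRSAEncryption and commonName values), so nothing here is real CA output and no signature is verified.

```python
"""Consistency check between a CRL's inner and outer signature algorithms.

Added example, not BoringSSL code. A minimal DER walker is run over a
CertificateList constructed inline; signature verification is out of scope.
"""

SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17)


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a minimal definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, raw_tlv, body, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    hdr = 2
    if first < 0x80:
        n = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 2 or pos + 2 + nbytes > len(buf):
            raise ValueError("unsupported or truncated length")
        n = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
        if n < 0x80 or (nbytes == 2 and n < 0x100):
            raise ValueError("non-minimal DER length")
    end = pos + hdr + n
    if end > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:end], buf[pos + hdr:end], end


def children(body: bytes):
    """Yield (tag, raw_tlv, inner_body) for each element of a constructed body."""
    pos = 0
    while pos < len(body):
        tag, raw, inner, pos = read_tlv(body, pos)
        yield tag, raw, inner


def crl_signature_algorithms_match(crl_der: bytes) -> bool:
    """True iff tbsCertList.signature == CertificateList.signatureAlgorithm.

    Both AlgorithmIdentifiers are compared as raw DER, so a parameters
    mismatch (NULL vs absent) is reported as inconsistent too.
    """
    tag, _raw, body, end = read_tlv(crl_der, 0)
    if tag != SEQUENCE or end != len(crl_der):
        raise ValueError("CertificateList must be a single SEQUENCE")
    parts = list(children(body))
    if [p[0] for p in parts] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise ValueError("unexpected CertificateList structure")
    tbs_body, outer_alg = parts[0][2], parts[1][1]
    tbs = list(children(tbs_body))
    if tbs and tbs[0][0] == INTEGER:  # optional version field (v2)
        tbs = tbs[1:]
    if not tbs or tbs[0][0] != SEQUENCE:
        raise ValueError("tbsCertList.signature missing")
    inner_alg = tbs[0][1]
    return inner_alg == outer_alg


# Constructed sample CRLs (not real CA output; the signature is a placeholder).
SHA256_WITH_RSA = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D01010B")) + der(NULL, b""))
SHA1_WITH_RSA = der(SEQUENCE, der(OID, bytes.fromhex("2A864886F70D010105")) + der(NULL, b""))


def build_crl(inner_alg: bytes, outer_alg: bytes) -> bytes:
    """Assemble a minimal v2 CertificateList with the given AlgorithmIdentifiers."""
    issuer = der(SEQUENCE, der(SET, der(SEQUENCE,
                 der(OID, bytes.fromhex("550403")) + der(UTF8STRING, b"Test CA"))))
    this_update = der(UTCTIME, b"210101000000Z")
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + inner_alg + issuer + this_update)
    placeholder_sig = der(BIT_STRING, b"\x00" + b"\x00" * 32)
    return der(SEQUENCE, tbs + outer_alg + placeholder_sig)


CONSISTENT_CRL = build_crl(SHA256_WITH_RSA, SHA256_WITH_RSA)
MISMATCHED_CRL = build_crl(SHA256_WITH_RSA, SHA1_WITH_RSA)

if __name__ == "__main__":
    print("consistent:", crl_signature_algorithms_match(CONSISTENT_CRL))
    print("mismatched:", crl_signature_algorithms_match(MISMATCHED_CRL))
```

Run this check before signature verification: a verifier that hashes with the outer algorithm but signs over a tbsCertList that claims a different one is exactly the ambiguity the check removes.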
|
|
This reverts commit d03f4c0ac5663fb300b1f40f1059c4194dd0652a.
Reason for revert: Investigating b/194282044
Change-Id: I168d73caae2cbc83921133cd47aef37d3bce8c37
|
|
Re-lands https://r.android.com/1772605 plus three newer upstream changes.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91
* Add 'generate-ech' command to bssl tool
* Don't enable atomics in NO_THREADS configurations.
* Check strtoul return for overflow error in GetUnsigned()
* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque.
Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque.
Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY.
Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID.
Update-Note: The return value convention of some functions was
simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ.
Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of
this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque.
Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache.
Update-Note: This reshuffles some locks around the session cache.
(Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH.
Update-Note: BoringSSL no longer provides a general-purpose hash table
to callers. Use the language's standard library, or another
implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque.
Update-Note: Use setters instead of configuring X509_VERIFY_PARAM
directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback.
Update-Note: SSL_CTX_set_channel_id_cb is removed.
SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client,
only as a server.
* Manage Channel ID handshake state better.
Update-Note: SSL_get_tls_channel_id will no longer return all zeros
during the handshake or on the client. I did not find any callers
relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001).
Update-Note: QUIC APIs now default to the standard code point rather
than the draft one. QUICHE has already been calling
SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once
callers implementing the draft versions cycle out, we can then drop
SSL_set_quic_use_legacy_codepoint altogether. I've also bumped
BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles.
Update-Note: The change to the return type isn't quite compatible, but I
only found one caller of this function, which has since been fixed. (If
we need to return a non-const value for compatibility, we can do that
and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation.
Update-Note: Token binding APIs are removed.
Change-Id: Iecea7c3dcf9d3e2644a3b7afaf61511310b45d5f
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47584
Reviewed-by: Adam Langley <agl@google.com>
* Make X509_REQ and X509_REQ_INFO opaque.
Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use
accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently.
Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque.
Update-Note: Direct access of these structs should be replaced by
accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs.
Update-Note: It is no longer the case that constructing a PKCS#7 file
and parsing them back out will keep the certificates and CRLs in the
same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants.
Update-Note: This renames some BoringSSL-specific constants that we
recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions.
Update-Note: X509_get_cert_info, X509_CINF_set_modified, and
X509_CINF_get_signature are removed. I believe all callers have been
updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and
X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs.
Update-Note: Given OpenSSL hasn't accepted these for five years, it's
unlikely anything depends on it. If something breaks, we can revert this
and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty
X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque.
Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with
one of the accessors. I couldn't find any direct accesses, so hopefully
this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque.
Update-Note: Direct accesses of X509_PUBKEY should be replaced with one
of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER.
Update-Note: Callers setting ASN1_BOOLEANs to a positive value other
than 0xff will now encode 0xff. This probably fixes a bug, but if anyone
was attaching significance to incorrectly-encoded booleans, that will
break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos.
Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now
reject invalid inputs. Previously, they would accept them, but silently
send an invalid ALPN extension which the server would almost certainly
error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants.
Update-Note: There is a small chance the asserts will trip something,
but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available.
Update-Note: If something fails to compile, we'll revert this and adjust
the check, or add an opt-out, or give up. Also, if building with
-std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions.
Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs.
Update-Note: The change to OBJ_nid2obj should be compatible. The changes
to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some
pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque.
Update-Note: I believe this is now safe to do. If there are compile
failures, switch to X509_get0_notBefore, X509_getm_notBefore, and
X509_set1_notBefore, or revert this if I'm wrong and too many callers
still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts.
Update-Note:
https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these
functions a no-op, but we kept them around because there were still some
call sites floating around. That code has since been updated, so we can
remove this.
* Remove X509_REQ_to_X509.
Update-Note: This removes a function that appears to be unused. It also
hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match.
Update-Note: Invalid CRLs with inconsistent inner and outer signature
algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX.
Update-Note: It doesn't look like anyone is reading into this field. If
they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls.
Update-Note: Passing extremely large input lengths into EVP_CipherUpdate
will now fail. Use EVP_AEAD instead, which is size_t-based and has more
explicit output bounds.
* Remove X509_issuer_and_serial_hash.
Update-Note: No one uses this function. It had a NULL dereference in
some error cases. See CVE-2021-23841.
* Fix Bazel build breakage.
* Specify VS toolchain by command-line argument.
* Update Android Bazel build support in BUILD.toplevel.
* Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback.
Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the
ALPN callback will change behavior. The old behavior may be restored by
returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new
recommendations on return values.
* acvp: detect header element in JSON.
* Align the ARM capability functions.
* Skip runtime NEON checks if __ARM_NEON is defined.
Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about
30KiB of dead code, but no longer work (if they even did before) on a
particular buggy CPU. Builds without __ARM_NEON are not affected.
* acvp: don't include CMAC-AES in regcap dump.
* acvp: fix CMAC verify
* Include bn/internal.h for non-bcm.c builds.
* Add various function calls to test_fips.
* Add missing include to self_check.c.
* Revert "Disable check that X.509 extensions implies v3."
* Fix TLS13SessionID-TLS13 test.
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I894552c1cfb97c327808e9cdadcc7e6a7b1874e2
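The ALPN change in the list above ("Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos") concerns the RFC 7301 wire format: the buffer handed to those functions is a concatenation of length-prefixed protocol names, each 1 to 255 bytes, with no outer list length. The following is an added example in Python, not BoringSSL's own code, that encodes and parses that format, rejecting the inputs the library now refuses (an empty list, a zero-length name, a name whose length byte runs past the buffer) and performing a server-preference selection over a parsed client offer. The sample byte strings are constructed for the example.

```python
"""ALPN protocol list encoding, validation and selection (RFC 7301 format).

Added example, not BoringSSL code. The wire format is a sequence of
<1 length byte><name> entries with no outer length prefix.
"""

from typing import List, Optional


def encode_alpn_protos(names: List[bytes]) -> bytes:
    """Build the wire-format list; reject names that cannot be encoded."""
    out = bytearray()
    for name in names:
        if not 1 <= len(name) <= 255:
            raise ValueError("ALPN protocol name must be 1..255 bytes: %r" % name)
        out.append(len(name))
        out += name
    return bytes(out)


def parse_alpn_protos(wire: bytes) -> List[bytes]:
    """Split the wire-format list into names, rejecting malformed input."""
    if not wire:
        raise ValueError("empty ALPN protocol list")
    names, pos = [], 0
    while pos < len(wire):
        n = wire[pos]
        pos += 1
        if n == 0:
            raise ValueError("zero-length ALPN protocol name at offset %d" % (pos - 1))
        if pos + n > len(wire):
            raise ValueError("truncated ALPN protocol name at offset %d" % (pos - 1))
        names.append(wire[pos:pos + n])
        pos += n
    return names


def is_valid_alpn_protos(wire: bytes) -> bool:
    """Validation entry point: True only if the whole buffer parses cleanly."""
    try:
        parse_alpn_protos(wire)
        return True
    except ValueError:
        return False


def select_alpn(server_prefs: bytes, client_offer: bytes) -> Optional[bytes]:
    """Server-preference selection: first server protocol the client offered.

    Returns None when there is no overlap; the caller decides whether that
    means "no ALPN" or a fatal no_application_protocol alert.
    """
    offered = set(parse_alpn_protos(client_offer))
    for name in parse_alpn_protos(server_prefs):
        if name in offered:
            return name
    return None


# Constructed sample inputs.
GOOD = b"\x02h2\x08http/1.1"
ZERO_LENGTH_NAME = b"\x02h2\x00"
TRUNCATED = b"\x05h2"

if __name__ == "__main__":
    print(parse_alpn_protos(GOOD))
    for sample in (ZERO_LENGTH_NAME, TRUNCATED, b""):
        print(sample, "valid" if is_valid_alpn_protos(sample) else "rejected")
    print(select_alpn(GOOD, b"\x08http/1.1"))
```

Validate at configuration time, as the change above does, rather than when the ClientHello is built: a malformed list fails loudly where the caller can fix it instead of producing a handshake that the peer rejects.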
|
|
This reverts commit a769e3be7b5b02e3a0ee4043b6642ab0361a1420.
Reason for revert: Breaks x86 builds: b/194262305
Change-Id: I9074b7d01972b3f1162eb3ece0a591077d0b3451
|
|
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..897a2ca3f184b34278641138c726ef902ab1fab2
* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque.
Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque.
Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY.
Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID.
Update-Note: The return value convention of some functions was
simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ.
Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque.
Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache.
Update-Note: This reshuffles some locks around the session cache.
(Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH.
Update-Note: BoringSSL no longer provides a general-purpose hash table
to callers. Use the language's standard library, or another
implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque.
Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback.
Update-Note: SSL_CTX_set_channel_id_cb is removed.
SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client,
only as a server.
* Manage Channel ID handshake state better.
Update-Note: SSL_get_tls_channel_id will no longer return all zeros
during the handshake or on the client. I did not find any callers
relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001).
Update-Note: QUIC APIs now default to the standard code point rather
than the draft one. QUICHE has already been calling
SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once
callers implementing the draft versions cycle out, we can then drop
SSL_set_quic_use_legacy_codepoint altogether. I've also bumped
BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles.
Update-Note: The change to the return type isn't quite compatible, but I
only found one caller of this function, which has since been fixed. (If
we need to return a non-const value for compatibility, we can do that
and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation.
Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque.
Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use
accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently.
Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque.
Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs.
Update-Note: It is no longer the case that constructing a PKCS#7 file
and parsing them back out will keep the certificates and CRLs in the
same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants.
Update-Note: This renames some BoringSSL-specific constants that we
recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions.
Update-Note: X509_get_cert_info, X509_CINF_set_modified, and
X509_CINF_get_signature are removed. I believe all callers have been
updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and
X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs.
Update-Note: Given OpenSSL hasn't accepted these for five years, it's
unlikely anything depends on it. If something breaks, we can revert this
and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty
X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque.
Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with
one of the accessors. I couldn't find any direct accesses, so hopefully
this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque.
Update-Note: Direct accesses of X509_PUBKEY should be replaced with one
of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER.
Update-Note: Callers setting ASN1_BOOLEANs to a positive value other
than 0xff will now encode 0xff. This probably fixes a bug, but if anyone
was attaching significance to incorrectly-encoded booleans, that will
break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos.
Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now
reject invalid inputs. Previously, they would accept them, but silently
send an invalid ALPN extension which the server would almost certainly
error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants.
Update-Note: There is a small chance the asserts will trip something,
but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available.
Update-Note: If something fails to compile, we'll revert this and adjust
the check, or add an opt-out, or give up. Also, if building with
-std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions.
Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs.
Update-Note: The change to OBJ_nid2obj should be compatible. The changes
to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some
pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque.
Update-Note: I believe this is now safe to do. If there are compile
failures, switch to X509_get0_notBefore, X509_getm_notBefore, and
X509_set1_notBefore, or revert this if I'm wrong and too many callers
still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts.
Update-Note:
https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these
functions a no-op, but we kept them around because there were still some
call sites floating around. That code has since been updated, so we can
remove this.
* Remove X509_REQ_to_X509.
Update-Note: This removes a function that appears to be unused. It also
hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match.
Update-Note: Invalid CRLs with inconsistent inner and outer signature
algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX.
Update-Note: It doesn't look like anyone is reading into this field. If
they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls.
Update-Note: Passing extremely large input lengths into EVP_CipherUpdate
will now fail. Use EVP_AEAD instead, which is size_t-based and has more
explicit output bounds.
* Remove X509_issuer_and_serial_hash.
Update-Note: No one uses this function. It had a NULL dereference in
some error cases. See CVE-2021-23841.
* Fix Bazel build breakage.
* Specify VS toolchain by command-line argument.
* Update Android Bazel build support in BUILD.toplevel.
* Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback.
Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the
ALPN callback will change behavior. The old behavior may be restored by
returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new
recommendations on return values.
* acvp: detect header element in JSON.
* Align the ARM capability functions.
* Skip runtime NEON checks if __ARM_NEON is defined.
Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about
30KiB of dead code, but no longer work (if they even did before) on a
particular buggy CPU. Builds without __ARM_NEON are not affected.
* acvp: don't include CMAC-AES in regcap dump.
* acvp: fix CMAC verify
* Include bn/internal.h for non-bcm.c builds.
* Add various function calls to test_fips.
* Add missing include to self_check.c.
* Revert "Disable check that X.509 extensions implies v3."
* Fix TLS13SessionID-TLS13 test.
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I86bd269475ed5598d81787e7ecfec010c4a128fa
|
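The ALPN update note above ("Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos") concerns the wire format those functions take: a sequence of protocol names, each prefixed by a single length byte, with no zero-length entry and no length running past the end of the buffer. The following is an added illustration written for this page, not BoringSSL's own code: an encoder that builds that buffer from plain names and a validator that applies the same structural rules the note describes. The function names, the sample protocol list ("h2", "http/1.1") and the decision to treat an empty buffer as well formed are this example's assumptions. One caveat worth remembering when wiring this into real code: BoringSSL keeps OpenSSL's inverted convention for these two setters, which return 0 on success and 1 on failure.

```c
/* Added example, not BoringSSL code: build and validate an ALPN protocol
 * list in the wire format that SSL_set_alpn_protos / SSL_CTX_set_alpn_protos
 * expect (one-byte length prefix per protocol name). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if |in| is a well-formed wire-format ALPN list, 0 otherwise.
 * Rejected: a zero-length entry, and a length byte that claims more bytes
 * than remain. An empty buffer is accepted here (assumption for this
 * example: it simply carries no protocols). */
int alpn_wire_valid(const uint8_t *in, size_t in_len) {
  size_t pos = 0;
  while (pos < in_len) {
    size_t len = in[pos++];
    if (len == 0 || len > in_len - pos) {
      return 0;
    }
    pos += len;
  }
  return 1;
}

/* Encode |n| NUL-terminated protocol names into |out|. Returns the number
 * of bytes written, or 0 if a name is empty, longer than 255 bytes (the
 * one-byte prefix cannot express it), or |out| is too small. */
size_t alpn_wire_encode(const char *const *names, size_t n,
                        uint8_t *out, size_t out_cap) {
  size_t pos = 0;
  for (size_t i = 0; i < n; i++) {
    size_t len = strlen(names[i]);
    if (len == 0 || len > 255 || out_cap - pos < len + 1) {
      return 0;
    }
    out[pos++] = (uint8_t)len;
    memcpy(out + pos, names[i], len);
    pos += len;
  }
  return pos;
}

/* Stand-alone demonstration on constructed inputs. */
int main(void) {
  const char *const names[] = {"h2", "http/1.1"};
  uint8_t buf[64];
  size_t len = alpn_wire_encode(names, 2, buf, sizeof(buf));
  printf("encoded %zu bytes, valid=%d\n", len, alpn_wire_valid(buf, len));

  /* Constructed malformed lists: a zero-length entry, and a truncated one. */
  const uint8_t empty_entry[] = {0x00};
  const uint8_t truncated[] = {0x05, 'h', '2'};
  printf("zero-length entry valid=%d\n",
         alpn_wire_valid(empty_entry, sizeof(empty_entry)));
  printf("truncated entry valid=%d\n",
         alpn_wire_valid(truncated, sizeof(truncated)));
  return 0;
}
```

Before this change, a caller passing one of the malformed buffers above would have had the bytes forwarded into the ClientHello unchanged and seen the failure only as a server-side decode error; running the validator first turns that into a local, actionable rejection.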