path: root/src/ssl/extensions.cc
Age         Commit message                                                              Author
2022-01-25  external/boringssl: Sync to 345c86b1cfcc478a71a9a71f0206893fd16ae912.  Benjamin Brittain

This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/a9670a8b476470e6f874fef3554e8059683e1413..345c86b1cfcc478a71a9a71f0206893fd16ae912

* Switch CRYPTO_BUFFER_POOL to SipHash-2-4.
* LSC: Apply clang-tidy's modernize-use-bool-literals to boringssl
* Fix mac_arm64 builder.
* Put Rust binding generation behind an explicit flag and only build bindings for the targeted Arch
* Add ARMV8_SHA512 detection for Fuchsia. Update-Note: This CL is written assuming we can just rely on the SDK changes. Per go/fuchsia-sdk-age, this seems fairly safe. If this file fails to build due to missing symbols, update your project's Fuchsia SDK. If this blocks something, let us know.
* Generates "low-level" bindings for Rust using bindgen
* Add note about Gerrit account creation
* Make EVP_AEAD_CTX_free accept NULL.
* Zero out the values from the integrity check.
* Ignore duplicates in |X509_STORE_add_*|
* Don't #include "internal.h" twice.
* Version bump: 2 -> 3.
* Simplify __ARM_ARCH__ definition. Update-Note: ARM assembly now requires the compiler define __ARM_ARCH. This is not expected to break Clang or GCC from the last 8 or 9 years.
* Don't use __ARMEL__/__ARMEB__ in aarch64 assembly
* Switch __ARM_FEATURE_CRYPTO to __ARM_FEATURE_{AES,SHA2}.
* Move CPU detection symbols to crypto/internal.h.
* Move public APIs from cpu.h to crypto.h. Update-Note: As part of this, I conditioned cpu-arm-linux.c on OPENSSL_LINUX, so that the header files can have accurate conditions. This means unrecognized ARM platforms that do not set OPENSSL_STATIC_ARMCAP will fail to build, where previously we defaulted to the Linux mechanisms. This matches cpu-aarch64-linux.c, which is already gated on OPENSSL_LINUX. (And the file is quite Linux-specific. Even if a non-Linux ELF target used getauxval for ARM capabilities, it's unlikely that our hardcoded constants and /proc behavior applies anyway.)
* Rename CPU feature files with underscores.
* Enable SHA-512 ARM acceleration when available. Update-Note: Consumers with a different build setup may need to limit -D_XOPEN_SOURCE=700 to Linux or non-Apple platforms. Otherwise, <sys/types.h> won't define some typedef needed by <sys/sysctl.h>. If you see a build error about u_char, etc., being undefined in some system header, that is probably the cause.
* Sync sha512-armv8.pl up to 753316232243ccbf86b96c1c51ffcb41651d9ad5.
* Import sha512-armv8.pl transforms from upstream NEON code.
* Import a few test vectors from OpenSSL.
* Use uint16_t in TestConfig and enable -Wformat-signedness.
* Reorder flags to match TestConfig struct.
* Rewrite bssl_shim command-line parser.
* Fix X509_CRL_print error-handling.
* Silence -Wformat-signedness when printing X.509 versions.
* Don't print small, negative serial numbers in decimal.
* Fix the easy -Wformat-signedness errors.
* Add BIO_tell and BIO_seek wrappers.
* Remove non-standard wildcard input DNS names. Update-Note: ".example.com" as an input DNS name will no longer match "www.example.com" in a certificate. (Note this does not impact wildcard certificates. Rather, it removes a non-standard "reverse wildcard" that OpenSSL implemented.)
* Rewrite X.509 name-matching tests.
* Remove non-standard X.509 DNS wildcard matching. Update-Note: BoringSSL will no longer accept wildcard patterns like *www.example.com or www*.example.com. (It already did not accept ww*w.example.com.) X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS will also be ignored and can no longer be used to allow foo.bar.example.com to match *.example.com.
* Make X509_REVOKED opaque. Update-Note: Use X509_REVOKED accessors rather than reaching into the struct.
* Document |SSL_set1_host| return values.
* Add |SSL_set1_host| and |SSL_set_hostflags|.
* Add ERR_set_error_data for compatibility.
* Add BN_GENCB_new, BN_GENCB_free, and RSA_test_flags.
* Remove X509_REVOKED.sequence.
* Binary tag bump: 1 -> 2
* Export PKCS12_DEFAULT_ITER.
* Add SSL_has_pending.
* Update HPKE test vectors.
* Add various OpenSSL compatibility functions.
* Add PKCS7_bundle_raw_certificates function which takes CRYPTO_BUFFERs

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I6348ef26c5afb28e09132acd267be700de379cc8
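The two name-matching Update-Notes in the commit above (no "reverse wildcard" input names, wildcard only as the entire leftmost label, one label per wildcard) describe the behaviour without showing it. The following is an added example, not BoringSSL's code, that implements a hostname matcher with exactly those rules so the accepted and rejected cases can be checked side by side. The additional rule that a wildcard needs at least two labels after it (so "*" and "*.com" never match) is an assumption of this example, not something the commit message states.

```python
# Added example (not BoringSSL code): strict X.509 DNS name matching following
# the rules in the "Remove non-standard wildcard input DNS names" and
# "Remove non-standard X.509 DNS wildcard matching" Update-Notes.


def _labels(name: str):
    """Lower-case and split a DNS name into labels.

    Returns None for names that are not well-formed: empty, leading or
    trailing dot, or an empty label in the middle. A leading dot is exactly
    the removed "reverse wildcard" input form (".example.com").
    """
    name = name.lower()
    if not name or name.startswith(".") or name.endswith("."):
        return None
    labels = name.split(".")
    if any(label == "" for label in labels):
        return None
    return labels


def dns_name_matches(cert_name: str, host: str) -> bool:
    """Return True if a certificate DNS name matches the hostname being verified."""
    cert = _labels(cert_name)
    hostl = _labels(host)
    if cert is None or hostl is None:
        return False
    if "*" in host:
        # The input (reference) name is never a pattern.
        return False
    if "*" not in cert_name:
        return cert == hostl
    # The wildcard must be the whole leftmost label and appear nowhere else.
    # This rejects *www.example.com, www*.example.com and ww*w.example.com.
    if cert[0] != "*" or any("*" in label for label in cert[1:]):
        return False
    # Assumption beyond the page: at least two labels must follow the '*',
    # so "*" and "*.com" are never accepted as patterns.
    if len(cert) < 3:
        return False
    # A wildcard matches exactly one label: with multi-label wildcards gone,
    # foo.bar.example.com does not match *.example.com.
    return len(hostl) == len(cert) and hostl[1:] == cert[1:]


if __name__ == "__main__":
    # Constructed sample pairs mirroring the cases named in the Update-Notes.
    cases = [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "foo.bar.example.com"),
        ("*www.example.com", "xwww.example.com"),
        ("www*.example.com", "wwwx.example.com"),
        ("www.example.com", ".example.com"),
    ]
    for cert_name, host in cases:
        print(f"{cert_name:>20} vs {host:<22} -> {dns_name_matches(cert_name, host)}")
```

The matcher deliberately answers False for every malformed input rather than raising, which is the safe default in a verification path: an unexpected pattern shape should fail closed, not bubble up as an exception that a caller might catch and ignore.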
2021-10-01  external/boringssl: Sync to 66e61c577d39e757bf491468f651461fa79fd5e1.  Pete Bentley

This change re-lands https://r.android.com/1834454 by reverting https://r.android.com/1842042 with no changes. Revert was due to a vendor copy of wpa_supplicant needing the same changes as https://r.android.com/1835013, this is now done and I verified that it builds correctly against this version of BoringSSL.

This CL includes the following upstream changes:
https://boringssl.googlesource.com/boringssl/+log/c1571feb5faf5cce844354c63d0f3e842464bea3..66e61c577d39e757bf491468f651461fa79fd5e1

* Allow PKCS7_sign to work for signing kernel modules.
* Speed up constant-time base64 decoding.
* Unwind remnants of ASN1_TFLG_NDEF.
* acvptool: add CS3 support.
* Ignore SIGPIPE in the bssl tool.
* Add FIPS counters for AES-GCM in EVP_AEAD.
* Refresh fuzzer corpus for ECH draft-13.
* Fix the TLS fuzzers for ECH draft-13.
* Clarify that TLS sessions are not application sessions.
* Fix BN_prime_checks_for_validation to align with false-positive rate.
* Add maskHash to RSA_PSS_PARAMS for compat
* Remove ASN1_OP_I2D_* callbacks.
* Don't read it->funcs without checking it->itype.
* Reject missing required fields in i2d functions. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does:
* Reject -1 types in ASN1_TYPE and MSTRINGs when encoding. Update-Note: A default-constructed object with a required ANY or string-like CHOICE field cannot be encoded until the field is specified. Note this affects i2d_X509: notBefore and notAfter are string-like CHOICEs in OpenSSL.
* Correctly handle invalid ASN1_OBJECTs when encoding. Update-Note: A default-constructed object with a required ASN1_OBJECT field can no longer be encoded without initializing the ASN1_OBJECT. Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests that try to serialize an X509_new() must fill in all required fields. (Production code is unlikely to be affected because the output was unparsable anyway, while tests sometimes wouldn't notice.)
* Check for invalid CHOICE selectors in i2d functions. Update-Note: An invalid CHOICE object (e.g. GENERAL_NAME) will now fail when encoded, rather than be silently omitted. In particular, CHOICE objects are default-initialized by tasn_new.c in an empty -1 state. Structures containing a required CHOICE field can no longer be encoded without filling in the CHOICE.
* Fix x509_name_ex_i2d error-handling.
* Correctly propagate errors in i2d functions. Update-Note: Some error cases which were silently misinterpreted as missing OPTIONAL elements will now cause encoding to fail.
* acvptool: add hmacDRBG support
* Check for __TRUSTY__ instead of TRUSTY.
* Update comment for ECH draft-13.
* Silence a GCC false positive warning.
* Switch to the new, simpler WHATWG URL formulation.
* Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX"
* Fix calculation of draft-13 ECH confirmation signal.
* Update to draft-ietf-tls-esni-13.
* Reword SSL_get0_ech_name_override documentation.
* Remove SSL_set_verify_result.
* Make most of crypto/x509 opaque. Update-Note: Patch cl/390055173 into the roll that includes this. This unexports most of the X.509 structs, aligning with OpenSSL. Use the accessor APIs instead.
* Remove V_ASN1_APP_CHOOSE. Update-Note: V_ASN1_APP_CHOOSE is removed. I only found one use, which has been fixed.
* Rewrite ASN1_PRINTABLE_type and add tests.
* Include SHA512-256 in EVP_get_digestbyname and EVP_MD_do_all.
* NUL is not printable. Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString for strings containing NUL.
* Make RSA_check_key more than 2x as fast.
* Benchmark RSA private key parsing.
* Work around yet another MSVC 2015 SFINAE bug.
* Avoid re-hashing the transcript multiple times.
* Make ssl_parse_extensions a little easier to use.
* Deduplicate our three ServerHello parsers.
* Merge in OpenSSL's X.509 corpus.
* Run X509_print in the certificate fuzzer.
* Fix some error-handling in i2v functions.
* Fix typo.
* OPENSSL_strndup should not return NULL given {NULL, 0}.
* Rewrite name constraints matching with CBS.
* Add some tests for name constraints.
* Fix i2v_GENERAL_NAME to not assume NUL terminated strings
* Do not rely on ASN1_STRING being NUL-terminated.
* Add a CBB_add_zeros helper.
* Linkify RFCs in documentation.
* Refer to RFCs consistently.
* runner: Test session IDs over 32 bytes.
* Process the TLS 1.3 cipher suite in one place.
* Guard use of sdallocx with BORINGSSL_SDALLOCX
* Bump minimum GCC version and note impending VS2015 deprecation.
* Add Span::first() and Span::last().
* Simplify built-in BIOs slightly.
* Fix some error returns from SSL_read and SSL_write.
* Fix negative ENUMERATED values in multi-strings.
* Add a test for ASN1_mbstring_copy and clean up.
* Remove ASN1_TFLG_SET_ORDER.
* Fix ASN1_STRING_print_ex with negative integers.
* Check i2d_ASN1_TYPE's return value in ASN1_STRING_print_ex.
* Document ASN.1 printing functions.
* Move some ASN1 printing functions to crypto/asn1.
* Move a_strex.c back to asn1, split X509_NAME bits out.
* Unwind io_ch abstraction in print functions.
* Implement ASN1_STRING_print_ex_fp, etc., with file BIOs.
* Remove OPENSSL_NO_FP_API ifdefs.
* Move X509_ALGOR to x509.h.
* Unexport BIT_STRING_BITNAME.
* Unexport ub_* constants. Update-Note: Removed some unnamespaced constants.
* Always use an ASN1_STRING_TABLE global mask of UTF8String. Update-Note: The global mask for ASN1_STRING_set_by_NID is now always UTF-8. Callers that want another type should reconsider and, if UTF-8 is still unsuitable, just pass the actual desired type into ASN1_mbstring_copy, X509_NAME_ENTRY_set_data, etc.
* Document ASN1_mbstring_copy.
* Update ghashv8-armx.pl from upstream.
* Align with upstream on 'close STDOUT' lines.
* Avoid double-expanding variables in CMake.
* Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.
* Add some tests for time_t to ASN1_TIME conversions.
* Remove ASN1_STRING_FLAG_MSTRING. Update-Note: ASN1_STRING_FLAG_MSTRING is no longer defined and X509_time_adj_ex now behaves more predictably. Callers that actually wanted to lock to a specific type should call ASN1_UTCTIME_adj or ASN1_GENERALIZEDTIME_adj instead.
* Document another batch of functions.
* Clarify BIO_new_mem_buf's lifetime rules.
* generate_ech.cc: include needed headers
* Don't overread in poly_Rq_mul
* acvp: recognise another style of JSON.
* Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""

Change-Id: I5fe21e26f701feb315aceb86684b5bc1ee327669
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
2021-09-30  Revert "external/boringssl: Sync to 66e61c577d39e757bf491468f651..."  Michael Eastwood

Revert submission 1835013-bssl_update_sep2021

Reason for revert: DroidMonitor: Potential culprit for Bug 201683809 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.

Reverted Changes:
I27d7b79e3: Fix wpa_supplicant build with newer BoringSSL
I4f2228ef8: external/boringssl: Sync to 66e61c577d39e757bf4914...

Change-Id: If2184c4aa55b7dc89e037362e4d5cbbea1107ae2
2021-09-27  external/boringssl: Sync to 66e61c577d39e757bf491468f651461fa79fd5e1.  Pete Bentley

This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/c1571feb5faf5cce844354c63d0f3e842464bea3..66e61c577d39e757bf491468f651461fa79fd5e1

* Allow PKCS7_sign to work for signing kernel modules.
* Speed up constant-time base64 decoding.
* Unwind remnants of ASN1_TFLG_NDEF.
* acvptool: add CS3 support.
* Ignore SIGPIPE in the bssl tool.
* Add FIPS counters for AES-GCM in EVP_AEAD.
* Refresh fuzzer corpus for ECH draft-13.
* Fix the TLS fuzzers for ECH draft-13.
* Clarify that TLS sessions are not application sessions.
* Fix BN_prime_checks_for_validation to align with false-positive rate.
* Add maskHash to RSA_PSS_PARAMS for compat
* Remove ASN1_OP_I2D_* callbacks.
* Don't read it->funcs without checking it->itype.
* Reject missing required fields in i2d functions. Update-Note: Structures with missing mandatory fields can no longer be encoded. Note that, apart from the cases already handled by preceding CLs, tasn_new.c will fill in non-NULL empty objects everywhere. The main downstream impact I've seen of this particular change is in combination with other bugs. Consider a caller that does:
* Reject -1 types in ASN1_TYPE and MSTRINGs when encoding. Update-Note: A default-constructed object with a required ANY or string-like CHOICE field cannot be encoded until the field is specified. Note this affects i2d_X509: notBefore and notAfter are string-like CHOICEs in OpenSSL.
* Correctly handle invalid ASN1_OBJECTs when encoding. Update-Note: A default-constructed object with a required ASN1_OBJECT field can no longer be encoded without initializing the ASN1_OBJECT. Note this affects X509: the signature algorithm is an ASN1_OBJECT. Tests that try to serialize an X509_new() must fill in all required fields. (Production code is unlikely to be affected because the output was unparsable anyway, while tests sometimes wouldn't notice.)
* Check for invalid CHOICE selectors in i2d functions. Update-Note: An invalid CHOICE object (e.g. GENERAL_NAME) will now fail when encoded, rather than be silently omitted. In particular, CHOICE objects are default-initialized by tasn_new.c in an empty -1 state. Structures containing a required CHOICE field can no longer be encoded without filling in the CHOICE.
* Fix x509_name_ex_i2d error-handling.
* Correctly propagate errors in i2d functions. Update-Note: Some error cases which were silently misinterpreted as missing OPTIONAL elements will now cause encoding to fail.
* acvptool: add hmacDRBG support
* Check for __TRUSTY__ instead of TRUSTY.
* Update comment for ECH draft-13.
* Silence a GCC false positive warning.
* Switch to the new, simpler WHATWG URL formulation.
* Revert "Guard use of sdallocx with BORINGSSL_SDALLOCX"
* Fix calculation of draft-13 ECH confirmation signal.
* Update to draft-ietf-tls-esni-13.
* Reword SSL_get0_ech_name_override documentation.
* Remove SSL_set_verify_result.
* Make most of crypto/x509 opaque. Update-Note: Patch cl/390055173 into the roll that includes this. This unexports most of the X.509 structs, aligning with OpenSSL. Use the accessor APIs instead.
* Remove V_ASN1_APP_CHOOSE. Update-Note: V_ASN1_APP_CHOOSE is removed. I only found one use, which has been fixed.
* Rewrite ASN1_PRINTABLE_type and add tests.
* Include SHA512-256 in EVP_get_digestbyname and EVP_MD_do_all.
* NUL is not printable. Update-Note: ASN1_mbstring_ncopy will no longer allow PrintableString for strings containing NUL.
* Make RSA_check_key more than 2x as fast.
* Benchmark RSA private key parsing.
* Work around yet another MSVC 2015 SFINAE bug.
* Avoid re-hashing the transcript multiple times.
* Make ssl_parse_extensions a little easier to use.
* Deduplicate our three ServerHello parsers.
* Merge in OpenSSL's X.509 corpus.
* Run X509_print in the certificate fuzzer.
* Fix some error-handling in i2v functions.
* Fix typo.
* OPENSSL_strndup should not return NULL given {NULL, 0}.
* Rewrite name constraints matching with CBS.
* Add some tests for name constraints.
* Fix i2v_GENERAL_NAME to not assume NUL terminated strings
* Do not rely on ASN1_STRING being NUL-terminated.
* Add a CBB_add_zeros helper.
* Linkify RFCs in documentation.
* Refer to RFCs consistently.
* runner: Test session IDs over 32 bytes.
* Process the TLS 1.3 cipher suite in one place.
* Guard use of sdallocx with BORINGSSL_SDALLOCX
* Bump minimum GCC version and note impending VS2015 deprecation.
* Add Span::first() and Span::last().
* Simplify built-in BIOs slightly.
* Fix some error returns from SSL_read and SSL_write.
* Fix negative ENUMERATED values in multi-strings.
* Add a test for ASN1_mbstring_copy and clean up.
* Remove ASN1_TFLG_SET_ORDER.
* Fix ASN1_STRING_print_ex with negative integers.
* Check i2d_ASN1_TYPE's return value in ASN1_STRING_print_ex.
* Document ASN.1 printing functions.
* Move some ASN1 printing functions to crypto/asn1.
* Move a_strex.c back to asn1, split X509_NAME bits out.
* Unwind io_ch abstraction in print functions.
* Implement ASN1_STRING_print_ex_fp, etc., with file BIOs.
* Remove OPENSSL_NO_FP_API ifdefs.
* Move X509_ALGOR to x509.h.
* Unexport BIT_STRING_BITNAME.
* Unexport ub_* constants. Update-Note: Removed some unnamespaced constants.
* Always use an ASN1_STRING_TABLE global mask of UTF8String. Update-Note: The global mask for ASN1_STRING_set_by_NID is now always UTF-8. Callers that want another type should reconsider and, if UTF-8 is still unsuitable, just pass the actual desired type into ASN1_mbstring_copy, X509_NAME_ENTRY_set_data, etc.
* Document ASN1_mbstring_copy.
* Update ghashv8-armx.pl from upstream.
* Align with upstream on 'close STDOUT' lines.
* Avoid double-expanding variables in CMake.
* Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.
* Add some tests for time_t to ASN1_TIME conversions.
* Remove ASN1_STRING_FLAG_MSTRING. Update-Note: ASN1_STRING_FLAG_MSTRING is no longer defined and X509_time_adj_ex now behaves more predictably. Callers that actually wanted to lock to a specific type should call ASN1_UTCTIME_adj or ASN1_GENERALIZEDTIME_adj instead.
* Document another batch of functions.
* Clarify BIO_new_mem_buf's lifetime rules.
* generate_ech.cc: include needed headers
* Don't overread in poly_Rq_mul
* acvp: recognise another style of JSON.
* Revert "Revert "Revert "Disable check that X.509 extensions implies v3."""

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I4f2228ef815ded0599322186ab7bad49ab1bb5af
2021-07-23  external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91.  Pete Bentley

Re-lands https://r.android.com/1774909

This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91

* Add 'generate-ech' command to bssl tool
* Don't enable atomics in NO_THREADS configurations.
* Check strtoul return for overflow error in GetUnsigned()
* Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY.
* Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs.
* Always have CRYPTO_sysrand_for_seed.
* hrss: use less stack space.
* Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead.
* Make X509_CRL opaque. Update-Note: Use accessors instead.
* Switch another malloc to bssl::Array.
* Add a pointer alignment helper function.
* Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct.
* Fix sign bit in BN_div if numerator and quotient alias.
* Handle the server case in SSL_get0_ech_name_override.
* Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers.
* Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function.
* Document a batch of extension-related functions in x509.h.
* conf: fix getting keys from the default section.
* conf: don't crash when parsing.
* Add some OpenSSL compatibility aliases.
* Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors.
* Rename asn1_locl.h to internal.h.
* Update hpke_test.go.
* Decorate x509v3_a2i_ipadd declaration as its definition.
* SHA-256 is used on AArch64, even if NO_ASM.
* swtb is another AArch64 magic tweak.
* Implement ClientHelloOuter handshakes.
* runner: Add a convenience function for base64 flags.
* Reduce bouncing on the cache lock in ssl_update_cache. Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.)
* Only clear not_resumable after the handshake.
* runner: Test that clients actually use renewed tickets.
* runner: Clean up test logic.
* runner: Fix process exit timeout.
* Remove old ASN.1 SET macros.
* Document some ASN1_INTEGER and ASN1_ENUMERATED functions.
* Document ASN1_STRING_to_UTF8.
* Const-correct ASN1_item_verify a bit more.
* Compute ASN.1 BIT STRING sizes more consistently.
* Remove lh_FOO_doall.
* Prefix internal LHASH functions.
* Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation.
* Rename t1_lib.cc to extensions.cc.
* Prefix and unexport a2i_ipadd.
* Fix a -Wdeprecated-copy warning.
* Validate ECH public names.
* Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM.
* Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly.
* Move crypto/x509/vpm_int.h into internal.h.
* Reformat x509_vfy.h and convert comments.
* Reland "Add util/fetch_ech_config_list.go"
* Revert "Add util/fetch_ech_config_list.go"
* Add util/fetch_ech_config_list.go
* More reliably report handshake errors through SSL_write.
* Add an option to permute ClientHello extension order.
* runner: Check the test name against the protocol being tested.
* Remove outdated comment in primality testing.
* Add most of an ECH client implementation.
* Add a basic API to make ECHConfigs.
* Make ECH server APIs take EVP_HPKE_KEY.
* Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS.
* runner: Self-check tests more accurately and earlier.
* Don't pad the second ClientHello.
* Fix ext_pre_shared_key_clienthello_length calculation.
* Tidy up the PSK binder logic.
* Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext.
* Shift some complexity out of ssl_add_clienthello_tlsext.
* Add a note about extension callback names.
* Add move support to EVP_MD_CTX.
* Replace hs->needs_psk_binder with an output parameter.
* Make add_clienthello callbacks const.
* Fix documentation typo.
* Compute the ECH GREASE payload outside of the callbacks.
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback. Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server.
* Manage Channel ID handshake state better. Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001). Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles. Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation. Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque. Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently. Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque. Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs. Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing it back out will keep the certificates and CRLs in the same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants. Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* acvp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions. Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs. Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque. Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque. Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos. Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants. Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available. Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions. Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs. Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque. Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts. Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this.
* Remove X509_REQ_to_X509. Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match. Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX. Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls. Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail.
Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds. * Remove X509_issuer_and_serial_hash. Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841. * Fix Bazel build breakage. * Specify VS toolchain by command-line argument. * Update Android Bazel build support in BUILD.toplevel. * Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback. Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values. * acvp: detect header element in JSON. * Align the ARM capability functions. * Skip runtime NEON checks if __ARM_NEON is defined. Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected. * acvp: don't include CMAC-AES in regcap dump. * acvp: fix CMAC verify * Include bn/internal.h for non-bcm.c builds. * Add various function calls to test_fips. * Add missing include to self_check.c. * Revert "Disable check that X.509 extensions implies v3." * Fix TLS13SessionID-TLS13 test. Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases Change-Id: Idb0a37fccba5d1c3f6a40fe91a81c5189170ed23
2021-07-23Revert "external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91."Sergey Volnov
This reverts commit d03f4c0ac5663fb300b1f40f1059c4194dd0652a. Reason for revert: Investigating b/194282044 Change-Id: I168d73caae2cbc83921133cd47aef37d3bce8c37
2021-07-22external/boringssl: Sync to 7a817f48bafee508b2d23ad278f892ee1cb32b91.Pete Bentley
Re-lands https://r.android.com/1772605 plus three newer upstream changes. This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..7a817f48bafee508b2d23ad278f892ee1cb32b91 * Add 'generate-ech' command to bssl tool * Don't enable atomics in NO_THREADS configurations. * Check strtoul return for overflow error in GetUnsigned() * Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY. * Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs. * Always have CRYPTO_sysrand_for_seed. * hrss: use less stack space. * Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead. * Make X509_CRL opaque. Update-Note: Use accessors instead. * Switch another malloc to bssl::Array. * Add a pointer alignment helper function. * Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct. * Fix sign bit in BN_div if numerator and quotient alias. * Handle the server case in SSL_get0_ech_name_override. * Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers. * Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function. * Document a batch of extension-related functions in x509.h. * conf: fix getting keys from the default section. * conf: don't crash when parsing. * Add some OpenSSL compatibility aliases. * Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors. * Rename asn1_locl.h to internal.h. * Update hpke_test.go. * Decorate x509v3_a2i_ipadd declaration as its definition. * SHA-256 is used on AArch64, even if NO_ASM. * swtb is another AArch64 magic tweak. * Implement ClientHelloOuter handshakes. * runner: Add a convenience function for base64 flags. * Reduce bouncing on the cache lock in ssl_update_cache. 
Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.) * Only clear not_resumable after the handshake. * runner: Test that clients actually use renewed tickets. * runner: Clean up test logic. * runner: Fix process exit timeout. * Remove old ASN.1 SET macros. * Document some ASN1_INTEGER and ASN1_ENUMERATED functions. * Document ASN1_STRING_to_UTF8. * Const-correct ASN1_item_verify a bit more. * Compute ASN.1 BIT STRING sizes more consistently. * Remove lh_FOO_doall. * Prefix internal LHASH functions. * Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation. * Rename t1_lib.cc to extensions.cc. * Prefix and unexport a2i_ipadd. * Fix a -Wdeprecated-copy warning. * Validate ECH public names. * Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM. * Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly. * Move crypto/x509/vpm_int.h into internal.h. * Reformat x509_vfy.h and convert comments. * Reland "Add util/fetch_ech_config_list.go" * Revert "Add util/fetch_ech_config_list.go" * Add util/fetch_ech_config_list.go * More reliably report handshake errors through SSL_write. * Add an option to permute ClientHello extension order. * runner: Check the test name against the protocol being tested. * Remove outdated comment in primality testing. * Add most of an ECH client implementation. * Add a basic API to make ECHConfigs. * Make ECH server APIs take EVP_HPKE_KEY. * Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS. * runner: Self-check tests more accurately and earlier. * Don't pad the second ClientHello. * Fix ext_pre_shared_key_clienthello_length calculation. * Tidy up the PSK binder logic. * Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext. * Shift some complexity out of ssl_add_clienthello_tlsext. 
* Add a note about extension callback names. * Add move support to EVP_MD_CTX. * Replace hs->needs_psk_binder with an output parameter. * Make add_clienthello callbacks const. * Fix documentation typo. * Compute the ECH GREASE payload outside of the callbacks. * Pick up the GREASE ECH config ID from grease_seed. * Initialize grease_seed on construction. * Remove the extension init hook. * Move key_share computation out of ClientHello callbacks. * Release some temporaries outside of ClientHello callbacks. * Move the early_data_{offered,reason} logic out of extension callbacks. * Implement a handshake hint for certificate compression. * runner: Implement ECH server for testing. * runner: Parse the status_request extension more strictly. * runner: Make echIsInner a boolean. * runner: Revise ECHConfig type in preparation for client implementation * Fix ECH-Server-RepeatedConfigID test. * Add SSL_ech_accepted API and ech_is_required alerts. * Reject the ECH extension in TLS 1.2 ServerHello. * Move ECH-related APIs to encrypted_client_hello.cc. * Const-correct message creation hooks. * Remove the Channel ID callback. Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server. * Manage Channel ID handshake state better. Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this. * DTLS-SRTP is only defined for DTLS. * Remove impossible ssl->s3 null check. * fix #415: Perl scripts fail when building from a path with spaces * Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001). Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. 
I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef. * Add compatibility impl for EVP_PKEY_get0 * Make md32_common.h single-included and use an unsized helper for SHA-256. * Pull HASH_TRANSFORM out of md32_common.h. * Ensure name not null in EVP_get_cipherbyname * Fix array-parameter warnings * Don't copy client's session ID into server's session. * Test ECH server with unique and repeated config IDs. * Refresh SSL corpora after adding ECH fuzzer mode. * Implement fuzzer mode for ECH server. * Don't try to write empty early data in the tool. * GREASE is now RFC 8701. * runner: Reject all zero client and server randoms. * Const-correct SSL_get_srtp_profiles. Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.) * Update the ECH GREASE size selection. * fuzz/minimise_corpora.sh: Add shebang and chmod +x * Add a missing case to SSL_error_description. * Remove draft tokbind implementation. Update-Note: Token binding APIs are removed. Change-Id: Iecea7c3dcf9d3e2644a3b7afaf61511310b45d5f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47584 Reviewed-by: Adam Langley <agl@google.com> * Make X509_REQ and X509_REQ_INFO opaque. Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead. * Check hs->early_session, not ssl->session, for the early data limit. * Fix some includes. * Be clearer which signing inputs are digests. * Validate RSA public keys more consistently. Update-Note: See above. * Add APIs to manually fill in signatures for CRLs. * Check for resumption identifiers in SSL_SESSION_is_resumable. * Don't use SHA256(ticket) as the signaling session ID for tickets. * Simplify renego + resumption handling. * Move session ID assignment out of ssl_get_new_session. 
* Fix the ech_accept comment. * Export the HPKE implementation. * Refer to EVP_HPKE_CTX by a consistent name. * Shift the KEM dependency in HPKE up a step. * Update ACVP URLs. * Add SSL_can_release_private_key. * Make X509_SIG and X509_CERT_AUX opaque. Update-Note: Direct access of these structs should be replaced by accessors. * acvp: move hash iterations into modulewrapper. * Switch HPKE to a three-parameter output buffer. * Introduce EVP_HPKE_{AEAD,KDF} types. * Don't mark up the first word in a collective comment. * Revise the deterministic for_test variant of HPKE's SetupBaseS. * Fix a memory leak with d2i_ASN1_OBJECT object reuse. * Remove HPKE PSK mode. * Remove HKDF-SHA384 and HKDF-SHA512 from HPKE. * Correctly order PKCS#7 certificates and CRLs. Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order. * Implement ECH draft 10 and update HPKE to draft 08. * Document expected use of BTI and PAC macros. * Remove non-deterministic bits from ECDSA ACVP test. * Reference the newer ChaCha20-Poly1305 RFC. * Use passive entropy collection everywhere. * Rename X509V*_VERSION constants. Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet. * Const-correct ASN1_OBJECT_create. * Clarify OBJ_get0_data and OBJ_get_length. * avcp: SHA-1 for ECDSA _verification_ is still supported by NIST. * A couple of Aarch64 FIPS delocate fixes. * Use a placeholder for unknown errors in ERR_*_error_string. * Include assembly optimizations in Bazel builds on Linux-aarch64. * Remove some BoringSSL-only X509_CINF functions. Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead. * Document and test X509_ATTRIBUTE creation functions. 
* Revert handshaker fd numbers and make StartProcess more flexible. * Remove support for malformed X509_ATTRIBUTEs. Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe. * Make X509_ATTRIBUTE opaque. Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine. * acvptool: Fix typo hard-coding the HTTP method. * Document a few more x509.h functions. * Make X509_PUBKEY opaque. Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point. * Always encode booleans as DER. Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break. * Fix issuerUID and subjectUID parsing in the key usage checker. * Add experimental handshake hints API. * Make our Python scripts Python-3-compatible. * Export ssl_client_hello_init for fuzzers. * acvp: support GMAC as an algorithm. * Record a fuzzing corpus for the ClientHelloInner decoder. * Use a consistent plural for 'corpus'. * Add util/bot/libFuzzer to .gitignore. * acvp: support KAS-ECC-SSC staticUnified mode. * Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos. Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on. * Don't duplicate ServerHello construction code. * Rearrange key share and early data logic. * Only skip early data with HRR when offered. 
* Add ECH server config API to ssl_ctx_api fuzzer * Fix ppc64le build. * Simplify the Lucky13 mitigation. * Add ECH server (draft-ietf-tls-esni-09). * runner: Remove unused field * runner: Construct finishedHash earlier. * Simplify tls_cbc.c slightly. * Remove remnants of CBC SHA2 cipher suites. * runner: Test different V2ClientHello challenge lengths. * runner: Ensure helloBytes is always the same as hello.marshal(). * runner: Fix ECH confirmation calculation with PSKs in tests. * runner: Fix HPKE parameter order. * runner: UpdateForHelloRetryRequest cannot fail. * runner: Don't use the buffer in TLS 1.3. * runner: Don't maintain two copies of the same transcript hash. * runner: Remove remnants of SSL 3.0. * runner: Fix writeClientHash and writeRecord ordering. * runner: Remove CheckTLS13DowngradeRandom. * runner: Remove remnants of the separate HelloRetryRequest message. * runner: Store a cipherSuite in ClientSessionState. * runner: Move writeHash to the finishedHash struct. * Fix the spelling of HPKE AEAD constants. * Don't reset server callback expectations on new handshake. * Fix MockQuicTransport::Flush error handling. * Fold ripemd/internal.h into ripemd.c. * Move load/store helpers to crypto/internal.h. * Make words in crypto/fipsmodule/modes actually words. * Handle EINTR more in handshaker.cc. * Add a few missing SSL_R_BIO_NOT_SET cases. * Fix some unreachable code in the QUIC handshaker driver. * Rearrange SSLKeyShare::Serialize. * Fix ssl/internal.h sectioning. * Remove some now unnecessary test exclusions from split handshakes. * Remove tls13-split-handshakes flag. * Define HANDSHAKER_SUPPORTED in one place. * Tidy up handshaker tester. * modulewrapper: add option to print build information. * FIPS counters for AES-CTR. * Enforce that pre_shared_key must come with psk_key_exchange_modes. * Zero out FIPS counters. * Remove is_resume field on TestState. * Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag. 
* Add some warnings on how to use OPENSSL_memory_* functions. * Use an unsized helper for truncated SHA-512 variants. Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone. * Fix mismatch between header and implementation of bn_sqr_comba8. * Remove GCC 4.8.99 check. * Bump minimum CMake version. * Automatically enable C11 atomics when available. Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11. * Make generate_build_files.py python3 compatible. * Remove X509_REQ_set_extension_nids and document related functions. Update-Note: This removes a pair of unused functions. * Document a few more functions in x509.h. * Do not access value.ptr with V_ASN1_BOOLEAN. * Add X509_PUBKEY_get0_public_key. * Test empty EVP_CIPHER inputs and fix exact memcpy overlap. * Revert "Implement rsa_pkcs1_sha256_legacy." * Fix unnecessarily direction-specific tests in cipher_tests.txt * Refactor HPKE API to include explicit length parameters. * Generalize make_errors.go to allow EVP covering multiple directories. * Add a Windows no-op impl of BORINGSSL_self_test * Only pass -handshaker-path in split handshakes tests. * Add RNG support for FreeBSD. * Move fips.c into a subdirectory. * Implement rsa_pkcs1_sha256_legacy. * Better document nullable X.509 getters. * runner: Remove redundant -enable-all-curves shim flag. * Initialize nonce in PerAEADTest.ABI. * Document ASN1_TYPE and related functions. * fips: add counters. * Align with OpenSSL on constness of static ASN1_OBJECTs. Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types. * Add -rr-record flag to runner.go. * Register NAME_CONSTRAINTS with bssl::UniquePtr. * Register POLICY_MAPPING with bssl::UniquePtr. * Stub out some more of PKCS7. 
* Remove TODO to reverse the output of PKCS12_parse. * Make the X509_VAL structure opaque. Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating. * Support creating unencrypted PKCS#12 files. * Move PKCS#12 samples to embed_test_data. * Remove some remnants of TLS 1.3 downgrade carveouts. Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this. * Remove X509_REQ_to_X509. Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it. * Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag * RAND_set_rand_method returns int. * Check the inner and outer CRL signature algorithms match. Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected. * Remove block_mask from EVP_CIPHER_CTX. Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary. * Document a couple more functions in x509.h. * Define X509V*_VERSION constants. * Handle the default X.509 version explicitly. * Compile for RISC-V. * Add ECDSA nonce-testing functions. * Rearrange ECDSA implementation. * Split the FIPS mode PRNG lock in two. * Remove legacy vs_toolchain.py environment variable. * runner: Rename 'masterSecret' on session objects to plain 'secret'. * Test ECDSA signing is non-deterministic. * acvp: split ACVP modulewrapper for reuse by Trusty * No-op CL to trigger some builds. * Use CIPD Go packages. * Update CMake on the bots and switch to CIPD where available. * Future-proof vs_toolchain.py for VS2019. 
* Revert "Revert "Disable check that X.509 extensions implies v3."" * Update Clang and Go on the bots. * Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create. * Don't overflow the output length in EVP_CipherUpdate calls. Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds. * Remove X509_issuer_and_serial_hash. Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841. * Fix Bazel build breakage. * Specify VS toolchain by command-line argument. * Update Android Bazel build support in BUILD.toplevel. * Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback. Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values. * acvp: detect header element in JSON. * Align the ARM capability functions. * Skip runtime NEON checks if __ARM_NEON is defined. Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected. * acvp: don't include CMAC-AES in regcap dump. * acvp: fix CMAC verify * Include bn/internal.h for non-bcm.c builds. * Add various function calls to test_fips. * Add missing include to self_check.c. * Revert "Disable check that X.509 extensions implies v3." * Fix TLS13SessionID-TLS13 test. Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases Change-Id: I894552c1cfb97c327808e9cdadcc7e6a7b1874e2
2021-07-21Revert "external/boringssl: Sync to 897a2ca3f184b34278641138c726ef902ab1fab2."Pete Bentley
This reverts commit a769e3be7b5b02e3a0ee4043b6642ab0361a1420. Reason for revert: Breaks x86 builds: b/194262305 Change-Id: I9074b7d01972b3f1162eb3ece0a591077d0b3451
2021-07-20external/boringssl: Sync to 897a2ca3f184b34278641138c726ef902ab1fab2.Pete Bentley
This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/ae2bb641735447496bed334c495e4868b981fe32..897a2ca3f184b34278641138c726ef902ab1fab2 * Add convenience functions to malloc EVP_HPKE_CTX and EVP_HPKE_KEY. * Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs. * Always have CRYPTO_sysrand_for_seed. * hrss: use less stack space. * Make X509_EXTENSION opaque. Update-Note: Use X509_EXTENSION_get_* instead. * Make X509_CRL opaque. Update-Note: Use accessors instead. * Switch another malloc to bssl::Array. * Add a pointer alignment helper function. * Remove unused field in X509_NAME_ENTRY. Update-Note: Removed unused field in struct. * Fix sign bit in BN_div if numerator and quotient alias. * Handle the server case in SSL_get0_ech_name_override. * Remove -2 return value from X509*_get_*_by_NID. Update-Note: The return value convention of some functions was simplified. This is not expected to affect any callers. * Remove X509at_get0_data_by_OBJ. Update-Note: X509at_get0_data_by_OBJ is removed. We found no callers of this function. * Document a batch of extension-related functions in x509.h. * conf: fix getting keys from the default section. * conf: don't crash when parsing. * Add some OpenSSL compatibility aliases. * Make ASN1_OBJECT opaque. Update-Note: ASN1_OBJECT is now opaque. Callers should use accessors. * Rename asn1_locl.h to internal.h. * Update hpke_test.go. * Decorate x509v3_a2i_ipadd declaration as its definition. * SHA-256 is used on AArch64, even if NO_ASM. * swtb is another AArch64 magic tweak. * Implement ClientHelloOuter handshakes. * runner: Add a convenience function for base64 flags. * Reduce bouncing on the cache lock in ssl_update_cache. Update-Note: This reshuffles some locks around the session cache. (Hopefully for the better.) * Only clear not_resumable after the handshake. * runner: Test that clients actually use renewed tickets. * runner: Clean up test logic. * runner: Fix process exit timeout. 
* Remove old ASN.1 SET macros. * Document some ASN1_INTEGER and ASN1_ENUMERATED functions. * Document ASN1_STRING_to_UTF8. * Const-correct ASN1_item_verify a bit more. * Compute ASN.1 BIT STRING sizes more consistently. * Remove lh_FOO_doall. * Prefix internal LHASH functions. * Unexport almost all of LHASH. Update-Note: BoringSSL no longer provides a general-purpose hash table to callers. Use the language's standard library, or another implementation. * Rename t1_lib.cc to extensions.cc. * Prefix and unexport a2i_ipadd. * Fix a -Wdeprecated-copy warning. * Validate ECH public names. * Fold X509_VERIFY_PARAM_ID into X509_VERIFY_PARAM. * Make X509_VERIFY_PARAM opaque. Update-Note: Use setters instead of configuring X509_VERIFY_PARAM directly. * Move crypto/x509/vpm_int.h into internal.h. * Reformat x509_vfy.h and convert comments. * Reland "Add util/fetch_ech_config_list.go" * Revert "Add util/fetch_ech_config_list.go" * Add util/fetch_ech_config_list.go * More reliably report handshake errors through SSL_write. * Add an option to permute ClientHello extension order. * runner: Check the test name against the protocol being tested. * Remove outdated comment in primality testing. * Add most of an ECH client implementation. * Add a basic API to make ECHConfigs. * Make ECH server APIs take EVP_HPKE_KEY. * Rename SSL_ECH_SERVER_CONFIG_LIST to SSL_ECH_KEYS. * runner: Self-check tests more accurately and earlier. * Don't pad the second ClientHello. * Fix ext_pre_shared_key_clienthello_length calculation. * Tidy up the PSK binder logic. * Move the TLS vs DTLS header length adjustment into ssl_add_clienthello_tlsext. * Shift some complexity out of ssl_add_clienthello_tlsext. * Add a note about extension callback names. * Add move support to EVP_MD_CTX. * Replace hs->needs_psk_binder with an output parameter. * Make add_clienthello callbacks const. * Fix documentation typo. * Compute the ECH GREASE payload outside of the callbacks. 
* Pick up the GREASE ECH config ID from grease_seed.
* Initialize grease_seed on construction.
* Remove the extension init hook.
* Move key_share computation out of ClientHello callbacks.
* Release some temporaries outside of ClientHello callbacks.
* Move the early_data_{offered,reason} logic out of extension callbacks.
* Implement a handshake hint for certificate compression.
* runner: Implement ECH server for testing.
* runner: Parse the status_request extension more strictly.
* runner: Make echIsInner a boolean.
* runner: Revise ECHConfig type in preparation for client implementation
* Fix ECH-Server-RepeatedConfigID test.
* Add SSL_ech_accepted API and ech_is_required alerts.
* Reject the ECH extension in TLS 1.2 ServerHello.
* Move ECH-related APIs to encrypted_client_hello.cc.
* Const-correct message creation hooks.
* Remove the Channel ID callback.
  Update-Note: SSL_CTX_set_channel_id_cb is removed. SSL_set_tls_channel_id_enabled no longer enables Channel ID as a client, only as a server.
* Manage Channel ID handshake state better.
  Update-Note: SSL_get_tls_channel_id will no longer return all zeros during the handshake or on the client. I did not find any callers relying on this.
* DTLS-SRTP is only defined for DTLS.
* Remove impossible ssl->s3 null check.
* fix #415: Perl scripts fail when building from a path with spaces
* Cite an RFC over 9000 (draft-ietf-quic-tls is now RFC 9001).
  Update-Note: QUIC APIs now default to the standard code point rather than the draft one. QUICHE has already been calling SSL_set_quic_use_legacy_codepoint, so this should not affect them. Once callers implementing the draft versions cycle out, we can then drop SSL_set_quic_use_legacy_codepoint altogether. I've also bumped BORINGSSL_API_VERSION in case we end up needing an ifdef.
* Add compatibility impl for EVP_PKEY_get0
* Make md32_common.h single-included and use an unsized helper for SHA-256.
* Pull HASH_TRANSFORM out of md32_common.h.
* Ensure name not null in EVP_get_cipherbyname
* Fix array-parameter warnings
* Don't copy client's session ID into server's session.
* Test ECH server with unique and repeated config IDs.
* Refresh SSL corpora after adding ECH fuzzer mode.
* Implement fuzzer mode for ECH server.
* Don't try to write empty early data in the tool.
* GREASE is now RFC 8701.
* runner: Reject all zero client and server randoms.
* Const-correct SSL_get_srtp_profiles.
  Update-Note: The change to the return type isn't quite compatible, but I only found one caller of this function, which has since been fixed. (If we need to return a non-const value for compatibility, we can do that and document that the caller should not mutate the output.)
* Update the ECH GREASE size selection.
* fuzz/minimise_corpora.sh: Add shebang and chmod +x
* Add a missing case to SSL_error_description.
* Remove draft tokbind implementation.
  Update-Note: Token binding APIs are removed.
* Make X509_REQ and X509_REQ_INFO opaque.
  Update-Note: Callers that reach into X509_REQ and X509_REQ_INFO must use accessors instead.
* Check hs->early_session, not ssl->session, for the early data limit.
* Fix some includes.
* Be clearer which signing inputs are digests.
* Validate RSA public keys more consistently.
  Update-Note: See above.
* Add APIs to manually fill in signatures for CRLs.
* Check for resumption identifiers in SSL_SESSION_is_resumable.
* Don't use SHA256(ticket) as the signaling session ID for tickets.
* Simplify renego + resumption handling.
* Move session ID assignment out of ssl_get_new_session.
* Fix the ech_accept comment.
* Export the HPKE implementation.
* Refer to EVP_HPKE_CTX by a consistent name.
* Shift the KEM dependency in HPKE up a step.
* Update ACVP URLs.
* Add SSL_can_release_private_key.
* Make X509_SIG and X509_CERT_AUX opaque.
  Update-Note: Direct access of these structs should be replaced by accessors.
* acvp: move hash iterations into modulewrapper.
* Switch HPKE to a three-parameter output buffer.
* Introduce EVP_HPKE_{AEAD,KDF} types.
* Don't mark up the first word in a collective comment.
* Revise the deterministic for_test variant of HPKE's SetupBaseS.
* Fix a memory leak with d2i_ASN1_OBJECT object reuse.
* Remove HPKE PSK mode.
* Remove HKDF-SHA384 and HKDF-SHA512 from HPKE.
* Correctly order PKCS#7 certificates and CRLs.
  Update-Note: It is no longer the case that constructing a PKCS#7 file and parsing them back out will keep the certificates and CRLs in the same order.
* Implement ECH draft 10 and update HPKE to draft 08.
* Document expected use of BTI and PAC macros.
* Remove non-deterministic bits from ECDSA ACVP test.
* Reference the newer ChaCha20-Poly1305 RFC.
* Use passive entropy collection everywhere.
* Rename X509V*_VERSION constants.
  Update-Note: This renames some BoringSSL-specific constants that we recently added. It doesn't look like anyone's used them yet.
* Const-correct ASN1_OBJECT_create.
* Clarify OBJ_get0_data and OBJ_get_length.
* avcp: SHA-1 for ECDSA _verification_ is still supported by NIST.
* A couple of Aarch64 FIPS delocate fixes.
* Use a placeholder for unknown errors in ERR_*_error_string.
* Include assembly optimizations in Bazel builds on Linux-aarch64.
* Remove some BoringSSL-only X509_CINF functions.
  Update-Note: X509_get_cert_info, X509_CINF_set_modified, and X509_CINF_get_signature are removed. I believe all callers have been updated. Callers should use i2d_re_X509_tbs, i2d_X509_tbs, and X509_get0_tbs_sigalg instead.
* Document and test X509_ATTRIBUTE creation functions.
* Revert handshaker fd numbers and make StartProcess more flexible.
* Remove support for malformed X509_ATTRIBUTEs.
  Update-Note: Given OpenSSL hasn't accepted these for five years, it's unlikely anything depends on it. If something breaks, we can revert this and revisit. No one calls X509_ATTRIBUTE_set1_data on a non-empty X509_ATTRIBUTE, so the behavior change there should be safe.
* Make X509_ATTRIBUTE opaque.
  Update-Note: Direct accesses of X509_ATTRIBUTE should be replaced with one of the accessors. I couldn't find any direct accesses, so hopefully this is fine.
* acvptool: Fix typo hard-coding the HTTP method.
* Document a few more x509.h functions.
* Make X509_PUBKEY opaque.
  Update-Note: Direct accesses of X509_PUBKEY should be replaced with one of the accessors. I believe all callers have been fixed at this point.
* Always encode booleans as DER.
  Update-Note: Callers setting ASN1_BOOLEANs to a positive value other than 0xff will now encode 0xff. This probably fixes a bug, but if anyone was attaching significance to incorrectly-encoded booleans, that will break.
* Fix issuerUID and subjectUID parsing in the key usage checker.
* Add experimental handshake hints API.
* Make our Python scripts Python-3-compatible.
* Export ssl_client_hello_init for fuzzers.
* acvp: support GMAC as an algorithm.
* Record a fuzzing corpus for the ClientHelloInner decoder.
* Use a consistent plural for 'corpus'.
* Add util/bot/libFuzzer to .gitignore.
* acvp: support KAS-ECC-SSC staticUnified mode.
* Check for invalid ALPN inputs in SSL_(CTX_)set_alpn_protos.
  Update-Note: SSL_CTX_set_alpn_protos and SSL_set_alpn_protos will now reject invalid inputs. Previously, they would accept them, but silently send an invalid ALPN extension which the server would almost certainly error on.
* Don't duplicate ServerHello construction code.
* Rearrange key share and early data logic.
* Only skip early data with HRR when offered.
* Add ECH server config API to ssl_ctx_api fuzzer
* Fix ppc64le build.
* Simplify the Lucky13 mitigation.
* Add ECH server (draft-ietf-tls-esni-09).
* runner: Remove unused field
* runner: Construct finishedHash earlier.
* Simplify tls_cbc.c slightly.
* Remove remnants of CBC SHA2 cipher suites.
* runner: Test different V2ClientHello challenge lengths.
* runner: Ensure helloBytes is always the same as hello.marshal().
* runner: Fix ECH confirmation calculation with PSKs in tests.
* runner: Fix HPKE parameter order.
* runner: UpdateForHelloRetryRequest cannot fail.
* runner: Don't use the buffer in TLS 1.3.
* runner: Don't maintain two copies of the same transcript hash.
* runner: Remove remnants of SSL 3.0.
* runner: Fix writeClientHash and writeRecord ordering.
* runner: Remove CheckTLS13DowngradeRandom.
* runner: Remove remnants of the separate HelloRetryRequest message.
* runner: Store a cipherSuite in ClientSessionState.
* runner: Move writeHash to the finishedHash struct.
* Fix the spelling of HPKE AEAD constants.
* Don't reset server callback expectations on new handshake.
* Fix MockQuicTransport::Flush error handling.
* Fold ripemd/internal.h into ripemd.c.
* Move load/store helpers to crypto/internal.h.
* Make words in crypto/fipsmodule/modes actually words.
* Handle EINTR more in handshaker.cc.
* Add a few missing SSL_R_BIO_NOT_SET cases.
* Fix some unreachable code in the QUIC handshaker driver.
* Rearrange SSLKeyShare::Serialize.
* Fix ssl/internal.h sectioning.
* Remove some now unnecessary test exclusions from split handshakes.
* Remove tls13-split-handshakes flag.
* Define HANDSHAKER_SUPPORTED in one place.
* Tidy up handshaker tester.
* modulewrapper: add option to print build information.
* FIPS counters for AES-CTR.
* Enforce that pre_shared_key must come with psk_key_exchange_modes.
* Zero out FIPS counters.
* Remove is_resume field on TestState.
* Remove OPENSSL_DANGEROUS_RELEASE_PTHREAD_KEY build flag.
* Add some warnings on how to use OPENSSL_memory_* functions.
* Use an unsized helper for truncated SHA-512 variants.
  Update-Note: There is a small chance the asserts will trip something, but hopefully not since I've left SHA512_Final alone.
* Fix mismatch between header and implementation of bn_sqr_comba8.
* Remove GCC 4.8.99 check.
* Bump minimum CMake version.
* Automatically enable C11 atomics when available.
  Update-Note: If something fails to compile, we'll revert this and adjust the check, or add an opt-out, or give up. Also, if building with -std=c99, consider -std=c11.
* Make generate_build_files.py python3 compatible.
* Remove X509_REQ_set_extension_nids and document related functions.
  Update-Note: This removes a pair of unused functions.
* Document a few more functions in x509.h.
* Do not access value.ptr with V_ASN1_BOOLEAN.
* Add X509_PUBKEY_get0_public_key.
* Test empty EVP_CIPHER inputs and fix exact memcpy overlap.
* Revert "Implement rsa_pkcs1_sha256_legacy."
* Fix unnecessarily direction-specific tests in cipher_tests.txt
* Refactor HPKE API to include explicit length parameters.
* Generalize make_errors.go to allow EVP covering multiple directories.
* Add a Windows no-op impl of BORINGSSL_self_test
* Only pass -handshaker-path in split handshakes tests.
* Add RNG support for FreeBSD.
* Move fips.c into a subdirectory.
* Implement rsa_pkcs1_sha256_legacy.
* Better document nullable X.509 getters.
* runner: Remove redundant -enable-all-curves shim flag.
* Initialize nonce in PerAEADTest.ABI.
* Document ASN1_TYPE and related functions.
* fips: add counters.
* Align with OpenSSL on constness of static ASN1_OBJECTs.
  Update-Note: The change to OBJ_nid2obj should be compatible. The changes to X509_PUBKEY_set0_param and X509_ALGOR_set0 may require fixing some pointer types.
* Add -rr-record flag to runner.go.
* Register NAME_CONSTRAINTS with bssl::UniquePtr.
* Register POLICY_MAPPING with bssl::UniquePtr.
* Stub out some more of PKCS7.
* Remove TODO to reverse the output of PKCS12_parse.
* Make the X509_VAL structure opaque.
  Update-Note: I believe this is now safe to do. If there are compile failures, switch to X509_get0_notBefore, X509_getm_notBefore, and X509_set1_notBefore, or revert this if I'm wrong and too many callers still need updating.
* Support creating unencrypted PKCS#12 files.
* Move PKCS#12 samples to embed_test_data.
* Remove some remnants of TLS 1.3 downgrade carveouts.
  Update-Note: https://boringssl-review.googlesource.com/c/boringssl/+/44124 made these functions a no-op, but we kept them around because there were still some call sites floating around. That code has since been updated, so we can remove this.
* Remove X509_REQ_to_X509.
  Update-Note: This removes a function that appears to be unused. It also hardcodes the use of MD5, so please do not use it.
* Fix OPENSSL_EC_* constants and add EC_GROUP_get_asn1_flag
* RAND_set_rand_method returns int.
* Check the inner and outer CRL signature algorithms match.
  Update-Note: Invalid CRLs with inconsistent inner and outer signature algorithms will now be rejected.
* Remove block_mask from EVP_CIPHER_CTX.
  Update-Note: It doesn't look like anyone is reading into this field. If they are, we can ideally fix it, or revert this if absolutely necessary.
* Document a couple more functions in x509.h.
* Define X509V*_VERSION constants.
* Handle the default X.509 version explicitly.
* Compile for RISC-V.
* Add ECDSA nonce-testing functions.
* Rearrange ECDSA implementation.
* Split the FIPS mode PRNG lock in two.
* Remove legacy vs_toolchain.py environment variable.
* runner: Rename 'masterSecret' on session objects to plain 'secret'.
* Test ECDSA signing is non-deterministic.
* acvp: split ACVP modulewrapper for reuse by Trusty
* No-op CL to trigger some builds.
* Use CIPD Go packages.
* Update CMake on the bots and switch to CIPD where available.
* Future-proof vs_toolchain.py for VS2019.
* Revert "Revert "Disable check that X.509 extensions implies v3.""
* Update Clang and Go on the bots.
* Check for OBJ_nid2obj failures in X509_ATTRIBUTE_create.
* Don't overflow the output length in EVP_CipherUpdate calls.
  Update-Note: Passing extremely large input lengths into EVP_CipherUpdate will now fail. Use EVP_AEAD instead, which is size_t-based and has more explicit output bounds.
* Remove X509_issuer_and_serial_hash.
  Update-Note: No one uses this function. It had a NULL dereference in some error cases. See CVE-2021-23841.
* Fix Bazel build breakage.
* Specify VS toolchain by command-line argument.
* Update Android Bazel build support in BUILD.toplevel.
* Honor SSL_TLSEXT_ERR_ALERT_FATAL in the ALPN callback.
  Update-Note: Callers that return SSL_TLSEXT_ERR_ALERT_FATAL from the ALPN callback will change behavior. The old behavior may be restored by returning SSL_TLSEXT_ERR_NOACK, though see the documentation for new recommendations on return values.
* acvp: detect header element in JSON.
* Align the ARM capability functions.
* Skip runtime NEON checks if __ARM_NEON is defined.
  Update-Note: Builds with __ARM_NEON (-mfpu=neon) will now drop about 30KiB of dead code, but no longer work (if they even did before) on a particular buggy CPU. Builds without __ARM_NEON are not affected.
* acvp: don't include CMAC-AES in regcap dump.
* acvp: fix CMAC verify
* Include bn/internal.h for non-bcm.c builds.
* Add various function calls to test_fips.
* Add missing include to self_check.c.
* Revert "Disable check that X.509 extensions implies v3."
* Fix TLS13SessionID-TLS13 test.

Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I86bd269475ed5598d81787e7ecfec010c4a128fa