-
Notifications
You must be signed in to change notification settings - Fork 17
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update to upstream ae88f19 #100
Commits on Feb 9, 2023
-
Bound the overall output size of ASN1_generate_v3
The output of ASN1_generate_v3 is *mostly* linear with the input, except SEQ and SET reference config sections. Sections can be referenced multiple times, and so the structure grows exponentially. Cap the total output size to mitigate this. As before, we don't consider these functions safe to use with untrusted inputs, but unbounded growth will frustrate fuzzing. This CL sets the limit to 64K, which should be enough for anyone. (This is the size of a single X.509 extension, whereas certificates themselves should not get that large.) While not strictly necessary, this also rearranges the ASN1_mbstring_copy call to pass in a maximum output. This portion does scale linearly with the output, so it's fine, but the fuzzer discovered an input with a 700K-byte input, which, with fuzzer instrumentation and sanitizers, seems to be a bit slow. This change should help the fuzzer get past those cases faster. Update-Note: The stringly-typed API for constructing X.509 extensions now has a maximum output size. If anyone was constructing an extension larger than 64K, this will break. This is unlikely and should be caught by unit tests; if a project hits this outside of tests, that means they are passing untrusted input into this function, which is a security vulnerability in itself, and means they especially need this change to avoid a DoS. Bug: oss-fuzz:55725 Change-Id: Ibb65854293f44bf48ed5855016ef7cd46d2fae77 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57125 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9580424 - Browse repository at this point
Copy the full SHA 9580424View commit details
Commits on Feb 10, 2023
-
Generate Rust wrappers for HKDF
This change exposes the necessary APIs for rust-openssl's HKDF wrappers in [PKeyCtxRef] (https://docs.rs/openssl/latest/openssl/pkey_ctx/struct.PkeyCtxRef.html#method.set_hkdf_mode). Diff of the generated bindings: https://gist.github.com/mauricelam/51602bf17d4a5f9023a27cbe5f9ff705 Change-Id: Ic8df3d5308cfee5964ceadd3c2524b77e12512fb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57066 Reviewed-by: Alex Gaynor <alex.gaynor@gmail.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Maurice Lam authored and Boringssl LUCI CQ committedFeb 10, 2023 Configuration menu - View commit details
-
Copy full SHA for bd7e419 - Browse repository at this point
Copy the full SHA bd7e419View commit details -
Add a note in INCORPORATING about which branch to use
Especially when they were named "2214" instead of "chromium-2214", I've seen papers and other projects treat them as releases. Add a note to make it clear they are not releases. Change-Id: Ie820b800de3d25a31d3083d4ceff75e1d7f74a06 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57145 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for ace3316 - Browse repository at this point
Copy the full SHA ace3316View commit details
Commits on Feb 11, 2023
-
Add OPENSSL_asprintf and friends for asprintf(3) functionality.
This includes an internal version which allows a flag to specify the use of system malloc, or OPENSSL_malloc - this in turn allows us to use this function in the ERR family of functions and allow for ERR to not call OPENSSL_malloc with a circular dependency. Bug: 564 Change-Id: Ifd02d062fda9695cddbb0dbef2e1c1db0802a486 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57005 Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Bob Beck authored and Boringssl LUCI CQ committedFeb 11, 2023 Configuration menu - View commit details
-
Copy full SHA for 350f854 - Browse repository at this point
Copy the full SHA 350f854View commit details -
Make ERR and thread use system malloc.
This will let us call ERR and thread_local from OPENSSL_malloc without creating a circular dependency. We also make ERR_get_error_line_data add ERR_FLAG_MALLOCED to the returned flags value, since some projects appear to be making assumptions about it being there. Bug: 564 Update-Note: Any recent documentation (in all OpenSSL forks) for the ERR functions cautions against freeing the returned ERR "data" strings, as freeing them is handled by the error library. This change can make an existing double free bug more obvious by being more likely to cause a crash with the double free. Change-Id: Ie30bd3aee0b506473988b90675c48510969db31a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57045 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: Bob Beck <bbe@google.com>
Bob Beck authored and Boringssl LUCI CQ committedFeb 11, 2023 Configuration menu - View commit details
-
Copy full SHA for fc524c1 - Browse repository at this point
Copy the full SHA fc524c1View commit details
Commits on Feb 13, 2023
-
Cap decimal input sizes in s2i_ASN1_INTEGER
Decoding from decimal takes quadratic time, and BN_dec2bn will happily decode however large of input you pass in. This frustrates fuzzers. I've added a cap to the input length in s2i_ASN1_INTEGER for now, rather than BN_dec2bn, because we've seen people use BN for surprisingly large calculator operations, and BN generally doesn't cap inputs to quadratic (or worse) algorithms beyond memory limits. (We generally rely on cryptography using fixed parameter sizes, though RSA, DSA, and DH were misstandardized and need ad-hoc limits everywhere.) Update-Note: The stringly-typed API for constructing X.509 extensions now has (very generous) maximum input length for decimal integers of 8,192 digits. If anyone was relying on a higher input, this will break. This is unlikely and should be caught by unit tests; if a project hits this outside of tests, that means they are passing untrusted input into this function, which is a security vulnerability in itself, and means they especially need this change to avoid a DoS. Bug: chromium:1415108 Change-Id: I138249d23ca6b1996f8437dba98633349bb3042b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57205 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d5e93f5 - Browse repository at this point
Copy the full SHA d5e93f5View commit details -
Make OPENSSL_malloc push ERR_R_MALLOC_FAILURE on failure.
Remove all the other ERR_R_MALLOC_FAILURES from the codebase. Also changes cbb to push to the error stack, to correctly report cbb failures instead of now only reporting malloc failures. Previously it turned all cbb failures into a malloc failure Bug: 564 Change-Id: Ic13208bf9d9aaa470e83b2f15782fc94946bbc7b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57046 Auto-Submit: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Bob Beck authored and Boringssl LUCI CQ committedFeb 13, 2023 Configuration menu - View commit details
-
Copy full SHA for dcabfe2 - Browse repository at this point
Copy the full SHA dcabfe2View commit details
Commits on Feb 14, 2023
-
Fix a -Wignored-qualifiers warning in trust_token_test.cc
The const bool doesn't do anything. While I'm here, make the methods const. Change-Id: Id8c31d5fcda6d8bc244c64b02b1d758e4eff6849 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57185 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com>
Configuration menu - View commit details
-
Copy full SHA for ec64d7e - Browse repository at this point
Copy the full SHA ec64d7eView commit details -
Align the hash-to-curve formulation with draft-16.
draft-07 to draft-16 is mostly editorial, but there were a few notable changes: - Empty DST values are forbidden. - The sample implementation for map_to_curve_simple_swu has completely changed. The new formulation has the same performance (if not a smidge faster), and aligning with the spec seems generally useful. - P-384 is now paired with SHA-384, not SHA-512. As this would be a breaking change for the trust tokens code, I've left that in. A follow-up CL will add implementations of draft-16, which is expected to match the final draft. Before: Did 77000 hash-to-curve P384_XMD:SHA-512_SSWU_RO_ operations in 4025677us (19127.2 ops/sec) Did 7156000 hash-to-scalar P384_XMD:SHA-512 operations in 4000385us (1788827.8 ops/sec) After: Did 77000 hash-to-curve P384_XMD:SHA-512_SSWU_RO_ operations in 4009708us (19203.4 ops/sec) [+0.4%] Did 7327000 hash-to-scalar P384_XMD:SHA-512 operations in 4000477us (1831531.6 ops/sec) [+2.4%] Bug: 1414562 Change-Id: Ic3c37061e325250d5d8723fd9aa263930c6023cf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57146 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: Steven Valdez <svaldez@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9c9b2c2 - Browse repository at this point
Copy the full SHA 9c9b2c2View commit details -
Implement P256_XMD:SHA-256_SSWU_RO_ and P384_XMD:SHA-384_SSWU_RO_
Also add public APIs for this, now that the specification is no longer expected to change, and because a project external to the library wishes to use it. For now, I've kept the P-256 version using the generic felem_exp, but we should update that to use the specialized field arithmetic. Trust Tokens will presumably move to this later and, in the meantime, another team wants this. Bug: chromium:1414562 Change-Id: Ie38203b4439ff55659c4fb2070f45d524c55aa2a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57147 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Steven Valdez <svaldez@google.com>
Configuration menu - View commit details
-
Copy full SHA for 3950d6c - Browse repository at this point
Copy the full SHA 3950d6cView commit details -
Unify the two copies of bn_add_words and bn_sub_words
Compilers are fine at inlining functions nowadays. We can hide the BN_ULLONG vs. manual carry extraction inside an inline function. I've patterned the type signatures intentionally after Clang's builtins, in case we want to use them in the future. (Previously I wrote in https://boringssl-review.googlesource.com/c/boringssl/+/56966 that the builtins weren't good on aarch64. This wasn't quite right. Rather, they were bad on both x86_64 and aarch64 in LLVM 13, but they're fine on both in LLVM 14. My machine's Xcode was just a little old.) Change-Id: I666466dce7a146d5e49e94ff372ea018b610ef34 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57245 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for de12e3c - Browse repository at this point
Copy the full SHA de12e3cView commit details -
Specify -Iinclude with the crypto target.
It's unclear to me whether doing it target-by-target is an improvement in crypto/fipsmodule, but this otherwise does seem a bit tidier. This aligns with CMake's documentation and "modern CMake" which prefers this pattern. Change-Id: I36c81842bff8b36eeaaf5dd3e0695fb45f3376c9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56585 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 0e68520 - Browse repository at this point
Copy the full SHA 0e68520View commit details -
Don't include custom builds of libc++ in CMake installs
Also stick the very verbose default install directory in a variable so we don't have to repeat it everywhere. Change-Id: I1a6a85c4d42d3a6e766e52b2d0ecd8e81c6ed4e3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56607 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for e5f7266 - Browse repository at this point
Copy the full SHA e5f7266View commit details -
Remove global_target from build.
This was added with the generated symbol-prefixing header. But it seems to be sufficient for crypto to have a dependency on the generated header, along with some of the stray bits of delocate. It's a little unclear from CMake documentation how these are processed; normally .o files can be built before libraries are built or linked, only the link step depends on. But, empirically, if A links B, and B has a dependency on C, then CMake seems to run C before building any of A. I tested this by making a small project where the generation step slept for three seconds and running with enough parallelism that we'd have tripped. Interestingly, in the Makefile output, the individual object file targets didn't have that dependency, but the target itself did. But this was true on both A and B, so I think that just might not work. Also fix the dependency in the custom target. The old formulation broke when using an absolute path to the symbols file. Change-Id: I2053d44949f907d465da403a5ec69c191740268f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56928 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8c75ed0 - Browse repository at this point
Copy the full SHA 8c75ed0View commit details -
Remove proxy certificate support.
Nothing uses this, and the code is somewhat decrepit. Instead of fixing it and continuing to maintain it as attack surface, we send this off to the farm where it can run and play all day with the other unused X.509 extensions. Update-note: This removes the proxy certificate extension from the recognized certificate extensions. Previously by default a certificate with a critical proxy certificate extension would have been rejected with "proxy certificate not allowed", but will now be rejected with an unrecognized critical extension error. Fixed: 568 Change-Id: I5f838d69c59517254b4fa83f6e2abe6057fa66c7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57265 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com>
Bob Beck authored and Boringssl LUCI CQ committedFeb 14, 2023 Configuration menu - View commit details
-
Copy full SHA for 503ba98 - Browse repository at this point
Copy the full SHA 503ba98View commit details -
Tidy up check_chain_extensions after proxy certificate removal
Change-Id: I0b1ba546374aa8b0fe79528f56e19f261536e565 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57305 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for ca1690e - Browse repository at this point
Copy the full SHA ca1690eView commit details -
Use --allowlist-file in bssl-sys
bindgen, by default, will bind every random symbol in the libc, which is clearly unreasonable. Now that --allowlist-file exists, we can switch to doing what it should have done from the beginning. This produces a pretty large diff in the bindgen output, but it's all to exclude miscellaneous bits of libc. Change-Id: I9a35fda10ff6f1b82449919f9fcc2ea86ad5b802 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57325 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Alex Gaynor <alex.gaynor@gmail.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for b8b924c - Browse repository at this point
Copy the full SHA b8b924cView commit details -
Change-Id: I5682358b5564dbaa734c5910c11a8274e88ca67a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57186 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for f30c031 - Browse repository at this point
Copy the full SHA f30c031View commit details
Commits on Feb 15, 2023
-
Make boringssl_gtest_main a STATIC library
Prior to 3.12 (which we won't be requiring until July), OBJECT libraries cannot be used with target_link_libraries. That means they cannot pick up INTERFACE_INCLUDE_DIRECTORIES, which makes them pretty unusable in the "modern CMake" style. Just switch it to a static library to unbreak the build in CMake 3.10. For some link ordering reason I don't understand, this also requires explicitly linking boringssl_gtest to libcxx when we USE_CUSTOM_LIBCXX is set. Change-Id: Ia9d8351551f5da060248aa3ca73fe04473bf62aa Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57345 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 987dff1 - Browse repository at this point
Copy the full SHA 987dff1View commit details
Commits on Feb 16, 2023
-
While hiding 'type' isn't such a huge deal, accessing 'pkey' without a type check is very dangerous. The accessors are type-checked and avoid this problem. It also gets us slightly closer to not needing to utter CRYPTO_refcount_t in public headers, as we're currently not quite declaring it right. And it allows us to remove another union: https://boringssl-review.googlesource.com/c/boringssl/+/57106 This matches what upstream did in OpenSSL 1.1.0. Update-Note: Code that reaches into the EVP_PKEY struct will no longer compile, like in OpenSSL. I believe I've fixed all the cases. If I missed any, the fix is to switch code to accessors. EVP_PKEY_id(pkey) for pkey->type is the most common fix. Change-Id: Ibe8d6b6cb8fbd141ea1cef0d02dc1ae3703e9469 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57105 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 890c201 - Browse repository at this point
Copy the full SHA 890c201View commit details -
Replace the union inside EVP_PKEY with void*.
The union isn't actually providing type-safety: nothing checks that we access the correct arm of the union, and it has a void* arm anyway. Instead, it's just adding some strict aliasing risk by relying on type-punning: we usually write to the pointer as void*, via EVP_PKEY_assign, but then we read from it as the underlying type. This is allowed in C, but not in C++. And even in C, while that is allowed, if we ever wrote &pkey->pkey.rsa, it would suddenly be a strict aliasing violation. Just use a void*, which means we don't type-pun pointer types against each other. While I'm here, I made the free callbacks for EVP_PKEYs also NULL the pointer. The one caller also NULLs it, so its fine, but some did and some didn't do it, and this seems prudent. Bug: 301 Change-Id: I74c76ed3984527df66f64bb2d397af44f63920bd Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57106 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for ffb8050 - Browse repository at this point
Copy the full SHA ffb8050View commit details -
This convention seems to break with some other tooling we have. Until we figure out how to resolve that, remove the lines. This partially reverts 54b04fd but keeps the fixes to the license header comments. Change-Id: I4f08a9f3daf65d17b4c78ac6f4ac3de234ec3436 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57366 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for bab2f96 - Browse repository at this point
Copy the full SHA bab2f96View commit details
Commits on Feb 17, 2023
-
Change-Id: I7dea47e73cbfbfa48a8924f3a633215c06730b22 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57425 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Bob Beck authored and Boringssl LUCI CQ committedFeb 17, 2023 Configuration menu - View commit details
-
Copy full SHA for badf673 - Browse repository at this point
Copy the full SHA badf673View commit details -
Move constants from .text to .rodata on aarch64
This extends the support for execute-only memory in AArch64 assembly and uses adrp and add instead of adr. Change-Id: I388a13ec754e7f179d7a234516f1bb4ff6a5c919 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57446 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for e18ba27 - Browse repository at this point
Copy the full SHA e18ba27View commit details
Commits on Feb 21, 2023
-
Ran go get -u all, followed by go mod tidy. Some tools are flagging CVE-2021-43565 and CVE-2022-27191 in some of the Go packages. Our uses of x/crypto are x/net are not impacted by either bug, but update anyway to silence the tools. Change-Id: Ia0e2757625b58d964aedd4217f21b72f293b910b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57485 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for bade461 - Browse repository at this point
Copy the full SHA bade461View commit details
Commits on Feb 22, 2023
-
It happened that it used to be possible to run `acvptool` with `-json` and not need a config file. That stopped working as of 02397c7 but the test runner needs to be updated accordingly. Change-Id: I54cf0fc7420d18749e93c3d85201ba24d0a59e15 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57465 Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 016de5a - Browse repository at this point
Copy the full SHA 016de5aView commit details -
acvp: write updated tests without
.bz2
suffixGo has a bzip2 decoder but not an encoder (because I only needed a decoder when I wrote the package). Thus when updated ACVP tests are written they aren't compressed. This change removes the `.bz2` suffix from paths when writing updated tests, which makes it easier to compress them. Change-Id: I9de6a1845cdf1cddca2e5d253b97262b023393f6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57466 Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for f39826d - Browse repository at this point
Copy the full SHA f39826dView commit details -
acvp: update test expectations
1740ff9 added an "algorithm" key to the output. The test expectations need to be updated accordingly. Also drops 3DES tests since they were removed from the regcap in 8241345. Change-Id: Ibd23f6166111be361511c2f7974348400f7151e2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57467 Reviewed-by: David Benjamin <davidben@google.com> Auto-Submit: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 583c60b - Browse repository at this point
Copy the full SHA 583c60bView commit details -
Fix Android tests with new recipe changes
After https://chromium-review.googlesource.com/c/chromium/tools/build/+/4277422, the old ANDROID_NATIVE_API_LEVEL values are no longer in CMakeCache.txt. Change-Id: If0c724081ef99bf3bc2e714fe84b6d16925bd116 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57507 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9227295 - Browse repository at this point
Copy the full SHA 9227295View commit details -
Gracefully handle DSA objects with missing fields
OpenSSL's APIs are full of empty objects that aren't captured in the type system. A DSA object may represent any of nothing, a group, a public key, or a private key. Since the type system doesn't capture this, better to check which type we've got and NULL-check the fields we need for the operation. Change-Id: I32b09ebaad58fcb2a0bfc9ad56d381f95099bf7b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57225 Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 7c860a4 - Browse repository at this point
Copy the full SHA 7c860a4View commit details -
Reject zero ECDSA keys in EC_KEY_set_private_key
We already reject values that are out of bounds. Also we were using the wrong error, so fix that. Zero should additionally be rejected, otherwise, when signing an all-zero digest (impossible unless your system signs untrusted, pre-hashed inputs), ECDSA can infinite loop. Thanks to Guido Vranken who reported an analogous issue with DSA in openssl/openssl#20268 When EC_KEYs are obtained through the parser, this CL is a no-op. The corresponding public key is the point at infinity, which we'll reject at both parse time and in EC_KEY_check_key. But as EC_KEY runs into OpenSSL's usual API design flaw (mutable, field-by-field setters over constructor functions for immutable objects), we should reject this in EC_KEY_set_private_key too. Update-Note: Systems that manually construct an EC_KEY (i.e. not from parsing), and either omit the public key or don't call EC_KEY_check_key will start rejecting the zero private key. If such a system *also* signs untrusted digests, this fixes an infinite loop in ECDSA. Change-Id: I3cc9cd2cc59eb6d16826beab3db71d66b23e83ff Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57226 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for aa8d3b5 - Browse repository at this point
Copy the full SHA aa8d3b5View commit details -
Revert "Revert "Fetch entropy from a system daemon in FIPS mode on An…
…droid."" This reverts commit 8ce0e1c. The original commit didn't work on Android because: a) urandom_test didn't handle the fact that Android requires getrandom() and will never fall back to /dev/urandom. b) Android may open files in /dev/__properties__ which confused urandom_test. The original change is patchset 1 so the differences build on that. Change-Id: Ib840ec20d60cb28d126d3d09271b18fbd9ec1371 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53705 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: Adam Langley <agl@google.com>
Adam Langley authored and Boringssl LUCI CQ committedFeb 22, 2023 Configuration menu - View commit details
-
Copy full SHA for 85a1e2e - Browse repository at this point
Copy the full SHA 85a1e2eView commit details
Commits on Feb 23, 2023
-
Add more DSA consistency checks.
DSA private keys cannot be zero. If they are, trying to sign an all zeros digest loops forever. Thanks to Guido Vranken who reported this in openssl/openssl#20268 Along the way, because OpenSSL's bad API design made constructing DSA objects such a mess, just move all the consistency checks to dsa_check_parameters (now dsa_check_key) so it is consistently checked everywhere. Ideally we'd get a better handle on DSA state, like we hope to do for RSA state (though not there yet), so checks only happen once. But we consider DSA deprecated so it's not worth putting much effort into it. Update-Note: Some invalid DSA keys will be rejected by the parser and at use. Nothing should be using DSA anymore. Change-Id: I25d3faf145a85389c47abdd9db8e9b0056b37d8a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57227 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 788bf74 - Browse repository at this point
Copy the full SHA 788bf74View commit details -
Cap the number of ECDSA and DSA sign iterations.
When the parameters are incorrect, all assumptions of (EC)DSA fly out the window, including whether the retry loop actually terminates. While ECDSA is broadly used with fixed, named groups, DSA was catastrophically mis-specified with arbitrary parameters being the default and only mode. Cap the number of retries in DSA_do_sign so invalid DSA groups cannot infinite loop, e.g. if the "generator" is really nilpotent. This also caps the iteration count for ECDSA. We do, sadly, support arbitrary curves via EC_GROUP_new_curve_GFp, to help Conscrypt remain compatible with a badly-designed Java API. After https://boringssl-review.googlesource.com/c/boringssl/+/51925, we documented that untrusted parameters are not supported and may produce garbage outputs, but we did not document that infinite loops are possible. I don't have an example where an invalid curve breaks ECDSA, but as it breaks all preconditions, I cannot be confident it doesn't exist, so just cap the iterations. Thanks to Hanno Böck who originally reported an infinite loop on invalid DSA groups. While that variation did not affect BoringSSL, it inspired us to find other invalid groups which did. Thanks also to Guido Vranken who found, in openssl/openssl#20268, an infinite loop when the private key is zero. That was fixed in the preceding CL, as it impacts valid groups too, but the infinite loop is ultimately in the same place, so this change also would have mitigated the loop. Update-Note: If signing starts failing with ECDSA_R_INVALID_ITERATIONS, something went horribly wrong because it should not be possible with real curves. (Needing even one retry has probability 2^-256 or so.) Change-Id: If8fb0157055d3d8cb180fe4f27ea7eb349ec2738 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57228 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 474ddf8 - Browse repository at this point
Copy the full SHA 474ddf8View commit details -
Tweak urandom_test for Android devices without getrandom.
Some Android devices in our builder pool are so old that they lack getrandom. This change attempts to make them happy. Change-Id: I5eea04f1b1dc599852e3b8448ad829bea05b9fe9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57527 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 3cd7faa - Browse repository at this point
Copy the full SHA 3cd7faaView commit details -
Start a Kyber implementation with basic Keccak code.
Change-Id: I8e9a0b83453e44bdecab017144596bd3d61898ac Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57385 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 7864b14 - Browse repository at this point
Copy the full SHA 7864b14View commit details -
Move data from .text to .rodata on x86_64
Various constants and strings identifying the authors are currently misplaced in .text. This change allows using execute-only .text on platforms that enforce it by default, such as OpenBSD. Modify x86_64-xlate.pl to replace .rodata with __DATA,__const for macs. Adapt the nasm/masm path to emit an .rdata segment with alignment of 8. This last change is not strictly needed but makes things explicit. Change-Id: If716b892c1faabd85c6c70bdd75e145304841f83 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57445 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for ebd43ef - Browse repository at this point
Copy the full SHA ebd43efView commit details -
Print the reason the child stopped in urandom_test
Change-Id: I736c7dc17efcaa5c3d8bd5fdee36d2dcb86ae627 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57567 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for bffae8a - Browse repository at this point
Copy the full SHA bffae8aView commit details -
Pass the full user_regs_struct to PTRACE_SETREGS
At least on the devices we have on CI, PTRACE_SETREGS seems to break things when passing in a slightly smaller structure. I'm guessing the other registers get set to zero, so we SIGILL. Cq-Include-Trybots: luci.boringssl.try:android_aarch64 Change-Id: I09da595dba2b6b70805c9a79c71c797c0f6635c0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57585 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8251dd8 - Browse repository at this point
Copy the full SHA 8251dd8View commit details -
Go back to breaking syscalls with the syscall number
Setting the first argument to -1 works, but changing the syscall number is more straightforward. It's doable on aarch64 too, if we use a different regset. Cq-Include-Trybots: luci.boringssl.try:android_aarch64 Change-Id: I6c3c2d3dc67c06a44b181f9086cb5c9d343d51bc Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57587 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5eb9343 - Browse repository at this point
Copy the full SHA 5eb9343View commit details -
Require getauxval on 32-bit Arm Linux
We used to have a tower of fallbacks to support older Androids that were missing getauxval. The comments say getauxval is available in Android API level 20 or higher, but this wasn't right. It's actually API level 18 or higher per the NDK headers and https://developer.android.com/ndk/guides/cpu-features Android API level 18 is Android 4.3, or Jelly Bean MR2. Recent versions of the NDK (starting r24, March 2022) don't even support Jelly Bean, i.e. the minimum API level is 19, and the usage statistics in the latest Android Studio stop at KitKat. As far as I know, nothing needs us to support API levels 17 and below anymore. Update-Note: BoringSSL now requires API level 18 or later. Projects needing to support API level of 17 or below will fail to build due to the use of getauxval. If any such projects exist, please contact BoringSSL maintainers. Change-Id: Iedc4836ffd701428ab6d11253d4ebd5a9121e667 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57506 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 6ab4f0a - Browse repository at this point
Copy the full SHA 6ab4f0aView commit details
Commits on Feb 24, 2023
-
Create the SSLKeyShare object in TLS 1.2 client ECDHE slightly later
We call Accept as a TLS 1.2 client and a TLS 1.3 server. In the latter, we create an SSLKeyShare object, Accept, and immediately destroy it. In the former, we create the SSLKeyShare object a couple steps before actually using it. It's equivalent to create the object just before Accept, so switch to that. This change means that hs->key_shares now only ever contains objects in between Offer and Finish. Or, in KEM terms, it only ever contains KEM private keys. (SSLKeyShare objects are currently a little confused about what kind of state they contain.) Change-Id: Idec62ac298785f784485bc9065f7647034d2a607 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57605 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 7fa0910 - Browse repository at this point
Copy the full SHA 7fa0910View commit details -
Move the ASN.1-based SSLKeyShare serialization to handoff.cc.
We've got two layers of serialization. There's the lower-level SerializePrivateKey/DeserializePrivateKey functions that just encode a private key assuming you already know the group, and then there's Serialize/Create which output an INTEGER and OCTET STRING pair. The latter is only used by handoff.cc, so move them there. This trims the SSLKeyShare abstraction slightly. Change-Id: I1c901d7c16b082bfe1b6acd0a1711575e7f95c05 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57625 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for a5dcf35 - Browse repository at this point
Copy the full SHA a5dcf35View commit details -
Since this was written, we've tidied up the EC code a bit: 1. While not quite yet infallible (but we should get there), the output of EC_GROUP_new_by_curve_name no longer needs to be freed. 2. BN_CTX no longer does anything in EC code, so just pass in NULL. We really should build a real ECDH API, but for now just improve our use of the current thing. Change-Id: I44f5429afec06c28372ae70148eb8de263d716f3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57626 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9cbff81 - Browse repository at this point
Copy the full SHA 9cbff81View commit details -
This was added in https://crbug.com/1414198. Extracting it to the same place as before to avoid needing to update the recipe. Change-Id: I02dd8bc2a9c0fc54236e10e13a43e716f1a34247 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57647 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 55902f2 - Browse repository at this point
Copy the full SHA 55902f2View commit details -
Pick up a VS 2022 toolchain from Chromium
Nothing uses it yet, but this makes it available for any CI builders that set vs_version to 2022. Bug: 569 Change-Id: I7058157182f3e7762a35f8138977f37d56d65094 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57648 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for b3c2c75 - Browse repository at this point
Copy the full SHA b3c2c75View commit details
Commits on Feb 27, 2023
-
Run Go tests as part of run_tests
This doesn't run them as part of CI yet, but I'll follow-up with a recipe change to read the same util/go_tests.txt file and run Go tests in there. Bug: 506 Change-Id: Ifd527b1d00ec30896582360132249230fab7e7c0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57645 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for f53ca9f - Browse repository at this point
Copy the full SHA f53ca9fView commit details -
Ignore elf.ErrNoSymbols in util/read_symbols.go
It seems empty assembly files generate object files without a symbol section at all. Just skip them. Change-Id: I1bf06050dbde793e57faaeb2e40bcc4b6de497a6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57665 Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 1b666dd - Browse repository at this point
Copy the full SHA 1b666ddView commit details -
Replace almost all instances of CMAKE_SOURCE_DIR and CMAKE_BINARY_DIR
If another project includes us as a subproject, as gRPC does, CMAKE_SOURCE_DIR points to the top-level source directory, not ours. PROJECT_SOURCE_DIR points to ours. Likewise, CMAKE_BINARY_DIR will point to the top-level one. gRPC doesn't consume this CMake build, but in preparation for eventually unifying the two CMake builds, replace CMAKE_SOURCE_DIR and CMAKE_BINARY_DIR with a combination of CMAKE_CURRENT_{SOURCE,BINARY}_DIR and PROJECT_SOURCE_DIR. There's one more CMAKE_SOURCE_DIR which controls some default install directory. I've left that one alone for now as I'm not sure what to do with it. Probably the answer is to, like in gRPC, disable the install target by default when we're not the top-level source directory. Bug: 542 Change-Id: Iea26bbef8a4637671fd0e7476101512e871e7e18 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57686 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8c4ec3b - Browse repository at this point
Copy the full SHA 8c4ec3bView commit details -
This fixes two issues introduced in 0e68520. First, libssl never had a dependency on libcrypto, so the include directory did not get passed along. Second, although this build (unlike the other CMake build) doesn't define an install target, gRPC includes it and then pulls it into its own install target. That then runs afoul of CMake's check against include directories in install targets. To avoid this, condition the src/include directory on $<BUILD_INTERFACE:...> but omit a corresponding $<INSTALL_INTERFACE:...>. Since we're not the ones providing an install target, we don't actually know the value to use. Per [0], using the generator expression means we need to manually make it absolute ourselves. [0] https://cmake.org/cmake/help/latest/command/target_include_directories.html Change-Id: I2a25cc8382116c5957d94f65641220559b7af87d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57685 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 92859cc - Browse repository at this point
Copy the full SHA 92859ccView commit details -
Workaround yet more NULL + 0 language bugs
No new tests because they're actually caught by our own tests. I just forgot to put UBSan on CI! Will fix this shortly. For BLAKE2, fix this by checking for zero. For c2i_ASN1_INTEGER, rewrite it with CBS, which has the side effect of avoiding this. (It's effectively maintaining in->data + start as a temporary, rather than start itself.) Bug: fuchsia:46910 Change-Id: I9366f1ba4fd0b0140d64c56e0534d7b060ab90e5 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57687 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 3c6085b - Browse repository at this point
Copy the full SHA 3c6085bView commit details -
https://boringssl-review.googlesource.com/c/boringssl/+/57645 wasn't quite right. The cd to run ssl/test/runner affects the subsequent commands. Fix this by running the Go tests first. They're very fast compared to the others anyway. Change-Id: Id5ea54a9787173eb3ed80e9db2c9ecfe064a93b0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57688 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for e3a5fac - Browse repository at this point
Copy the full SHA e3a5facView commit details
Commits on Feb 28, 2023
-
Use the common location for CMake in the bots
Follow-up to https://chromium-review.googlesource.com/c/chromium/tools/build/+/4296194/ But mostly I've since added a lot more configurations to CI and want to make sure I haven't broken anything. Change-Id: I627711356004bf2244bd729b6055e9e0e619724e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57691 Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for f88b7c8 - Browse repository at this point
Copy the full SHA f88b7c8View commit details -
Define a NID for P-384 + Kyber768.
We do not expect to support this combination, but other consumers of BoringSSL may choose to. Change-Id: Ifdafa6a0032af078343bb9ecd80eea89eee582be Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57705 Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 028bae7 - Browse repository at this point
Copy the full SHA 028bae7View commit details
Commits on Mar 1, 2023
-
Use KEM terminology in TLS ECDHE and key_share abstractions
TLS 1.2 ECDHE and TLS 1.3 key shares were originally designed around Diffie-Hellman-like primitives and use language based on that. Post-quantum replacements do not look like Diffie-Hellman, where each part exchanges a public key, but schemes that work differently can still slot in without protocol changes. We previously came up with our own Offer/Accept/Finish abstraction for early post-quantum experiments, but the NIST constructions are all expressed as KEMs: First, the recipient generates a keypair and sends the public key. Then the sender encapsulates a symmetric secret and sends the ciphertext. Finally, the recipient decapsulates the ciphertext to get the secret. Align our C++ and Go abstractions to this terminology. The functions are now called Generate/Encap/Decap, and the output of Encap is called "ciphertext", which seems to align with what most folks use. (RFC 9180 uses "enc" for "encapsulated key", but they staple a KEM to an AEAD, so "ciphertext" would be ambiguous.) Where variable names refer to parts of the protocol, rather than the the underlying KEM-like construction, I've kept variable names matching the protocol mechanism, so we still talk about "curves" and "key shares", but, when using the post-quantum replacements, the terminology is no longer quite accurate. I've also not yet renamed SSLKeyShare yet, though the name is now inaccurate. Also ideally we'd touch that up so the stateful object is just a KEM private key, for SSLKEMKey. Though at that point, we maybe should just add EVP_KEM and EVP_KEM_KEY APIs to libcrypto. Change-Id: Icbcc1840c5d2dfad210ef4caad2a7c4bf8146553 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57726 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 08b1f38 - Browse repository at this point
Copy the full SHA 08b1f38View commit details -
urandom_test: force MADV_WIPEONFORK both ways.
This test could simulate the lack of MADV_WIPEONFORK on systems with it, but couldn't simulate having it if the kernel didn't support it. This change makes the presence / absence of BORINGSSL_IGNORE_MADV_WIPEONFORK control whether MADV_WIPEONFORK is "supported" in the test environment or not, and corrects the test for the case where it's missing. Change-Id: I23876788a0e0a4fd2a148f98b6b94e40880b6fc9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57745 Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 76cb7c5 - Browse repository at this point
Copy the full SHA 76cb7c5View commit details
Commits on Mar 2, 2023
-
Fix use of unitialized cbb on failure case.
This made fido2's fuzzer angry: https://buganizer.corp.google.com/issues/271220905 Change-Id: Ib1b909be10f230df2daea3942f35cba0a81dcedb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57765 Commit-Queue: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Bob Beck authored and Boringssl LUCI CQ committedMar 2, 2023 Configuration menu - View commit details
-
Copy full SHA for e06f172 - Browse repository at this point
Copy the full SHA e06f172View commit details
Commits on Mar 3, 2023
-
Add a few more assertions to compiler_test.cc.
Also turn assertions into static_assert where we can. These should be no-ops with existing assertions. The int assertion is tighter, but we already assert this in constant_time_declassify_int. We cannot support 64-bit int because it messes up integer promotion rules. Change-Id: I628d2d7decdfa8bc01d8c6013bc7c20f927d63b1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57785 Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 93e8d44 - Browse repository at this point
Copy the full SHA 93e8d44View commit details
Commits on Mar 5, 2023
-
Plug a leak in ASN1_item_i2d()
ASN1_item_ex_i2d() does not take ownership of the memory pointed at by *out, so it's the caller's responsibility to free it on error. Change-Id: Id8cb70e50f280944418629a32b53fd4ca248b0bd Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57805 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 3a7dfdb - Browse repository at this point
Copy the full SHA 3a7dfdbView commit details
Commits on Mar 6, 2023
-
I did not have "find a bug in the assembler" on my bingo card today, but here we are. NASM 2.15, prior to 2.15.04, has a bug where, if a section that already exists is referenced again with alignment qualifiers, it incorrect adds padding and mangles the output. See https://bugzilla.nasm.us/show_bug.cgi?id=3392701. Work around this by suppressing the perlasm-emitted qualifiers the second time a section is emitted. We likely don't need these qualifiers because, for all sections we care about, NASM's defaults are fine, but perlasm tries to align .text more aggressively than the default, so let it do that. Bug: chromium:1422018 Change-Id: Iade5702c139b70772d4957a83c8f9be86c8af97c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57825 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for abb9af8 - Browse repository at this point
Copy the full SHA abb9af8View commit details -
test_fips: flush stdout before aborting on failure.
When running on a device via `adb shell`, stdout will be a pipe and so is block buffered, leading to lost output if abort() is called before flushing. Change-Id: Ica67132fb8b2b1e7967df89fa3d0a9a793d8cbbf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/54025 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 082e953 - Browse repository at this point
Copy the full SHA 082e953View commit details
Commits on Mar 7, 2023
-
Remove EVP_PKEY_ASN1_METHOD and EVP_PKEY_METHOD from public headers
With EVP_PKEY and EVP_PKEY_CTX opaque, these symbols don't appear in any public APIs anymore. Make them internal, which also opens the door to renaming them: - EVP_PKEY_METHOD is more accurately EVP_PKEY_CTX_METHOD - EVP_PKEY_ASN1_METHOD is more accurately EVP_PKEY_METHOD Or perhaps the split doesn't mean much and we should fold them together. Change-Id: I8a0f7c2e07445dc981c7cef697263e59dba7784e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57885 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for a925c22 - Browse repository at this point
Copy the full SHA a925c22View commit details -
Add prefetch to sha1_block_data_order_shaext
Similar idea to https://boringssl-review.googlesource.com/c/boringssl/+/55466 Results are pretty close to the current state, e.g. tool speed goes from Did 74000 SHA-1 (16384 bytes) operations in 1004094us (73698.3 ops/sec): 1207.5 MB/s to Did 75000 SHA-1 (16384 bytes) operations in 1004022us (74699.6 ops/sec): 1223.9 MB/s But on AMD with prefetchers disabled and large enough data size, to force cache misses this gives ~3x improvement: name old time/op new time/op delta BM_SHA1Hash/2 141ns ± 1% 143ns ± 2% ~ (p=0.421 n=5+5) BM_SHA1Hash/4 143ns ± 2% 143ns ± 3% ~ (p=0.841 n=5+5) BM_SHA1Hash/8 141ns ± 1% 141ns ± 2% ~ (p=1.000 n=5+5) BM_SHA1Hash/16 141ns ± 1% 141ns ± 1% ~ (p=0.841 n=5+5) BM_SHA1Hash/32 143ns ± 2% 143ns ± 1% ~ (p=0.690 n=5+5) BM_SHA1Hash/64 178ns ± 1% 179ns ± 1% ~ (p=0.151 n=5+5) BM_SHA1Hash/512 454ns ± 1% 454ns ± 1% ~ (p=0.841 n=5+5) BM_SHA1Hash/4k 2.66µs ± 1% 2.65µs ± 1% ~ (p=1.000 n=5+5) BM_SHA1Hash/32k 20.3µs ± 1% 20.3µs ± 2% ~ (p=1.000 n=5+5) BM_SHA1Hash/256k 162µs ± 1% 161µs ± 1% ~ (p=0.548 n=5+5) BM_SHA1Hash/1M 644µs ± 1% 645µs ± 1% ~ (p=0.841 n=5+5) BM_SHA1Hash/2M 1.29ms ± 1% 1.29ms ± 2% ~ (p=0.690 n=5+5) BM_SHA1Hash/4M 2.58ms ± 1% 2.58ms ± 1% ~ (p=0.841 n=5+5) BM_SHA1Hash/8M 5.14ms ± 0% 5.15ms ± 1% ~ (p=0.286 n=4+5) BM_SHA1Hash/16M 11.4ms ± 3% 10.3ms ± 1% -9.04% (p=0.016 n=4+5) BM_SHA1Hash/128M 249ms ± 0% 83ms ± 1% -66.73% (p=0.008 n=5+5) Change-Id: I7cae746b6d8a705d6bf2d5c5df6a2dca6d44791a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57826 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for ecb722a - Browse repository at this point
Copy the full SHA ecb722aView commit details
Commits on Mar 9, 2023
-
Add OPENSSL_EXPORT to BN_mod_inverse_blinded
Change-Id: Ie7543047c6f489ae849b3c27703948f0977c33fd Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57905 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8aa51dd - Browse repository at this point
Copy the full SHA 8aa51ddView commit details
Commits on Mar 14, 2023
-
initial setup for bssl crate with hmac and sha2 bindings
- update rust folder to split into `bssl` and `bssl-sys` - add initial bindings for hmac and a subset of sha2 Change-Id: I09e0e778c1590de6818a49e19529ceb011e4d9f6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57285 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Adam Langley <agl@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedMar 14, 2023 Configuration menu - View commit details
-
Copy full SHA for be79283 - Browse repository at this point
Copy the full SHA be79283View commit details -
Add Cargo.lock to .gitignore for rust/bssl-crypto and remove generated file Clean up cargo deny warnings and set reasonable starting point in deny.toml Change-Id: I0b925408ab6b7947b1b01282bac803feb769421a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57985 Reviewed-by: Nabil Wadih <nwadih@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Bob Beck authored and Boringssl LUCI CQ committedMar 14, 2023 Configuration menu - View commit details
-
Copy full SHA for 6f3e822 - Browse repository at this point
Copy the full SHA 6f3e822View commit details -
Rust bindings to boringssl plain AES implementation
Change-Id: Idbf0be16fbda2f0cb2444837021d4f95c29a1857 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57405 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedMar 14, 2023 Configuration menu - View commit details
-
Copy full SHA for 39da68f - Browse repository at this point
Copy the full SHA 39da68fView commit details -
Guarding the OPENSSL_memset was unnecessary since OPENSSL_memset with zero length works fine. Also OPENSSL_memset, to workaround a C bug, internally does the same check anyway. (But also this wasn't a context where the C bug applied.) Also don't bother calling EVP_MD_block_size a second time when we already saved it into block_size. Finally, don't bother filling key_block up to the whole EVP_MAX_MD_BLOCK_SIZE size. I could believe the fixed size is easier for the compiler to optimize, but the XORs in setting up an HMAC cannot possibly be performance-sensitive, and using the actual length is clearer. Also add an assert that the hash's output size fits in the block size. We're implicitly relying on this when hashing the key down. Change-Id: I6ce37d41ea5bdbc8890bde7910e1b5651bc35709 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58027 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 50bc2ea - Browse repository at this point
Copy the full SHA 50bc2eaView commit details
Commits on Mar 15, 2023
-
Test that X509_NAMEs sort their RDNs when encoding.
RDNs are a SET OF attributes which means they should be sorted by DER encoding length, then lexicographically. We didn't have any test coverage for this. Bug: 548 Change-Id: I542196aae26984aeee4f1c6774878b121675b0dc Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58025 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d0cff63 - Browse repository at this point
Copy the full SHA d0cff63View commit details -
Const-correct and document a few functions in x509v3.h.
Change-Id: I59bcacf10a59ffdf9709785727f5f8b73c992f6e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58026 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8c7aa6b - Browse repository at this point
Copy the full SHA 8c7aa6bView commit details -
Hmac should be able to take longer keys
HMAC hashes long keys internally using the provided hash function. This removes the arbitrary limit of EVP_MAX_MD_SIZE on the length of the key. Change-Id: I56d68cbd2ddaf1f5f1fa4ecc40105b00b2ccd87c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58006 Reviewed-by: Nabil Wadih <nwadih@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Bob Beck authored and Boringssl LUCI CQ committedMar 15, 2023 Configuration menu - View commit details
-
Copy full SHA for 3002573 - Browse repository at this point
Copy the full SHA 3002573View commit details -
Add CTRDBG_STATE to bssl::UniquePtr
Change-Id: I18596751776262be09d8ba09ed258e1f66d90654 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58046 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 7464656 - Browse repository at this point
Copy the full SHA 7464656View commit details
Commits on Mar 16, 2023
-
Add a test for OPTIONAL CHOICE values
An in-progress rewrite of tasn_dec.c accidentally broke this, so add a regression test. Bug: 548 Change-Id: Iac6a23acbc08459187c96a2f6471f0aa97d445a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58125 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 6a231e5 - Browse repository at this point
Copy the full SHA 6a231e5View commit details -
Reduce type-punning in ASN1_TYPE
ASN1_TYPE is a union of a bunch of pointer types. Often it takes a shorthand and accesses a->value.ptr directly. This is allowed in C, but not C++. Writing the switch/case barely takes more code, so just write it that way. Along the way, extract the code for cleaning up an ASN1_TYPE from tasn_fre.c. This is a small step towards being able to use crypto/asn1's types without depending on the templates. ASN1_TYPE_free still, for now, calls into the templates. That will be fixable once tasn_*.c are rewritten a bit further. This also removes the weird hack here ASN1_primitive_free (an internal function) with NULL ASN1_ITEM secretly meant to partially clean up the ASN1_TYPE. We can just call the function directly now. Bug: 574 Change-Id: Ie2ba41418801a366ab2f12eccc01e8dadf82c33e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58126 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 860cc73 - Browse repository at this point
Copy the full SHA 860cc73View commit details -
Set up cargo deny to deny new dependencies by default.
Mark the two existing dependencies which should be made to go away. This is a bindings library to boringssl. it should really *not* need extra dependencies on external crates. Change-Id: Ia687510247154634e6d8b2be4c2f5840dabc1c89 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58107 Auto-Submit: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Bob Beck authored and Boringssl LUCI CQ committedMar 16, 2023 Configuration menu - View commit details
-
Copy full SHA for 9ea4128 - Browse repository at this point
Copy the full SHA 9ea4128View commit details -
Get rid of the libc crate dependency in bssl-sys
It appears to no longer be needed. Change-Id: Idd9aa128192eb0f1bdff52e190fd032090411d43 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58165 Auto-Submit: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Nabil Wadih <nwadih@google.com>
Bob Beck authored and Boringssl LUCI CQ committedMar 16, 2023 Configuration menu - View commit details
-
Copy full SHA for 7b04d72 - Browse repository at this point
Copy the full SHA 7b04d72View commit details -
add bindings for hkdf and update panic handler
Change-Id: Ic0149a69cc27727c2302bc2a90d03839fd5637b5 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57545 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedMar 16, 2023 Configuration menu - View commit details
-
Copy full SHA for cc57542 - Browse repository at this point
Copy the full SHA cc57542View commit details -
Rewrite ASN1_OBJECT and ASN1_BOOLEAN d2i/i2d functions.
These functions already don't go through tasn_*.c. Rewrite them to use CBS and CBB. This removes some dependencies on ASN1_get_object and ASN1_put_object. Update-Note: d2i_ASN1_OBJECT and d2i_ASN1_BOOLEAN will no longer accept non-minimal length prefixes (forbidden in DER). d2i_ASN1_BOOLEAN will also no longer accept non-canonical representations of TRUE (also forbidden in DER). This does not affect certificate parsing, as that still goes through the old template system, though we will make a similar change to those functions later. Bug: 354, 548 Change-Id: I0b7aa96f47aca5c31ec4f702e27108b4106311f2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58145 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2cb7b33 - Browse repository at this point
Copy the full SHA 2cb7b33View commit details -
Make ASN1_OBJECT_create size_t-clean.
Change-Id: If7eb9daf65f6c9480a9bffb5f1e1ea3143c5faf7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58146 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 173b639 - Browse repository at this point
Copy the full SHA 173b639View commit details -
Removing object reuse makes it dramatically simpler. Along the way, lift the OID validity checker into crypto/bytestring, so we can use it more generally. (Although the difference between invalid OID and unknown OID is pretty academic, so this check isn't that important.) For now I've preserved the existing behavior, where the OID validity checker accepts arbitrarily large OID components. Though this results in an oddity where the OID to string functions reject inputs that the parser accepts. (There we only allow up to 2^64-1.) Update-Note: When we removed object-reuse from all the d2i functions, we missed one d2i_ASN1_OBJECT. See https://boringssl-review.googlesource.com/c/boringssl/+/56647. Otherwise, this CL is not expected to change behavior. Change-Id: If4d2d83d9f3c96abfdc268e156f2cf3a9a903b0c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58147 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 898de8d - Browse repository at this point
Copy the full SHA 898de8dView commit details
Commits on Mar 20, 2023
-
- remove dependency on hex-literal crate
- add helper for converting between hex strings and bytes Change-Id: I073b597cfb1b2687dd7d1743441bdfaaf601810d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58225 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedMar 20, 2023 Configuration menu - View commit details
-
Copy full SHA for 92de195 - Browse repository at this point
Copy the full SHA 92de195View commit details
Commits on Mar 21, 2023
-
Represent unknown universal types with V_ASN1_OTHER
OpenSSL's ASN1_STRING representation has many cases. There's a grab-bag V_ASN1_OTHER cases that can represent any element. But it is currently only used for non-universal tags. Unknown universal tags go into the type field directly. This has a few problems: - Certain high values, V_ASN1_NEG_INTEGER and V_ASN1_NEG_ENUMERATED, are treated special. This was one of the two causes behind CVE-2016-2108 and had to be worked around with V_ASN1_MAX_UNIVERSAL. - OpenSSL can never compatibly support a new universal type in a non-ASN1_STRING form. Otherwise ASN1_TYPE's union changes its in-memory representation. - It is a bit ambiguous when OpenSSL does or doesn't know the type. - This is broadly implemented by having a default in all the switch/cases, which is a little awkward. - It's yet another "unknown tag" case when V_ASN1_OTHER covers such cases just fine. Remove this representation and use V_ASN1_OTHER. This more unambiguously resolves CVE-2016-2108. ASN1_STRING's and ASN1_TYPE's respective type fields are now a closed set. Update the documenthation accordingly. Formally allowing universal types in ASN1_STRING also opens the door to clearing the ASN1_PRINTABLE mess (https://crbug.com/boringssl/412). BoringSSL currently rejects X.509 names that are actually valid, because the OpenSSL X509_NAME representation cannot represent them. This allows us to introduce an ASN1_STRING-based ANY representation, which just represents all non-ASN1_STRING types in an V_ASN1_OTHER. The implementation is a little clumsy (the way things tasn_dec.c is written, I had to introduce yet another check), but I'm hoping that, when the parser is rewritten with CBS, this can be integrated into a single type dispatch. Update-Note: This does not change the set of inputs accepted or rejected by the ASN.1 parser. It does, however, change the in-memory representation in edge cases. Unless the application was specifically inspecting the in-memory representation for these unknown types, we expect this to have no impact. Fixed: 561 Change-Id: Ibf9550e285ce50b11c7609d28b139354b9dd41dc Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58148 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8c8629b - Browse repository at this point
Copy the full SHA 8c8629bView commit details -
Change-Id: I9ec56ae8d4ca0a28dccbf2a04c4c675791c053b8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58265 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedMar 21, 2023 Configuration menu - View commit details
-
Copy full SHA for 172b291 - Browse repository at this point
Copy the full SHA 172b291View commit details -
Reimplement X509 parsing without templates
This is a cursory conversion and is, currently, very tedious because it needs to bridge calling conventions. After tasn_*.c and all the underlying primitives have CBS/CBB-based calling conventions, this should be a lot cleaner. This is to break a dependency cycle: - We'd like to rewrite d2i_X509 with CBS - To do that, we need to rewrite its underlying types with CBS - Those parsers are tied up in tasn_dec.c, so we effectively need to rewrite tasn_dec.c with CBS. - CBS is designed for DER, not BER, so such a change would most naturally switch the TLV parser to require DER. - We've *almost* done that already except https://boringssl-review.googlesource.com/c/boringssl/+/51626 had to stop at non-minimal definite lengths, which are allowed in BER but forbidden in DER. See b/18228011 for a bunch of certificates which have a non-minimal definite length at *just* the signature field. - So, to do that, we'd ideally special case just that field, or BIT STRINGs in general, to tolerate minimal lengths. That's easiest done when d2i_X509 is CBS, so we can just do what we want in imperative code. And thus we're back full circle. So, detach X509 from the templates now. It's a bit tedious because we need to switch calling conventions for now, but it breaks the cycle. Later, we can revisit this and get all the benefits of a fully CBS-based path. For now, I haven't added an ASN1_ITEM. If it comes up, we can make an EXTERN ASN1_ITEM. Update-Note: The ASN1_ITEM removal means custom ASN.1 templates (which are discouraged in favor of our much simpler CBS and CBB types) using X509 will fail to compile. We don't believe anyone is relying on this, but this can be restored if we find something. Update-Note: Certificate parsing is slightly stricter: the outermost TLVs, except for the signature field, no longer accept non-minimal lengths, as mandated by DER. This strictness was broadly already applied by the libssl parser. Bug: 547 Change-Id: Ie5ad8ba4bb39f54fdd3dd45c53965b72a3850709 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58185 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2a52444 - Browse repository at this point
Copy the full SHA 2a52444View commit details -
Reject non-minimal lengths in ASN1_get_object
Now that the preceding CL has isolated the X.509 signature hack, we can apply the strictness across the legacy parser. This is particularly important for the TBSCertificate parser, where it is ambiguous which value one checks the signature over. (Officially, you're supposed to re-encode as DER. In practice, people don't do this.) This change means many of our primitive types are actually parsed as DER. I've removed the bug references in the comment in the documentation where I believe they're finally correct. Update-Note: Non-minimal lengths in certificates are no longer accepted, as required for standards compliance. The one exception is the signature field, where we still carry an exception. Some of this was already enforced by libssl's parser. Bug: 354 Change-Id: I57cfa7df9e1ec5707390e9b32fe1ec6b5d8172f9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58186 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8ebfea7 - Browse repository at this point
Copy the full SHA 8ebfea7View commit details
Commits on Mar 22, 2023
-
I mistakenly thought no one needed X509 as an ASN1_ITEM, but that wasn't true. wpa_supplicant relies on this. Restore this and add a test for it. As with the rest of the rewrite, this is currently a little tedious. I'm hoping that, as the internals are rewritten with CBS and CBB, we can establish some cleaner patterns and abstractions. Bug: 547 Change-Id: I761ee058f8ec916b2ec7f4730a764d46d72f1f10 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58285 Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for b6a50fd - Browse repository at this point
Copy the full SHA b6a50fdView commit details
Commits on Mar 24, 2023
-
Fix parameter name for i2d_X509_EXTENSION
alg was a copy-paste error. Change-Id: I4c591bb98f7da853c79679727d49a00c7c65ad91 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58305 Reviewed-by: Alex Gaynor <alex.gaynor@gmail.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2e13e36 - Browse repository at this point
Copy the full SHA 2e13e36View commit details
Commits on Mar 28, 2023
-
Add a warning about OBJ_create and global state
This function is probably not what you want. I think the X509V3_EXT_METHOD and ASN1_STRING_TABLE_add stuff are the only cases where you actually need an OID. Those, themselves, have problems with conflicting registrations and aren't really necessary. ASN1_STRING_TABLE_add has a similar warning on it. X509V3_EXT_METHOD is not yet documented, but should get a similar warning when we document it. Change-Id: I173918a3f7db25059ed078b2f67b23acfb43033d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58365 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 0e8e3c6 - Browse repository at this point
Copy the full SHA 0e8e3c6View commit details -
Sort various X.509 global lists sooner
These functions need a lot more work, documentation, warnings that using them isn't a good idea, and really we should just remove them entirely. But, for now, this is a minimal fix to the most egregious of issues: not only are the functions themselves not thread-safe (i.e. you must call it in some program-global initialization), but using them puts you in a state where future uses of the X.509 library are not thread-safe! Fix the latter by sorting the list at the point we're already mutating things. Re-sorting a list after every addition is not a particularly sensible implementation, but we can assume these lists will only ever contain O(1) entries. (The sort calls date to https://boringssl-review.googlesource.com/c/boringssl/+/27304, but the issue was there before. Prior to that CL, sk_FOO_find implicitly sorted the list. That CL made sk_FOO_find itself a const operation, necessary for this, and just added explicit sk_FOO_sort calls to preserve the existing behavior, initially.) Change-Id: I063b8e708eaf17dfe66c5a3e8d33733adb3297e9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58385 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 97d48db - Browse repository at this point
Copy the full SHA 97d48dbView commit details
Commits on Mar 29, 2023
-
This is a double-pointer and both layers should be const. This matches OpenSSL 1.1.1, so in addition to being more const-correct, we're more OpenSSL-compatible. Update-Note: Anything that defines a comparison function would need to fix the type signature. I found only one external caller, Envoy, that defines it. envoyproxy/envoy#25051 fixes it. (That we hadn't run into the upstream incompatibility suggests this is just not a feature folks use outside the library much.) Bumping BORINGSSL_API_VERSION, in case I missed any, and there's some caller where we can't just use C++14 generic lambdas to smooth it over. Fixed: 498 Change-Id: I8f07ff42215172aa65ad8819acf69b63d6d8e54c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/56190 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for af0739f - Browse repository at this point
Copy the full SHA af0739fView commit details -
Remove dynamic X509_VERIFY_PARAM registration
This was not thread-safe and, until the previous CL, egregiously so. No one uses this API, so remove it. Update-Note: Various unused functions for registering named X509_VERIFY_PARAMs were removed. These functions only exist to make X509_VERIFY_PARAM_lookup return a custom value. Instead, applications that want a particular X509_VERIFY_PARAM can just configure it directly, rather than stashing it in library-global state and then looking it back up with X509_VERIFY_PARAM_lookup. Change-Id: I8d532a1a137c7abbc131f2cb5d12ba94e5728e2d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58386 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 678bae4 - Browse repository at this point
Copy the full SHA 678bae4View commit details -
Fix policy validation when the user policy set is NULL
OpenSSL interprets NULL and empty lists as {anyPolicy}. I intended to implement this, but didn't quite get the NULL case right. Fix this and add a test. Change-Id: I50dbf02695f424697e28a6e0ec4fd50b2822f44f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58425 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for fca688f - Browse repository at this point
Copy the full SHA fca688fView commit details
Commits on Mar 30, 2023
-
Fix handling of critical X.509 policy constraints
If we see a critical policy constraints extension, we have two options: We can either process it, which requires running policy validation, or reject the certificate. We and OpenSSL do neither by default, which means we may accept certificate chains that we weren't supposed to. This fixes it by enabling X.509 policy validation unconditionally and makes X509_V_FLAG_POLICY_CHECK moot. As a side effect, callers no longer need to do anything for CVE-2023-0466. This is the opposite of [0]'s advice, which instead recommends skipping the feature and rejecting critical policy contraints. That would be a good move for a new X.509 implementation. Policy validation is badly-designed, even by X.509's standards. But we have OpenSSL's history of previously accepting critical policy constraints (even though it didn't check it). I also found at least one caller that tests a chain with policy constraints, albeit a non-critical one. We now have an efficient policy validation implementation, so just enable it. Of course, fixing this bug in either direction has compatibility risks: either we take on the compat risk of being newly incompatible with policyConstraints-using PKIs, or we take on the compat risk of newly rejecting certificates that were invalid due to a policy validation error, but no one noticed. The latter case seems safer because the chain is unambiguously invalid. Update-Note: X.509 certificate verification (not parsing) will now notice policy-validation-related errors in the certificate chain. These include syntax errors in policy-related extensions, and chains with a requireExplicitPolicy policy constraint that are valid for no certificate policies. Such chains are unambiguously invalid. We just did not check it before by default. This is an obscure corner of X.509 and not expected to come up in most PKIs. [0] https://www.ietf.org/archive/id/draft-davidben-x509-policy-graph-01.html#section-3.4.4 Fixed: 557 Change-Id: Icc00c7797bb95fd3b14570eb068543fd83cda7b9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58426 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 28226f5 - Browse repository at this point
Copy the full SHA 28226f5View commit details -
Adding a C implementation of Kyber.
Passes test vectors, and should be constant time, but is currently not optimized and neither the API nor the standard is stable. Change-Id: I89b90877e023a43ee7238e11b86065444ab3bdec Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57845 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 58472cc - Browse repository at this point
Copy the full SHA 58472ccView commit details
Commits on Mar 31, 2023
-
Add comment about regenerating peg files.
Change-Id: I0d1b4ebb291b19bf549f863a1aaaa07e770328a9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58505 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for bc49415 - Browse repository at this point
Copy the full SHA bc49415View commit details -
This updated value is not in the private use area and can hopefully be more stable over time. Change-Id: Ieda34ec0f356cfd03365973f611a6edc23431e29 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58525 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d897027 - Browse repository at this point
Copy the full SHA d897027View commit details
Commits on Apr 3, 2023
-
Add various tests for memory BIOs.
Our test coverage for BIOs isn't great. Fill in missing memory BIO tests, in preparation for reworking it a bit to be size_t-clean. Change-Id: I77aeab93d6d9275c65e998d517463f4cc10efcf3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58545 Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 502d24c - Browse repository at this point
Copy the full SHA 502d24cView commit details -
Convert a few more ints to bools in libssl.
There was even a bug where we returned -1 out of a function whose callers use !. Change-Id: Ic815ea9f013bcbca41ef84b9ffa9fb867f716aa6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58465 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 6e723e5 - Browse repository at this point
Copy the full SHA 6e723e5View commit details
Commits on Apr 7, 2023
-
Fix size_t truncations in bio_mem.c
The outl <= 0, etc., checks are actually redundant with logic in the wrappers, but it seems easier to just add the check and avoid worrying about it. Maybe someday we'll make the internals use size_t and this will be moot. Bug: 516 Change-Id: I0bea5ac325c79b9765d822c816661fe4f2bcd4cc Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58546 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for e8b168d - Browse repository at this point
Copy the full SHA e8b168dView commit details -
Tidy up some lengths in SSL_SESSION
Normally these would be size_t, but we try to reduce per-connection memory in libssl, so use uint8_t, then add asserts, checks, and casts as appropriate. Bug: 516 Change-Id: Ibdd9d88f2b05173daee2db5f6fb77d619302bfdf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58547 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 44a389a - Browse repository at this point
Copy the full SHA 44a389aView commit details
Commits on Apr 10, 2023
-
RESOURCE_LEAK in method STACK_OF(TRUST_TOKEN) *voprf_unblind before r…
…eturn 0 Change-Id: I4288988f3742f14b15f80a3023b716392a667631 Signed-off-by: wangjiale3 <wangjiale3@xiaomi.corp-partner.google.com> Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58485 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9a56503 - Browse repository at this point
Copy the full SHA 9a56503View commit details -
Don't consume the newline in BIO_gets for fds
We support BIO_gets on three BIOs. They're all slightly different. File BIOs have the NUL truncation bug. fd BIOs swallow the embedded newline. This CL fixes the second issue and updates the BIO_gets test to cover all three. See also upstream's openssl/openssl#3442 Update-Note: BIO_gets on an fd BIO now returns the newline, to align with memory and file BIOs. BIO_gets is primarily used in the PEM parser, which tries to tolerate both cases, but this reduces the risk of some weird bug that only appears in fd BIOs. Change-Id: Ia8ffb8c67b6981d6ef7144a1522f8605dc01d525 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58552 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 0c069cb - Browse repository at this point
Copy the full SHA 0c069cbView commit details
Commits on Apr 11, 2023
-
If the ret is not null, it needs to be released before return
Change-Id: Idcf0fdcc88af509958e56052c1925f3f695bc3e3 Signed-off-by: wangjiale3 <wangjiale3@xiaomi.corp-partner.google.com> Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58487 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8843d98 - Browse repository at this point
Copy the full SHA 8843d98View commit details -
Run
go fmt
inssl/test/runner
.Change-Id: I06773ff0c42c68f1f2d4c581f52b71008c4cdb3c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58625 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> Auto-Submit: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for fe7a067 - Browse repository at this point
Copy the full SHA fe7a067View commit details -
Remove SSL_CIPHER_get_rfc_name
This was replaced with the upstream-compatible SSL_CIPHER_standard_name in https://boringssl-review.googlesource.com/17324. It looks like we've since migrated everything off the old name, so let's just remove it. Update-Note: SSL_CIPHER_get_rfc_name calls can be replaced with SSL_CIPHER_standard_name, which is also more efficient as it avoids an allocation and copy. If anyone's using this function and can't easily migrate, let us know and we can put this back for a little longer. Change-Id: I6bce40a8a146671429641a5dbff6f614006a9a1c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58665 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for bf1b792 - Browse repository at this point
Copy the full SHA bf1b792View commit details -
Fix miscellaneous size_t truncations
Also unexport PEM_proc_type and PEM_dek_info. They're never called externally, just private functions within one file. Also, while I'm here, fix the include guard on asn1/internal.h. Bug: 516 Change-Id: I6961a65f638e7b464a8c349663898a954d7826b4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58548 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for a438519 - Browse repository at this point
Copy the full SHA a438519View commit details -
leaked_storage in method POLICYQUALINFO *notice_section
Change-Id: I43dd18f7d70ee06ca25affad0ab06e5d5ef8263d Signed-off-by: wangjiale3 <wangjiale3@xiaomi.corp-partner.google.com> Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58489 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 7b9b9ba - Browse repository at this point
Copy the full SHA 7b9b9baView commit details
Commits on Apr 12, 2023
-
Move RSA (en|de)cryption out of the FIPS module.
Change-Id: I330ac0fa7f0b2c9984d12da831d8f34019ea2c49 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58526 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 89de6e1 - Browse repository at this point
Copy the full SHA 89de6e1View commit details -
Add Trust Token version using standardized hash2curve.
Change-Id: I6e53434246f3fef06d4f88924bfe1cbfad0543e8 Bug: chromium:1414562 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58205 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Steven Valdez <svaldez@google.com>
Configuration menu - View commit details
-
Copy full SHA for c5f762d - Browse repository at this point
Copy the full SHA c5f762dView commit details -
Fix up do_ext_i2d's error-handling
Thanks to wangjiale3 for noticing a leak of ext_oct on malloc error in https://boringssl-review.googlesource.com/c/boringssl/+/58488. This is a fixed version of that CL, and also fixes a leak of ext_der on malloc failure. Change-Id: I2c7ece6b2950a9cb807d78e72b2fddc21897a019 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58686 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9423510 - Browse repository at this point
Copy the full SHA 9423510View commit details -
Add functions to allow the mocking of AES hw support for testing.
Bug: 586 Change-Id: I5bc8e6df3a5a14e6b218f41181d06406e835f9c1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58605 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Bob Beck authored and Boringssl LUCI CQ committedApr 12, 2023 Configuration menu - View commit details
-
Copy full SHA for 8cacbd9 - Browse repository at this point
Copy the full SHA 8cacbd9View commit details -
Restore some default cases in tasn_dec.c and tasn_enc.c
This reverts a small portion of 8c8629b. The parsers for ANY remain unchanged, but we inadvertently changed a corner case of ASN1_PRINTABLE MSTRINGs. This is a huge mess. utype in these switch cases is usually the type of the ASN1_ITEM, but, with ANY and MSTRING, it is the tag of the value we found. (An MSTRING or "multi-string" is a CHOICE of string-like types.) When parsing ANY, this is moot because the is_supported_universal_type logic ensures we'll never pass in an invalid type. When encoding ANY, this only happens if you manually construct such an ASN1_TYPE. MSTRINGs *should* be similar because of the bitmask they apply on tag types. However, there is one MSTRING type whose bitmask, B_ASN1_PRINTABLE, includes B_ASN1_UNKNOWN. ASN1_tag2bit, arbitrarily maps eight unsupported tags to B_ASN1_UNKNOWN and instead of zero. These are: - ObjectDescriptor - EXTERNAL - REAL - EMBEDDED PDV - RELATIVE-OID - TIME (note this is not the same as the X.509 Time CHOICE type) - [UNIVERSAL 15], which is not even a defined type! - CHARACTER STRING (ENUMERATED is also mapped to B_ASN1_UNKNOWN, but it's supported.) These eight tags were previously accepted in d2i_X509_NAME but 8c8629b inadvertently started rejecting them. For now, restore the default in the switch/case so that we accept them again. Per https://crbug.com/boringssl/412, attribute values are ANY DEFINED BY types, so we actually should be accepting *all* types. We do not, because B_ASN1_PRINTABLE is completely incoherent. But because ANY is the correct type, going from the original incoherent set, to this new, smaller incoherent set is arguably a regression. This is a minimal fix. Long-term, we should handle that ANY correctly, and avoid unexpected ASN1_STRING type values, by mapping all unsupported types to V_ASN1_OTHER. This would allow us to support all types correctly. A follow-up change will do that. Update-Note: The X.509 name parser will go back to accepting a handful of universal tag types that were inadvertently rejected in 8c8629b. It is extremely unlikely that anyone uses these as they're unsupported, obscure types. This CL also makes our ASN1_TYPE encoder slightly more permissive again, if the caller manually constructs an legacy in-memory representation of an unsupported tag. But the follow-up change will restore the stricter behavior. Bug: 412, 561 Change-Id: Ia44a270f12f3021154761a1cd285707416d8787e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58705 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for abfd5eb - Browse repository at this point
Copy the full SHA abfd5ebView commit details
Commits on Apr 13, 2023
-
Remove support for "old-style" X509V3_EXT_METHODs.
I don't believe these codepaths have ever been run. All the built-in X509V3_EXT_METHODs are ASN1_ITEM-based, as are all callers I found of X509V3_EXT_add and X509V3_EXT_add_list. Also document not to use those APIs because they're pointless and (for now) not even thread-safe. Making them thread-safe is doable, but it'd add rwlock contention in certificate verification, unless we first rework certificate verification to ignore custom registrations, because it never uses them anyway. But that only proves that this whole feature was pointless, so this time may be better spent trying to get rid of this API. Update-Note: Externally-installed X509V3_EXT_METHODs now must be ASN1_ITEM-based. I believe all existing ones already are. If there are any that aren't, let us know. We'll either revert this for now, or export a way to implement custom ASN1_ITEMs, or, most likely, try to move the caller off custom X509V3_EXT_METHODs altogether. Like most of OpenSSL's other global registration APIs, this one is unsafe (two callers may conflict) and there isn't much reason to register it with the library because OpenSSL doesn't do much with the registration anyway. Bug: 590 Change-Id: Ice0e246d50069e10e6cca8949f60fac474d0846c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58687 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8abd1b5 - Browse repository at this point
Copy the full SHA 8abd1b5View commit details -
Remove X509V3_EXT_add_list and X509V3_EXT_cleanup
These are already unused, though add and add_alias will need more work. In doing so, simplify the X509V3_EXT_DYNAMIC business. I added some cleanup calls to https://boringssl-review.googlesource.com/2208, but that should have been in the error-handling path of X509V3_EXT_add_alias, the only case that cares about this. Update-Note: Removed unused API. Bug: 590 Change-Id: Idd97366d90d7aab0ca2e020c76a7c8065b3dd7ff Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58765 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5fb362c - Browse repository at this point
Copy the full SHA 5fb362cView commit details -
expose a reset API on hmac which resets the current instance back to …
…its original state keeping the same key as initially used Change-Id: Ie781e2a20da26b50b34f35ea0a5cfc578b64ee7f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58565 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedApr 13, 2023 Configuration menu - View commit details
-
Copy full SHA for 298e6c2 - Browse repository at this point
Copy the full SHA 298e6c2View commit details
Commits on Apr 14, 2023
-
HRSS itself remains in libcrypto because there are some direct users of it. But this will let it be dropped by the linker in many cases. Change-Id: I870eda30c9ed1d08693c770e9e7df45a2711b7df Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58645 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 4ae4fb7 - Browse repository at this point
Copy the full SHA 4ae4fb7View commit details -
Move HKDF into the FIPS module.
Change-Id: I7c5b0a24c26b83779cf889d890e2c18ae13187c3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58725 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d3acd45 - Browse repository at this point
Copy the full SHA d3acd45View commit details
Commits on Apr 17, 2023
-
Move TLS 1.3 KDF functions into the FIPS module.
Change-Id: I32a40a73f96e029ac9096af826d15b22d9dcad28 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58745 Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 480344d - Browse repository at this point
Copy the full SHA 480344dView commit details -
Include bindgen generated file via a build time env var, this plays n…
…icer with other build systems like Soong and Gn. Change-Id: I42e40da22dd243796cd735e09a9821cc2d114200 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58785 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedApr 17, 2023 Configuration menu - View commit details
-
Copy full SHA for 404d98b - Browse repository at this point
Copy the full SHA 404d98bView commit details -
add extra lints to align with Chromium rust toolchain
Change-Id: Ib3372c2a4e0e6189402485e87963d8151ad29981 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58786 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: danakj <danakj@chromium.org> Commit-Queue: Bob Beck <bbe@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedApr 17, 2023 Configuration menu - View commit details
-
Copy full SHA for fa7afff - Browse repository at this point
Copy the full SHA fa7afffView commit details -
Default SSL_set_enforce_rsa_key_usage to enabled.
This relands https://boringssl-review.googlesource.com/c/boringssl/+/54606, which was temporarily reverted. Update-Note: By default, clients will now require RSA server certificates used in TLS 1.2 and earlier to include the keyEncipherment or digitalSignature bit. keyEncipherment is required if using RSA key exchange. digitalSignature is required if using ECDHE_RSA key exchange. If unsure, TLS RSA server signatures should include both, but some deployments may wish to include only one if separating keys, or simply disabling RSA key exchange. The latter is useful to mitigate either the Bleichenbacher attack (from 1998, most recently resurfaced in 2017 as ROBOT), or to strengthen TLS 1.3 downgrade protections, which is particularly important for enterprise environments using client certificates (aka "mTLS") because, prior to TLS 1.3, the TLS client certificate flow was insufficiently encrypted or authenticated. Without reflecting an RSA key exchange disable into key usage, and then the client checking it, an attacker can spoof a CertificateRequest as coming from some server. This aligns with standard security requirements for using X.509 certificates, specified in RFC 5280, section 4.2.1.3, and reiterated in TLS as early as TLS 1.0, RFC 2246, section 7.4.2, published 24 years ago on January 1999. Constraints on usage of keys are important to mitigate cross-protocol attacks, a class of cryptographic attacks that is well-studied in the literature. We already checked this for each of ECDSA, TLS 1.3, and servers verifying client certificates, so this just fills in the remaining hole. As a result, this change is also important for avoiding some weird behaviors when configuration changes transition a server in or out of this hole. (We've seen connection failures get misattributed to TLS 1.3 when it was really a certificate misconfiguration.) Chrome has also enforced this for some time with publicly-trusted certificates. As a temporary measure for callers that need more time, the SSL_set_enforce_rsa_key_usage API, added to BoringSSL in January 2019, still exists where we need to turn this off. Fixed: 519 Change-Id: I91bf2cfb04c92aec7875e640f90ba6f837146dc1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58805 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for cee2dbb - Browse repository at this point
Copy the full SHA cee2dbbView commit details -
Switch to new ACVP test for TLS 1.2 KDF.
NIST has deprecated the test that we were using and replaced it with the one that this change switches BoringSSL to using. Change-Id: Iff975cda33153f8db42d9c01457d104c502485b9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58787 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 6e1e367 - Browse repository at this point
Copy the full SHA 6e1e367View commit details -
Skip some BIO_gets tests if tmpfile fails on Android
On Android, when running from an APK, |tmpfile| does not work. See b/36991167#comment8. Change-Id: I1415471907e61da5e8c8d1530a2b915fcd991d53 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58845 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for c466222 - Browse repository at this point
Copy the full SHA c466222View commit details
Commits on Apr 18, 2023
-
break-tests.sh: break run-time tests and use two test_fips binaries.
(This change breaks running on Android. But it's close to what we used for non-Android FIPS testing so is useful to have on the record.) This change adds testing of the run-time break tests: the pair-wise consistency tests and the RNG test. It also switches to using two test_fips binaries: an unmodified one for showing a clean up and testing the integrity test, and a test_fips_break which makes integrity test failures non-fatal (for KAT testing) and which allows the run-time tests to be triggered. Change-Id: Id2787723059cfb17cc2d22013ad66b985ef86701 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53885 Reviewed-by: David Benjamin <davidben@google.com> Auto-Submit: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Adam Langley authored and Boringssl LUCI CQ committedApr 18, 2023 Configuration menu - View commit details
-
Copy full SHA for a4593ce - Browse repository at this point
Copy the full SHA a4593ceView commit details -
Update test_fips.c with new functions added to FIPS module.
Change-Id: Ibe428995fbc03669bf822296741574e2bbeb482d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58865 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 6776d5c - Browse repository at this point
Copy the full SHA 6776d5cView commit details
Commits on Apr 19, 2023
-
Widen ASN1_mbstring_copy and ASN1_mbstring_ncopy to ossl_ssize_t
Bug: 516 Change-Id: I3f374f05188bebe7aa4cbf45c81a6f945d3ce97c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58549 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 32b5130 - Browse repository at this point
Copy the full SHA 32b5130View commit details -
Generate 64-bit Curve25519 and P256 code for MSVC
Change-Id: I2218807c6bfe445460a01f6c86712640915e87df Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/57666 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for aa31748 - Browse repository at this point
Copy the full SHA aa31748View commit details -
Document a pile of X509 print functions
I had a branch lying around to rewrite X509_NAME_print(_ex) because those functions are a disaster, but it needs more work and probably isn't high priority. In the meantime, document what we've got. Also tidy up X509_print_ex slightly. m was completely unused and some variable declarations could be moved closer to their definition. Bug: 426 Change-Id: I24295048c36268c745f579ad66f34736cfe6830f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58925 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d9f209b - Browse repository at this point
Copy the full SHA d9f209bView commit details -
Organize X509_ATTRIBUTE functions into sections.
Also organize the low-level signature verification functions. I missed those in the first pass. Bug: 426 Change-Id: I9c93d643d8f0f77a35ee132f31377ba447f2f2f1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58926 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 787713b - Browse repository at this point
Copy the full SHA 787713bView commit details -
They're not used anywhere, as X509_REQ doesn't expose the underlying STACK_OF(X509_ATTRIBUTE) anyway. They're also very thin wrappers over the stack functions, so just delete them and inline them into X509_REQ functions. While I'm here, I've tidied up the add1_attr_by_* functions to reduce an unnecessary copy. Change-Id: Iec002c83ab7ad7267314e98866d680d12a82e971 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58927 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 437ef4d - Browse repository at this point
Copy the full SHA 437ef4dView commit details -
Move the X509 time functions under "Convenience functions"
These probably don't need their own section. They're just thin wrappers over other ASN1_TIME functions. Bug: 426 Change-Id: I8672feb0ca7ba1cf69b56d02d2559de5b80a3ee7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58928 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 58a4094 - Browse repository at this point
Copy the full SHA 58a4094View commit details -
Clarify in ssl.h documentation not to use the verify callback
Change-Id: I54195f3fabbed788d3cf299d478d5151acfe2a4f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58929 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 3e91d37 - Browse repository at this point
Copy the full SHA 3e91d37View commit details -
Remove --size_t-is-usize from bindgen call
This has been on by default since rust-lang/rust-bindgen@cc78b6f, and now removed from recent bindgen altogether. Change-Id: Iea4c2a7480fe8b138c375686ca6b36e6d68257b3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58965 Reviewed-by: Nabil Wadih <nwadih@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for e2d1401 - Browse repository at this point
Copy the full SHA e2d1401View commit details -
Trim some unused XN_FLAG_* values
These appear to be unused. Some ones of note: - XN_FLAG_FN_ALIGN breaks with multi-attribute RDNs anyway - XN_FLAG_FN_NONE is completely pointless Update-Note: Some seemingly unused XN_FLAG_* values were removed. If some project fails to build, we can put them back but one shouldn't be using this function in the first place. Change-Id: I4d8472e1e31aeec623b4d4e2aea48da7b1ef6798 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58930 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 26ead95 - Browse repository at this point
Copy the full SHA 26ead95View commit details -
Update docs to recommend a much more convenient CMake invocation
Newer CMakes support a -B parameter, which saves some fuss. Change-Id: Ifdbbb50b3720cdc42af098eb32941283692e9d99 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58966 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Reviewed-by: Nabil Wadih <nwadih@google.com>
Configuration menu - View commit details
-
Copy full SHA for 1a5570b - Browse repository at this point
Copy the full SHA 1a5570bView commit details -
Fix allowlist regex in bindgen invocation
The allowlist is just a regex, which means bindgen leaves it to the user to resolve Windows vs POSIX filepath differences. We need to support both / and \. It's unclear why only some headers are broken, but it's probably something to do with whether the header is included directly or indirectly. Unfortunately, in doing so, we run into a mess of escaping issues, so the regex is more permissing than ideal. Bug: 595 Change-Id: I8b785aeaaeff162d9eb2aced89928f9602445903 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58967 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for a38d600 - Browse repository at this point
Copy the full SHA a38d600View commit details -
Replace sort.Sort with sort.Slice
Change-Id: I6e0361a42b9612ba4294cc8806203ea445bc9257 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58945 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for bcecc7d - Browse repository at this point
Copy the full SHA bcecc7dView commit details
Commits on Apr 21, 2023
-
Spell includes in wrapper.h like the rest of the project
We already require that #include <openssl/blah.h> work. May as well be consistent in wrapper.h, so it's less path-sensitive. Change-Id: Idd12e1c56a6e5d11623b4da82e405a5e976601b0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59045 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d5ac273 - Browse repository at this point
Copy the full SHA d5ac273View commit details -
Add mechanism for deprecated declarations.
This allows us to mark functions as deprecated declarations with OPENSSL_DEPRECATED. We also add an OPENSSL_BEGIN_ALLOW_DEPRECATED and an OPENSSL_END_ALLOW_DEPRECATED for testing use to test deprecated functions. The purpose of this is to allow us to mark things people should not be using as deprecated, and force some inconvenience on the user of such things to notice them (as opposed to a only a warning to not use it that they may not see or read without something tripping them up.) The intent is to still allow use, with some effort, before removing the function, or moving it to libdecrepit. We initially mark X509V3_EXT_add and X509V3_EXT_add_alias as deprecated. Update-Note: We are starting to mark some functions in boringssl as deprecated declarations which will cause the compiler to emit warnings if they are used. The intention is both to prevent accidental use in new code, and to to call attention to call sites in existing code so that the documentation for the deprecated function can be revisted and appropriate action taken. Bug: 584 Change-Id: Ia9ff386f0d22588e8a5999eda1a48b8c28dca2de Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58405 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Bob Beck authored and Boringssl LUCI CQ committedApr 21, 2023 Configuration menu - View commit details
-
Copy full SHA for ac6d558 - Browse repository at this point
Copy the full SHA ac6d558View commit details -
Only rerun bindgen when its dependencies change
This took a bit of wrangling to get the depfiles working, but I eventually figured it out. ninja -d explain is very useful. Fixed: 597 Change-Id: I909a4c9418e9dc954e3d328da8f3a825e62544e4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59005 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for b0b1f9d - Browse repository at this point
Copy the full SHA b0b1f9dView commit details
Commits on Apr 24, 2023
-
Per b/31553927, the last use of this is long gone. This cipher has been deprecated since it was (re)-added in 2015, so it's long past time to remove it. Update-Note: TLS_RSA_WITH_NULL_SHA is no longer available. Nothing should be enabling it anymore. Callers using SSL_CTX_set_strict_cipher_list instead of SSL_CTX_set_cipher_list will notice if they're affected very quickly, because the functino will fail if this cipher is referenced. As a deprecated cipher suite, this cipher was already unavailable unless explicitly named, so if your configuration doesn't say "TLS_RSA_WITH_NULL_SHA" or "NULL-SHA", you were not using this cipher. Bug: b:31553927 Change-Id: Id560bb4f9b156be3650d63f4ecf7783fad5ae209 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59145 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for de2d610 - Browse repository at this point
Copy the full SHA de2d610View commit details
Commits on Apr 25, 2023
-
Allow passing extra flags to BoGo shim
Add a new flag, -shim-extra-flags, which allows specifying additional flags to pass to the shim binary on all invocations. These flags will be passed as the first flags to the shim in order to take advantage of some slightly confusing Go flag semantics. Change-Id: I382f47bfe2662903b43135fcb249b46646fc9e7b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59245 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for edf7662 - Browse repository at this point
Copy the full SHA edf7662View commit details -
Move convert_wycheproof into its own package
This can still be run like go run ../../util/convert_wycheproof. This is part of an attempt to reland 54b04fd, which ran into an issue with internal tooling that could not handle standalone Go files. Since the only such target we actually needed to run in that repository is convert_wycheproof, just promote it into its own package. Then we can stop trying to import util. Change-Id: I6237777dad09e5c81ad961816ce14a287ab2d46a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59185 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5748eb8 - Browse repository at this point
Copy the full SHA 5748eb8View commit details -
This reverts commit bab2f96. This clears the sea of red in my editor. Change-Id: I600ef6c36556fb526da729f0f0d8bc69db5c5a08 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59186 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for ece1f86 - Browse repository at this point
Copy the full SHA ece1f86View commit details -
Align TRUST_TOKEN_pst_v1_voprf with draft-21 of VOPRF
This aligns the DLEQ proof portion of TRUST_TOKEN_pst_v1_voprf with draft-irtf-cfrg-voprf-21. The blind and finalize operations still differ. Additionally, as VOPRF doesn't include batched issuance, the issuance process around the DLEQ proof is adapted from draft-robert-privacypass-batched-tokens-01. Bug: chromium:1414562 Change-Id: If1c6de0f92089a826968a57279ae598ccf89ca3e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58906 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 4b6d950 - Browse repository at this point
Copy the full SHA 4b6d950View commit details -
Squeeze a block at a time when computing the matrix in Kyber
We were currently squeezing 3 bytes at a time. And because kyber.c and keccak.c are separate files, we've got an optimization barrier, at least in non-LTO builds, at a very inconvenient place. Instead, extract the full 168 bytes (SHAKE-128 rate) at a time. This is conveniently a multiple of three, so we don't need to worry about partial coefficients. We're still doing a copy due to the Keccak abstraction, but it should extend cleanly to either LTO or a different abstraction to read from the state directly. Even without that, it's a significant perf win. Benchmarks on an M1: Before: Did 87390 Kyber generate + decap operations in 4001590us (21838.8 ops/sec) Did 119000 Kyber parse + encap operations in 4009460us (29679.8 ops/sec) After: Did 96747 Kyber generate + decap operations in 4003687us (24164.5 ops/sec) [+10.6%] Did 152000 Kyber parse + encap operations in 4018360us (37826.4 ops/sec) [+27.4%] Change-Id: Iada393edf0c634b7410a34374fb90242a392a9d3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59265 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d5f3a9e - Browse repository at this point
Copy the full SHA d5f3a9eView commit details
Commits on Apr 26, 2023
-
Specify the TLS cipher order more straightforwardly
We previously used the functions from the cipher language to define it, but it's more straightforward to just list them out. Change-Id: I1467d6db47a93c8443a0a448ef974c827b1b3233 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59146 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d42c4e4 - Browse repository at this point
Copy the full SHA d42c4e4View commit details -
When building BCM sources individually, this gets missed. Change-Id: I58858da441daaeffc5e54b653f5436fe817c4178 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59306 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for a0afd6a - Browse repository at this point
Copy the full SHA a0afd6aView commit details -
X509_sign, etc., should return the length of the signature on success
Prior to https://boringssl-review.googlesource.com/c/boringssl/+/58548, ASN1_item_sign_ctx returned the length of the signature on success. It's unclear why anyone would ever want this, but some test was sensitive to it. (I think it was a typo.) Restore the old behavior. Change-Id: Ibf3e45331a339226744d51df703634d02b08a7c4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59307 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 0c7527b - Browse repository at this point
Copy the full SHA 0c7527bView commit details -
Remove go:build ignore from convert_wycheproof
The reason to make it a package was to avoid needing this, but I missed that git put it back. Change-Id: Idd6df275aa964083db525d4d5e300128b204d973 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59305 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for b352546 - Browse repository at this point
Copy the full SHA b352546View commit details -
Don't copy all of bssl-sys into the CMake build directory
Instead, just have it look for the files it needs via a BORINGSSL_BUILD_DIR environment variable. This avoids hardcoding "../../build" anywhere that cannot be easily overriden by the user. Although this puts logic in a build.rs file, which is problematic for repositories with more coherent build stories like Android or Chromium, those are already driving the bindgen and link process themselves, without calling CMake. I.e. this file should already only be used for standalone development and testing and not directly impact them. (Though we'd like to keep it vaguely analogous to better predict without a change will impact downstream folks.) For now, I've kept bindgen generated from CMake, mostly in anticipation of using the inline functions feature. Building the synthesized C file from CMake seems less of a headache than Cargo. Additionally, calling bindgen from the command-line is closer to how those consumers will do it, so this forces us to stick to bindgen invocations that can be expressed via command-line arguments. (E.g. the mess that is regexes and escaping.) As part of this, I've removed the messy "find the first matching wrapper file" behavior in build.rs. Instead, it knows the expected TARGET and just finds the file with matching name. This means we'll be stricter about matching the two. (Otherwise there's no point in naming it by target name anyway.) Fixed: 598 Change-Id: I07fa74f7e5f5f008d6f0ceec648a2378df7d317a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59105 Reviewed-by: Matthew Maurer <mmaurer@google.com> Reviewed-by: Nabil Wadih <nwadih@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 26669ff - Browse repository at this point
Copy the full SHA 26669ffView commit details -
Remove unimplemented SSL BIO_ctrl values
We have since added an implementation of a subset of the SSL BIO, but we don't implement all the features, notably some of the BIO_ctrl values. Remove them, so it doesn't look like they should work. Update-Note: I found no code using those symbols (that we build). If anything was, they most likely were broken. Now they'll fail to build and the brokenness will be more obvious. (If we find something needs it, we can always go back and implement them.) Fixed: 420 Change-Id: Iad03fa65f098023dca555a9b2ac0214ba4264546 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59125 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 691e45a - Browse repository at this point
Copy the full SHA 691e45aView commit details -
Move the old SPKAC types to their own section
Also fixes some copy-paste errors in earlier docs. Bug: 426 Change-Id: I330445477b6feb50f65a868130387804114f23a8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59205 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for d206f3d - Browse repository at this point
Copy the full SHA d206f3dView commit details -
runner: Remove an unnecessary use of AllCurves
AllCurves interferes with cross-version handshake hint tests. If any curve is removed, the test breaks. This is a particular nuisance for signing tests, where we'd rather like to see cross-version hint compatibility. It's also a nuisance for writing test suppressions because the remove curve is not actually listed in the test name. The signing tests don't actually need to enable all curves. They just need to handle some TLS 1.2 ECDSA rules. Fix that by having the test know the expected curve and to configure it explicitly. Hopefully that'll reduce the exceptions needed in the future. Change-Id: I432e084c49a943afc92726ccf0b73658e7bd30b1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59325 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for a02b743 - Browse repository at this point
Copy the full SHA a02b743View commit details
Commits on Apr 28, 2023
-
Support WPA 3.1 "enterprise" mode.
It's unwise for organisations to try and define TLS profiles. As in this case, they usually make security worse. However, since this is already established and supported by Android, this change raises it to the level of a supported policy. Change-Id: Ic66d5eaa33d884e57fc6d8eb922d86882b621e9e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/58626 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2f6409e - Browse repository at this point
Copy the full SHA 2f6409eView commit details -
Invalidated cached RSA, DH, and DSA state when changing keys
As part of getting a handle on RSA state, I would like for RSA keys created from parsing to come pre-"frozen". This reduces some contention on first use. But that potentially breaks an existing use case: today, you're allowed to parse a private key and then override one field without problems, because none of the cached state has materialized yet. If the caller modified the RSA key by reaching into the struct, it's hopeless. If they used the setters, we actually can handle it correctly, so go ahead and make this work. DH and DSA aren't of particular interest to us, but fix them while I'm at it. This also avoids having to later document that something doesn't work, just that it's a terrible API. Bug: 316 Change-Id: Idf02c777b932a62df9396e21de459381455950e0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59385 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9939e14 - Browse repository at this point
Copy the full SHA 9939e14View commit details
Commits on May 1, 2023
-
Change-Id: I49920d3917f0aebf1b9efbd45d0bcd944d6c8117 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59405 Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for b811a6c - Browse repository at this point
Copy the full SHA b811a6cView commit details -
Disable BlindingCacheConcurrency on FreeBSD.
Per the bug discussion, FreeBSD seems to default to a cap of 1500 threads per process. Just turn the test off. But enable the test unconditionally if building with TSan. With TSan on, we only spawn two threads, which should be within everyone's bounds. Fixed: 603 Change-Id: Ic8c49e5ce7c3f2d09487debc72b7e4c54b04a77c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59445 Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 048d21c - Browse repository at this point
Copy the full SHA 048d21cView commit details -
Add new APIs for creating RSA keys
This adds APIs for constructing RSA keys given all the parameters. This is much less tedious than the set0 functions, and also avoids issues caused by deferred initialization. It doesn't quite finish initializing the keys on construction, as that is tied up in the rest of this mess. But later work, probably after Conscrypt is moved to these APIs, will do this. As part of this, add APIs that explicitly create RSA keys with no e. There is actually no way to do this right now without reaching into library internals, because RSA_set0_key refuses to accept an e-less private key. Handle this by adding a flag. I also had to add a path for Conscrypt to make an RSA_METHOD-backed key with n but no e. (They need n to compute RSA-PSS padding.) I think that all wants to be rethought but, for now, just add an API for it. This bumps BORINGSSL_API_VERSION so Conscrypt can have an easier time switching to the new APIs. Bug: 316 Change-Id: I81498a7d0690886842016c3680ea27d1ee0fa490 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59386 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 86ada1e - Browse repository at this point
Copy the full SHA 86ada1eView commit details
Commits on May 2, 2023
-
Satisfy a go lint. As of Go 1.18, any is the preferred spelling of interface{}. Also remove an instance of redundant types in util/fipstools/acvp/acvptool/acvp.go because my editor warned about it. (A []map[string]any{map[string]any{...}, map[string]any{...}} literal can omit the inner copy of the type because it's implicit from the outer one.) Change-Id: I2251b2285c16c19bc779fa41d1011f7fa1392563 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59465 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 77b6f25 - Browse repository at this point
Copy the full SHA 77b6f25View commit details -
Update references to draft-irtf-cfrg-gcmsiv
It is now RFC 8452. The final RFC also has a few more test vectors, so import those too. Change-Id: Ib7667802973df7733ba981f16ef6a129cb4f62e7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59485 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 051f891 - Browse repository at this point
Copy the full SHA 051f891View commit details -
Implement the AuthEncap/AuthDecap HPKE modes
Relevant spec bits: https://www.rfc-editor.org/rfc/rfc9180.html#section-4.1 https://www.rfc-editor.org/rfc/rfc9180.html#section-5.1.3 Change-Id: Iddb151afc92f7a91beb9ca52caceec6cb5383206 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59387 Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 4c8bcf0 - Browse repository at this point
Copy the full SHA 4c8bcf0View commit details
Commits on May 3, 2023
-
Don't make assumptions about GCM128_CONTEXT layout in aesv8-gcm-armv8.pl
This isn't captured by the comments, the ABI tests have technically been going out of bounds, and is entirely unnecessary. It can just take Htable as a parameter. Change-Id: Iad748d5b649333985ebaa1f84031fbe9a2339a85 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59505 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for a7f83c4 - Browse repository at this point
Copy the full SHA a7f83c4View commit details -
Don't make assumptions about GCM128_CONTEXT layout in aesni-gcm-x86_6…
…4.pl This is a little trickier because Intel architectures are so inconveniently register-starved. This code was already using every register. However, since Xi is only needed at the start and end of the function, I just swapped the Xi and Htable parameters. Xi is passed on the stack, so we don't need to explicitly spill it. Change-Id: I2ef4552fc181a5350c9b1c733cf2319377a06b74 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59525 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 62f9751 - Browse repository at this point
Copy the full SHA 62f9751View commit details -
This was originally removed in https://boringssl-review.googlesource.com/12477, but restored in https://boringssl-review.googlesource.com/c/boringssl/+/13122, which also restored a comment the assembly code secretly relies on the struct layout. Our comment references the MOVBE-based assembly, which could mean either the stitched AES+GCM code, or the GHASH-only code. I don't see an obvious place where the GHASH-only code does this. The stitched ones (both x86_64 and aarch64, counter to the comment) did this, but the preceding CLs fix this. I think we can now remove this comment. In OpenSSL, this comment dates to d8d958323bb116bf9f88137ba46948dcb1691a77 in upstream. That commit also removed a field, so we can assume no assembly prior to that change relied on that layout. That commit immediately preceded 1e86318091817459351a19e72f7d12959e9ec570, which was likely the motivation. At the time, gcm_gmult_neon had some code with a comment "point at H in GCM128_CTX". At the time, Htable wasn't even filled in, and the function relied on H being 16 bytes before Htable. gcm_ghash_neon also relies on them being reachable from Xi. This code changed in f8cee9d08181f9e966ef01d3b69ba78b6cb7c8a8 and, at a glance, the file doesn't seem to be making this assumption anymore. I think, prior to that change, Htable wasn't filled in for the NEON code at all. With all this now resolved, remove the comment and unused copy of H in GCM128_KEY. Change-Id: I4eb16cfff5dd41a59a0231a998d5502057336215 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59526 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for e7c3f47 - Browse repository at this point
Copy the full SHA e7c3f47View commit details -
Remove unions in polyval implementation
This can be done with just memcpy, which tempts the compiler slightly less. Bug: 574 Change-Id: I7b46c2f2578abc85621834426de20d5eaf492a74 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59527 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 85e6453 - Browse repository at this point
Copy the full SHA 85e6453View commit details
Commits on May 4, 2023
-
Align Kyber names with draft-tls-westerbaan-xyber768d00
The initial codepoint is called X25519Kyber786Draft00 in the draft, so align with that name for this version. Also remove the placeholder bits for the other combinations, which haven't gotten that far yet. Update-Note: Update references to NID_X25519Kyber768 to NID_X25519Kyber768Draft00. For now, the old name is available as an alias. Change-Id: I2e531947f41e589cec61607944dca844722f0947 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59605 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 1b724a6 - Browse repository at this point
Copy the full SHA 1b724a6View commit details -
Clarify that X25519 also supports EVP_PKEY_new_raw_private_key, etc
Fixed: 605 Change-Id: Id2b7d0221c3e43c102ce77c800f7ab65c74e0582 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59625 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2e565ef - Browse repository at this point
Copy the full SHA 2e565efView commit details -
Rename EC_RAW_POINT to EC_JACOBIAN
EC_RAW_POINT is a confusing name. It's mostly about whether this is stack-allocated EC_POINT without the EC_GROUP pointer. Now that we have EC_AFFINE, EC_JACOBIAN captures what it's doing a bit better. Fixed: 326 Change-Id: I5b71a387e899a94c79be8cd5e0b54b8432f7d5da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59565 Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5e988c4 - Browse repository at this point
Copy the full SHA 5e988c4View commit details
Commits on May 5, 2023
-
Remove unions in GCM implementation
This was a bit of a mess. There are three assembly functions to juggle here. Their current type signatures are: void gcm_init_v8(u128 Htable[16], const uint64_t H[2]); void gcm_gmult_v8(uint64_t Xi[2], const u128 Htable[16]); void gcm_ghash_v8(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp, size_t len); Except for gcm_nohw.c, this is all assembly, so they don't follow the C abstract machine's theory of typed memory. That means types are mostly arbitrary and we have room to rearrange them. They do carry an implicit alignment requirement, but none of these assembly files care about this[*]. Values passed to gcm_gmult and gcm_ghash get XORed byte-by-byte in places, which is inconvenient to do as uint64_t. They also get passed to AES functions, which want bytes. Thus I think uint8_t[16] is the most natural and convenient type to use. H in gcm_init is interesting. gcm_init already doesn't take a GHASH key in the natural byte representation. The two 8-byte halves are byte-swapped, but the halves are not swapped, so it's not quite a byte reversal. I opted to leave that as uint64_t[2], mostly to capture that something odd is happening here. [*] We only have GHASH assembly for x86, x86_64, armv7, and aarch64. We used to have armv4 GHASH assembly, but that's been removed from gcm_nohw.c. Thus we can assume none of these files care about alignment for plain scalar loads. Alignment does matter for vmovdqa vs vmovdqu, but that requires 16-byte alignment and uint64_t only implies 4- or 8-byte alignment on these architectures. Bug: 574 Change-Id: If7dba9b41ff62204f4cf8fcd54eb4a4c54214c6e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59528 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5b32e81 - Browse repository at this point
Copy the full SHA 5b32e81View commit details -
Add APIs to support RSA keys with large e.
We cap e in RSA for DoS reasons. draft-amjad-cfrg-partially-blind-rsa needs to create RSA keys with very large e. To support this, add an API which disables this check. Also add some missing checks for negative n and negative e. (Already rejected by the parser, just not at this layer.) Change-Id: Ia996bb1b46fc8b73db704f492b3df72b254a15a4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59645 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 6d55dc3 - Browse repository at this point
Copy the full SHA 6d55dc3View commit details -
Add a more general mechanism for deprecating TLS ciphers
This generalizes the scheme we previously had with TLS_RSA_WITH_NULL_SHA, in preparation for TLS_RSA_WITH_3DES_EDE_CBC_SHA (to be deprecated in a later CL) and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (to regretably be added back in, but in a deprecated state). The story is that deprecated ciphers can always be listed by name, but by default, selectors will not match them when adding ciphers. They will still match them when removing ciphers. This is so instructions like "@strength" or "!RSA" will still sort or disable the deprecated ciphers, rather than accidentally leaving them at the front or enabled. Additionally, a selector can mark itself as including deprecated ciphers. This is specifically for TLS_RSA_WITH_3DES_EDE_CBC_SHA, because many callers reference it with just "3DES". As an added quirk, "RSA+3DES" will also match it. (The rule is that, if any selector matches deprecated ciphers, we'll allow the overall expression to match it. This is slightly weird, but keeps "RSA+3DES" working.) Note, in this CL, 3DES is not actually deprecated. This just sets up the machinery and doesn't do anything with it. But the blockers for deprecating that should hopefully be resolved soon. Bug: 599 Change-Id: I7212bdc879b0e49c6742025644f3100026f24228 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59646 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 4d30888 - Browse repository at this point
Copy the full SHA 4d30888View commit details -
Fix PKCS8Test to not rely on RSA-512
rsa_test.cc and a few of the tests in evp_tests.txt still do, but refresh the easy one. I switched it to a P-256 key to keep the input small. Bug: 607 Change-Id: Ie0614280d12012bbd928f095eb4531e4d7550ae1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59666 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 722f5d8 - Browse repository at this point
Copy the full SHA 722f5d8View commit details -
Add back support for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
This TLS 1.2 algorithm is substantially inferior to AES-GCM and should never be used. It will not be available unless configured by name. However, in can be used to provide backwards-compatibility with devices that cannot be updated if so needed. Change-Id: I1fd78efeb33aceca76ec2e7cb76b70f761ed1af8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59585 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for b1c6f45 - Browse repository at this point
Copy the full SHA b1c6f45View commit details
Commits on May 8, 2023
-
Add APIs to query a list of possible strings for TLS features
Envoy needs to have the possible cipher, etc., strings predeclared to reduce synchronization needs in the steady state. It currently does this by (1) iterating over SSL_CTX_get_ciphers at SSL_CTX creation time and (2) hard-coding a lists of known TLS 1.3 ciphers, TLS versions, NamedGroups, etc. (1) would work for some applications, but it breaks any applications that configure ciphers on the SSL on a certificate callback, etc. If the callback configures a cipher that wasn't configured on the SSL_CTX (e.g. if the SSL_CTX were left at defaults), Envoy's logging breaks and we hit an ENVOY_BUG assertion. (2) breaks whenever BoringSSL adds a new feature. In principle, we could update Envoy when updating BoringSSL, but this is an unresasonable development overhead for just one of many BoringSSL consumers to impose. Such costs are particularly high when considering needing to coordinate updates to Envoy and BoringSSL across different repositories. Add APIs to enumerate the possible strings these functions can return. These string lists are a superset of those that any one application may care about (e.g. we may have a deprecated cipher that Envoy no longer needs, or an experimental cipher that's not yet ready for Envoy's stability goals), but this is fine provided this is just used to initialize the table. In particular, they are *not* intended to enumerate supported features. Bump BORINGSSL_API_VERSION to aid in patching these into Envoy. Bug: b:280350955 Change-Id: I4d11db980eebed5620d3657778c09dbec004653c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59667 Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for a972b78 - Browse repository at this point
Copy the full SHA a972b78View commit details -
Bump the minimum supported MSVC version to VS2019
This aligns with google/oss-policies-info#8 and grpc/grpc#32614. VS2019 adds a C11 mode, which is useful for us, because it means stdalign.h works correctly. Also bump the minimum Windows SDK to https://devblogs.microsoft.com/cppblog/c11-and-c17-standard-support-arriving-in-msvc/. If you have a new MSVC, CMake will enable C11 mode by default. But if C11 mode is enabled but your Windows SDK is too old, things break. After this change, the CI will include some redundant configurations. All the VS2017 configurations will start testing on VS2019, so the VS2019-specific configurations won't do anything. I'll follow this up with a change to bump those to VS2022, where we're currently missing coverage. Update-Note: BoringSSL now requires VS2019 or later and no longer supports VS2017. VS2017 has been past its "mainstream end date" for over a year now, per https://learn.microsoft.com/en-us/lifecycle/products/visual-studio-2017 Change-Id: I3f359e8ea7c9428ddaa9fcc4ffead2ef903398be Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59665 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2aae3f5 - Browse repository at this point
Copy the full SHA 2aae3f5View commit details
Commits on May 10, 2023
-
Remove unions in BLAKE2b implementation
Bug: 574 Change-Id: Ief8030a4c9257a05defdc2dc02d496c63f06626a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59545 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for c6dd304 - Browse repository at this point
Copy the full SHA c6dd304View commit details
Commits on May 11, 2023
-
Includes bits by me and Robert Nagy <robert.nagy@gmail.com> who has a google CLA. Update-Note: Additionally, BoringSSL now requires macOS 10.12 or later for getentropy support. This is consistent with https://github.com/google/oss-policies-info/blob/main/foundational-cxx-support-matrix.md WANT_LGTM=all Change-Id: I5ab74fa8a6677fac29c316aa29a954df401ba647 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59225 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 4540c3c - Browse repository at this point
Copy the full SHA 4540c3cView commit details -
Change-Id: I1a4914cc4859ed1e0797a046a1abec8921c4a9cf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59746 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 4137759 - Browse repository at this point
Copy the full SHA 4137759View commit details -
It's been a couple years since we did that. I had to upstream a fix to CreateArgvFromArgs, but that landed quickly, so we're actually carrying no googletest patches with this. Change-Id: Ifaf3476f2079d444512a235756cfe54f492b9c92 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59745 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for bf80254 - Browse repository at this point
Copy the full SHA bf80254View commit details -
acvptool: implement pipelining.
This causes avcptool to send requests without blocking on responses. See the diff in ACVP.md for details of how to use this feature. Change-Id: I922b3bd2383cb7d22a5d12ead49d2fa733ee1b97 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55345 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Adam Langley authored and Boringssl LUCI CQ committedMay 11, 2023 Configuration menu - View commit details
-
Copy full SHA for e24491a - Browse repository at this point
Copy the full SHA e24491aView commit details
Commits on May 12, 2023
-
Cap the input size to the conf fuzzer
Trying to fix all the places where these formats go quadratic isn't a good use of time. We've already documented that they're not safe for use with untrusted inputs. Even without such DoS issues, they cannot be safely used anyway. (E.g. RUSTSEC-2023-0023.) Just cap the fuzzer input. It'd be nice if we could avoid this more systematically in the function, but they're not structured to make this easy to do, and anyone concerned about DoS in this function has worse problems. Bug: chromium:1444420, oss-fuzz:56048, 611 Change-Id: I53eeb346f59278ec2db3aac4a92573b927ed8003 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59785 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for b92fcfd - Browse repository at this point
Copy the full SHA b92fcfdView commit details -
Use a helper function to implement get_all_foo_names functions.
Saves some duplicated logic. Change-Id: I202fa92a88101f9ad735648bc414ab05752641da Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59685 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Adam Langley authored and Boringssl LUCI CQ committedMay 12, 2023 Configuration menu - View commit details
-
Copy full SHA for c215ce7 - Browse repository at this point
Copy the full SHA c215ce7View commit details
Commits on May 14, 2023
-
Add a multi-threaded mode to bssl speed
This is inspired somewhat from how https://github.com/google/benchmark's threaded benchmark support works. (It seems to spawn a bunch of threads, latch them all together, and then run.) This adds a TimeFunctionParallel which runs multiple copies of the benchmark in parallel, after waiting for all the threads to synchronize. Some functions had to be tweaked so they don't write to a single, shared output buffer. This probably could use some improvement. In playing with it, the numbers are pretty unstable. We also don't currently benchmark anything that captures EVP's internal refcounts. But hopefully it's enough to get a start. I am able to measure impacts from the PRNG locks at least. Bug: 570 Change-Id: I92c29a05ba082fc45701afd6f0effe23f7b148bd Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59845 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for c1f5d79 - Browse repository at this point
Copy the full SHA c1f5d79View commit details
Commits on May 15, 2023
-
Add documentation for X509_STORE_CTX_set_verify_cb and friends
Change-Id: Ibcc3faa4c3e03713a0c8f6dc24119e4579a5b4e4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59025 Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Bob Beck authored and Boringssl LUCI CQ committedMay 15, 2023 Configuration menu - View commit details
-
Copy full SHA for 706846d - Browse repository at this point
Copy the full SHA 706846dView commit details -
RSATest.MissingParameters tests this case a bit more extensively. Change-Id: I61e38bd139c6334ff9d5c9636a159cb20bcd7f7b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59825 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 15a0c9a - Browse repository at this point
Copy the full SHA 15a0c9aView commit details -
Check public components in freeze_private_key
We currently don't enforce rsa_check_public_key invariants on private key operations, only public key operations and RSA_check_key. This means it was actually possible, in some corner cases, to perform operations with oversized e or n. Fix this. This gets us a bit closer to aligning the mess of RSA invariants. (RSA_check_key still performs some extra checks, but most of those should be redundant with the CRT self-check.) Update-Note: Manually constructed RSA private keys with invalid n or e will now fail private key operations. Such keys would always fail at public key operations (so the signatures would never verify). They also already failed RSA_check_key and parsing. The one incompatibility of note is keys with only n and d, constructed by reaching into the internal RSA struct, no longer work. Instead, use RSA_new_private_key_no_e. Conscrypt used to do this but has since been migrated to the new API. Bug: 316 Change-Id: I062fdad924b8698e257dab9760687e4b381c970d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59826 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 786554f - Browse repository at this point
Copy the full SHA 786554fView commit details -
Reject RSA keys under 512 bits
512-bit RSA was factored in 1999, so this limit barely means anything. But establish some limit now to ratchet in what we can. We'll raise this limit as we clear through further rounds of bad keys in tests. As part of this, I've touched up rsa_test.cc a bit. All the functions that made assumptions on key size now use std::vector with RSA_size. kKey1 and kKey2 were also 512- and 400-bit RSA, respectively. In principle, we could keep kKey1 for now, but the next stage will break it anyway. I've replaced them with kFIPSKey (which was "FIPS-compliant" but actually 1024-bit) and kTwoPrime (remnant of multi-prime RSA, 2048-bit). As neither name makes sense, they're just the new kKey1 and kKey2. I've also switched from string literals to arrays, which avoids the pesky trailing NUL. Sadly, it is a bit more verbose. Maybe we should switch to writing something like: const std::vector<uint8_t> kKey1 = MustDecodeHex("abcdef1234..."); Static initializers don't matter in tests, after all. Update-Note: We no longer accept 511-bit RSA and below. If you run into this, update test keys to more modern sizes as we plan to raise the limit beyond 512-bit RSA in the future. 512-bit RSA was factored in 1999, so keys at or near this limit have been obsolete for a very, very long time. Bug: 607 Change-Id: I13c3366d7e5f326710f1d1b298f4150a4e8e4d78 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59827 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for dd9ee60 - Browse repository at this point
Copy the full SHA dd9ee60View commit details
Commits on May 16, 2023
-
Use Windows Interlocked* APIs for refcounts when C11 isn't available
Right now, MSVC has to fallback to refcount_lock.c, which uses a single, global lock for all refcount operations. Instead, use the Interlocked* APIs to implement them. The motivation is two-fold. First, this removes a performance cliff when building for Windows on a non-Clang compiler. (Although I've not been able to measure it in an end-to-end EVP benchmark, only a synthetic refcount-only benchmark.) More importantly, it gets us closer to assuming atomics support on all non-NO_THREADS configurations. (The next CL will clear through that.) That, in turn, will make it easier to add an atomics-like abstractions to some of our hotter synchronization points. (Even in newer glibc, with its better rwlock, read locks fundamentally need to write to memory, so we have some cacheline contention on shared locks.) Annoyingly, the Windows atomic_load replacement is not quite right. I've used a "no-op" InterlockedCompareExchange(p, 0, 0) which, empirically, still results in a write. But a write to the refcount cacheline is surely better than taking a global exclusive lock. See comments in file for details. OpenSSL uses InterlockedOr(p, 0), but that actually results in even worse code. (InterlockedOr needs a retry loop when the underlying cmpxchg fails, whereas InterlockedCompareExchange is a single cmpxchg.) Hopefully, in the future (perhaps when we require VS 2022's successor, based on [1]), this can be removed in favor of C11 atomics everywhere. [1] https://devblogs.microsoft.com/cppblog/c11-atomics-in-visual-studio-2022-version-17-5-preview-2/ Bug: 570 Cq-Include-Trybots: luci.boringssl.try:linux_clang_rel_tsan Change-Id: I125da139e2fd3ae51e54309309fda16ba97ccf20 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59846 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5b845de - Browse repository at this point
Copy the full SHA 5b845deView commit details -
Remove the lock-based atomics fallback
On Windows, we can rely on Interlocked APIs. On non-Windows builds, we currently require C11 but permit C11 atomics to be missing, via __STDC_NO_ATOMICS__. This CL tightens this so C11 atomics are required on non-MSVC builds. My hope is that, now that we require C11 on non-Windows, this is a fairly safe requirement. We already require pthreads on any platform where this might apply, and it's hard to imagine someone has C11, pthreads, but not C11 atomics. This change means that, in later work, we can refactor the refcount logic to instead be a <stdatomic.h> compatibility layer, and then an atomics-targetting CRYPTO_refcount_t implementation. With a <stdatomic.h> compatibility layer, we can use atomics in more places, notably where our uses of read locks are causing cacheline contention. The platform restriction isn't *strictly* necessary. We could, like with refcounts, emulate <stdatomic.h> with a single, global lock. Indeed any platforms in this situation have already been living with that lock for refcounts without noticing. But then later work to add "atomics" to read locks would regress contention for those platforms. So I'm starting by rejecting this, so if any such platform exists, we can understand their performance needs before doing that. Update-Note: On non-Windows platforms, we now require C11 atomics support. Note we already require C11 itself. If this affects your build, get in touch with BoringSSL maintainers. Bug: 570 Cq-Include-Trybots: luci.boringssl.try:linux_clang_rel_tsan Change-Id: I868fa4ba87ed73dfc9d52e80d46853ef56715a5f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59847 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8a85012 - Browse repository at this point
Copy the full SHA 8a85012View commit details -
Add an atomics library to crypto/internal.h
refcount.c is now a single, generic file that calls into C11-atomic-like APIs. Behind the scenes, this selects one of C11 atomics, Windows interlocked APIs, or unsynchronized reads/writes (in the no-threads build). This frees us up to use atomics elsewhere in the library. For now, this only binds sequentially consistent atomics, but we can add other memory orders if needed. In particular, I believe up_ref only needs relaxed atomics. Some of the later change I think only need acquire and release, but I'm not positive. Bug: 570 Cq-Include-Trybots: luci.boringssl.try:linux_clang_rel_tsan Change-Id: Ifcd7357611bb7a8cd14b82c23ad080d1a2df1386 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59848 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for a05691d - Browse repository at this point
Copy the full SHA a05691dView commit details -
Remove read locks from PRNG steady state
We don't take write locks in the PRNG, steady state, but we do take some read locks: computing fork generation, reading the fork-unsafe buffering flag, and a FIPS-only artifact of some global state clearing mess. That last one is completely useless, but it's a consequence of FIPS's understanding of process exit being comically inconsistent with reality. Taking read locks is, in principle, parallel, but the cacheline write causes some contention, even in newer glibcs with faster read locks. Fix these: - Use atomic reads to check the fork generation. We only need to lock when we observe a fork. - Replace the fork-unsafe buffering flag with an atomic altogether. - Split state_clear_all_lock into a per-rand_thread_state lock. We still need a read lock, but a completely uncontended one until process exit. With many threads, this gives a significant perf boost. x86_64, non-FIPS, Intel(R) Xeon(R) Gold 6154 CPU @ 3.00GHz, 30 threads: Before: Did 45131875 RNG (16 bytes) operations in 300039649us (150419.7 ops/sec): 2.4 MB/s Did 44089000 RNG (32 bytes) operations in 300053237us (146937.3 ops/sec): 4.7 MB/s Did 43328000 RNG (256 bytes) operations in 300058423us (144398.5 ops/sec): 37.0 MB/s Did 45857000 RNG (1350 bytes) operations in 300095943us (152807.8 ops/sec): 206.3 MB/s Did 43249000 RNG (8192 bytes) operations in 300102698us (144114.0 ops/sec): 1180.6 MB/s After: Did 296204000 RNG (16 bytes) operations in 300009524us (987315.3 ops/sec): 15.8 MB/s Did 311347000 RNG (32 bytes) operations in 300014396us (1037773.5 ops/sec): 33.2 MB/s Did 295104000 RNG (256 bytes) operations in 300012657us (983638.5 ops/sec): 251.8 MB/s Did 255721000 RNG (1350 bytes) operations in 300016481us (852356.5 ops/sec): 1150.7 MB/s Did 103339000 RNG (8192 bytes) operations in 300040059us (344417.3 ops/sec): 2821.5 MB/s (Smaller PRNG draws are more impacted because they spend less time in the DRBG. But they're also more likely because you rarely need to pull 8K of data out at once.) x86_64, FIPS, Intel(R) Xeon(R) Gold 6154 CPU @ 3.00GHz, 30 threads: Before: Did 29060000 RNG (16 bytes) operations in 300081190us (96840.5 ops/sec): 1.5 MB/s Did 31882000 RNG (32 bytes) operations in 300118031us (106231.5 ops/sec): 3.4 MB/s Did 30925000 RNG (256 bytes) operations in 300113646us (103044.3 ops/sec): 26.4 MB/s Did 31969000 RNG (1350 bytes) operations in 300096688us (106529.0 ops/sec): 143.8 MB/s Did 33434000 RNG (8192 bytes) operations in 300093240us (111412.0 ops/sec): 912.7 MB/s After: Did 299013000 RNG (16 bytes) operations in 300012167us (996669.6 ops/sec): 15.9 MB/s Did 289788000 RNG (32 bytes) operations in 300014611us (965913.0 ops/sec): 30.9 MB/s Did 298699000 RNG (256 bytes) operations in 300013443us (995618.7 ops/sec): 254.9 MB/s Did 247061000 RNG (1350 bytes) operations in 300018215us (823486.7 ops/sec): 1111.7 MB/s Did 100479000 RNG (8192 bytes) operations in 300037708us (334887.9 ops/sec): 2743.4 MB/s On an M1 Pro, it's mostly a wash by default (fewer threads because this chip has fewer cores) aarch64, M1 Pro, 8 threads: Before: Did 23218000 RNG (16 bytes) operations in 80009131us (290191.9 ops/sec): 4.6 MB/s Did 23021000 RNG (256 bytes) operations in 80007544us (287735.4 ops/sec): 73.7 MB/s Did 22853000 RNG (1350 bytes) operations in 80013184us (285615.4 ops/sec): 385.6 MB/s Did 25407000 RNG (8192 bytes) operations in 80008371us (317554.3 ops/sec): 2601.4 MB/s Did 22128000 RNG (16384 bytes) operations in 80013269us (276554.1 ops/sec): 4531.1 MB/s After: Did 23303000 RNG (16 bytes) operations in 80011433us (291245.9 ops/sec): 4.7 MB/s Did 23072000 RNG (256 bytes) operations in 80008755us (288368.4 ops/sec): 73.8 MB/s Did 22807000 RNG (1350 bytes) operations in 80013355us (285039.9 ops/sec): 384.8 MB/s Did 23759000 RNG (8192 bytes) operations in 80010212us (296949.6 ops/sec): 2432.6 MB/s Did 23193000 RNG (16384 bytes) operations in 80011537us (289870.7 ops/sec): 4749.2 MB/s This is likely because, without RDRAND or MADV_WIPEONFORK, we draw from the OS on every call. We're likely bottlenecked by getentropy, whether it's some internal synchronization or syscall overherad. With fork-unsafe buffering enabled, this change shows even more significant wins on the M1 Pro. aarch64, fork-unsafe buffering, M1 Pro, 8 threads: Before: Did 25727000 RNG (16 bytes) operations in 80010579us (321545.0 ops/sec): 5.1 MB/s Did 25776000 RNG (32 bytes) operations in 80008587us (322165.4 ops/sec): 10.3 MB/s Did 25780000 RNG (256 bytes) operations in 80006127us (322225.3 ops/sec): 82.5 MB/s Did 33171250 RNG (1350 bytes) operations in 80002532us (414627.5 ops/sec): 559.7 MB/s Did 54784000 RNG (8192 bytes) operations in 80005706us (684751.2 ops/sec): 5609.5 MB/s After: Did 573826000 RNG (16 bytes) operations in 80000668us (7172765.1 ops/sec): 114.8 MB/s Did 571329000 RNG (32 bytes) operations in 80000423us (7141574.7 ops/sec): 228.5 MB/s Did 435043750 RNG (256 bytes) operations in 80000214us (5438032.3 ops/sec): 1392.1 MB/s Did 229536000 RNG (1350 bytes) operations in 80001888us (2869132.3 ops/sec): 3873.3 MB/s Did 57253000 RNG (8192 bytes) operations in 80004974us (715618.0 ops/sec): 5862.3 MB/s Note that, on hardware with RDRAND, the read lock in rand_fork_unsafe_buffering_enabled() doesn't do much. But without RDRAND, we hit that on every RAND_bytes call. More importantly, the subsequent CL will fix a bug that will require us to hit it more frequently. I've removed the volatile on g_fork_detect_addr because I think we didn't need it and this avoids thinking about the interaction between volatile and atomics. The pointer is passed into madvise, so the compiler knows the pointer escapes. For it to be invalid, the compiler would need to go out of its way to model madvise as not remembering the pointer, which would be incorrect of it for MADV_WIPEONFORK. Bug: 570 Cq-Include-Trybots: luci.boringssl.try:linux_clang_rel_tsan Change-Id: Ie6977acd1b8e7639aaa419cf6f4f5f0645bde9d1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59849 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 1599fea - Browse repository at this point
Copy the full SHA 1599feaView commit details -
This is intended to be run under TSan. ex_data currently works by taking a global read lock every time an RSA, SSL, SSL_CTX, etc., is freed. We should be able to fix that but, first, make sure we have test coverage for the threading requirements. Bug: 570 Cq-Include-Trybots: luci.boringssl.try:linux_clang_rel_tsan Change-Id: I0e12907e116481d88e45191a1f15f3a51833bf6d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59865 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2eaf070 - Browse repository at this point
Copy the full SHA 2eaf070View commit details -
Fix RAND_enable_fork_unsafe_buffering when called after fork
If a process calls fork(), then the child process never forks again, the child may wish to call RAND_enable_fork_unsafe_buffering(). However, doing so exposes a bug: we assume that, if the flag is set, we don't need to worry about fork-safety. But it is possible that the PRNG state was cloned from another process which does not work. Concretely, consider a zygote process, e.g. Chromium's. A zygote process would retain fork-safety, but pass along its PRNG state to each of its children. If the children never fork, they might disable fork-safety, hitting this bug. (Chromium does not call this API. This is just a hypothetical scenario.) Fix this by reseeding whenever the fork-safety bit changes. This fix does not strictly depend on the atomics work, but it causes us to unconditionally sample rand_fork_unsafe_buffering_enabled(). This no longer causes contention because it's just another atomic load. This only affects systems without MADV_WIPEONFORK and without fast RDRAND. If RDRAND is fast, we're always fork-safe and MADV_WIPEONFORK allows us to efficiently detect forks. Cq-Include-Trybots: luci.boringssl.try:linux_clang_rel_tsan Change-Id: I6d0c471c62c951254faf85420a7dc3f4a9d65ee0 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59850 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for dd52194 - Browse repository at this point
Copy the full SHA dd52194View commit details
Commits on May 18, 2023
-
Update hkdf.c to avoid potentially vulnerable code pattern.
Change-Id: I190fcdb0b9667b0ac6f490b36edc63237af7fffb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59905 Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 47b2fef - Browse repository at this point
Copy the full SHA 47b2fefView commit details -
Add a comment about the Chromium sandbox for macOS sysctls
https://crrev.com/c/4415225 had to react to us querying these. Add a comment so we can fix this proactively in the future. Bug: chromium:1432323 Change-Id: I2ffe4d90e32215b521815a25f3448502da2156bf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59925 Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 74a75b3 - Browse repository at this point
Copy the full SHA 74a75b3View commit details
Commits on May 19, 2023
-
Don't include <stdatomic.h> in C++
OPENSSL_C11_ATOMIC is both computed in crypto/internal.h and also defined externally. This is a remnant of C11 atomics were an opt-in feature. If defined externally, this means OPENSSL_C11_ATOMIC might be defined when built as C++. That, in turn, causes <stdatomic.h> to be included in C++ mode. At least one of our users toolchains has a <stdatomic.h> that is incompatible with C++. We don't get anything out of including it, so just gate the include on !defined(__cplusplus) for now. Things to look into as follow-up: - Fix build files to stop defining OPENSSL_C11_ATOMIC. Prior to https://boringssl-review.googlesource.com/c/boringssl/+/59847, it was still serving a purpose: in server builds, if autodetection fails, we would rather fail to build than accidentally fallback to locks. There is no lock fallback anymore. - Fix that toolchain so their <stdatomic.h> is C++-compatible. It's certainly not C++23-conformant. I suspect it's also not C++11-conformant, but I'm not positive. Change-Id: I13bcd8380efeb87b9f9cc439fe24a743e48aec60 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59985 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8abcb6f - Browse repository at this point
Copy the full SHA 8abcb6fView commit details
Commits on May 23, 2023
-
Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA by default
3DES has long been obsolete. It uses a small block size, making it vulnerable to attacks at sufficiently high volumes (see https://sweet32.info/, CVE-2016-6329). On top of this, it is slow even without constant-time protections, making it a DoS risk for server operators. Since the alias "3DES" has existed in OpenSSL for a long time, keep that one working, to reduce the risk of breaking someone who specifically wanted 3DES enabled. Update-Note: This CL disables TLS_RSA_WITH_3DES_EDE_CBC_SHA by default. Specifically, it will not be included unless explicitly listed in the cipher config, as "TLS_RSA_WITH_3DES_EDE_CBC_SHA", its legacy OpenSSL name "DES-CBC3-SHA", or the alias "3DES". To restore it, add one of the above to your cipher config. Bug: 599 Change-Id: Ib94a2f149b3bfa240ef1008b9f3729a9c10368fb Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59425 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for b0251b1 - Browse repository at this point
Copy the full SHA b0251b1View commit details -
Avoid locks in CRYPTO_free_ex_data
Every time we free a type with ex_data (RSA, EC_KEY, DSA, SSL_CTX, SSL, SSL_SESSION, X509, X509_STORE), we allocate and take a read lock. The allocation means, if we believe in malloc failures, it is possible to leak memory on malloc failure. The read lock causes an unnecessary bit of contention writing to the cache line. Instead, since we never remove ex_data entries, just thread them in a singly-linked list. This way we only need to synchronize when to stop iterating. Add a counter to synchronize that. (Or we could make each 'next' pointers atomic, but this seemed more straightforward.) (I suspect this doesn't matter much, but it was shorter and we were already allocating the funcs structures anyway.) Bug: 570 Change-Id: Ie7ba5cc44f2b71ebd79c8971e784912d53af7f5c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60025 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for f712c86 - Browse repository at this point
Copy the full SHA f712c86View commit details -
The Close() method of the middle often wasn't getting called because `os.Exit(0)` was used in some places. Once that's fixed, it's clear that the queue of pending reads needed to be closed before waiting for the reader goroutine to finish. Lastly, don't bother trying to record the error that the reader saw: just panic the process if the modulewrapper dies during processing. Change-Id: Icf077cefd0ace2ef721a493f99fede6269531257 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60045 Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for cf3851c - Browse repository at this point
Copy the full SHA cf3851cView commit details -
Bound STACK_OF(T) sizes by int
Although we've switched STACK_OF(T) to use size_t, OpenSSL used int pervasively. Much of crypto/x509 and third-party callers use int indices. As much of that is in the public API now, ensure that STACK_OF(T) can never exceed INT_MAX elements. Bug: 516 Change-Id: I26b8fe590655f8c3e449b749b5d0222e28c413f8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60065 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8c7e925 - Browse repository at this point
Copy the full SHA 8c7e925View commit details -
Add int casts as needed around STACK_OF(T) sizes and indices
We now ensure STACK_OF(T) sizes and indices fit in INT_MAX, so it's safe to cast to int. Bug: 516 Change-Id: I33dd1de6d60a852d510b9b5c3ac70e2eacbc8905 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60066 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 89a6253 - Browse repository at this point
Copy the full SHA 89a6253View commit details -
Miscellaneous size_t truncation fixes
Bug: 516 Change-Id: I3cc7e85687a29201a325b498eecf3694e0429ebc Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60067 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 7e56051 - Browse repository at this point
Copy the full SHA 7e56051View commit details
Commits on May 24, 2023
-
Test the CONF parser more extensively
Change-Id: I8792f118d281bc7a407dfbabe1c8b8e63f9eed9f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60085 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 83a6ba1 - Browse repository at this point
Copy the full SHA 83a6ba1View commit details -
Remove some unnecessary NULL checks in conf.c.
This file needs more work, but apply some small, local simplifications. Change-Id: Ia2b93f847e67ae7738afc791acb9ce3cc6cc0342 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60086 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5aefcba - Browse repository at this point
Copy the full SHA 5aefcbaView commit details -
Remove some unreachable character types in the CONF parser
DQUOTE and FCOMMENT are remnants of a second parser in OpenSSL. OpenSSL has CONF_type_default, which is the one we imported, and CONF_type_win32 which is a different syntax which looks to be modeled after Windows ini files. DQUOTE and FCOMMENT only exist in this one. Change-Id: Iffa01fcb012b0f3e7f8dbf87a01ba867bdc7bcc7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60087 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for f31b45d - Browse repository at this point
Copy the full SHA f31b45dView commit details -
Remove variable expansion from CONF fuzzer
CONF supports a variable expansion feature, which allows a config file to easily grow exponentially. 2d05568 (upstream's 6a6213556a80ab0a9eb926a1d6023b8bf44f2afd) capped the expansion to 65536 bytes, but this still allows a small input to produce a fairly large output. (Once we have one large value, it only takes five characters make a new key that references it, which is an expansion factor of around 13,000.) This, combined with the string-based extensions machinery's many quadratic behaviors (see b92fcfd), means fuzzers hit timeouts. We have very few uses of these APIs left, and none of them use this feature. Just remove it. While none of these super-linear behaviors are DoS bugs per se (they should never be passed untrusted input), there's no sense in carrying an unused feature that only frustrates the fuzzers. Update-Note: NCONF_load and NCONF_load_bio no longer support the $foo variable expansion syntax. If you are using these functions in your project, remove them. Bug: oss-fuzz:59049 Change-Id: I85832ae1d05373ee420f4fb68197786736ca8272 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60105 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 825bec8 - Browse repository at this point
Copy the full SHA 825bec8View commit details -
Add prefetch to aes_hw_ctr32_encrypt_blocks
Similar idea to https://boringssl-review.googlesource.com/c/boringssl/+/55466 Results are pretty close to the current state, AMD (rome): BM_Encrypt/64/0 344ns ± 3% 343ns ± 1% ~ (p=0.728 n=20+19) BM_Encrypt/64/1 394ns ± 2% 394ns ± 3% ~ (p=0.919 n=18+20) BM_Encrypt/64/8 391ns ± 1% 390ns ± 2% ~ (p=0.165 n=17+19) BM_Encrypt/64/64 342ns ± 3% 341ns ± 2% ~ (p=0.686 n=19+19) BM_Encrypt/64/97 393ns ± 1% 394ns ± 3% ~ (p=0.639 n=17+19) BM_Encrypt/512/0 437ns ± 2% 437ns ± 1% ~ (p=0.819 n=20+19) BM_Encrypt/512/1 566ns ± 1% 551ns ± 3% -2.65% (p=0.000 n=18+18) BM_Encrypt/512/8 563ns ± 2% 555ns ± 4% -1.48% (p=0.003 n=18+20) BM_Encrypt/512/64 434ns ± 3% 439ns ± 3% +1.03% (p=0.008 n=19+20) BM_Encrypt/512/97 565ns ± 2% 555ns ± 4% -1.88% (p=0.001 n=18+20) BM_Encrypt/4k/0 1.03µs ± 2% 0.99µs ± 2% -4.29% (p=0.000 n=20+20) BM_Encrypt/4k/1 1.18µs ± 3% 1.11µs ± 3% -5.66% (p=0.000 n=20+20) BM_Encrypt/4k/8 1.17µs ± 3% 1.11µs ± 2% -5.51% (p=0.000 n=20+20) BM_Encrypt/4k/64 1.03µs ± 1% 0.99µs ± 1% -4.08% (p=0.000 n=19+19) BM_Encrypt/4k/97 1.17µs ± 3% 1.11µs ± 2% -5.65% (p=0.000 n=20+19) BM_Encrypt/32k/0 5.26µs ± 1% 5.19µs ± 2% -1.29% (p=0.000 n=19+20) BM_Encrypt/32k/1 5.49µs ± 2% 5.38µs ± 1% -2.01% (p=0.000 n=20+20) BM_Encrypt/32k/8 5.45µs ± 2% 5.34µs ± 1% -2.12% (p=0.000 n=20+19) BM_Encrypt/32k/64 5.28µs ± 1% 5.19µs ± 1% -1.66% (p=0.000 n=19+20) BM_Encrypt/32k/97 5.49µs ± 1% 5.38µs ± 1% -2.02% (p=0.000 n=20+17) BM_Encrypt/256k/0 38.9µs ± 1% 38.5µs ± 2% -1.09% (p=0.000 n=20+20) BM_Encrypt/256k/1 40.3µs ± 2% 39.6µs ± 1% -1.74% (p=0.000 n=20+20) BM_Encrypt/256k/8 39.7µs ± 2% 39.0µs ± 1% -1.82% (p=0.000 n=19+18) BM_Encrypt/256k/64 38.9µs ± 1% 38.4µs ± 1% -1.35% (p=0.000 n=20+18) BM_Encrypt/256k/97 40.1µs ± 1% 39.6µs ± 1% -1.32% (p=0.000 n=20+20) BM_Encrypt/1M/0 154µs ± 1% 153µs ± 1% -0.62% (p=0.001 n=17+18) BM_Encrypt/1M/1 160µs ± 2% 158µs ± 1% -1.44% (p=0.000 n=19+20) BM_Encrypt/1M/8 158µs ± 1% 155µs ± 1% -1.62% (p=0.000 n=20+19) BM_Encrypt/1M/64 155µs ± 2% 153µs ± 1% -1.48% (p=0.000 n=20+20) BM_Encrypt/1M/97 160µs ± 1% 158µs ± 2% -1.46% (p=0.000 n=20+20) BM_EncryptCord/1/0 310ns ± 3% 307ns ± 4% ~ (p=0.101 n=19+20) Intel (skylake): BM_Encrypt/64/0 326ns ± 5% 325ns ± 4% ~ (p=0.817 n=16+17) BM_Encrypt/64/1 368ns ± 2% 387ns ±13% ~ (p=0.845 n=17+20) BM_Encrypt/64/8 385ns ±14% 365ns ± 3% -5.12% (p=0.013 n=20+18) BM_Encrypt/64/64 325ns ± 4% 325ns ± 6% ~ (p=0.621 n=18+16) BM_Encrypt/64/97 367ns ± 3% 366ns ± 3% ~ (p=0.963 n=18+18) BM_Encrypt/512/0 504ns ± 4% 456ns ± 3% -9.52% (p=0.000 n=17+20) BM_Encrypt/512/1 568ns ± 2% 528ns ± 4% -7.09% (p=0.000 n=15+17) BM_Encrypt/512/8 580ns ± 3% 541ns ± 4% -6.66% (p=0.000 n=20+17) BM_Encrypt/512/64 500ns ± 3% 454ns ± 4% -9.26% (p=0.000 n=17+17) BM_Encrypt/512/97 564ns ± 2% 526ns ± 4% -6.82% (p=0.000 n=18+17) BM_Encrypt/4k/0 1.26µs ± 2% 1.23µs ± 5% -2.77% (p=0.000 n=19+18) BM_Encrypt/4k/1 1.33µs ± 2% 1.28µs ± 3% -4.34% (p=0.000 n=18+18) BM_Encrypt/4k/8 1.35µs ± 3% 1.29µs ± 3% -4.31% (p=0.000 n=19+17) BM_Encrypt/4k/64 1.27µs ± 3% 1.23µs ± 4% -3.32% (p=0.000 n=18+18) BM_Encrypt/4k/97 1.34µs ± 3% 1.29µs ± 3% -3.98% (p=0.000 n=18+16) BM_Encrypt/32k/0 8.24µs ± 4% 7.99µs ± 5% -3.00% (p=0.001 n=17+16) BM_Encrypt/32k/1 8.23µs ± 2% 7.99µs ± 5% -2.95% (p=0.000 n=17+16) BM_Encrypt/32k/8 8.64µs ±15% 8.05µs ± 5% -6.92% (p=0.000 n=20+18) BM_Encrypt/32k/64 8.14µs ± 3% 7.96µs ± 3% -2.23% (p=0.000 n=18+17) BM_Encrypt/32k/97 8.72µs ±14% 8.01µs ± 4% -8.20% (p=0.000 n=20+17) BM_Encrypt/256k/0 63.2µs ± 4% 61.7µs ± 3% -2.35% (p=0.003 n=19+18) BM_Encrypt/256k/1 63.5µs ± 4% 61.8µs ± 3% -2.75% (p=0.000 n=17+19) BM_Encrypt/256k/8 63.6µs ± 9% 61.0µs ± 1% -4.08% (p=0.000 n=18+16) BM_Encrypt/256k/64 63.1µs ± 3% 61.5µs ± 5% -2.60% (p=0.001 n=18+16) BM_Encrypt/256k/97 65.6µs ±16% 61.6µs ± 4% -6.09% (p=0.000 n=19+17) BM_Encrypt/1M/0 253µs ± 5% 246µs ± 5% -2.88% (p=0.001 n=19+19) BM_Encrypt/1M/1 253µs ± 6% 244µs ± 1% -3.71% (p=0.000 n=16+17) BM_Encrypt/1M/8 254µs ± 5% 244µs ± 3% -4.15% (p=0.000 n=18+18) BM_Encrypt/1M/64 253µs ± 4% 245µs ± 4% -3.10% (p=0.000 n=19+19) BM_Encrypt/1M/97 267µs ±14% 246µs ± 4% -8.13% (p=0.000 n=20+18) But on AMD with prefetchers disabled and large enough data size, to force cache misses this gives >2x improvement: BM_Encrypt/64/0 342ns ± 1% 336ns ± 1% -1.63% (p=0.000 n=19+19) BM_Encrypt/64/1 485ns ± 2% 484ns ± 2% ~ (p=0.396 n=19+20) BM_Encrypt/64/8 490ns ± 1% 488ns ± 2% ~ (p=0.098 n=18+19) BM_Encrypt/64/64 340ns ± 2% 335ns ± 1% -1.50% (p=0.000 n=19+19) BM_Encrypt/64/97 483ns ± 1% 483ns ± 1% ~ (p=0.912 n=16+20) BM_Encrypt/512/0 566ns ± 3% 521ns ± 2% -7.99% (p=0.000 n=18+20) BM_Encrypt/512/1 744ns ± 2% 667ns ± 1% -10.31% (p=0.000 n=20+20) BM_Encrypt/512/8 745ns ± 1% 666ns ± 1% -10.53% (p=0.000 n=18+20) BM_Encrypt/512/64 566ns ± 3% 520ns ± 2% -8.05% (p=0.000 n=17+19) BM_Encrypt/512/97 740ns ± 1% 666ns ± 1% -9.92% (p=0.000 n=18+19) BM_Encrypt/4k/0 2.50µs ± 1% 1.35µs ± 1% -45.82% (p=0.000 n=19+19) BM_Encrypt/4k/1 2.65µs ± 3% 1.50µs ± 1% -43.50% (p=0.000 n=19+19) BM_Encrypt/4k/8 2.66µs ± 1% 1.49µs ± 1% -43.71% (p=0.000 n=19+19) BM_Encrypt/4k/64 2.47µs ± 4% 1.36µs ± 1% -45.05% (p=0.000 n=20+20) BM_Encrypt/4k/97 2.66µs ± 1% 1.50µs ± 2% -43.54% (p=0.000 n=18+19) BM_Encrypt/32k/0 18.0µs ± 1% 8.0µs ± 1% -55.38% (p=0.000 n=18+19) BM_Encrypt/32k/1 18.2µs ± 1% 8.2µs ± 1% -54.91% (p=0.000 n=14+20) BM_Encrypt/32k/8 18.2µs ± 1% 8.2µs ± 1% -54.93% (p=0.000 n=19+18) BM_Encrypt/32k/64 18.0µs ± 1% 8.0µs ± 1% -55.35% (p=0.000 n=16+20) BM_Encrypt/32k/97 18.1µs ± 3% 8.2µs ± 1% -54.84% (p=0.000 n=20+19) BM_Encrypt/256k/0 148µs ± 1% 63µs ± 1% -57.59% (p=0.000 n=18+19) BM_Encrypt/256k/1 150µs ± 1% 63µs ± 1% -57.78% (p=0.000 n=16+20) BM_Encrypt/256k/8 147µs ± 5% 63µs ± 1% -56.95% (p=0.000 n=20+20) BM_Encrypt/256k/64 148µs ± 2% 63µs ± 1% -57.40% (p=0.000 n=18+20) BM_Encrypt/256k/97 146µs ± 4% 63µs ± 1% -56.82% (p=0.000 n=20+19) BM_Encrypt/1M/0 595µs ± 1% 254µs ± 1% -57.33% (p=0.000 n=19+20) BM_Encrypt/1M/1 590µs ± 4% 255µs ± 1% -56.78% (p=0.000 n=20+20) BM_Encrypt/1M/8 593µs ± 2% 254µs ± 1% -57.10% (p=0.000 n=18+19) BM_Encrypt/1M/64 595µs ± 1% 254µs ± 1% -57.34% (p=0.000 n=16+19) BM_Encrypt/1M/97 589µs ± 4% 255µs ± 1% -56.74% (p=0.000 n=20+20) Change-Id: I13c783ad261093009b2aa5ff56ce569f45ed3300 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60027 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 5fcd47d - Browse repository at this point
Copy the full SHA 5fcd47dView commit details
Commits on May 26, 2023
-
Add constant-time validation for curve25519
Also add some tests for X25519_public_from_private, as we apparently weren't directly testing it with test vectors. Change-Id: I1b73a9655323d507a8e022c62530ddd4610db4b9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60109 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for da757e6 - Browse repository at this point
Copy the full SHA da757e6View commit details -
Add an ABI test for x25519_NEON
Change-Id: I84dd6750276b334bf3349b4592fee6227403580c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60145 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for e30750c - Browse repository at this point
Copy the full SHA e30750cView commit details -
Change-Id: I7458b1d7aa1736d586dc80660d59c07fa2ac1c8a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/59805 Reviewed-by: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Nabil Wadih authored and Boringssl LUCI CQ committedMay 26, 2023 Configuration menu - View commit details
-
Copy full SHA for b0a026f - Browse repository at this point
Copy the full SHA b0a026fView commit details
Commits on May 31, 2023
-
Update-Note: SSL_CIPHER_get_value was our original name for the function. OpenSSL later called it SSL_CIPHER_get_protocol_id. I believe all external callers have since been updated to use the new function. (If I missed a few stragglers, replace with SSL_CIPHER_get_protocol_id to fix.) Change-Id: I956fb49bf2d13a898eed73177493d2c8d50778ad Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60205 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 4631ccc - Browse repository at this point
Copy the full SHA 4631cccView commit details -
Align on using the "group" over "curve" for ECDH in TLS
We're this awkward mix of "group" and "curve" right now. On the spec side, this is because they used to be "curves", but then RFC 7919 renamed to "group" in an attempt to generalize FFDH and ECDH. The negotiated FFDH stuff never really went anywhere (the way it used cipher suite values in TLS 1.2 made it unusable), but the name change stuck. In our implementation and API, we originally called it "curve". In preparation for TLS 1.3, we renamed the internals to "group" to match the spec in https://boringssl-review.googlesource.com/c/boringssl/+/7955, but the public API was still "curve". Then we exported a few more things in https://boringssl-review.googlesource.com/c/boringssl/+/8565, but I left it at "curve" to keep the public API self-consistent. Then we added OpenSSL's new "group" APIs in https://boringssl-review.googlesource.com/c/boringssl/+/54306, but didn't go as far to deprecate the old ones yet. Now I'd like to add new APIs to clear up the weird mix of TLS codepoints and NIDs that appear in our APIs. But our naming is a mess, so either choice of "group" or "curve" for the new API looks weird. In hindsight, we probably should have left it at "curve". Both terms are equally useless for the future post-quantum KEMs, but at least "curve" is more unique of a name than "group". But at this point, I think we're too far through the "group" rename to really backtrack: - Chromium says "group" in its internals - QUICHE says "group" in its internals and public API - Our internals say "group" - OpenSSL has switched to "group" and deprecated "curve", so new APIs will be based on "group" So align with all this and say "group". This CL handles set1_curves and set1_curves_list APIs, which already have "group" replacements from OpenSSL. A follow-up CL will handle our APIs. This is a soft deprecation because I don't think updating things is particularly worth the churn, but get the old names out of the way, so new code can have a simpler API to target. Also rewrite the documentation for that section accordingly. I don't think we need to talk about how it's always enabled now. That's a reference to some very, very old OpenSSL behavior where ECDH negotiation needed to be separately enabled. Change-Id: I7a356793d36419fc668364c912ca7b4f5c6c23a2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60206 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2da5ba9 - Browse repository at this point
Copy the full SHA 2da5ba9View commit details -
Align remaining TLS ECDH APIs on "group" terminology
This adds "group" versions of our codepoint-based APIs. This is mostly because it looks weird to switch terminology randomly in the implementation. See I7a356793d36419fc668364c912ca7b4f5c6c23a2 for additional context. I've not bothered renaming the bssl_shim flags. That seems a waste of time. Change-Id: I566ad132f5a33d99efd8cb2bb8b76d9a6038c825 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60207 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 335523a - Browse repository at this point
Copy the full SHA 335523aView commit details -
Align NIDs vs group IDs in TLS group APIs
Right now we use NIDs to configure the group list, but group IDs (the TLS codepoints) to return the negotiated group. The NIDs come from OpenSSL, while the group ID was original our API. OpenSSL has since added SSL_get_negotiated_group, but we don't implement it. To add Kyber to QUIC, we'll need to add an API for configuring groups to QUICHE. Carrying over our inconsistency into QUICHE's public API would be unfortunate, so let's use this as the time to align things. We could either align with OpenSSL and say NIDs are now the group representation at the public API, or we could add a parallel group ID API. (Or we could make a whole new SSL_NAMED_GROUP object to pattern after SSL_CIPHER, which isn't wrong, but is even more new APIs.) Aligning with OpenSSL would be fewer APIs, but NIDs aren't a great representation. The numbers are ad-hoc and even diverge a bit between OpenSSL and BoringSSL. The TLS codepoints are better to export out to callers. Also QUICHE has exported the negotiated group using the codepoints, so the natural solution would be to use codepoints on input too. Thus, this CL adds SSL_CTX_set1_group_ids and SSL_set1_group_ids. It also rearranges the API docs slightly to put the group ID ones first, and leaves a little note about the NID representation before introducing those. While I'm here, I've added SSL_get_negotiated_group. NGINX seems to use it when available, so we may as well fill in that unnecessary compatibility hole. Bug: chromium:1442377 Change-Id: I47ca8ae52c274133f28da9893aed7fc70f942bf8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60208 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 6cf9820 - Browse repository at this point
Copy the full SHA 6cf9820View commit details -
Add a value barrier when checking for point doubling.
Many of our point addition functions internally check for the doubling case and branch because the addition formulas are incomplete. This branch is fine because the multiplication formulas are arranged to not hit this case. However, we don't want to leak the couple of intermedate values that determine whether to branch. Previously, we ran into this with https://boringssl-review.googlesource.com/c/boringssl/+/36465. This wasn't sufficient. The compiler understands if (a & b) enough to compile into two branches. Thanks to Moritz Schneider, Nicolas Dutly, Daniele Lain, Ivan Puddu, and Srdjan Capkun for reporting this! Fix the leak by adding a value barrier on the final value. As we're also intentionally leaking the result of otherwise secret data flow, I've used the constant_time_declassify functions, which feed into our valgrind-based constant-time validation and double as barriers. Accordingly, I've also added some CONSTTIME_SECRET markers around the ECDSA nonce value, so we can check with valgrind the fix worked. The marker really should be at a lower level, at ec_random_nonzero_scalar or further (maybe RAND_bytes?), but for now I've just marked the nonce. To then clear valgrind, add constant_time_declassify in a few other places, like trying to convert infinity to affine coordinates. (ECDH deals with secret points, but it is public that the point isn't infinity.) Valgrind now says this code is constant-time, at least up to compilation differences introduced by the annotations. I've also inspected the compiler output. This seems to be fine, though neither test is quite satisfying. Ideally we could add annotations in ways that don't influence compiler output. Change-Id: Idfc413a75d92514717520404a0f5424903cb4453 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60225 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 55b069d - Browse repository at this point
Copy the full SHA 55b069dView commit details
Commits on Jun 1, 2023
-
Constant-time test that X25519 has a single path.
All inputs are marked as secret. This is not to support a use case for calling X25519 with a secret *point* as the input, but rather to ensure that the choice of the point cannot influence whether the scalar is leaked or not. Same for the initial contents of the output buffer. This is a conservative choice and may be revised in the future. Change-Id: I595d454a8e1fdc409912aee751bb0b3cf46f5430 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60186 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for be0fdf7 - Browse repository at this point
Copy the full SHA be0fdf7View commit details -
NGINX requires this constant if SSL_get_negotiated_group is defined. OpenSSL returns this to indicate a named group constant it doesn't understand, which doesn't make sense out of SSL_get_negotiated_group because the library wouldn't negotiate a group it doesn't know about. Nonetheless, define it for compatibility. Fixed: 615 Change-Id: I05a6d607912bb8507be9ac6ff5fe1699b4715f6b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60326 Commit-Queue: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 28c2409 - Browse repository at this point
Copy the full SHA 28c2409View commit details
Commits on Jun 2, 2023
-
Remove BN_DEC_FMT2 and test the others
Andres Erbsen noticed we didn't actually have tests to catch when the format macros were wrong. In doing so, remove BN_DEC_FMT2. It was unused and only makes sense in the context of the bignum-to-decimal conversion, where we no longer use it anyway. None of these macros are exported in OpenSSL at all, so it should be safe to remove it. (We possibly can remove the others too. I see one use outside the library, and that use would probably be better written differently anyway.) Change-Id: I4ffc7f9f7dfb399ac060af3caff0778000010303 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60325 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for e106b53 - Browse repository at this point
Copy the full SHA e106b53View commit details -
Make BN_mod_inverse() deal with repeated arguments
BN_nnmod() can deal with the situation that the first and the second arguments are the same, but it cannot deal with the first and the second argument being equal. In that situation, if BN_mod(x, y, x, ctx) results in a negative x, then the result of BN_nnmod() is zero. This breaks the strange BN_mod_inverse(m, a, m, ctx). Reported by Guido Vranken in openssl/openssl#21110 Change-Id: I8584720660f214f172b3b33716a5e3b29e8f2fd8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60365 Reviewed-by: Bob Beck <bbe@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for b034104 - Browse repository at this point
Copy the full SHA b034104View commit details
Commits on Jun 5, 2023
-
Add SHA256 and SHA512 bindings to bssl-crypto
Bug: 285222360 Change-Id: I7f35bcc734dd853e99cb691bdc681f75c9f137e4 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60265 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Maurice Lam authored and Boringssl LUCI CQ committedJun 5, 2023 Configuration menu - View commit details
-
Copy full SHA for 4a0393f - Browse repository at this point
Copy the full SHA 4a0393fView commit details
Commits on Jun 6, 2023
-
Use packed representation for large Curve25519 table
Did 59000 Ed25519 key generation operations in 1004188us (58753.9 ops/sec) [+8.3%] Did 57000 Ed25519 signing operations in 1005649us (56679.8 ops/sec) [+7.9%] Did 19000 Ed25519 verify operations in 1054380us (18020.1 ops/sec) [-2.0%] Did 61000 Curve25519 base-point multiplication operations in 1007401us (60551.9 ops/sec) [+8.3%] Did 22000 Curve25519 arbitrary point multiplication operations in 1022882us (21507.9 ops/sec) [+0.5%] Change-Id: I14668f658b1ae99850cb0f8938f90f988d0edd0b Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60107 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d605df5 - Browse repository at this point
Copy the full SHA d605df5View commit details -
Handle ChaCha20 counter overflow consistently
The assembly functions from OpenSSL vary in how the counter overflow works. The aarch64 implementation uses a mix of 32-bit and 64-bit counters. This is because, when packing a block into 64-bit general-purpose registers, it is easier to implement a 64-bit counter than a 32-bit one. Whereas, on 32-bit general-purpose registers, or when using vector registers with 32-bit lanes, it is easier to implement a 32-bit counter. Counters will never overflow with the AEAD, which sets the length limit so it never happens. (Failing to do so will reuse a key/nonce/counter triple.) RFC 8439 is silent on what happens on overflow, so at best one can say it is implicitly undefined behavior. This came about because pyca/cryptography reportedly exposed a ChaCha20 API which encouraged callers to randomize the starting counter. Wrapping with a randomized starting counter isn't inherently wrong, though it is pointless and goes against how the spec recommends using the initial counter value. Nonetheless, we would prefer our functions behave consistently across platforms, rather than silently give ill-defined output given some inputs. So, normalize the behavior to the wrapping version in CRYPTO_chacha_20 by dividing up into multiple ChaCha20_ctr32 calls as needed. Fixed: 614 Change-Id: I191461f25753b9f6b59064c6c08cd4299085e172 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60387 Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for df9955b - Browse repository at this point
Copy the full SHA df9955bView commit details -
Add saturated X25519 for x86_64+ADX running Linux
Did 29000 Curve25519 arbitrary point multiplication operations in 1026074us (28263.1 ops/sec) [+31.2%] Change-Id: I9c7d47a047dc68d37202b6cf40d7d12b5b4936f8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60385 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 43f8891 - Browse repository at this point
Copy the full SHA 43f8891View commit details -
Update-Note: Accessing the DSA struct directly is no longer supported. Use accessors instead. Bug: 325 Change-Id: I73dc20f2e275d48648ca84d2db7806fe155c567d Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60425 Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for f4a4e27 - Browse repository at this point
Copy the full SHA f4a4e27View commit details -
Use ADX asm for Curve25519 base-point multiplication
Did 75000 Ed25519 key generation operations in 1007110us (74470.5 ops/sec) [+26.9%] Did 72000 Ed25519 signing operations in 1011133us (71207.2 ops/sec) [+25.5%] Did 78000 Curve25519 base-point multiplication operations in 1006737us (77478.0 ops/sec) [+27.5%] Change-Id: I32ca2056f42f9b92af315d8381e1b72be69dd331 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60386 Commit-Queue: Andres Erbsen <andreser@google.com> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9d4f833 - Browse repository at this point
Copy the full SHA 9d4f833View commit details
Commits on Jun 7, 2023
-
Add .type, .hidden, and .size to the new fiat ADX assembly
.type seems to be needed for the unwind tester to report symbols correctly. I assume it does other useful things. .hidden (.private_extern on macOS) keeps it from being exported out of shared libraries. I'm not positive what .size does, but if ELF wants to know the size of the function, we should probably tell it that. Change-Id: Iaa2e4f8a72e81092ec1d81ee2177504c7dc89c76 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60465 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Andres Erbsen <andreser@google.com> Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d995d82 - Browse repository at this point
Copy the full SHA d995d82View commit details -
Prefix the private stack functions
OpenSSL 1.1.x renamed these functions with an OPENSSL_ prefix. Unfortunately, rust-openssl uses these, losing type-safety, rather than the type-safe macros. It currently expects the old, unprefixed names due to a different bug (sfackler/rust-openssl#1944), but to fix that, we'll need to align with the OpenSSL names. To keep the current version of rust-openssl working, I've preserved the old names that rust-openssl uses, but we should clear these out. Bug: 499 Change-Id: I3be56a54ef503620b92ce8154fafd46b2906ae63 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60505 Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 99d3c22 - Browse repository at this point
Copy the full SHA 99d3c22View commit details -
Add fiat_curve25519_adx.S to generate_build_files.py
We have too many build systems and need to unify the source of truth between them. Change-Id: If8a71f400dd478f8890ff56062210295d5e6785e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60545 Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9dcc97d - Browse repository at this point
Copy the full SHA 9dcc97dView commit details -
Remove a pointer indirection in STACK_OF(T) comparisons
At the public API, the comparison functions are a double pointer to match qsort. qsort comparators are passed pointers to the list elements, and our list elements are T*. qsort needs this indirection because it can sort values of arbitrary size. However, our type-erased versions have no such constraints. Since we know our all elements are pointers, we can skip the indirection. Change-Id: Ibb102b51a5aaf0a68a7318bf14ec8f4f9c7a3daf Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60506 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 9d48902 - Browse repository at this point
Copy the full SHA 9d48902View commit details -
Give up on qsort for sk_FOO_sort
OpenSSL's API constraints are such that sk_FOO_sort must take a comparison function of type int (*cmp)(const FOO *const *a, const FOO *const *b) However qsort expects a comparison function of type int (*cmp)(const void *a, const void *b) In C, it is UB to cast a function pointer to a different type and call it, even if the underlying calling conventions are the same. Moreover, as qsort doesn't take a context parameter on its comparisons, we cannot do the usual convention with closures in C. qsort_r and qsort_s would avoid this, but they are unusable. Too many libcs don't have them, and those that do define them inconsistently. See https://stackoverflow.com/a/39561369 It seems this UB has finally hit a sanitizer in fxbug.dev/128274. Irritating as it is to not even have a working sort function, I think the easiest option is to just give up on qsort. As we did with bsearch in https://boringssl-review.googlesource.com/c/boringssl/+/35304, just implement an in-place heap sort ourselves. Bug: fxbug.dev/128274 Change-Id: I9de6b4018bf635da0d0c5a680bd7811d297b0bb3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60507 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 1340a5b - Browse repository at this point
Copy the full SHA 1340a5bView commit details -
Also teach update_clang.py how to download Chromium's Clang on macOS. We don't currently use it in CI, but I've patched this in enough times for local testing, that having it seems convenient. This picks up -fsanitize=function, though it wouldn't have caught the qsort issue anyway. I'm guessing the libc must be built with UBSan too. Change-Id: I8c396a10b32e69fe7013283b1bb4320bc35756b6 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60547 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for d86e2fd - Browse repository at this point
Copy the full SHA d86e2fdView commit details -
Fix the combined asm source lists in generate_build_files.py
This fixes one of the two build issues triggered by the curve25519 assembly. The new curve25519 assembly is one file that works for both ELF and Apple targets. This is handy, but breaks the naive concatenation logic for making the generated file lists. Fix the generation to deduplicate first. Convincing Starlark in Bazel to deduplicate is annoyingly difficult, so we'll just generate both lists. This results in some duplication in the generated files, but they're generated so this is fine. Hopefully we can, in time, just remove the per-platform lists when everyone is migrated over. To that end, this CL adds the combined output to GN so I can migrate Chromium. This CL is not sufficient to unbreak the Bazel build. The next change is also needed. Bug: 542 Change-Id: Ibe76ff557fc43f7b4d984ccdf298f13c20f3b50c Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60565 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for aaf771e - Browse repository at this point
Copy the full SHA aaf771eView commit details
Commits on Jun 8, 2023
-
Remove a layer of indirection from fiat curve25519 assembly
This fixes the generated Bazel build. Bazel is strict about having all dependencies declared, which includes files that are #included into other files. (It also is not particularly pleased about textual headers and wants them declared in a separate place.) The new fiat curve25519 assembly is currently split into a BoringSSL half, and a more generic fiat half. For now, just move the BoringSSL customizations directly into the fiat half. This isn't ideal, as we'd, long term, like something where the fiat code can be made standalone. But, to fix the build, just patch in the changes now and we can ponder how to do this better later. (Build tools and conventions for assembly are much less clear than C, sadly.) Also add the .note.GNU-stack bit at the end. Change-Id: I04aa733eabf8562dba42dee63a8fd25c86a59db9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60566 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 3f680b0 - Browse repository at this point
Copy the full SHA 3f680b0View commit details -
Avoid another NULL+0 in BIO_s_mem
That NULL+0 is forbidden is still an awful language bug in C (fixed in C++), but this particular instance could have been written without pointer arithmetic. While I'm here, tidy pointers a bit: - No need to cast pointers to char* when we're writing to void* anyway - BIO_C_GET_BUF_MEM_PTR is technically a strict aliasing violation. The pointer points to a BUF_MEM*, not a char*, so we should not write to it as a char**. - C casts from void* freely and we've usually omitted the cast in that case. (Though if we ever move libcrypto to C++, that'll all have to change.) Bug: b:286384999 Change-Id: I16d7da675d61f726f259fc9a3cc4a6fce2d6d1fd Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60605 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 8e16c04 - Browse repository at this point
Copy the full SHA 8e16c04View commit details -
Tidy bssl-crypto documentation
This probably needs a few iterations, but fix the stuff I noticed on a first pass: - I don't think it's useful to say this is the BoringSSL implementation of something. That's all implicit from this crate anyway. - Rust seems to prefer "Returns ..." rather than "Return ..." - Algorithm names like "hkdf" or "hmac" should be written "HKDF" or "HMAC" when referring to the algorithms. Also BoringSSL is styled "BoringSSL" rather than "boringssl". - Given Rust overall doesn't try to handle allocation failure, let's just write that we don't believe in allocation failure once in the README rather than marking which functions do and don't panic. Change-Id: I48501717dd0b063a2fa4106c4c140d76a7ef69a9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60546 Reviewed-by: Nabil Wadih <nwadih@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 2a72f97 - Browse repository at this point
Copy the full SHA 2a72f97View commit details -
Const-correct a few X509_PURPOSE and X509_TRUST functions
These bits need more work (and possibly some removal) as they're very, very far from thread-safe, but rust-openssl relies on them being const-correct when targetting OpenSSL 1.1.x. Change-Id: I60531c7e90dbdbcb79c09fc440bd7c6b474172df Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60607 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for cbb96b4 - Browse repository at this point
Copy the full SHA cbb96b4View commit details -
Add SSL_CIPHER_get_handshake_digest
We added SSL_CIPHER_get_prf_nid to match the other SSL_CIPHER_get_*_nid functions, but OpenSSL went with returning the EVP_MD instead. rust-openssl uses this function, and all the callers of SSL_CIPHER_get_prf_nid then call EVP_get_digestbynid anyway, so this version is preferable. Update-Note: This change is backwards-compatible, but we should update the QUIC code to use this new function when OPENSSL_API_VERSION is high enough. It has the benefit of not pulling in random other hash functions like MD4. Change-Id: Ied66a6f0adbd5d7d86257d9349c40a2830e3c7e8 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60606 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 556a973 - Browse repository at this point
Copy the full SHA 556a973View commit details -
Don't allow timezone offsets in ASN1_UTCTIME_set_string
We had to allow this when parsing certs to remain compatible with some misissued certificates, but there's no reason to allow it when making new values. Update-Note: ASN1_UTCTIME_set_string and ASN1_TIME_set_string will no longer accept times with timezone offsets, which is forbidden by RFC 5280. These functions are used when minting new certificates, rather than parsing them. The parsing behavior is unchanged by this CL. Change-Id: I0860deb44a49e99ce477f8cde847d20edfd29ed9 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60608 Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Bob Beck <bbe@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 1ca5723 - Browse repository at this point
Copy the full SHA 1ca5723View commit details -
rust-openssl uses this function when targetting OpenSSL 1.1.x. Change-Id: Ifeb1b65be9976358f9ee636ed23c1a931e03b275 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60609 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 761c3ed - Browse repository at this point
Copy the full SHA 761c3edView commit details -
Add target attributes to curve25519_64_adx.h
__builtin_ia32_addcarryx_u64 is, strictly speaking, an ADX intrinsic. GCC and newer Clang seem to actually implement it without ADX, but Clang 7 and older will actually try to generate ADX code with it. But since the caller is not marked target("adx"), this fails to build. Manually add ADX and BMI2 target attributes to all these functions. The compiler should be free to use those instructions as these functions all call into an ADX+BMI2 assembly function anyway. (Though it doesn't do much with this.) Note we cannot just annotate fiat_addcarryx_u64. Clang and GCC won't inline across incompatible targets, so if we tag fiat_addcarryx_u64, we need to tag the callers up the chain until we're willing to stop inlining. Change-Id: I855bb88fea666d92997984836e664292d90df5be Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60612 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for 23ed9d3 - Browse repository at this point
Copy the full SHA 23ed9d3View commit details
Commits on Jun 9, 2023
-
Three years of updating calling code are finally complete! Update-Note: Accessing the RSA struct directly is no longer supported. Use accessors instead. Bug: 316, 325 Change-Id: I27b4c9899cb96f5807075b8fe351eaf72a9a9d44 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60610 Reviewed-by: Adam Langley <agl@google.com> Reviewed-by: Bob Beck <bbe@google.com> Auto-Submit: David Benjamin <davidben@google.com> Commit-Queue: Adam Langley <agl@google.com>
Configuration menu - View commit details
-
Copy full SHA for d4553e0 - Browse repository at this point
Copy the full SHA d4553e0View commit details -
Remove CRYPTO_MUTEX from public headers
We no longer need to define CRYPTO_MUTEX in public headers. This simplifies a pile of things. First, we can now use pthread_rwlock_t without any fuss, rather than trying to guess the size on glibc. As a result, CRYPTO_MUTEX and CRYPTO_STATIC_MUTEX can be merged into one type. We can almost do this to CRYPTO_refcount_t too. BIO is the one straggler remaining. Fixed: 325 Change-Id: Ie93c9f553c0f02ce594b959c041b00fc15ba51d2 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60611 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 04c3d40 - Browse repository at this point
Copy the full SHA 04c3d40View commit details -
Add memcmp binding to bssl-crypto
Bug: 285222580 Change-Id: I14715c50c3b5b0425443c191f4bf2e3ef7d665ae Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60266 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Maurice Lam authored and Boringssl LUCI CQ committedJun 9, 2023 Configuration menu - View commit details
-
Copy full SHA for 5159ae6 - Browse repository at this point
Copy the full SHA 5159ae6View commit details -
Don't expose EVP_PKEY internal representation through EVP_PKEY_assign
While EVP_PKEY_RSA, EVP_PKEY_DSA, and EVP_PKEY_EC have publicly-exposed internaly representations, other EVP_PKEY types to not. EVP_PKEY_assign should not allow callers to manipulate those representations. As part of this, teach EVP_PKEY_assign_RSA, etc. to find their method tables directly, rather than indirecting through an integer. This makes those EVP APIs static-linker-friendly. Bug: 618, 497 Change-Id: Ic45a7514e9a3adc505759f2327129f13faf03a65 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60645 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
Configuration menu - View commit details
-
Copy full SHA for 754bcf6 - Browse repository at this point
Copy the full SHA 754bcf6View commit details
Commits on Jun 10, 2023
-
Fix fiat asm .private_extern declaration on Apple platforms
Chromium actually has a checker for unexpected exported symbols, which caught this. Change-Id: If1af4c26a3326eea185725f9e84c17f5d9f0f58e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60665 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com>
Configuration menu - View commit details
-
Copy full SHA for ae88f19 - Browse repository at this point
Copy the full SHA ae88f19View commit details
Commits on Jun 12, 2023
-
Raytonne committed
Jun 12, 2023 Configuration menu - View commit details
-
Copy full SHA for 49a32a9 - Browse repository at this point
Copy the full SHA 49a32a9View commit details
Commits on Jun 15, 2023
-
Configuration menu - View commit details
-
Copy full SHA for 636f6c3 - Browse repository at this point
Copy the full SHA 636f6c3View commit details -
Configuration menu - View commit details
-
Copy full SHA for 78ceb4a - Browse repository at this point
Copy the full SHA 78ceb4aView commit details
Commits on Jun 16, 2023
-
Configuration menu - View commit details
-
Copy full SHA for b2af519 - Browse repository at this point
Copy the full SHA b2af519View commit details