external/boringssl: Sync to 9d908ba5.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/d18cb77864dcc4b5c7cb08c2331008c01165f34f..9d908ba519f2cfe5e21561bdee3e224b94d14a89
Change-Id: I24455a28ea316890cd2107a98a5c18d51c6861b7
diff --git a/BORINGSSL_REVISION b/BORINGSSL_REVISION
index 87ea6cc..cd7af4b 100644
--- a/BORINGSSL_REVISION
+++ b/BORINGSSL_REVISION
@@ -1 +1 @@
-d18cb77864dcc4b5c7cb08c2331008c01165f34f
+9d908ba519f2cfe5e21561bdee3e224b94d14a89
diff --git a/err_data.c b/err_data.c
index f66cb28..2d5fed6 100644
--- a/err_data.c
+++ b/err_data.c
@@ -195,22 +195,23 @@
0x2c3a285b,
0x2c3aa86f,
0x2c3b2880,
- 0x2c3ba891,
- 0x2c3c28a5,
- 0x2c3ca8bb,
- 0x2c3d28d4,
- 0x2c3da8f1,
- 0x2c3e2902,
- 0x2c3ea910,
- 0x2c3f2928,
- 0x2c3fa940,
- 0x2c40294d,
+ 0x2c3ba89f,
+ 0x2c3c28b3,
+ 0x2c3ca8c9,
+ 0x2c3d28e2,
+ 0x2c3da8ff,
+ 0x2c3e2910,
+ 0x2c3ea91e,
+ 0x2c3f2936,
+ 0x2c3fa94e,
+ 0x2c40295b,
0x2c4090d6,
- 0x2c41295e,
- 0x2c41a971,
+ 0x2c41296c,
+ 0x2c41a97f,
0x2c4210af,
- 0x2c42a982,
+ 0x2c42a990,
0x2c430720,
+ 0x2c43a891,
0x30320000,
0x30328015,
0x3033001f,
@@ -563,69 +564,69 @@
0x4c3d135c,
0x4c3d936b,
0x4c3e1378,
- 0x50322994,
- 0x5032a9a3,
- 0x503329ae,
- 0x5033a9be,
- 0x503429d7,
- 0x5034a9f1,
- 0x503529ff,
- 0x5035aa15,
- 0x50362a27,
- 0x5036aa3d,
- 0x50372a56,
- 0x5037aa69,
- 0x50382a81,
- 0x5038aa92,
- 0x50392aa7,
- 0x5039aabb,
- 0x503a2adb,
- 0x503aaaf1,
- 0x503b2b09,
- 0x503bab1b,
- 0x503c2b37,
- 0x503cab4e,
- 0x503d2b67,
- 0x503dab7d,
- 0x503e2b8a,
- 0x503eaba0,
- 0x503f2bb2,
+ 0x503229a2,
+ 0x5032a9b1,
+ 0x503329bc,
+ 0x5033a9cc,
+ 0x503429e5,
+ 0x5034a9ff,
+ 0x50352a0d,
+ 0x5035aa23,
+ 0x50362a35,
+ 0x5036aa4b,
+ 0x50372a64,
+ 0x5037aa77,
+ 0x50382a8f,
+ 0x5038aaa0,
+ 0x50392ab5,
+ 0x5039aac9,
+ 0x503a2ae9,
+ 0x503aaaff,
+ 0x503b2b17,
+ 0x503bab29,
+ 0x503c2b45,
+ 0x503cab5c,
+ 0x503d2b75,
+ 0x503dab8b,
+ 0x503e2b98,
+ 0x503eabae,
+ 0x503f2bc0,
0x503f8382,
- 0x50402bc5,
- 0x5040abd5,
- 0x50412bef,
- 0x5041abfe,
- 0x50422c18,
- 0x5042ac35,
- 0x50432c45,
- 0x5043ac55,
- 0x50442c64,
+ 0x50402bd3,
+ 0x5040abe3,
+ 0x50412bfd,
+ 0x5041ac0c,
+ 0x50422c26,
+ 0x5042ac43,
+ 0x50432c53,
+ 0x5043ac63,
+ 0x50442c72,
0x5044843f,
- 0x50452c78,
- 0x5045ac96,
- 0x50462ca9,
- 0x5046acbf,
- 0x50472cd1,
- 0x5047ace6,
- 0x50482d0c,
- 0x5048ad1a,
- 0x50492d2d,
- 0x5049ad42,
- 0x504a2d58,
- 0x504aad68,
- 0x504b2d88,
- 0x504bad9b,
- 0x504c2dbe,
- 0x504cadec,
- 0x504d2dfe,
- 0x504dae1b,
- 0x504e2e36,
- 0x504eae52,
- 0x504f2e64,
- 0x504fae7b,
- 0x50502e8a,
+ 0x50452c86,
+ 0x5045aca4,
+ 0x50462cb7,
+ 0x5046accd,
+ 0x50472cdf,
+ 0x5047acf4,
+ 0x50482d1a,
+ 0x5048ad28,
+ 0x50492d3b,
+ 0x5049ad50,
+ 0x504a2d66,
+ 0x504aad76,
+ 0x504b2d96,
+ 0x504bada9,
+ 0x504c2dcc,
+ 0x504cadfa,
+ 0x504d2e0c,
+ 0x504dae29,
+ 0x504e2e44,
+ 0x504eae60,
+ 0x504f2e72,
+ 0x504fae89,
+ 0x50502e98,
0x505086ef,
- 0x50512e9d,
+ 0x50512eab,
0x58320eb8,
0x68320e7a,
0x68328c25,
@@ -1157,6 +1158,7 @@
"KEY_VALUES_MISMATCH\0"
"LOADING_CERT_DIR\0"
"LOADING_DEFAULTS\0"
+ "NAME_TOO_LONG\0"
"NEWER_CRL_NOT_NEWER\0"
"NOT_PKCS7_SIGNED_DATA\0"
"NO_CERTIFICATES_INCLUDED\0"
diff --git a/src/BUILDING.md b/src/BUILDING.md
index e111310..33ad87a 100644
--- a/src/BUILDING.md
+++ b/src/BUILDING.md
@@ -24,7 +24,7 @@
by CMake, it may be configured explicitly by setting
`CMAKE_ASM_NASM_COMPILER`.
- * A C compiler is required. On Windows, MSVC 12 (Visual Studio 2013) or later
+ * A C compiler is required. On Windows, MSVC 14 (Visual Studio 2015) or later
with Platform SDK 8.1 or later are supported. Recent versions of GCC (4.8+)
and Clang should work on non-Windows platforms, and maybe on Windows too.
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index adf2021..f36cd38 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -51,6 +51,7 @@
"C4365" # '=' : conversion from 'size_t' to 'int',
# signed/unsigned mismatch
"C4389" # '!=' : signed/unsigned mismatch
+ "C4464" # relative include path contains '..'
"C4510" # 'argument' : default constructor could not be generated
"C4512" # 'argument' : assignment operator could not be generated
"C4514" # 'function': unreferenced inline function has been removed
@@ -58,6 +59,7 @@
# side-effect" caused by FD_* macros.
"C4610" # struct 'argument' can never be instantiated - user defined
# constructor required.
+ "C4623" # default constructor was implicitly defined as deleted
"C4625" # copy constructor could not be generated because a base class
# copy constructor is inaccessible or deleted
"C4626" # assignment operator could not be generated because a base class
@@ -70,24 +72,16 @@
"C4820" # 'bytes' bytes padding added after construct 'member_name'
"C4996" # 'read': The POSIX name for this item is deprecated. Instead,
# use the ISO C++ conformant name: _read.
- )
- if(NOT(CMAKE_C_COMPILER_VERSION VERSION_LESS "19.0.23506"))
- # MSVC 2015 Update 1.
- set(MSVC_DISABLED_WARNINGS_LIST
- ${MSVC_DISABLED_WARNINGS_LIST}
- "C4464" # relative include path contains '..'
- "C4623" # default constructor was implicitly defined as deleted
- "C5027" # move assignment operator was implicitly defined as deleted
- )
- set(MSVC_LEVEL4_WARNINGS_LIST
- # See https://connect.microsoft.com/VisualStudio/feedback/details/1217660/warning-c4265-when-using-functional-header
- "C4265" # class has virtual functions, but destructor is not virtual
- )
- string(REPLACE "C" " -w4" MSVC_LEVEL4_WARNINGS_STR
- ${MSVC_LEVEL4_WARNINGS_LIST})
- endif()
+ "C5027" # move assignment operator was implicitly defined as deleted
+ )
+ set(MSVC_LEVEL4_WARNINGS_LIST
+ # See https://connect.microsoft.com/VisualStudio/feedback/details/1217660/warning-c4265-when-using-functional-header
+ "C4265" # class has virtual functions, but destructor is not virtual
+ )
string(REPLACE "C" " -wd" MSVC_DISABLED_WARNINGS_STR
${MSVC_DISABLED_WARNINGS_LIST})
+ string(REPLACE "C" " -w4" MSVC_LEVEL4_WARNINGS_STR
+ ${MSVC_LEVEL4_WARNINGS_LIST})
set(CMAKE_C_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
set(CMAKE_CXX_FLAGS "-Wall -WX ${MSVC_DISABLED_WARNINGS_STR} ${MSVC_LEVEL4_WARNINGS_STR}")
add_definitions(-D_HAS_EXCEPTIONS=0)
diff --git a/src/crypto/asn1/a_bytes.c b/src/crypto/asn1/a_bytes.c
index 7e2f85d..e6b2f2e 100644
--- a/src/crypto/asn1/a_bytes.c
+++ b/src/crypto/asn1/a_bytes.c
@@ -202,13 +202,13 @@
} else {
if (len != 0) {
if ((ret->length < len) || (ret->data == NULL)) {
- if (ret->data != NULL)
- OPENSSL_free(ret->data);
s = (unsigned char *)OPENSSL_malloc((int)len + 1);
if (s == NULL) {
i = ERR_R_MALLOC_FAILURE;
goto err;
}
+ if (ret->data != NULL)
+ OPENSSL_free(ret->data);
} else
s = ret->data;
memcpy(s, p, (int)len);
diff --git a/src/crypto/asn1/a_type.c b/src/crypto/asn1/a_type.c
index ecd4734..734ff8b 100644
--- a/src/crypto/asn1/a_type.c
+++ b/src/crypto/asn1/a_type.c
@@ -122,9 +122,7 @@
result = a->value.boolean - b->value.boolean;
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE:
diff --git a/src/crypto/asn1/tasn_dec.c b/src/crypto/asn1/tasn_dec.c
index 40d575d..616b587 100644
--- a/src/crypto/asn1/tasn_dec.c
+++ b/src/crypto/asn1/tasn_dec.c
@@ -894,9 +894,7 @@
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err;
diff --git a/src/crypto/asn1/tasn_enc.c b/src/crypto/asn1/tasn_enc.c
index a56d08e..409d138 100644
--- a/src/crypto/asn1/tasn_enc.c
+++ b/src/crypto/asn1/tasn_enc.c
@@ -609,9 +609,7 @@
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
/*
* These are all have the same content format as ASN1_INTEGER
*/
diff --git a/src/crypto/base64/base64.c b/src/crypto/base64/base64.c
index 4822fb8..61f79cd 100644
--- a/src/crypto/base64/base64.c
+++ b/src/crypto/base64/base64.c
@@ -119,8 +119,7 @@
void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len,
const uint8_t *in, size_t in_len) {
- unsigned i, j;
- unsigned total = 0;
+ size_t total = 0;
*out_len = 0;
if (in_len == 0) {
@@ -128,33 +127,37 @@
}
assert(ctx->length <= sizeof(ctx->enc_data));
+ assert(ctx->num < ctx->length);
- if (ctx->num + in_len < ctx->length) {
+ if (ctx->length - ctx->num > in_len) {
memcpy(&ctx->enc_data[ctx->num], in, in_len);
ctx->num += in_len;
return;
}
+
if (ctx->num != 0) {
- i = ctx->length - ctx->num;
- memcpy(&ctx->enc_data[ctx->num], in, i);
- in += i;
- in_len -= i;
- j = EVP_EncodeBlock(out, ctx->enc_data, ctx->length);
+ size_t todo = ctx->length - ctx->num;
+ memcpy(&ctx->enc_data[ctx->num], in, todo);
+ in += todo;
+ in_len -= todo;
+ size_t encoded = EVP_EncodeBlock(out, ctx->enc_data, ctx->length);
ctx->num = 0;
- out += j;
+ out += encoded;
*(out++) = '\n';
*out = '\0';
- total = j + 1;
+ total = encoded + 1;
}
+
while (in_len >= ctx->length) {
- j = EVP_EncodeBlock(out, in, ctx->length);
+ size_t encoded = EVP_EncodeBlock(out, in, ctx->length);
in += ctx->length;
in_len -= ctx->length;
- out += j;
+ out += encoded;
*(out++) = '\n';
*out = '\0';
- total += j + 1;
+ total += encoded + 1;
}
+
if (in_len != 0) {
memcpy(&ctx->enc_data[0], in, in_len);
}
diff --git a/src/crypto/bn/cmp.c b/src/crypto/bn/cmp.c
index fce7233..121c894 100644
--- a/src/crypto/bn/cmp.c
+++ b/src/crypto/bn/cmp.c
@@ -56,6 +56,8 @@
#include <openssl/bn.h>
+#include <openssl/mem.h>
+
#include "internal.h"
@@ -198,3 +200,15 @@
int BN_is_odd(const BIGNUM *bn) {
return bn->top > 0 && (bn->d[0] & 1) == 1;
}
+
+int BN_equal_consttime(const BIGNUM *a, const BIGNUM *b) {
+ if (a->top != b->top) {
+ return 0;
+ }
+
+ int limbs_are_equal =
+ CRYPTO_memcmp(a->d, b->d, (size_t)a->top * sizeof(a->d[0])) == 0;
+
+ return constant_time_select_int(constant_time_eq_int(a->neg, b->neg),
+ limbs_are_equal, 0);
+}
diff --git a/src/crypto/cipher/cipher.c b/src/crypto/cipher/cipher.c
index 341516a..f61c59f 100644
--- a/src/crypto/cipher/cipher.c
+++ b/src/crypto/cipher/cipher.c
@@ -284,7 +284,7 @@
bl = ctx->cipher->block_size;
assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
- if (i + in_len < bl) {
+ if (bl - i > in_len) {
memcpy(&ctx->buf[i], in, in_len);
ctx->buf_len += in_len;
*out_len = 0;
diff --git a/src/crypto/cipher/tls_cbc.c b/src/crypto/cipher/tls_cbc.c
index 510b4c7..fbc93fa 100644
--- a/src/crypto/cipher/tls_cbc.c
+++ b/src/crypto/cipher/tls_cbc.c
@@ -177,6 +177,45 @@
* + md_size = 256 + 48 (since SHA-384 is the largest hash) = 304. */
assert(rotate_offset <= 304);
+ /* Below is an SMT-LIB2 verification that the Barrett reductions below are
+ * correct within this range:
+ *
+ * (define-fun barrett (
+ * (x (_ BitVec 32))
+ * (mul (_ BitVec 32))
+ * (shift (_ BitVec 32))
+ * (divisor (_ BitVec 32)) ) (_ BitVec 32)
+ * (let ((q (bvsub x (bvmul divisor (bvlshr (bvmul x mul) shift))) ))
+ * (ite (bvuge q divisor)
+ * (bvsub q divisor)
+ * q)))
+ *
+ * (declare-fun x () (_ BitVec 32))
+ *
+ * (assert (or
+ * (let (
+ * (divisor (_ bv20 32))
+ * (mul (_ bv25 32))
+ * (shift (_ bv9 32))
+ * (limit (_ bv853 32)))
+ *
+ * (and (bvule x limit) (not (= (bvurem x divisor)
+ * (barrett x mul shift divisor)))))
+ *
+ * (let (
+ * (divisor (_ bv48 32))
+ * (mul (_ bv10 32))
+ * (shift (_ bv9 32))
+ * (limit (_ bv768 32)))
+ *
+ * (and (bvule x limit) (not (= (bvurem x divisor)
+ * (barrett x mul shift divisor)))))
+ * ))
+ *
+ * (check-sat)
+ * (get-model)
+ */
+
if (md_size == 16) {
rotate_offset &= 15;
} else if (md_size == 20) {
diff --git a/src/crypto/crypto.c b/src/crypto/crypto.c
index 89b0bd1..e98e249 100644
--- a/src/crypto/crypto.c
+++ b/src/crypto/crypto.c
@@ -123,6 +123,14 @@
#endif
}
+int CRYPTO_is_confidential_build(void) {
+#if defined(BORINGSSL_CONFIDENTIAL)
+ return 1;
+#else
+ return 0;
+#endif
+}
+
const char *SSLeay_version(int unused) {
return "BoringSSL";
}
diff --git a/src/crypto/err/x509.errordata b/src/crypto/err/x509.errordata
index a1d49b7..5687c30 100644
--- a/src/crypto/err/x509.errordata
+++ b/src/crypto/err/x509.errordata
@@ -17,6 +17,7 @@
X509,116,KEY_VALUES_MISMATCH
X509,117,LOADING_CERT_DIR
X509,118,LOADING_DEFAULTS
+X509,135,NAME_TOO_LONG
X509,119,NEWER_CRL_NOT_NEWER
X509,120,NOT_PKCS7_SIGNED_DATA
X509,121,NO_CERTIFICATES_INCLUDED
diff --git a/src/crypto/hkdf/hkdf_test.c b/src/crypto/hkdf/hkdf_test.c
index b11061a..53c0c5b 100644
--- a/src/crypto/hkdf/hkdf_test.c
+++ b/src/crypto/hkdf/hkdf_test.c
@@ -228,9 +228,8 @@
return 1;
}
if (memcmp(buf, test->out, test->out_len) != 0) {
- fprintf(stderr, "%" OPENSSL_PR_SIZE_T
- ": Resulting key material does not match test vector\n",
- i);
+ fprintf(stderr,
+ "%zu: Resulting key material does not match test vector\n", i);
return 1;
}
}
diff --git a/src/crypto/modes/gcm_test.c b/src/crypto/modes/gcm_test.c
index 56639e6..19c295b 100644
--- a/src/crypto/modes/gcm_test.c
+++ b/src/crypto/modes/gcm_test.c
@@ -282,9 +282,7 @@
uint8_t v, v2;
if (!from_hex(&v, in[i]) ||
!from_hex(&v2, in[i+1])) {
- fprintf(stderr,
- "%u: invalid hex digit in %s around offset %" OPENSSL_PR_SIZE_T
- ".\n",
+ fprintf(stderr, "%u: invalid hex digit in %s around offset %zu.\n",
test_num, description, i);
goto err;
}
diff --git a/src/crypto/pem/pem_lib.c b/src/crypto/pem/pem_lib.c
index 6e928a6..e53abf8 100644
--- a/src/crypto/pem/pem_lib.c
+++ b/src/crypto/pem/pem_lib.c
@@ -262,7 +262,7 @@
if (enc != NULL) {
objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
- if (objstr == NULL) {
+ if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0) {
OPENSSL_PUT_ERROR(PEM, PEM_R_UNSUPPORTED_CIPHER);
goto err;
}
diff --git a/src/crypto/rsa/rsa_impl.c b/src/crypto/rsa/rsa_impl.c
index 3e30d89..548c535 100644
--- a/src/crypto/rsa/rsa_impl.c
+++ b/src/crypto/rsa/rsa_impl.c
@@ -556,7 +556,18 @@
goto err;
}
- if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
+ if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
+ /* We cannot do blinding or verification without |e|, and continuing without
+ * those countermeasures is dangerous. However, the Java/Android RSA API
+ * requires support for keys where only |d| and |n| (and not |e|) are known.
+ * The callers that require that bad behavior set |RSA_FLAG_NO_BLINDING|. */
+ int disable_security = (rsa->flags & RSA_FLAG_NO_BLINDING) && rsa->e == NULL;
+
+ if (!disable_security) {
/* Keys without public exponents must have blinding explicitly disabled to
* be used. */
if (rsa->e == NULL) {
@@ -564,11 +575,6 @@
goto err;
}
- if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx)) {
- OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
blinding = rsa_blinding_get(rsa, &blinding_index, ctx);
if (blinding == NULL) {
OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
@@ -592,13 +598,29 @@
d = &local_d;
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (!BN_MONT_CTX_set_locked(&rsa->mont_n, &rsa->lock, rsa->n, ctx) ||
- !BN_mod_exp_mont_consttime(result, f, d, rsa->n, ctx, rsa->mont_n)) {
+ if (!BN_mod_exp_mont_consttime(result, f, d, rsa->n, ctx, rsa->mont_n)) {
goto err;
}
}
- if (blinding) {
+ /* Verify the result to protect against fault attacks as described in the
+ * 1997 paper "On the Importance of Checking Cryptographic Protocols for
+ * Faults" by Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. Some
+ * implementations do this only when the CRT is used, but we do it in all
+ * cases. Section 6 of the aforementioned paper describes an attack that
+ * works when the CRT isn't used. That attack is much less likely to succeed
+ * than the CRT attack, but there have likely been improvements since 1997.
+ *
+ * This check is cheap assuming |e| is small; it almost always is. */
+ if (!disable_security) {
+ BIGNUM *vrfy = BN_CTX_get(ctx);
+ if (vrfy == NULL ||
+ !BN_mod_exp_mont(vrfy, result, rsa->e, rsa->n, ctx, rsa->mont_n) ||
+ !BN_equal_consttime(vrfy, f)) {
+ OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
if (!BN_BLINDING_invert(result, blinding, rsa->mont_n, ctx)) {
goto err;
}
@@ -780,37 +802,6 @@
}
}
- if (!BN_mod_exp_mont(vrfy, r0, rsa->e, rsa->n, ctx, rsa->mont_n)) {
- goto err;
- }
- /* If 'I' was greater than (or equal to) rsa->n, the operation will be
- * equivalent to using 'I mod n'. However, the result of the verify will
- * *always* be less than 'n' so we don't check for absolute equality, just
- * congruency. */
- if (!BN_sub(vrfy, vrfy, I)) {
- goto err;
- }
- if (!BN_mod(vrfy, vrfy, rsa->n, ctx)) {
- goto err;
- }
- if (BN_is_negative(vrfy)) {
- if (!BN_add(vrfy, vrfy, rsa->n)) {
- goto err;
- }
- }
- if (!BN_is_zero(vrfy)) {
- /* 'I' and 'vrfy' aren't congruent mod n. Don't leak miscalculated CRT
- * output, just do a raw (slower) mod_exp and return that instead. */
-
- BIGNUM local_d;
- BIGNUM *d = NULL;
-
- d = &local_d;
- BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (!BN_mod_exp_mont_consttime(r0, I, d, rsa->n, ctx, rsa->mont_n)) {
- goto err;
- }
- }
ret = 1;
err:
diff --git a/src/crypto/test/test_util.h b/src/crypto/test/test_util.h
index 89e70c6..972e206 100644
--- a/src/crypto/test/test_util.h
+++ b/src/crypto/test/test_util.h
@@ -28,14 +28,6 @@
void hexdump(FILE *fp, const char *msg, const void *in, size_t len);
-#if defined(_MSC_VER) && _MSC_VER < 1900
-/* https://msdn.microsoft.com/en-us/library/tcxf1dw6(v=vs.120).aspx */
-#define OPENSSL_PR_SIZE_T "Iu"
-#else
-#define OPENSSL_PR_SIZE_T "zu"
-#endif
-
-
#if defined(__cplusplus)
}
#endif
diff --git a/src/crypto/x509/pkcs7_test.c b/src/crypto/x509/pkcs7_test.c
index 2dfeb5e..bebcbd9 100644
--- a/src/crypto/x509/pkcs7_test.c
+++ b/src/crypto/x509/pkcs7_test.c
@@ -506,7 +506,7 @@
X509 *b = sk_X509_value(certs2, i);
if (X509_cmp(a, b) != 0) {
- fprintf(stderr, "Certificate %" OPENSSL_PR_SIZE_T " differs.\n", i);
+ fprintf(stderr, "Certificate %zu differs.\n", i);
return 0;
}
}
@@ -570,7 +570,7 @@
X509_CRL *b = sk_X509_CRL_value(crls2, i);
if (X509_CRL_cmp(a, b) != 0) {
- fprintf(stderr, "CRL %" OPENSSL_PR_SIZE_T " differs.\n", i);
+ fprintf(stderr, "CRL %zu differs.\n", i);
return 0;
}
}
@@ -608,8 +608,7 @@
if (sk_X509_num(certs) != 1) {
fprintf(stderr,
- "Bad number of certificates from PKCS7_get_PEM_certificates: "
- "%" OPENSSL_PR_SIZE_T "\n",
+ "Bad number of certificates from PKCS7_get_PEM_certificates: %zu\n",
sk_X509_num(certs));
return 0;
}
@@ -630,9 +629,7 @@
}
if (sk_X509_CRL_num(crls) != 1) {
- fprintf(stderr,
- "Bad number of CRLs from PKCS7_get_PEM_CRLs: %" OPENSSL_PR_SIZE_T
- "\n",
+ fprintf(stderr, "Bad number of CRLs from PKCS7_get_PEM_CRLs: %zu\n",
sk_X509_CRL_num(crls));
return 0;
}
diff --git a/src/crypto/x509/x509_obj.c b/src/crypto/x509/x509_obj.c
index 641e308..a7f31e0 100644
--- a/src/crypto/x509/x509_obj.c
+++ b/src/crypto/x509/x509_obj.c
@@ -64,6 +64,13 @@
#include <openssl/obj.h>
#include <openssl/x509.h>
+/*
+ * Limit to ensure we don't overflow: much greater than
+ * anything enountered in practice.
+ */
+
+#define NAME_ONELINE_MAX (1024 * 1024)
+
char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
{
X509_NAME_ENTRY *ne;
@@ -84,6 +91,8 @@
goto err;
b->data[0] = '\0';
len = 200;
+ } else if (len <= 0) {
+ return NULL;
}
if (a == NULL) {
if (b) {
@@ -108,6 +117,10 @@
type = ne->value->type;
num = ne->value->length;
+ if (num > NAME_ONELINE_MAX) {
+ OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
q = ne->value->data;
if ((type == V_ASN1_GENERALSTRING) && ((num % 4) == 0)) {
@@ -135,6 +148,10 @@
lold = l;
l += 1 + l1 + 1 + l2;
+ if (l > NAME_ONELINE_MAX) {
+ OPENSSL_PUT_ERROR(X509, X509_R_NAME_TOO_LONG);
+ goto end;
+ }
if (b != NULL) {
if (!BUF_MEM_grow(b, l + 1))
goto err;
@@ -174,7 +191,7 @@
return (p);
err:
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
- if (b != NULL)
- BUF_MEM_free(b);
+ end:
+ BUF_MEM_free(b);
return (NULL);
}
diff --git a/src/crypto/x509/x_name.c b/src/crypto/x509/x_name.c
index 226e76d..9972843 100644
--- a/src/crypto/x509/x_name.c
+++ b/src/crypto/x509/x_name.c
@@ -71,6 +71,13 @@
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
static int x509_name_ex_d2i(ASN1_VALUE **val,
const unsigned char **in, long len,
const ASN1_ITEM *it,
@@ -208,6 +215,10 @@
int ret;
STACK_OF(X509_NAME_ENTRY) *entries;
X509_NAME_ENTRY *entry;
+ /* Bound the size of an X509_NAME we are willing to parse. */
+ if (len > X509_NAME_MAX) {
+ len = X509_NAME_MAX;
+ }
q = p;
/* Get internal representation of Name */
diff --git a/src/crypto/x509/x_x509.c b/src/crypto/x509/x_x509.c
index f12140f..15af177 100644
--- a/src/crypto/x509/x_x509.c
+++ b/src/crypto/x509/x_x509.c
@@ -207,6 +207,7 @@
int i2d_X509_AUX(X509 *a, unsigned char **pp)
{
int length, tmplen;
+ unsigned char *start = pp != NULL ? *pp : NULL;
length = i2d_X509(a, pp);
if (length < 0 || a == NULL) {
return length;
@@ -214,6 +215,8 @@
tmplen = i2d_X509_CERT_AUX(a->aux, pp);
if (tmplen < 0) {
+ if (start != NULL)
+ *pp = start;
return tmplen;
}
length += tmplen;
diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h
index 2211920..d4a4eac 100644
--- a/src/include/openssl/base.h
+++ b/src/include/openssl/base.h
@@ -117,6 +117,16 @@
#define OPENSSL_VERSION_NUMBER 0x10002000
#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
+/* BORINGSSL_API_VERSION is a positive integer that increments as BoringSSL
+ * changes over time. The value itself is not meaningful. It will be incremented
+ * whenever is convenient to coordinate an API change with consumers. This will
+ * not denote any special point in development.
+ *
+ * A consumer may use this symbol in the preprocessor to temporarily build
+ * against multiple revisions of BoringSSL at the same time. It is not
+ * recommended to do so for longer than is necessary. */
+#define BORINGSSL_API_VERSION 1
+
#if defined(BORINGSSL_SHARED_LIBRARY)
#if defined(OPENSSL_WINDOWS)
diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h
index 1dea3c5..c66f887 100644
--- a/src/include/openssl/bn.h
+++ b/src/include/openssl/bn.h
@@ -441,6 +441,11 @@
* value of |b|, respectively. */
OPENSSL_EXPORT int BN_ucmp(const BIGNUM *a, const BIGNUM *b);
+/* BN_equal_consttime returns one if |a| is equal to |b|, and zero otherwise.
+ * It takes an amount of time dependent on the sizes of |a| and |b|, but
+ * independent of the contents (including the signs) of |a| and |b|. */
+OPENSSL_EXPORT int BN_equal_consttime(const BIGNUM *a, const BIGNUM *b);
+
/* BN_abs_is_word returns one if the absolute value of |bn| equals |w| and zero
* otherwise. */
OPENSSL_EXPORT int BN_abs_is_word(const BIGNUM *bn, BN_ULONG w);
diff --git a/src/include/openssl/crypto.h b/src/include/openssl/crypto.h
index b52bcf8..3fd299f 100644
--- a/src/include/openssl/crypto.h
+++ b/src/include/openssl/crypto.h
@@ -43,6 +43,13 @@
* should be called before entering a sandbox. */
OPENSSL_EXPORT void CRYPTO_library_init(void);
+/* CRYPTO_is_confidential_build returns one if the linked version of BoringSSL
+ * has been built with the BORINGSSL_CONFIDENTIAL define and zero otherwise.
+ *
+ * This is used by some consumers to identify whether they are using an
+ * internal version of BoringSSL. */
+OPENSSL_EXPORT int CRYPTO_is_confidential_build(void);
+
/* Deprecated functions. */
diff --git a/src/include/openssl/rsa.h b/src/include/openssl/rsa.h
index 83fdf16..063d2e8 100644
--- a/src/include/openssl/rsa.h
+++ b/src/include/openssl/rsa.h
@@ -417,7 +417,8 @@
#define RSA_FLAG_CACHE_PRIVATE 4
/* RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a
- * dangerous thing to do. It is deprecated and may be ignored in the future.
+ * dangerous thing to do. It is deprecated and should not be used. It will
+ * be ignored whenever possible.
*
* This flag must be used if a key without the public exponent |e| is used for
* private key operations; avoid using such keys whenever possible. */
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 4b977b9..bbc263e 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -1262,5 +1262,6 @@
#define X509_R_UNSUPPORTED_ALGORITHM 132
#define X509_R_WRONG_LOOKUP_TYPE 133
#define X509_R_WRONG_TYPE 134
+#define X509_R_NAME_TOO_LONG 135
#endif
diff --git a/src/ssl/ssl_lib.c b/src/ssl/ssl_lib.c
index d62cdae..84047b2 100644
--- a/src/ssl/ssl_lib.c
+++ b/src/ssl/ssl_lib.c
@@ -1701,52 +1701,33 @@
void ssl_get_compatible_server_ciphers(SSL *ssl, uint32_t *out_mask_k,
uint32_t *out_mask_a) {
- CERT *c = ssl->cert;
- int have_rsa_cert = 0, dh_tmp;
- uint32_t mask_k, mask_a;
- int have_ecc_cert = 0, ecdsa_ok;
- X509 *x;
-
- dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL);
+ uint32_t mask_k = 0;
+ uint32_t mask_a = 0;
if (ssl->cert->x509 != NULL && ssl_has_private_key(ssl)) {
if (ssl_private_key_type(ssl) == EVP_PKEY_RSA) {
- have_rsa_cert = 1;
+ mask_k |= SSL_kRSA;
+ mask_a |= SSL_aRSA;
} else if (ssl_private_key_type(ssl) == EVP_PKEY_EC) {
- have_ecc_cert = 1;
+ /* An ECC certificate may be usable for ECDSA cipher suites depending on
+ * the key usage extension and on the client's curve preferences. */
+ X509 *x = ssl->cert->x509;
+ /* This call populates extension flags (ex_flags). */
+ X509_check_purpose(x, -1, 0);
+ int ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE)
+ ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)
+ : 1;
+ if (ecdsa_ok && tls1_check_ec_cert(ssl, x)) {
+ mask_a |= SSL_aECDSA;
+ }
}
}
- mask_k = 0;
- mask_a = 0;
-
- if (dh_tmp) {
+ if (ssl->cert->dh_tmp != NULL || ssl->cert->dh_tmp_cb != NULL) {
mask_k |= SSL_kDHE;
}
- if (have_rsa_cert) {
- mask_k |= SSL_kRSA;
- mask_a |= SSL_aRSA;
- }
- /* An ECC certificate may be usable for ECDSA cipher suites depending on the
- * key usage extension and on the client's curve preferences. */
- if (have_ecc_cert) {
- x = c->x509;
- /* This call populates extension flags (ex_flags). */
- X509_check_purpose(x, -1, 0);
- ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE)
- ? (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)
- : 1;
- if (!tls1_check_ec_cert(ssl, x)) {
- ecdsa_ok = 0;
- }
- if (ecdsa_ok) {
- mask_a |= SSL_aECDSA;
- }
- }
-
- /* If we are considering an ECC cipher suite that uses an ephemeral EC
- * key, check for a shared curve. */
+ /* Check for a shared curve to consider ECDHE ciphers. */
uint16_t unused;
if (tls1_get_shared_curve(ssl, &unused)) {
mask_k |= SSL_kECDHE;
diff --git a/src/util/bot/DEPS b/src/util/bot/DEPS
index 0a4de21..862c93a 100644
--- a/src/util/bot/DEPS
+++ b/src/util/bot/DEPS
@@ -18,7 +18,7 @@
deps = {
'boringssl/util/bot/gyp':
- Var('chromium_git') + '/external/gyp.git' + '@' + '61259d585ce99d9de8b35188cd0025bdbcb58411',
+ Var('chromium_git') + '/external/gyp.git' + '@' + '4cf07e8d616739f6484e46c9359b2a35196b2585',
}
hooks = [
diff --git a/src/util/bot/UPDATING b/src/util/bot/UPDATING
index 4e16c6d..543daf0 100644
--- a/src/util/bot/UPDATING
+++ b/src/util/bot/UPDATING
@@ -12,10 +12,11 @@
Chromium, found at
https://chromium.googlesource.com/chromium/src/+/master/tools/clang/scripts/update.py
-vs_toolchain.py: Set the hash in _GetDesiredVsToolchainHashes to the toolchain
- used in Chromium, found at
+vs_toolchain.py: Set the hash in TOOLCHAIN_HASH to the toolchain
+ used in Chromium, found at _GetDesiredVsToolchainHashes
https://chromium.googlesource.com/chromium/src/+/master/build/vs_toolchain.py
- This may require taking other updates to that file.
+ This may require taking other updates to that file. If updating MSVS
+ version, also update TOOLCHAIN_VERSION accordingly.
The .sha1 files correspond to files downloaded from Google Cloud Storage. To
update, place the updated files in their intended location and run:
diff --git a/src/util/bot/go/bootstrap.py b/src/util/bot/go/bootstrap.py
index 28aa13d..8d08cc3 100755
--- a/src/util/bot/go/bootstrap.py
+++ b/src/util/bot/go/bootstrap.py
@@ -45,7 +45,7 @@
EXE_SFX = '.exe' if sys.platform == 'win32' else ''
# Pinned version of Go toolset to download.
-TOOLSET_VERSION = 'go1.6'
+TOOLSET_VERSION = 'go1.6.2'
# Platform dependent portion of a download URL. See http://golang.org/dl/.
TOOLSET_VARIANTS = {
diff --git a/src/util/bot/update_clang.py b/src/util/bot/update_clang.py
index 48d0d9b..e48a287 100644
--- a/src/util/bot/update_clang.py
+++ b/src/util/bot/update_clang.py
@@ -22,7 +22,7 @@
# CLANG_REVISION and CLANG_SUB_REVISION determine the build of clang
# to use. These should be synced with tools/clang/scripts/update.py in
# Chromium.
-CLANG_REVISION = "261368"
+CLANG_REVISION = "267383"
CLANG_SUB_REVISION = "1"
PACKAGE_VERSION = "%s-%s" % (CLANG_REVISION, CLANG_SUB_REVISION)
diff --git a/src/util/bot/vs_toolchain.py b/src/util/bot/vs_toolchain.py
index 175502e..f90bb46 100644
--- a/src/util/bot/vs_toolchain.py
+++ b/src/util/bot/vs_toolchain.py
@@ -18,12 +18,16 @@
import gyp
+TOOLCHAIN_VERSION = '2015'
+TOOLCHAIN_HASH = '95ddda401ec5678f15eeed01d2bee08fcbc5ee97'
+
+
def SetEnvironmentAndGetRuntimeDllDirs():
"""Sets up os.environ to use the depot_tools VS toolchain with gyp, and
returns the location of the VS runtime DLLs so they can be copied into
the output directory after gyp generation.
"""
- vs2013_runtime_dll_dirs = None
+ vs_runtime_dll_dirs = None
depot_tools_win_toolchain = \
bool(int(os.environ.get('DEPOT_TOOLS_WIN_TOOLCHAIN', '1')))
if sys.platform in ('win32', 'cygwin') and depot_tools_win_toolchain:
@@ -41,7 +45,7 @@
# TODO(scottmg): The order unfortunately matters in these. They should be
# split into separate keys for x86 and x64. (See CopyVsRuntimeDlls call
# below). http://crbug.com/345992
- vs2013_runtime_dll_dirs = toolchain_data['runtime_dirs']
+ vs_runtime_dll_dirs = toolchain_data['runtime_dirs']
os.environ['GYP_MSVS_OVERRIDE_PATH'] = toolchain
os.environ['GYP_MSVS_VERSION'] = version
@@ -56,16 +60,9 @@
os.environ['WINDOWSSDKDIR'] = win_sdk
os.environ['WDK_DIR'] = wdk
# Include the VS runtime in the PATH in case it's not machine-installed.
- runtime_path = ';'.join(vs2013_runtime_dll_dirs)
+ runtime_path = ';'.join(vs_runtime_dll_dirs)
os.environ['PATH'] = runtime_path + ';' + os.environ['PATH']
- return vs2013_runtime_dll_dirs
-
-
-def _GetDesiredVsToolchainHashes():
- """Load a list of SHA1s corresponding to the toolchains that we want installed
- to build with."""
- # Use Chromium's VS2013.
- return ['4087e065abebdca6dbd0caca2910c6718d2ec67f']
+ return vs_runtime_dll_dirs
def FindDepotTools():
@@ -85,13 +82,16 @@
bool(int(os.environ.get('DEPOT_TOOLS_WIN_TOOLCHAIN', '1')))
if sys.platform in ('win32', 'cygwin') and depot_tools_win_toolchain:
depot_tools_path = FindDepotTools()
+ # Necessary so that get_toolchain_if_necessary.py will put the VS toolkit
+ # in the correct directory.
+ os.environ['GYP_MSVS_VERSION'] = TOOLCHAIN_VERSION
get_toolchain_args = [
sys.executable,
os.path.join(depot_tools_path,
'win_toolchain',
'get_toolchain_if_necessary.py'),
- '--output-json', json_data_file,
- ] + _GetDesiredVsToolchainHashes()
+ '--output-json', json_data_file, TOOLCHAIN_HASH,
+ ]
subprocess.check_call(get_toolchain_args)
return 0