| commit | bf7ce2396482e2dbc810dfbf15210ada191117b2 | [log] [tgz] |
|---|---|---|
| author | Piotr Sikora <piotrsikora@google.com> | Tue Nov 29 20:48:58 2016 -0800 |
| committer | Piotr Sikora <piotrsikora@google.com> | Wed Dec 07 19:00:58 2016 +0000 |
| tree | 6ce1088de34460ae0ac88abab1f2fcd4d8f6ee69 | |
| parent | 622f62c0a63bfa9e1c054e0db7369dc2f5319945 [diff] |
Bazel: update BoringSSL to 5fa2538 / a94639d (master-with-bazel). This update includes the following changes: 5fa2538 Clean up the GHASH init function a little. abd36dd Set needed defines for UINT64_C in gcm_test.cc. 64a8659 Rename BSWAP[48] to CRYPTO_bswap[48] and always define them. 48891ad Simplify BoGo's TLS 1.3 key derivation. 0d1faef Also add util/bot/golang to .gitignore. c629e8b Split CRYPTO_ghash_init from CRYPTO_gcm128_init. a00cafc Drop H (the key) from the GCM context. e8bbc6c Assume little-endian in GCM code. 0ec5639 Don't extract archives if unchanged. 65241cf Add util/bot files to .gitignore. f18ad08 tool: don't generate negative serial numbers. d8a2682 Simplify rotate_offset computation in EVP_tls_cbc_copy_mac. a4ddb6e Remove unnecessary constant-time operation. 029cce5 Tidy up EVP_tls_cbc_copy_mac a little. aedf303 Parse the entire PSK extension. bf48364 Support setting per-connection default session lifetime value 15073af Adding a fuzzer for Sessions a4ee74d Skipping early data on 0RTT rejection. 8f820b4 Clean up resumption secret "derivation" step. ce1f62c Make `bssl server` generate a self-signed cert if none is provided. 509889d Sync with upstream's version of sha256-armv4.pl. f086df9 signed char => int8_t. e4a9dbc Minor formatting fixups. bfe5f08 Rewrite EC_window_bits_for_scalar_size into a function. c6d09e8 Check for BN_lshift failure in BN_sqrt. 1c68eff Fix error code for unreduced x. 14ebb4f Don't compute the Kronecker symbol in ec_GFp_simple_set_compressed_coordinates. bd69175 Test that BN_mod_sqrt detects quadratic non-residues. 55a1ecc Don't allow BN_mod_sqrt(0) to return P in tests. 3d622e5 Add missing bounds check in tls13_derive_resumption_secret. 68f37b7 Run TestOneSidedShutdown at all versions. 0fef305 Add a ForEachVersion function to ssl_test. 9b885c5 Don't allow invalid SCT lists to be set. 6f5f49f Flush TLS 1.3 certificate extensions. cfa08c3 Enforce basic sanity of SCT lists. b5172a7 Make tls1_setup_key_block static. 7da8ea7 Add forward declaration to avoid a compiler warning fbbef12 Don't put a colon in the extra error message. d7b9002 Define BORINGSSL_SHARED_LIBRARY when building tests with Bazel. 5f04b6b Add ppc64le vector implementation of SHA-1. 35598ae Remove ext_alpn_init. e7f60a2 Fix alert on tls1_process_alert failure. 12d6baf Make ssl_ext_pre_shared_key_add_clienthello static. 2aaaa16 Depend all_tests on p256-x86_64_test. bbaf367 Add |SSL_set_retain_only_sha256_of_client_certs|. a933c38 Test setting session ID context in early or SNI callback. f01f42a Negotiate ciphers before resumption. 34202b9 Call cert_cb before resolving resumption. 4eb95cc Parse ClientHello extensions before deciding on resumption. 8d3f130 tool: print client's SNI value, if any. 4008c7a Fix some more negative zeros and add tests for each case. ca0b603 Remove unnecessary BN_is_negative check in p256-x86_64_test. dc16f38 ec/ecp_nistz256: harmonize is_infinity with ec_GFp_simple_is_at_infinity. e1cc35e Tolerate cipher changes on TLS 1.3 resumption as a client. 2b02f4b Loosen TLS 1.3 session/cipher matching in BoGo. d0d532f Select TLS 1.3 cipher before resumption in BoGo. 6929f27 Fix return values for TLS 1.3 state machine code. 71186e8 Move ExpectTicketAge out of AcceptAnySession. 0b8f85e Fix AcceptAnyVersion bug. ba28dfc Add a -repeat-until-failure flag to runner. 53210cb Do not send unsolicited SCTs in TLS 1.3. ea80f9d obfuscated_ticket_age must also be reset when comparing. 75f9914 Align TLS 1.2 and 1.3 server session validity checks. 1e21e99 More flexible detection of arm processors to fix cmake errors on armv6l and armv7l devices bca451e Remove bssl::Main wrapper in ec_test. e36888d Rename and document ecp_nistz256_mod_inverse. dde19c6 Fix booth_recode_w5 comment. 4a9313a Add low-level p256-x86_64 tests. 28d1dc8 Perform stricter reduction in p256-x86_64-asm.pl. c5665c9 Remove out-of-date BoGo earlyDataContext parsing bits. b8d74f5 Add tests for failing cert_cb. d5ff2f9 Refresh TLS fuzzer corpora. fd06601 Add a script to refresh fuzzer corpora. 9b63f29 Fix run_tests on fuzzer-mode builds. dfb4138 Update suppressions for fuzzer mode. ffb1107 Add a helper function for parsing extensions blocks. 32b47a5 Allow PSK binder mismatches in fuzzer mode. a833c35 Update to TLS 1.3 draft 18. ced9479 Replace hash_current_message with get_current_message. e8b554d Fix Android bots. 2c51645 Add runner tests which send intermediate certificates. e6f2221 Enforce record-layer version numbers. 49b5038 Speculative fix to Android bots. eab773a Add missing PSK identity comment. 076ade5 Update pinned revisions in util/bot. 78476f6 Move tlsext_ticket_expected to SSL_HANDSHAKE. ba1660b Tidy up finish_message logic. 5eead16 Splitting finish_message to finish_message/queue_message. 8499621 Check for i2d_name_canon failures in x509_name_canon. a380f9d Always assume little-endian in Poly1305 reference code. e4f96d6 Align the non-vector Poly1305 structure. 45c844a aes/asm/aesp8-ppc.pl: improve [backward] portability. 231a475 Test bad records at all cipher suites. 126fa27 Don't leak memory on ASN1_GENERALIZEDTIME_adj() error path 7f2ee35 bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (not affected). 14c7e8d BORINGSSL_UNSAFE_FUZZER_MODE implies BORINGSSL_UNSAFE_DETERMINISTIC_MODE. c5ac2b6 Rename X.509 members in |SSL_SESSION| and |CERT|. a983b4c Set SSL_MODE_NO_AUTO_CHAIN by default. b348897 Correctness fixes for NaCl and other platforms. da4789e Fix BoGo HelloVerifyRequest version handling. 4e41926 Move key_block into SSL_HANDSHAKE. 54955fe Allow building on MIPS. ec978dd Add corpora for fuzzers with fuzzer mode disabled. da86360 Expose SSL_max_seal_overhead. 864c887 Add STACK_OF(CRYPTO_BUFFER). d50f1c8 Address review comments from https://boringssl-review.googlesource.com/#/c/11920/2 123db57 Measure session->timeout from ticket issuance. e75cc27 Fix ssl3_send_new_session_ticket error-handling. 0a011fc Flush TLS 1.3 NewSessionTicket messages together. 8e816eb Treat sessions as expired on the boundary second. 5b7b09c Remove weird special-cases around times in SSL_SESSION. 0f31ac7 Don't serialize negative times and timeouts. 11a7b3c Trim ssl_create_cipher_list slightly. 3c51d9b Test that session renewals interact with lifetimes correctly. c034e2d Add ED25519_keypair_from_seed. dda85e8 Remove the last of BIO_print_errors. d2cb1c1 Remove cipher_list_by_id. 9ec3798 Don't access SSL internals in bssl_shim. abbbee1 Detach TLS 1.3 cipher configuration from the cipher language. fb73e97 Test that version is available in the ALPN callback. 7bb1d29 Forbid using exporters during a renego. 4199b0d Add tests which modify the shim ticket. 7bb88bb Fix comment on session version field. 9ef31f0 Negotiate the cipher suite before ALPN. b2e2e32 Test that client and server enforce session timeouts. 997c706 Remove no-op loops in curve25519.c. 4898331 Add d2i_X509_from_buffer. 1e5ac5d Fix more clang-tidy warnings. af3b8a9 Fix multiple PSK identity parsing. 70aba26 Skip ec_point_format if min_version >= TLS 1.3. af3b3d3 Only resolve which cipher list to use once. 74df74b Remove ssl_any_ec_cipher_suites_enabled check. f85d323 TLS: Choose the max version supported by the client, not first. 6f73379 Add X25519 length constants. cec45b7 Update links to Bazel's site. 4b0d0e4 Validate input iv/mac sizes in SSL_AEAD_CTX_new. ea213d1 Add missing include. b917909 Move a few more types out of ssl.h. 8b17671 Test that SNI is accessible from the SNI callback. d547f55 Remove superfluous const from CRYPTO_BUFFER_len. 0d211bd Clarify the scope & initialization of |data_len| in |aead_tls_open|. 305e6fb Revise ssl_cipher_get_evp_aead. 5e393fe Test getrandom(2) on Linux if available 9ef99d5 Add CRYPTO_BUFFER and CRYPTO_BUFFER_POOL. 1b22f85 Reject tickets from the future. b6b6ff3 Verifying resumption cipher validity with current configuration. 3a322f5 Revise signing preferences. 9415a14 Fix SSL_CTX_set1_curves fuzzer. a1bbaca Record kCRLTestRoot's private key in the source. 351af19 Remove a clang-cl workaround that's no longer needed. c6722cd Check SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER before touching wpend_buf. Change-Id: I0a507eced3eb316ea350ba6bb6c85a75604ac308 Signed-off-by: Piotr Sikora <piotrsikora@google.com> Reviewed-on: https://nginx-review.googlesource.com/2642 Reviewed-by: Gurgen Hrachyan <gugo@google.com>
To build nginx binary with Bazel:
$ bazel build :nginx
To build Debian package:
$ bazel build :nginx-google.deb
This repository is currently maintained by Google developers.
Any code changes should be submitted to upstream NGINX.
Copyright (C) 2002-2016 Igor Sysoev Copyright (C) 2011-2016 Nginx, Inc. Copyright (C) 2015-2016 Google Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This is not an official Google product.