external/boringssl: Sync to b2ff2623a88a65fd4db42d3820f3d8c64e8ab180.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/6d50f475e319de153a43e1dba5a1beca95948c63..b2ff2623a88a65fd4db42d3820f3d8c64e8ab180
Change-Id: I649281e093369d99e863b4882a2ff6a5ad8a64d1
Test: ATP's cts/libcore/gce-net (go/gce-net)
diff --git a/src/ssl/handshake_server.c b/src/ssl/handshake_server.c
index a4396f4..7b66cf2 100644
--- a/src/ssl/handshake_server.c
+++ b/src/ssl/handshake_server.c
@@ -185,6 +185,17 @@
static int ssl3_get_channel_id(SSL_HANDSHAKE *hs);
static int ssl3_send_new_session_ticket(SSL_HANDSHAKE *hs);
+static struct CRYPTO_STATIC_MUTEX g_v2clienthello_lock =
+ CRYPTO_STATIC_MUTEX_INIT;
+static uint64_t g_v2clienthello_count = 0;
+
+uint64_t SSL_get_v2clienthello_count(void) {
+ CRYPTO_STATIC_MUTEX_lock_read(&g_v2clienthello_lock);
+ uint64_t ret = g_v2clienthello_count;
+ CRYPTO_STATIC_MUTEX_unlock_read(&g_v2clienthello_lock);
+ return ret;
+}
+
int ssl3_accept(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
uint32_t alg_a;
@@ -206,13 +217,6 @@
case SSL_ST_ACCEPT:
ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
- /* Enable a write buffer. This groups handshake messages within a flight
- * into a single write. */
- if (!ssl_init_wbio_buffer(ssl)) {
- ret = -1;
- goto end;
- }
-
if (!ssl3_init_handshake_buffer(ssl)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ret = -1;
@@ -226,7 +230,6 @@
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
case SSL3_ST_SR_CLNT_HELLO_D:
- case SSL3_ST_SR_CLNT_HELLO_E:
ret = ssl3_get_client_hello(hs);
if (hs->state == SSL_ST_TLS13) {
break;
@@ -239,7 +242,6 @@
break;
case SSL3_ST_SW_SRVR_HELLO_A:
- case SSL3_ST_SW_SRVR_HELLO_B:
ret = ssl3_send_server_hello(hs);
if (ret <= 0) {
goto end;
@@ -252,7 +254,6 @@
break;
case SSL3_ST_SW_CERT_A:
- case SSL3_ST_SW_CERT_B:
if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
ret = ssl3_send_server_certificate(hs);
if (ret <= 0) {
@@ -265,7 +266,6 @@
break;
case SSL3_ST_SW_CERT_STATUS_A:
- case SSL3_ST_SW_CERT_STATUS_B:
if (hs->certificate_status_expected) {
ret = ssl3_send_certificate_status(hs);
if (ret <= 0) {
@@ -279,7 +279,6 @@
case SSL3_ST_SW_KEY_EXCH_A:
case SSL3_ST_SW_KEY_EXCH_B:
- case SSL3_ST_SW_KEY_EXCH_C:
alg_a = ssl->s3->tmp.new_cipher->algorithm_auth;
/* PSK ciphers send ServerKeyExchange if there is an identity hint. */
@@ -297,7 +296,6 @@
break;
case SSL3_ST_SW_CERT_REQ_A:
- case SSL3_ST_SW_CERT_REQ_B:
if (hs->cert_request) {
ret = ssl3_send_certificate_request(hs);
if (ret <= 0) {
@@ -310,7 +308,6 @@
break;
case SSL3_ST_SW_SRVR_DONE_A:
- case SSL3_ST_SW_SRVR_DONE_B:
ret = ssl3_send_server_hello_done(hs);
if (ret <= 0) {
goto end;
@@ -410,7 +407,6 @@
break;
case SSL3_ST_SW_SESSION_TICKET_A:
- case SSL3_ST_SW_SESSION_TICKET_B:
if (hs->ticket_expected) {
ret = ssl3_send_new_session_ticket(hs);
if (ret <= 0) {
@@ -423,22 +419,17 @@
break;
case SSL3_ST_SW_CHANGE:
- ret = ssl->method->send_change_cipher_spec(ssl);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_SW_FINISHED_A;
-
- if (!tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
+ if (!ssl->method->add_change_cipher_spec(ssl) ||
+ !tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
ret = -1;
goto end;
}
+
+ hs->state = SSL3_ST_SW_FINISHED_A;
break;
case SSL3_ST_SW_FINISHED_A:
- case SSL3_ST_SW_FINISHED_B:
- ret = ssl3_send_finished(hs, SSL3_ST_SW_FINISHED_A,
- SSL3_ST_SW_FINISHED_B);
+ ret = ssl3_send_finished(hs);
if (ret <= 0) {
goto end;
}
@@ -493,8 +484,11 @@
ssl->s3->new_session = NULL;
}
- /* remove buffering on output */
- ssl_free_wbio_buffer(ssl);
+ if (hs->v2_clienthello) {
+ CRYPTO_STATIC_MUTEX_lock_write(&g_v2clienthello_lock);
+ g_v2clienthello_count++;
+ CRYPTO_STATIC_MUTEX_unlock_write(&g_v2clienthello_lock);
+ }
ssl->s3->initial_handshake_complete = 1;
ssl_update_cache(hs, SSL_SESS_CACHE_SERVER);
@@ -546,6 +540,7 @@
static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
const SSL_CLIENT_HELLO *client_hello) {
SSL *const ssl = hs->ssl;
+ assert(!ssl->s3->have_version);
uint16_t min_version, max_version;
if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
*out_alert = SSL_AD_PROTOCOL_VERSION;
@@ -703,7 +698,7 @@
uint32_t mask_k = 0;
uint32_t mask_a = 0;
- if (ssl->cert->x509_leaf != NULL && ssl_has_private_key(ssl)) {
+ if (ssl_has_certificate(ssl)) {
int type = ssl_private_key_type(ssl);
if (type == NID_rsaEncryption) {
mask_k |= SSL_kRSA;
@@ -820,12 +815,15 @@
if (hs->state == SSL3_ST_SR_CLNT_HELLO_A) {
/* The first time around, read the ClientHello. */
- int msg_ret = ssl->method->ssl_get_message(ssl, SSL3_MT_CLIENT_HELLO,
- ssl_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
+ if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
+ return -1;
+ }
+
hs->state = SSL3_ST_SR_CLNT_HELLO_B;
}
@@ -855,23 +853,11 @@
/* fallthrough */;
}
}
- hs->state = SSL3_ST_SR_CLNT_HELLO_C;
- }
- /* Negotiate the protocol version if we have not done so yet. */
- if (!ssl->s3->have_version) {
if (!negotiate_version(hs, &al, &client_hello)) {
goto f_err;
}
- if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
- hs->state = SSL_ST_TLS13;
- hs->do_tls13_handshake = tls13_server_handshake;
- return 1;
- }
- }
-
- if (hs->state == SSL3_ST_SR_CLNT_HELLO_C) {
/* Load the client random. */
if (client_hello.random_len != SSL3_RANDOM_SIZE) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -880,11 +866,14 @@
OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
client_hello.random_len);
- /* Only null compression is supported. */
+ /* Only null compression is supported. TLS 1.3 further requires the peer
+ * advertise no other compression. */
if (OPENSSL_memchr(client_hello.compression_methods, 0,
- client_hello.compression_methods_len) == NULL) {
+ client_hello.compression_methods_len) == NULL ||
+ (ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
+ client_hello.compression_methods_len != 1)) {
al = SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMPRESSION_SPECIFIED);
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
goto f_err;
}
@@ -894,10 +883,10 @@
goto err;
}
- hs->state = SSL3_ST_SR_CLNT_HELLO_D;
+ hs->state = SSL3_ST_SR_CLNT_HELLO_C;
}
- if (hs->state == SSL3_ST_SR_CLNT_HELLO_D) {
+ if (hs->state == SSL3_ST_SR_CLNT_HELLO_C) {
/* Call |cert_cb| to update server certificates if required. */
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
@@ -916,6 +905,13 @@
goto err;
}
+ if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+ /* Jump to the TLS 1.3 state machine. */
+ hs->state = SSL_ST_TLS13;
+ hs->do_tls13_handshake = tls13_server_handshake;
+ return 1;
+ }
+
/* Negotiate the cipher suite. This must be done after |cert_cb| so the
* certificate is finalized. */
ssl->s3->tmp.new_cipher =
@@ -926,10 +922,10 @@
goto f_err;
}
- hs->state = SSL3_ST_SR_CLNT_HELLO_E;
+ hs->state = SSL3_ST_SR_CLNT_HELLO_D;
}
- assert(hs->state == SSL3_ST_SR_CLNT_HELLO_E);
+ assert(hs->state == SSL3_ST_SR_CLNT_HELLO_D);
/* Determine whether we are doing session resumption. */
int tickets_supported = 0, renew_ticket = 0;
@@ -1028,8 +1024,10 @@
goto f_err;
}
- /* Now that all parameters are known, initialize the handshake hash. */
- if (!ssl3_init_handshake_hash(ssl)) {
+ /* Now that all parameters are known, initialize the handshake hash and hash
+ * the ClientHello. */
+ if (!ssl3_init_handshake_hash(ssl) ||
+ !ssl_hash_current_message(ssl)) {
goto f_err;
}
@@ -1052,11 +1050,6 @@
static int ssl3_send_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (hs->state == SSL3_ST_SW_SRVR_HELLO_B) {
- return ssl->method->write_message(ssl);
- }
-
- assert(hs->state == SSL3_ST_SW_SRVR_HELLO_A);
/* We only accept ChannelIDs on connections with ECDHE in order to avoid a
* known attack while we fix ChannelID itself. */
@@ -1101,40 +1094,30 @@
!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
!CBB_add_u8(&body, 0 /* no compression */) ||
!ssl_add_serverhello_tlsext(hs, &body) ||
- !ssl_complete_message(ssl, &cbb)) {
+ !ssl_add_message_cbb(ssl, &cbb)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
CBB_cleanup(&cbb);
return -1;
}
- hs->state = SSL3_ST_SW_SRVR_HELLO_B;
- return ssl->method->write_message(ssl);
+ return 1;
}
static int ssl3_send_server_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (hs->state == SSL3_ST_SW_CERT_B) {
- return ssl->method->write_message(ssl);
- }
-
if (!ssl_has_certificate(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
- return 0;
+ return -1;
}
if (!ssl3_output_cert_chain(ssl)) {
- return 0;
+ return -1;
}
- hs->state = SSL3_ST_SW_CERT_B;
- return ssl->method->write_message(ssl);
+ return 1;
}
static int ssl3_send_certificate_status(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (hs->state == SSL3_ST_SW_CERT_STATUS_B) {
- return ssl->method->write_message(ssl);
- }
-
CBB cbb, body, ocsp_response;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_CERTIFICATE_STATUS) ||
@@ -1142,22 +1125,17 @@
!CBB_add_u24_length_prefixed(&body, &ocsp_response) ||
!CBB_add_bytes(&ocsp_response, CRYPTO_BUFFER_data(ssl->ocsp_response),
CRYPTO_BUFFER_len(ssl->ocsp_response)) ||
- !ssl_complete_message(ssl, &cbb)) {
+ !ssl_add_message_cbb(ssl, &cbb)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
CBB_cleanup(&cbb);
return -1;
}
- hs->state = SSL3_ST_SW_CERT_STATUS_B;
- return ssl->method->write_message(ssl);
+ return 1;
}
static int ssl3_send_server_key_exchange(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (hs->state == SSL3_ST_SW_KEY_EXCH_C) {
- return ssl->method->write_message(ssl);
- }
-
CBB cbb, child;
CBB_zero(&cbb);
@@ -1317,7 +1295,7 @@
}
}
- if (!ssl_complete_message(ssl, &cbb)) {
+ if (!ssl_add_message_cbb(ssl, &cbb)) {
goto err;
}
@@ -1325,8 +1303,7 @@
hs->server_params = NULL;
hs->server_params_len = 0;
- hs->state = SSL3_ST_SW_KEY_EXCH_C;
- return ssl->method->write_message(ssl);
+ return 1;
err:
CBB_cleanup(&cbb);
@@ -1373,10 +1350,6 @@
static int ssl3_send_certificate_request(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (hs->state == SSL3_ST_SW_CERT_REQ_B) {
- return ssl->method->write_message(ssl);
- }
-
CBB cbb, body, cert_types, sigalgs_cbb;
if (!ssl->method->init_message(ssl, &cbb, &body,
SSL3_MT_CERTIFICATE_REQUEST) ||
@@ -1400,12 +1373,11 @@
}
if (!ssl_add_client_CA_list(ssl, &body) ||
- !ssl_complete_message(ssl, &cbb)) {
+ !ssl_add_message_cbb(ssl, &cbb)) {
goto err;
}
- hs->state = SSL3_ST_SW_CERT_REQ_B;
- return ssl->method->write_message(ssl);
+ return 1;
err:
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1415,27 +1387,22 @@
static int ssl3_send_server_hello_done(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (hs->state == SSL3_ST_SW_SRVR_DONE_B) {
- return ssl->method->write_message(ssl);
- }
-
CBB cbb, body;
if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO_DONE) ||
- !ssl_complete_message(ssl, &cbb)) {
+ !ssl_add_message_cbb(ssl, &cbb)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
CBB_cleanup(&cbb);
return -1;
}
- hs->state = SSL3_ST_SW_SRVR_DONE_B;
- return ssl->method->write_message(ssl);
+ return 1;
}
static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
assert(hs->cert_request);
- int msg_ret = ssl->method->ssl_get_message(ssl, -1, ssl_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
@@ -1463,6 +1430,10 @@
return -1;
}
+ if (!ssl_hash_current_message(ssl)) {
+ return -1;
+ }
+
CBS certificate_msg;
CBS_init(&certificate_msg, ssl->init_msg, ssl->init_num);
@@ -1539,11 +1510,15 @@
uint8_t psk[PSK_MAX_PSK_LEN];
if (hs->state == SSL3_ST_SR_KEY_EXCH_A) {
- int ret = ssl->method->ssl_get_message(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE,
- ssl_hash_message);
+ int ret = ssl->method->ssl_get_message(ssl);
if (ret <= 0) {
return ret;
}
+
+ if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_KEY_EXCHANGE) ||
+ !ssl_hash_current_message(ssl)) {
+ return -1;
+ }
}
CBS_init(&client_key_exchange, ssl->init_msg, ssl->init_num);
@@ -1807,12 +1782,15 @@
return 1;
}
- int msg_ret = ssl->method->ssl_get_message(ssl, SSL3_MT_CERTIFICATE_VERIFY,
- ssl_dont_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
+ if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY)) {
+ return -1;
+ }
+
CBS_init(&certificate_verify, ssl->init_msg, ssl->init_num);
/* Determine the digest type if needbe. */
@@ -1900,12 +1878,16 @@
* sets the next_proto member in s if found */
static int ssl3_get_next_proto(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- int ret =
- ssl->method->ssl_get_message(ssl, SSL3_MT_NEXT_PROTO, ssl_hash_message);
+ int ret = ssl->method->ssl_get_message(ssl);
if (ret <= 0) {
return ret;
}
+ if (!ssl_check_message_type(ssl, SSL3_MT_NEXT_PROTO) ||
+ !ssl_hash_current_message(ssl)) {
+ return -1;
+ }
+
CBS next_protocol, selected_protocol, padding;
CBS_init(&next_protocol, ssl->init_msg, ssl->init_num);
if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
@@ -1927,13 +1909,13 @@
/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
static int ssl3_get_channel_id(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- int msg_ret = ssl->method->ssl_get_message(ssl, SSL3_MT_CHANNEL_ID,
- ssl_dont_hash_message);
+ int msg_ret = ssl->method->ssl_get_message(ssl);
if (msg_ret <= 0) {
return msg_ret;
}
- if (!tls1_verify_channel_id(ssl) ||
+ if (!ssl_check_message_type(ssl, SSL3_MT_CHANNEL_ID) ||
+ !tls1_verify_channel_id(ssl) ||
!ssl_hash_current_message(ssl)) {
return -1;
}
@@ -1942,15 +1924,11 @@
static int ssl3_send_new_session_ticket(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (hs->state == SSL3_ST_SW_SESSION_TICKET_B) {
- return ssl->method->write_message(ssl);
- }
-
const SSL_SESSION *session;
SSL_SESSION *session_copy = NULL;
if (ssl->session == NULL) {
/* Fix the timeout to measure from the ticket issuance time. */
- ssl_session_refresh_time(ssl, ssl->s3->new_session);
+ ssl_session_rebase_time(ssl, ssl->s3->new_session);
session = ssl->s3->new_session;
} else {
/* We are renewing an existing session. Duplicate the session to adjust the
@@ -1960,7 +1938,7 @@
return -1;
}
- ssl_session_refresh_time(ssl, session_copy);
+ ssl_session_rebase_time(ssl, session_copy);
session = session_copy;
}
@@ -1970,7 +1948,7 @@
CBB_add_u32(&body, session->timeout) &&
CBB_add_u16_length_prefixed(&body, &ticket) &&
ssl_encrypt_ticket(ssl, &ticket, session) &&
- ssl_complete_message(ssl, &cbb);
+ ssl_add_message_cbb(ssl, &cbb);
SSL_SESSION_free(session_copy);
CBB_cleanup(&cbb);
@@ -1979,6 +1957,5 @@
return -1;
}
- hs->state = SSL3_ST_SW_SESSION_TICKET_B;
- return ssl->method->write_message(ssl);
+ return 1;
}