external/boringssl: Sync to e34bcc91.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/0e9138d295cd556e830dc8b3be735e808680f4bd..e34bcc91c07c0bf65ecc53a814d51f5246007150
This also removes BORINGSSL_ENABLE_RC4_TLS and android_compat_hacks.c as
they are no longer needed.
Test: Built tree, phone boots. Ran cts-tradefed run cts -m CtsLibcoreTestCases
Change-Id: I86df196e1856c338bbf72c60e2e47dd1b74ae537
diff --git a/src/ssl/handshake_server.c b/src/ssl/handshake_server.c
index f041129..d57735a 100644
--- a/src/ssl/handshake_server.c
+++ b/src/ssl/handshake_server.c
@@ -197,6 +197,11 @@
state = ssl->state;
switch (ssl->state) {
+ case SSL_ST_INIT:
+ ssl->state = SSL_ST_ACCEPT;
+ skip = 1;
+ break;
+
case SSL_ST_ACCEPT:
ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
@@ -559,12 +564,30 @@
return 0;
}
- uint16_t client_version =
- ssl->method->version_from_wire(client_hello->version);
- ssl->client_version = client_hello->version;
+ /* For TLS versions which use ClientHello.version, convert it to a version we
+ * are aware of. */
+ uint16_t version = 0;
+ if (SSL_is_dtls(ssl)) {
+ if (client_hello->version <= DTLS1_2_VERSION) {
+ version = TLS1_2_VERSION;
+ } else if (client_hello->version <= DTLS1_VERSION) {
+ version = TLS1_1_VERSION;
+ }
+ } else {
+ if (client_hello->version >= TLS1_3_VERSION) {
+ version = TLS1_3_VERSION;
+ } else if (client_hello->version >= TLS1_2_VERSION) {
+ version = TLS1_2_VERSION;
+ } else if (client_hello->version >= TLS1_1_VERSION) {
+ version = TLS1_1_VERSION;
+ } else if (client_hello->version >= TLS1_VERSION) {
+ version = TLS1_VERSION;
+ } else if (client_hello->version >= SSL3_VERSION) {
+ version = SSL3_VERSION;
+ }
+ }
- /* Select the version to use. */
- uint16_t version = client_version;
+ /* Apply our minimum and maximum version. */
if (version > max_version) {
version = max_version;
}
@@ -584,6 +607,7 @@
return 0;
}
+ ssl->client_version = client_hello->version;
ssl->version = ssl->method->version_to_wire(version);
ssl->s3->enc_method = ssl3_get_enc_method(version);
assert(ssl->s3->enc_method != NULL);
@@ -632,7 +656,7 @@
case -1:
/* Connection rejected. */
- al = SSL_AD_ACCESS_DENIED;
+ al = SSL_AD_HANDSHAKE_FAILURE;
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
goto f_err;
@@ -714,7 +738,7 @@
session = NULL;
ssl->s3->session_reused = 1;
} else {
- SSL_set_session(ssl, NULL);
+ ssl_set_session(ssl, NULL);
if (!ssl_get_new_session(ssl, 1 /* server */)) {
goto err;
}
@@ -728,7 +752,7 @@
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
/* Connection rejected for DOS reasons. */
- al = SSL_AD_ACCESS_DENIED;
+ al = SSL_AD_INTERNAL_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
goto f_err;
}
@@ -870,20 +894,8 @@
return -1;
}
- /* Fill in the TLS 1.2 downgrade signal. See draft-ietf-tls-tls13-14.
- *
- * TODO(davidben): Also implement the TLS 1.1 sentinel when things have
- * settled down. */
- uint16_t min_version, max_version;
- if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
- return -1;
- }
- if (max_version >= TLS1_3_VERSION &&
- ssl3_protocol_version(ssl) <= TLS1_2_VERSION) {
- static const uint8_t kDowngradeTLS12[8] = {0x44, 0x4f, 0x57, 0x4e,
- 0x47, 0x52, 0x44, 0x01};
- memcpy(ssl->s3->server_random + SSL3_RANDOM_SIZE - 8, kDowngradeTLS12, 8);
- }
+ /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+ * 1.3 is finalized and we are not implementing a draft version. */
const SSL_SESSION *session = ssl->s3->new_session;
if (ssl->session != NULL) {
@@ -1146,8 +1158,7 @@
int have_ecdsa_sign = 0;
const uint16_t *sig_algs;
size_t sig_algs_len = tls12_get_psigalgs(ssl, &sig_algs);
- size_t i;
- for (i = 0; i < sig_algs_len; i++) {
+ for (size_t i = 0; i < sig_algs_len; i++) {
switch (sig_algs[i]) {
case SSL_SIGN_RSA_PKCS1_SHA512:
case SSL_SIGN_RSA_PKCS1_SHA384:
@@ -1495,8 +1506,7 @@
size_t padding_len = decrypt_len - premaster_secret_len;
uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
constant_time_eq_int_8(decrypt_buf[1], 2);
- size_t i;
- for (i = 2; i < padding_len - 1; i++) {
+ for (size_t i = 2; i < padding_len - 1; i++) {
good &= ~constant_time_is_zero_8(decrypt_buf[i]);
}
good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);
@@ -1510,7 +1520,7 @@
/* Select, in constant time, either the decrypted premaster or the random
* premaster based on |good|. */
- for (i = 0; i < premaster_secret_len; i++) {
+ for (size_t i = 0; i < premaster_secret_len; i++) {
premaster_secret[i] = constant_time_select_8(
good, decrypt_buf[padding_len + i], premaster_secret[i]);
}
@@ -1733,8 +1743,13 @@
CBS_init(&next_protocol, ssl->init_msg, ssl->init_num);
if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
!CBS_get_u8_length_prefixed(&next_protocol, &padding) ||
- CBS_len(&next_protocol) != 0 ||
- !CBS_stow(&selected_protocol, &ssl->s3->next_proto_negotiated,
+ CBS_len(&next_protocol) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+ return 0;
+ }
+
+ if (!CBS_stow(&selected_protocol, &ssl->s3->next_proto_negotiated,
&ssl->s3->next_proto_negotiated_len)) {
return 0;
}
@@ -1783,7 +1798,8 @@
CBS_len(&encrypted_extensions) != 0 ||
extension_type != TLSEXT_TYPE_channel_id ||
CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_MESSAGE);
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return -1;
}