external/boringssl: Sync to f8de2af7e319f83ba88579fbf127ba5fafc26c71.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/73ffb74b9e36a93a3e593010a367a610105da9a1..f8de2af7e319f83ba88579fbf127ba5fafc26c71

Change-Id: Iab4fb4fde30c1f26ad2b98160abca366bdea1da4
Test: BoringSSL CTS Presubmits.
diff --git a/src/include/openssl/buf.h b/src/include/openssl/buf.h
index d4c3e22..3f961b8 100644
--- a/src/include/openssl/buf.h
+++ b/src/include/openssl/buf.h
@@ -89,10 +89,14 @@
 // zeros. It returns the length of |buf|, or zero if there's an error.
 OPENSSL_EXPORT size_t BUF_MEM_grow(BUF_MEM *buf, size_t len);
 
-// BUF_MEM_grow_clean acts the same as |BUF_MEM_grow|, but clears the previous
-// contents of memory if reallocing.
+// BUF_MEM_grow_clean calls |BUF_MEM_grow|. BoringSSL always zeros memory
+// allocated memory on free.
 OPENSSL_EXPORT size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len);
 
+// BUF_MEM_append appends |in| to |buf|. It returns one on success and zero on
+// error.
+OPENSSL_EXPORT int BUF_MEM_append(BUF_MEM *buf, const void *in, size_t len);
+
 // BUF_strdup returns an allocated, duplicate of |str|.
 OPENSSL_EXPORT char *BUF_strdup(const char *str);
 
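Review bot: The rewritten BUF_MEM_grow_clean comment has a doubled word, `zeros memory allocated memory`, and the new BUF_MEM_append comment never mentions the |len| parameter, so a reader cannot tell how much of |in| is consumed. Suggested wording: `// BUF_MEM_grow_clean calls |BUF_MEM_grow|. BoringSSL always zeros allocated memory on free.` and `// BUF_MEM_append appends |len| bytes from |in| to |buf|. It returns one on success and zero on error.` It would also help to state whether |in| may overlap |buf->data|, since appending a slice of the buffer to itself is a natural use; that detail is not visible in this hunk, so confirm it against the implementation before documenting it.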
diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h
index 66f6204..6d355b5 100644
--- a/src/include/openssl/bytestring.h
+++ b/src/include/openssl/bytestring.h
@@ -41,10 +41,16 @@
   size_t len;
 
 #if !defined(BORINGSSL_NO_CXX)
-  // Allow implicit conversions to bssl::Span<const uint8_t>.
+  // Allow implicit conversions to and from bssl::Span<const uint8_t>.
+  cbs_st(bssl::Span<const uint8_t> span)
+      : data(span.data()), len(span.size()) {}
   operator bssl::Span<const uint8_t>() const {
     return bssl::MakeConstSpan(data, len);
   }
+
+  // Defining any constructors requires we explicitly default the others.
+  cbs_st() = default;
+  cbs_st(const cbs_st &) = default;
 #endif
 };
 
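Review bot: With constructors now present, `cbs_st() = default;` still leaves |data| and |len| indeterminate for a plain `CBS cbs;`, which a C++ reader may now expect to be value-initialized; worth saying so next to it, e.g. `// The defaulted constructor does not initialize |data| or |len|; use |CBS_init| or construct from a Span.` The converting constructor is intentionally implicit per the updated comment, so a Span silently becomes a CBS wherever one is expected, which is fine as long as that is the intent. The enclosing struct cbs_st begins above this hunk, where |data| is declared.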
diff --git a/src/include/openssl/chacha.h b/src/include/openssl/chacha.h
index 61deb8e..684fc5b 100644
--- a/src/include/openssl/chacha.h
+++ b/src/include/openssl/chacha.h
@@ -17,10 +17,14 @@
 
 #include <openssl/base.h>
 
-#ifdef  __cplusplus
+#if defined(__cplusplus)
 extern "C" {
 #endif
 
+// ChaCha20.
+//
+// ChaCha20 is a stream cipher. See https://tools.ietf.org/html/rfc7539.
+
 
 // CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
 // nonce and writes the result to |out|. If |in| and |out| alias, they must be
diff --git a/src/include/openssl/err.h b/src/include/openssl/err.h
index 5de3cbd..9a65ffb 100644
--- a/src/include/openssl/err.h
+++ b/src/include/openssl/err.h
@@ -436,39 +436,10 @@
 OPENSSL_EXPORT void ERR_add_error_dataf(const char *format, ...)
     OPENSSL_PRINTF_FORMAT_FUNC(1, 2);
 
-struct err_error_st {
-  // file contains the filename where the error occurred.
-  const char *file;
-  // data contains a NUL-terminated string with optional data. It must be freed
-  // with |OPENSSL_free|.
-  char *data;
-  // packed contains the error library and reason, as packed by ERR_PACK.
-  uint32_t packed;
-  // line contains the line number where the error occurred.
-  uint16_t line;
-  // mark indicates a reversion point in the queue. See |ERR_pop_to_mark|.
-  unsigned mark : 1;
-};
-
-// ERR_NUM_ERRORS is the limit of the number of errors in the queue.
+// ERR_NUM_ERRORS is one more than the limit of the number of errors in the
+// queue.
 #define ERR_NUM_ERRORS 16
 
-// err_state_st (aka |ERR_STATE|) contains the per-thread, error queue.
-typedef struct err_state_st {
-  // errors contains the ERR_NUM_ERRORS most recent errors, organised as a ring
-  // buffer.
-  struct err_error_st errors[ERR_NUM_ERRORS];
-  // top contains the index one past the most recent error. If |top| equals
-  // |bottom| then the queue is empty.
-  unsigned top;
-  // bottom contains the index of the last error in the queue.
-  unsigned bottom;
-
-  // to_free, if not NULL, contains a pointer owned by this structure that was
-  // previously a |data| pointer of one of the elements of |errors|.
-  void *to_free;
-} ERR_STATE;
-
 #define ERR_PACK(lib, reason)                                              \
   (((((uint32_t)(lib)) & 0xff) << 24) | ((((uint32_t)(reason)) & 0xfff)))
 
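Review bot: ERR_NUM_ERRORS is the only piece of the now-private ERR_STATE left in this public header, and the revised comment ("one more than the limit") explains the value only indirectly; presumably one ring-buffer slot stays unused so that top == bottom can mean "empty", as the removed struct comment described. Suggest `// ERR_NUM_ERRORS is the size of the per-thread error ring buffer; one slot is always unused, so at most ERR_NUM_ERRORS - 1 errors are retained.` If no public API depends on the constant, consider whether it could move out of the header together with the structs.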
diff --git a/src/include/openssl/span.h b/src/include/openssl/span.h
index 3109036..3a629f7 100644
--- a/src/include/openssl/span.h
+++ b/src/include/openssl/span.h
@@ -22,6 +22,7 @@
 extern "C++" {
 
 #include <algorithm>
+#include <cassert>
 #include <cstdlib>
 #include <type_traits>
 
@@ -134,6 +135,15 @@
   T *end() const { return data_ + size_; };
   const T *cend() const { return end(); };
 
+  T &front() const {
+    assert(size_ != 0);
+    return data_[0];
+  }
+  T &back() const {
+    assert(size_ != 0);
+    return data_[size_ - 1];
+  }
+
   T &operator[](size_t i) const { return data_[i]; }
   T &at(size_t i) const { return data_[i]; }
 
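Review bot: front() and back() guard the empty case only with assert(), which is compiled out under NDEBUG; in a release build back() on an empty span computes `size_ - 1`, wraps to SIZE_MAX and reads out of bounds. That matches the unchecked operator[] and at() beneath them, so the precondition should at least be documented: `// front and back return the first and last element. Calling them on an empty span is undefined behavior; it is diagnosed only when assertions are enabled.` The Span class itself starts before this hunk.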
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index 6b4bf81..a2d3ce7 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -146,7 +146,6 @@
 
 #include <openssl/bio.h>
 #include <openssl/buf.h>
-#include <openssl/lhash.h>
 #include <openssl/pem.h>
 #include <openssl/span.h>
 #include <openssl/ssl3.h>
@@ -158,6 +157,11 @@
 #include <sys/time.h>
 #endif
 
+// NGINX needs this #include. Consider revisiting this after NGINX 1.14.0 has
+// been out for a year or so (assuming that they fix it in that release.) See
+// https://boringssl-review.googlesource.com/c/boringssl/+/21664.
+#include <openssl/hmac.h>
+
 // Forward-declare struct timeval. On Windows, it is defined in winsock2.h and
 // Windows headers define too many macros to be included in public headers.
 // However, only a forward declaration is needed.
@@ -1042,8 +1046,8 @@
 // |type| parameter is one of the |SSL_FILETYPE_*| values and determines whether
 // the file's contents are read as PEM or DER.
 
-#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1
-#define SSL_FILETYPE_PEM X509_FILETYPE_PEM
+#define SSL_FILETYPE_PEM 1
+#define SSL_FILETYPE_ASN1 2
 
 OPENSSL_EXPORT int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx,
                                                   const char *file,
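Review bot: SSL_FILETYPE_PEM and SSL_FILETYPE_ASN1 are now literal 1 and 2 instead of aliases of X509_FILETYPE_PEM and X509_FILETYPE_ASN1, so nothing ties the two sets together any more; callers that pass one where the other is expected depend on the values staying equal. If this header no longer pulls in the X509 definitions, presumably the reason for the change, a compile-time check is not possible here, so record the invariant in a comment: `// These values must equal X509_FILETYPE_PEM and X509_FILETYPE_ASN1 in x509.h.` The comment block describing the |type| parameter starts before this hunk.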
@@ -1635,7 +1639,6 @@
 // established, an |SSL_SESSION| may be shared by multiple |SSL| objects on
 // different threads and must not be modified.
 
-DECLARE_LHASH_OF(SSL_SESSION)
 DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 
 // SSL_SESSION_new returns a newly-allocated blank |SSL_SESSION| or NULL on
@@ -2023,7 +2026,7 @@
 // 1) One can simply set the keys with |SSL_CTX_set_tlsext_ticket_keys|.
 // 2) One can configure an |EVP_CIPHER_CTX| and |HMAC_CTX| directly for
 //    encryption and authentication.
-// 3) One can configure an |SSL_TICKET_ENCRYPTION_METHOD| to have more control
+// 3) One can configure an |SSL_TICKET_AEAD_METHOD| to have more control
 //    and the option of asynchronous decryption.
 //
 // An attacker that compromises a server's session ticket key can impersonate
@@ -2100,8 +2103,8 @@
   ssl_ticket_aead_error,
 };
 
-// ssl_ticket_aead_method_st (aka |SSL_TICKET_ENCRYPTION_METHOD|) contains
-// methods for encrypting and decrypting session tickets.
+// ssl_ticket_aead_method_st (aka |SSL_TICKET_AEAD_METHOD|) contains methods
+// for encrypting and decrypting session tickets.
 struct ssl_ticket_aead_method_st {
   // max_overhead returns the maximum number of bytes of overhead that |seal|
   // may add.
@@ -4042,13 +4045,9 @@
 // This structures are exposed for historical reasons, but access to them is
 // deprecated.
 
-// TODO(davidben): Opaquify most or all of |SSL_CTX| and |SSL_SESSION| so these
-// forward declarations are not needed.
-typedef struct ssl_protocol_method_st SSL_PROTOCOL_METHOD;
+// TODO(davidben): Remove this forward declaration when |SSL_SESSION| is opaque.
 typedef struct ssl_x509_method_st SSL_X509_METHOD;
 
-DECLARE_STACK_OF(SSL_CUSTOM_EXTENSION)
-
 #define SSL_MAX_SSL_SESSION_ID_LENGTH 32
 #define SSL_MAX_SID_CTX_LENGTH 32
 #define SSL_MAX_MASTER_KEY_LENGTH 48
@@ -4177,319 +4176,6 @@
   unsigned is_server:1;
 };
 
-// ssl_cipher_preference_list_st contains a list of SSL_CIPHERs with
-// equal-preference groups. For TLS clients, the groups are moot because the
-// server picks the cipher and groups cannot be expressed on the wire. However,
-// for servers, the equal-preference groups allow the client's preferences to
-// be partially respected. (This only has an effect with
-// SSL_OP_CIPHER_SERVER_PREFERENCE).
-//
-// The equal-preference groups are expressed by grouping SSL_CIPHERs together.
-// All elements of a group have the same priority: no ordering is expressed
-// within a group.
-//
-// The values in |ciphers| are in one-to-one correspondence with
-// |in_group_flags|. (That is, sk_SSL_CIPHER_num(ciphers) is the number of
-// bytes in |in_group_flags|.) The bytes in |in_group_flags| are either 1, to
-// indicate that the corresponding SSL_CIPHER is not the last element of a
-// group, or 0 to indicate that it is.
-//
-// For example, if |in_group_flags| contains all zeros then that indicates a
-// traditional, fully-ordered preference. Every SSL_CIPHER is the last element
-// of the group (i.e. they are all in a one-element group).
-//
-// For a more complex example, consider:
-//   ciphers:        A  B  C  D  E  F
-//   in_group_flags: 1  1  0  0  1  0
-//
-// That would express the following, order:
-//
-//    A         E
-//    B -> D -> F
-//    C
-struct ssl_cipher_preference_list_st {
-  STACK_OF(SSL_CIPHER) *ciphers;
-  uint8_t *in_group_flags;
-};
-
-struct tlsext_ticket_key {
-  uint8_t name[SSL_TICKET_KEY_NAME_LEN];
-  uint8_t hmac_key[16];
-  uint8_t aes_key[16];
-  // next_rotation_tv_sec is the time (in seconds from the epoch) when the
-  // current key should be superseded by a new key, or the time when a previous
-  // key should be dropped. If zero, then the key should not be automatically
-  // rotated.
-  uint64_t next_rotation_tv_sec;
-};
-
-// ssl_ctx_st (aka |SSL_CTX|) contains configuration common to several SSL
-// connections.
-struct ssl_ctx_st {
-  const SSL_PROTOCOL_METHOD *method;
-  const SSL_X509_METHOD *x509_method;
-
-  // lock is used to protect various operations on this object.
-  CRYPTO_MUTEX lock;
-
-  // conf_max_version is the maximum acceptable protocol version configured by
-  // |SSL_CTX_set_max_proto_version|. Note this version is normalized in DTLS
-  // and is further constrainted by |SSL_OP_NO_*|.
-  uint16_t conf_max_version;
-
-  // conf_min_version is the minimum acceptable protocol version configured by
-  // |SSL_CTX_set_min_proto_version|. Note this version is normalized in DTLS
-  // and is further constrainted by |SSL_OP_NO_*|.
-  uint16_t conf_min_version;
-
-  // tls13_variant is the variant of TLS 1.3 we are using for this
-  // configuration.
-  enum tls13_variant_t tls13_variant;
-
-  struct ssl_cipher_preference_list_st *cipher_list;
-
-  X509_STORE *cert_store;
-  LHASH_OF(SSL_SESSION) *sessions;
-  // Most session-ids that will be cached, default is
-  // SSL_SESSION_CACHE_MAX_SIZE_DEFAULT. 0 is unlimited.
-  unsigned long session_cache_size;
-  SSL_SESSION *session_cache_head;
-  SSL_SESSION *session_cache_tail;
-
-  // handshakes_since_cache_flush is the number of successful handshakes since
-  // the last cache flush.
-  int handshakes_since_cache_flush;
-
-  // This can have one of 2 values, ored together,
-  // SSL_SESS_CACHE_CLIENT,
-  // SSL_SESS_CACHE_SERVER,
-  // Default is SSL_SESSION_CACHE_SERVER, which means only
-  // SSL_accept which cache SSL_SESSIONS.
-  int session_cache_mode;
-
-  // session_timeout is the default lifetime for new sessions in TLS 1.2 and
-  // earlier, in seconds.
-  uint32_t session_timeout;
-
-  // session_psk_dhe_timeout is the default lifetime for new sessions in TLS
-  // 1.3, in seconds.
-  uint32_t session_psk_dhe_timeout;
-
-  // If this callback is not null, it will be called each time a session id is
-  // added to the cache.  If this function returns 1, it means that the
-  // callback will do a SSL_SESSION_free() when it has finished using it.
-  // Otherwise, on 0, it means the callback has finished with it. If
-  // remove_session_cb is not null, it will be called when a session-id is
-  // removed from the cache.  After the call, OpenSSL will SSL_SESSION_free()
-  // it.
-  int (*new_session_cb)(SSL *ssl, SSL_SESSION *sess);
-  void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *sess);
-  SSL_SESSION *(*get_session_cb)(SSL *ssl, const uint8_t *data, int len,
-                                 int *copy);
-  SSL_SESSION *(*get_session_cb_legacy)(SSL *ssl, uint8_t *data, int len,
-                                        int *copy);
-
-  CRYPTO_refcount_t references;
-
-  // if defined, these override the X509_verify_cert() calls
-  int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg);
-  void *app_verify_arg;
-
-  enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl,
-                                                     uint8_t *out_alert);
-
-  // Default password callback.
-  pem_password_cb *default_passwd_callback;
-
-  // Default password callback user data.
-  void *default_passwd_callback_userdata;
-
-  // get client cert callback
-  int (*client_cert_cb)(SSL *ssl, X509 **out_x509, EVP_PKEY **out_pkey);
-
-  // get channel id callback
-  void (*channel_id_cb)(SSL *ssl, EVP_PKEY **out_pkey);
-
-  CRYPTO_EX_DATA ex_data;
-
-  // custom_*_extensions stores any callback sets for custom extensions. Note
-  // that these pointers will be NULL if the stack would otherwise be empty.
-  STACK_OF(SSL_CUSTOM_EXTENSION) *client_custom_extensions;
-  STACK_OF(SSL_CUSTOM_EXTENSION) *server_custom_extensions;
-
-  // Default values used when no per-SSL value is defined follow
-
-  void (*info_callback)(const SSL *ssl, int type, int value);
-
-  // what we put in client cert requests
-  STACK_OF(CRYPTO_BUFFER) *client_CA;
-
-  // cached_x509_client_CA is a cache of parsed versions of the elements of
-  // |client_CA|.
-  STACK_OF(X509_NAME) *cached_x509_client_CA;
-
-
-  // Default values to use in SSL structures follow (these are copied by
-  // SSL_new)
-
-  uint32_t options;
-  uint32_t mode;
-  uint32_t max_cert_list;
-
-  struct cert_st *cert;
-
-  // callback that allows applications to peek at protocol messages
-  void (*msg_callback)(int write_p, int version, int content_type,
-                       const void *buf, size_t len, SSL *ssl, void *arg);
-  void *msg_callback_arg;
-
-  int verify_mode;
-  int (*default_verify_callback)(
-      int ok, X509_STORE_CTX *ctx);  // called 'verify_callback' in the SSL
-
-  X509_VERIFY_PARAM *param;
-
-  // select_certificate_cb is called before most ClientHello processing and
-  // before the decision whether to resume a session is made. See
-  // |ssl_select_cert_result_t| for details of the return values.
-  enum ssl_select_cert_result_t (*select_certificate_cb)(
-      const SSL_CLIENT_HELLO *);
-
-  // dos_protection_cb is called once the resumption decision for a ClientHello
-  // has been made. It returns one to continue the handshake or zero to
-  // abort.
-  int (*dos_protection_cb) (const SSL_CLIENT_HELLO *);
-
-  // Maximum amount of data to send in one fragment. actual record size can be
-  // more than this due to padding and MAC overheads.
-  uint16_t max_send_fragment;
-
-  // TLS extensions servername callback
-  int (*tlsext_servername_callback)(SSL *, int *, void *);
-  void *tlsext_servername_arg;
-
-  // RFC 4507 session ticket keys. |tlsext_ticket_key_current| may be NULL
-  // before the first handshake and |tlsext_ticket_key_prev| may be NULL at any
-  // time. Automatically generated ticket keys are rotated as needed at
-  // handshake time. Hence, all access must be synchronized through |lock|.
-  struct tlsext_ticket_key *tlsext_ticket_key_current;
-  struct tlsext_ticket_key *tlsext_ticket_key_prev;
-
-  // Callback to support customisation of ticket key setting
-  int (*tlsext_ticket_key_cb)(SSL *ssl, uint8_t *name, uint8_t *iv,
-                              EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
-
-  // Server-only: psk_identity_hint is the default identity hint to send in
-  // PSK-based key exchanges.
-  char *psk_identity_hint;
-
-  unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
-                                      char *identity,
-                                      unsigned int max_identity_len,
-                                      uint8_t *psk, unsigned int max_psk_len);
-  unsigned int (*psk_server_callback)(SSL *ssl, const char *identity,
-                                      uint8_t *psk, unsigned int max_psk_len);
-
-
-  // retain_only_sha256_of_client_certs is true if we should compute the SHA256
-  // hash of the peer's certificate and then discard it to save memory and
-  // session space. Only effective on the server side.
-  char retain_only_sha256_of_client_certs;
-
-  // Next protocol negotiation information
-  // (for experimental NPN extension).
-
-  // For a server, this contains a callback function by which the set of
-  // advertised protocols can be provided.
-  int (*next_protos_advertised_cb)(SSL *ssl, const uint8_t **out,
-                                   unsigned *out_len, void *arg);
-  void *next_protos_advertised_cb_arg;
-  // For a client, this contains a callback function that selects the
-  // next protocol from the list provided by the server.
-  int (*next_proto_select_cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
-                              const uint8_t *in, unsigned in_len, void *arg);
-  void *next_proto_select_cb_arg;
-
-  // ALPN information
-  // (we are in the process of transitioning from NPN to ALPN.)
-
-  // For a server, this contains a callback function that allows the
-  // server to select the protocol for the connection.
-  //   out: on successful return, this must point to the raw protocol
-  //        name (without the length prefix).
-  //   outlen: on successful return, this contains the length of |*out|.
-  //   in: points to the client's list of supported protocols in
-  //       wire-format.
-  //   inlen: the length of |in|.
-  int (*alpn_select_cb)(SSL *ssl, const uint8_t **out, uint8_t *out_len,
-                        const uint8_t *in, unsigned in_len, void *arg);
-  void *alpn_select_cb_arg;
-
-  // For a client, this contains the list of supported protocols in wire
-  // format.
-  uint8_t *alpn_client_proto_list;
-  unsigned alpn_client_proto_list_len;
-
-  // SRTP profiles we are willing to do from RFC 5764
-  STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
-
-  // Supported group values inherited by SSL structure
-  size_t supported_group_list_len;
-  uint16_t *supported_group_list;
-
-  // The client's Channel ID private key.
-  EVP_PKEY *tlsext_channel_id_private;
-
-  // keylog_callback, if not NULL, is the key logging callback. See
-  // |SSL_CTX_set_keylog_callback|.
-  void (*keylog_callback)(const SSL *ssl, const char *line);
-
-  // current_time_cb, if not NULL, is the function to use to get the current
-  // time. It sets |*out_clock| to the current time. The |ssl| argument is
-  // always NULL. See |SSL_CTX_set_current_time_cb|.
-  void (*current_time_cb)(const SSL *ssl, struct timeval *out_clock);
-
-  // pool is used for all |CRYPTO_BUFFER|s in case we wish to share certificate
-  // memory.
-  CRYPTO_BUFFER_POOL *pool;
-
-  // ticket_aead_method contains function pointers for opening and sealing
-  // session tickets.
-  const SSL_TICKET_AEAD_METHOD *ticket_aead_method;
-
-  // verify_sigalgs, if not empty, is the set of signature algorithms
-  // accepted from the peer in decreasing order of preference.
-  uint16_t *verify_sigalgs;
-  size_t num_verify_sigalgs;
-
-  // quiet_shutdown is true if the connection should not send a close_notify on
-  // shutdown.
-  unsigned quiet_shutdown:1;
-
-  // ocsp_stapling_enabled is only used by client connections and indicates
-  // whether OCSP stapling will be requested.
-  unsigned ocsp_stapling_enabled:1;
-
-  // If true, a client will request certificate timestamps.
-  unsigned signed_cert_timestamps_enabled:1;
-
-  // tlsext_channel_id_enabled is one if Channel ID is enabled and zero
-  // otherwise. For a server, means that we'll accept Channel IDs from clients.
-  // For a client, means that we'll advertise support.
-  unsigned tlsext_channel_id_enabled:1;
-
-  // grease_enabled is one if draft-davidben-tls-grease-01 is enabled and zero
-  // otherwise.
-  unsigned grease_enabled:1;
-
-  // allow_unknown_alpn_protos is one if the client allows unsolicited ALPN
-  // protocols from the peer.
-  unsigned allow_unknown_alpn_protos:1;
-
-  // ed25519_enabled is one if Ed25519 is advertised in the handshake.
-  unsigned ed25519_enabled:1;
-};
-
 
 // Nodejs compatibility section (hidden).
 //
@@ -4644,14 +4330,12 @@
 BORINGSSL_MAKE_DELETER(SSL, SSL_free)
 BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
 BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free)
-BORINGSSL_MAKE_DELETER(tlsext_ticket_key, OPENSSL_free);
 
 enum class OpenRecordResult {
   kOK,
   kDiscard,
   kIncompleteRecord,
   kAlertCloseNotify,
-  kAlertFatal,
   kError,
 };
 
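Review bot: Dropping kAlertFatal from the public OpenRecordResult enum is a source-breaking change for any caller that switches on it, and this hunk does not say what OpenRecord now returns when a fatal alert arrives; the revised kError comment in the following hunk ("or zero if no alert should be emitted") suggests it is reported as kError with |*out_alert| set to zero, but that is inferred. If so, state it explicitly in the kError bullet: `// - kError if an error occurred, the record is invalid, or a fatal alert was received. |*out_alert| will be set to an alert to emit, or zero if no alert should be emitted.` The OpenRecord comment block starts before its hunk.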
@@ -4665,9 +4349,8 @@
 // - kIncompleteRecord if |in| did not contain a complete record.
 // - kAlertCloseNotify if a record was successfully processed but is a
 //   close_notify alert.
-// - kAlertFatal if a record was successfully processed but is a fatal alert.
 // - kError if an error occurred or the record is invalid. |*out_alert| will be
-//   set to an alert to emit.
+//   set to an alert to emit, or zero if no alert should be emitted.
 OPENSSL_EXPORT OpenRecordResult OpenRecord(SSL *ssl, Span<uint8_t> *out,
                                            size_t *out_record_len,
                                            uint8_t *out_alert,