external/boringssl: Sync to 8ca0b41.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/9d908ba519f2cfe5e21561bdee3e224b94d14a89..8ca0b4127da11d766067ea6ec4122017ba0edb0e
Change-Id: I732653bc8fcba70707c615f8731ca75397a08736
diff --git a/src/ssl/s3_srvr.c b/src/ssl/s3_srvr.c
index f06ee56..50007eb 100644
--- a/src/ssl/s3_srvr.c
+++ b/src/ssl/s3_srvr.c
@@ -208,7 +208,7 @@
if (ssl->init_buf == NULL) {
buf = BUF_MEM_new();
- if (!buf || !BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
+ if (!buf || !BUF_MEM_reserve(buf, SSL3_RT_MAX_PLAIN_LENGTH)) {
ret = -1;
goto end;
}
@@ -219,7 +219,7 @@
/* Enable a write buffer. This groups handshake messages within a flight
* into a single write. */
- if (!ssl_init_wbio_buffer(ssl, 1)) {
+ if (!ssl_init_wbio_buffer(ssl)) {
ret = -1;
goto end;
}
@@ -257,14 +257,11 @@
case SSL3_ST_SR_CLNT_HELLO_A:
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
- case SSL3_ST_SR_CLNT_HELLO_D:
- ssl->shutdown = 0;
ret = ssl3_get_client_hello(ssl);
if (ret <= 0) {
goto end;
}
ssl->state = SSL3_ST_SW_SRVR_HELLO_A;
- ssl->init_num = 0;
break;
case SSL3_ST_SW_SRVR_HELLO_A:
@@ -282,12 +279,11 @@
} else {
ssl->state = SSL3_ST_SW_CERT_A;
}
- ssl->init_num = 0;
break;
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
- if (ssl_cipher_has_server_public_key(ssl->s3->tmp.new_cipher)) {
+ if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
ret = ssl3_send_server_certificate(ssl);
if (ret <= 0) {
goto end;
@@ -301,7 +297,6 @@
skip = 1;
ssl->state = SSL3_ST_SW_KEY_EXCH_A;
}
- ssl->init_num = 0;
break;
case SSL3_ST_SW_CERT_STATUS_A:
@@ -311,7 +306,6 @@
goto end;
}
ssl->state = SSL3_ST_SW_KEY_EXCH_A;
- ssl->init_num = 0;
break;
case SSL3_ST_SW_KEY_EXCH_A:
@@ -337,7 +331,6 @@
}
ssl->state = SSL3_ST_SW_CERT_REQ_A;
- ssl->init_num = 0;
break;
case SSL3_ST_SW_CERT_REQ_A:
@@ -351,7 +344,6 @@
skip = 1;
}
ssl->state = SSL3_ST_SW_SRVR_DONE_A;
- ssl->init_num = 0;
break;
case SSL3_ST_SW_SRVR_DONE_A:
@@ -362,7 +354,6 @@
}
ssl->s3->tmp.next_state = SSL3_ST_SR_CERT_A;
ssl->state = SSL3_ST_SW_FLUSH;
- ssl->init_num = 0;
break;
case SSL3_ST_SW_FLUSH:
@@ -381,37 +372,31 @@
break;
case SSL3_ST_SR_CERT_A:
- case SSL3_ST_SR_CERT_B:
if (ssl->s3->tmp.cert_request) {
ret = ssl3_get_client_certificate(ssl);
if (ret <= 0) {
goto end;
}
}
- ssl->init_num = 0;
ssl->state = SSL3_ST_SR_KEY_EXCH_A;
break;
case SSL3_ST_SR_KEY_EXCH_A:
case SSL3_ST_SR_KEY_EXCH_B:
- case SSL3_ST_SR_KEY_EXCH_C:
ret = ssl3_get_client_key_exchange(ssl);
if (ret <= 0) {
goto end;
}
ssl->state = SSL3_ST_SR_CERT_VRFY_A;
- ssl->init_num = 0;
break;
case SSL3_ST_SR_CERT_VRFY_A:
- case SSL3_ST_SR_CERT_VRFY_B:
ret = ssl3_get_cert_verify(ssl);
if (ret <= 0) {
goto end;
}
ssl->state = SSL3_ST_SR_CHANGE;
- ssl->init_num = 0;
break;
case SSL3_ST_SR_CHANGE:
@@ -435,12 +420,10 @@
break;
case SSL3_ST_SR_NEXT_PROTO_A:
- case SSL3_ST_SR_NEXT_PROTO_B:
ret = ssl3_get_next_proto(ssl);
if (ret <= 0) {
goto end;
}
- ssl->init_num = 0;
if (ssl->s3->tlsext_channel_id_valid) {
ssl->state = SSL3_ST_SR_CHANNEL_ID_A;
} else {
@@ -449,19 +432,15 @@
break;
case SSL3_ST_SR_CHANNEL_ID_A:
- case SSL3_ST_SR_CHANNEL_ID_B:
ret = ssl3_get_channel_id(ssl);
if (ret <= 0) {
goto end;
}
- ssl->init_num = 0;
ssl->state = SSL3_ST_SR_FINISHED_A;
break;
case SSL3_ST_SR_FINISHED_A:
- case SSL3_ST_SR_FINISHED_B:
- ret = ssl3_get_finished(ssl, SSL3_ST_SR_FINISHED_A,
- SSL3_ST_SR_FINISHED_B);
+ ret = ssl3_get_finished(ssl);
if (ret <= 0) {
goto end;
}
@@ -482,7 +461,6 @@
goto end;
}
}
- ssl->init_num = 0;
break;
case SSL3_ST_SW_SESSION_TICKET_A:
@@ -492,7 +470,6 @@
goto end;
}
ssl->state = SSL3_ST_SW_CHANGE_A;
- ssl->init_num = 0;
break;
case SSL3_ST_SW_CHANGE_A:
@@ -503,7 +480,6 @@
goto end;
}
ssl->state = SSL3_ST_SW_FINISHED_A;
- ssl->init_num = 0;
if (!tls1_change_cipher_state(ssl, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
ret = -1;
@@ -524,7 +500,6 @@
} else {
ssl->s3->tmp.next_state = SSL_ST_OK;
}
- ssl->init_num = 0;
break;
case SSL_ST_OK:
@@ -533,11 +508,11 @@
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
+ ssl->init_num = 0;
/* remove buffering on output */
ssl_free_wbio_buffer(ssl);
- ssl->init_num = 0;
/* If we aren't retaining peer certificates then we can discard it
* now. */
@@ -626,7 +601,7 @@
const uint8_t *p;
int ret;
CBS v2_client_hello, cipher_specs, session_id, challenge;
- size_t msg_length, rand_len, len;
+ size_t msg_length, rand_len;
uint8_t msg_type;
uint16_t version, cipher_spec_length, session_id_length, challenge_length;
CBB client_hello, hello_body, cipher_suites;
@@ -731,7 +706,7 @@
/* Add the null compression scheme and finish. */
if (!CBB_add_u8(&hello_body, 1) || !CBB_add_u8(&hello_body, 0) ||
- !CBB_finish(&client_hello, NULL, &len)) {
+ !CBB_finish(&client_hello, NULL, &ssl->init_buf->length)) {
CBB_cleanup(&client_hello);
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
@@ -740,8 +715,7 @@
/* Mark the message for "re"-use by the version-specific method. */
ssl->s3->tmp.reuse_message = 1;
ssl->s3->tmp.message_type = SSL3_MT_CLIENT_HELLO;
- /* The handshake message header is 4 bytes. */
- ssl->s3->tmp.message_size = len - 4;
+ ssl->s3->tmp.message_complete = 1;
/* Consume and discard the V2ClientHello. */
ssl_read_buffer_consume(ssl, 2 + msg_length);
@@ -767,20 +741,17 @@
* SSLv3, even if prompted with TLSv1. */
switch (ssl->state) {
case SSL3_ST_SR_CLNT_HELLO_A:
- case SSL3_ST_SR_CLNT_HELLO_B:
- n = ssl->method->ssl_get_message(
- ssl, SSL3_ST_SR_CLNT_HELLO_A, SSL3_ST_SR_CLNT_HELLO_B,
- SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH,
- ssl_hash_message, &ok);
+ n = ssl->method->ssl_get_message(ssl, SSL3_MT_CLIENT_HELLO,
+ ssl_hash_message, &ok);
if (!ok) {
return n;
}
- ssl->state = SSL3_ST_SR_CLNT_HELLO_C;
+ ssl->state = SSL3_ST_SR_CLNT_HELLO_B;
/* fallthrough */
+ case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
- case SSL3_ST_SR_CLNT_HELLO_D:
/* We have previously parsed the ClientHello message, and can't call
* ssl_get_message again without hashing the message into the Finished
* digest again. */
@@ -796,9 +767,9 @@
goto f_err;
}
- if (ssl->state == SSL3_ST_SR_CLNT_HELLO_C &&
+ if (ssl->state == SSL3_ST_SR_CLNT_HELLO_B &&
ssl->ctx->select_certificate_cb != NULL) {
- ssl->state = SSL3_ST_SR_CLNT_HELLO_D;
+ ssl->state = SSL3_ST_SR_CLNT_HELLO_C;
switch (ssl->ctx->select_certificate_cb(&early_ctx)) {
case 0:
ssl->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
@@ -814,7 +785,7 @@
/* fallthrough */;
}
}
- ssl->state = SSL3_ST_SR_CLNT_HELLO_D;
+ ssl->state = SSL3_ST_SR_CLNT_HELLO_C;
break;
default:
@@ -1053,8 +1024,8 @@
ssl->s3->tlsext_channel_id_valid) {
ssl->s3->tmp.cert_request = 0;
}
- /* Plain PSK forbids Certificate and CertificateRequest. */
- if (ssl->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) {
+ /* CertificateRequest may only be sent in certificate-based ciphers. */
+ if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
ssl->s3->tmp.cert_request = 0;
}
} else {
@@ -1239,25 +1210,31 @@
!CBB_add_u16_length_prefixed(&cbb, &child) ||
!BN_bn2cbb_padded(&child, BN_num_bytes(params->g), params->g) ||
!CBB_add_u16_length_prefixed(&cbb, &child) ||
- !SSL_ECDH_CTX_generate_keypair(&ssl->s3->tmp.ecdh_ctx, &child)) {
+ !SSL_ECDH_CTX_offer(&ssl->s3->tmp.ecdh_ctx, &child)) {
goto err;
}
} else if (alg_k & SSL_kECDHE) {
- /* Determine the curve to use. */
- uint16_t curve_id;
- if (!tls1_get_shared_curve(ssl, &curve_id)) {
+ /* Determine the group to use. */
+ uint16_t group_id;
+ if (!tls1_get_shared_group(ssl, &group_id)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_TMP_ECDH_KEY);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
goto err;
}
- ssl->session->key_exchange_info = curve_id;
+ ssl->session->key_exchange_info = group_id;
/* Set up ECDH, generate a key, and emit the public half. */
- if (!SSL_ECDH_CTX_init(&ssl->s3->tmp.ecdh_ctx, curve_id) ||
+ if (!SSL_ECDH_CTX_init(&ssl->s3->tmp.ecdh_ctx, group_id) ||
!CBB_add_u8(&cbb, NAMED_CURVE_TYPE) ||
- !CBB_add_u16(&cbb, curve_id) ||
+ !CBB_add_u16(&cbb, group_id) ||
!CBB_add_u8_length_prefixed(&cbb, &child) ||
- !SSL_ECDH_CTX_generate_keypair(&ssl->s3->tmp.ecdh_ctx, &child)) {
+ !SSL_ECDH_CTX_offer(&ssl->s3->tmp.ecdh_ctx, &child)) {
+ goto err;
+ }
+ } else if (alg_k & SSL_kCECPQ1) {
+ if (!SSL_ECDH_CTX_init(&ssl->s3->tmp.ecdh_ctx, SSL_GROUP_CECPQ1) ||
+ !CBB_add_u16_length_prefixed(&cbb, &child) ||
+ !SSL_ECDH_CTX_offer(&ssl->s3->tmp.ecdh_ctx, &child)) {
goto err;
}
} else {
@@ -1272,7 +1249,7 @@
}
/* Add a signature. */
- if (ssl_cipher_has_server_public_key(ssl->s3->tmp.new_cipher)) {
+ if (ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
if (!ssl_has_private_key(ssl)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
@@ -1449,12 +1426,10 @@
unsigned psk_len = 0;
uint8_t psk[PSK_MAX_PSK_LEN];
- if (ssl->state == SSL3_ST_SR_KEY_EXCH_A ||
- ssl->state == SSL3_ST_SR_KEY_EXCH_B) {
+ if (ssl->state == SSL3_ST_SR_KEY_EXCH_A) {
int ok;
const long n = ssl->method->ssl_get_message(
- ssl, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B,
- SSL3_MT_CLIENT_KEY_EXCHANGE, 2048 /* ??? */, ssl_hash_message, &ok);
+ ssl, SSL3_MT_CLIENT_KEY_EXCHANGE, ssl_hash_message, &ok);
if (!ok) {
return n;
}
@@ -1524,7 +1499,7 @@
enum ssl_private_key_result_t decrypt_result;
size_t decrypt_len;
- if (ssl->state == SSL3_ST_SR_KEY_EXCH_B) {
+ if (ssl->state == SSL3_ST_SR_KEY_EXCH_A) {
if (!ssl_has_private_key(ssl) ||
ssl_private_key_type(ssl) != EVP_PKEY_RSA) {
al = SSL_AD_HANDSHAKE_FAILURE;
@@ -1552,7 +1527,7 @@
CBS_data(&encrypted_premaster_secret),
CBS_len(&encrypted_premaster_secret));
} else {
- assert(ssl->state == SSL3_ST_SR_KEY_EXCH_C);
+ assert(ssl->state == SSL3_ST_SR_KEY_EXCH_B);
/* Complete async decrypt. */
decrypt_result = ssl_private_key_decrypt_complete(
ssl, decrypt_buf, &decrypt_len, rsa_size);
@@ -1565,7 +1540,7 @@
goto err;
case ssl_private_key_retry:
ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
- ssl->state = SSL3_ST_SR_KEY_EXCH_C;
+ ssl->state = SSL3_ST_SR_KEY_EXCH_B;
goto err;
}
@@ -1621,19 +1596,12 @@
OPENSSL_free(decrypt_buf);
decrypt_buf = NULL;
- } else if (alg_k & (SSL_kECDHE|SSL_kDHE)) {
- /* Parse the ClientKeyExchange. ECDHE uses a u8 length prefix while DHE uses
- * u16. */
+ } else if (alg_k & (SSL_kECDHE|SSL_kDHE|SSL_kCECPQ1)) {
+ /* Parse the ClientKeyExchange. */
CBS peer_key;
- int peer_key_ok;
- if (alg_k & SSL_kECDHE) {
- peer_key_ok = CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key);
- } else {
- peer_key_ok =
- CBS_get_u16_length_prefixed(&client_key_exchange, &peer_key);
- }
-
- if (!peer_key_ok || CBS_len(&client_key_exchange) != 0) {
+ if (!SSL_ECDH_CTX_get_key(&ssl->s3->tmp.ecdh_ctx, &client_key_exchange,
+ &peer_key) ||
+ CBS_len(&client_key_exchange) != 0) {
al = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
goto f_err;
@@ -1641,9 +1609,9 @@
/* Compute the premaster. */
uint8_t alert;
- if (!SSL_ECDH_CTX_compute_secret(&ssl->s3->tmp.ecdh_ctx, &premaster_secret,
- &premaster_secret_len, &alert,
- CBS_data(&peer_key), CBS_len(&peer_key))) {
+ if (!SSL_ECDH_CTX_finish(&ssl->s3->tmp.ecdh_ctx, &premaster_secret,
+ &premaster_secret_len, &alert, CBS_data(&peer_key),
+ CBS_len(&peer_key))) {
al = alert;
goto f_err;
}
@@ -1734,10 +1702,8 @@
return 1;
}
- n = ssl->method->ssl_get_message(
- ssl, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B,
- SSL3_MT_CERTIFICATE_VERIFY, SSL3_RT_MAX_PLAIN_LENGTH,
- ssl_dont_hash_message, &ok);
+ n = ssl->method->ssl_get_message(ssl, SSL3_MT_CERTIFICATE_VERIFY,
+ ssl_dont_hash_message, &ok);
if (!ok) {
return n;
@@ -1833,9 +1799,7 @@
int is_first_certificate = 1;
assert(ssl->s3->tmp.cert_request);
- n = ssl->method->ssl_get_message(ssl, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B,
- -1, (long)ssl->max_cert_list,
- ssl_hash_message, &ok);
+ n = ssl->method->ssl_get_message(ssl, -1, ssl_hash_message, &ok);
if (!ok) {
return n;
@@ -2023,7 +1987,7 @@
p += placeholder_len;
len = p - ssl_handshake_start(ssl);
- if (!ssl_set_handshake_header(ssl, SSL3_MT_NEWSESSION_TICKET, len)) {
+ if (!ssl_set_handshake_header(ssl, SSL3_MT_NEW_SESSION_TICKET, len)) {
goto err;
}
ssl->state = SSL3_ST_SW_SESSION_TICKET_B;
@@ -2092,7 +2056,7 @@
/* Skip ticket lifetime hint */
p = ssl_handshake_start(ssl) + 4;
s2n(len - 6, p);
- if (!ssl_set_handshake_header(ssl, SSL3_MT_NEWSESSION_TICKET, len)) {
+ if (!ssl_set_handshake_header(ssl, SSL3_MT_NEW_SESSION_TICKET, len)) {
goto err;
}
ssl->state = SSL3_ST_SW_SESSION_TICKET_B;
@@ -2122,10 +2086,8 @@
return -1;
}
- n = ssl->method->ssl_get_message(ssl, SSL3_ST_SR_NEXT_PROTO_A,
- SSL3_ST_SR_NEXT_PROTO_B, SSL3_MT_NEXT_PROTO,
- 514, /* See the payload format below */
- ssl_hash_message, &ok);
+ n = ssl->method->ssl_get_message(ssl, SSL3_MT_NEXT_PROTO, ssl_hash_message,
+ &ok);
if (!ok) {
return n;
@@ -2164,10 +2126,8 @@
BIGNUM x, y;
CBS encrypted_extensions, extension;
- n = ssl->method->ssl_get_message(
- ssl, SSL3_ST_SR_CHANNEL_ID_A, SSL3_ST_SR_CHANNEL_ID_B,
- SSL3_MT_ENCRYPTED_EXTENSIONS, 2 + 2 + TLSEXT_CHANNEL_ID_SIZE,
- ssl_dont_hash_message, &ok);
+ n = ssl->method->ssl_get_message(ssl, SSL3_MT_CHANNEL_ID_ENCRYPTED_EXTENSIONS,
+ ssl_dont_hash_message, &ok);
if (!ok) {
return n;