Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / fe7cd2122ef131c19c9db15672594fd4f0232496^! / . / src / ssl / tls13_both.cc
commitfe7cd2122ef131c19c9db15672594fd4f0232496[log] [tgz]
authorRobert Sloan <varomodt@google.com>Mon Aug 07 09:03:39 2017 -0700
committerRobert Sloan <varomodt@google.com>Mon Aug 07 09:05:18 2017 -0700
tree5767e1d34655e6208282919746d8e936fb6ac1f7
parentb6d070c5081ba0ca11545eb50870817d6d72d926 [diff] [blame]
external/boringssl: Sync to 9bbdf5832de8a2d395303c669b594fc61c791f4d.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/c642aca28feb7e18f244658559f4042286aed0c8..9bbdf5832de8a2d395303c669b594fc61c791f4d

Test: BoringSSL CTS Presubmits.
Change-Id: Ieb6fcfee99c4cc496b2f6e1d3e6597784bd80189

diff --git a/src/ssl/tls13_both.cc b/src/ssl/tls13_both.cc
index 338975b..1c2e7f7 100644
--- a/src/ssl/tls13_both.cc
+++ b/src/ssl/tls13_both.cc

@@ -55,7 +55,6 @@
         if (hs->wait != ssl_hs_flush_and_read_message) {
           break;
         }
-        ssl->method->expect_flight(ssl);
         hs->wait = ssl_hs_read_message;
         SSL_FALLTHROUGH;
       }
@@ -196,7 +195,9 @@
   CBS cbs, context, certificate_list;
   CBS_init(&cbs, ssl->init_msg, ssl->init_num);
   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
-      CBS_len(&context) != 0) {
+      CBS_len(&context) != 0 ||
+      !CBS_get_u24_length_prefixed(&cbs, &certificate_list) ||
+      CBS_len(&cbs) != 0) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
     return 0;
@@ -209,12 +210,6 @@
     return 0;
   }
 
-  if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list)) {
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    return 0;
-  }
-
   const bool retain_sha256 =
       ssl->server && ssl->retain_only_sha256_of_client_certs;
   UniquePtr<EVP_PKEY> pkey;
@@ -249,11 +244,10 @@
       }
     }
 
-    CRYPTO_BUFFER *buf =
-        CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool);
-    if (buf == NULL ||
-        !sk_CRYPTO_BUFFER_push(certs.get(), buf)) {
-      CRYPTO_BUFFER_free(buf);
+    UniquePtr<CRYPTO_BUFFER> buf(
+        CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool));
+    if (!buf ||
+        !PushToStack(certs.get(), std::move(buf))) {
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return 0;
@@ -326,10 +320,10 @@
     }
   }
 
-  if (CBS_len(&cbs) != 0) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
-    return 0;
+  /* Store a null certificate list rather than an empty one if the peer didn't
+   * send certificates. */
+  if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
+    certs.reset();
   }
 
   hs->peer_pubkey = std::move(pkey);