That's the last of it! Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263 Reviewed-on: https://boringssl-review.googlesource.com/19784 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>kris/onging/CECPQ3_patch15
@@ -47,9 +47,9 @@ static const SSL_CUSTOM_EXTENSION *custom_ext_find( | |||
return NULL; | |||
} | |||
/* default_add_callback is used as the |add_callback| when the user doesn't | |||
* provide one. For servers, it does nothing while, for clients, it causes an | |||
* empty extension to be included. */ | |||
// default_add_callback is used as the |add_callback| when the user doesn't | |||
// provide one. For servers, it does nothing while, for clients, it causes an | |||
// empty extension to be included. | |||
static int default_add_callback(SSL *ssl, unsigned extension_value, | |||
const uint8_t **out, size_t *out_len, | |||
int *out_alert_value, void *add_arg) { | |||
@@ -76,7 +76,7 @@ static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) { | |||
if (ssl->server && | |||
!(hs->custom_extensions.received & (1u << i))) { | |||
/* Servers cannot echo extensions that the client didn't send. */ | |||
// Servers cannot echo extensions that the client didn't send. | |||
continue; | |||
} | |||
@@ -135,9 +135,9 @@ int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert, | |||
const SSL_CUSTOM_EXTENSION *ext = | |||
custom_ext_find(ssl->ctx->client_custom_extensions, &index, value); | |||
if (/* Unknown extensions are not allowed in a ServerHello. */ | |||
if (// Unknown extensions are not allowed in a ServerHello. | |||
ext == NULL || | |||
/* Also, if we didn't send the extension, that's also unacceptable. */ | |||
// Also, if we didn't send the extension, that's also unacceptable. | |||
!(hs->custom_extensions.sent & (1u << index))) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); | |||
ERR_add_error_dataf("extension %u", (unsigned)value); | |||
@@ -185,9 +185,9 @@ int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions) { | |||
return custom_ext_add_hello(hs, extensions); | |||
} | |||
/* MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that | |||
* can be set on an |SSL_CTX|. It's determined by the size of the bitset used | |||
* to track when an extension has been sent. */ | |||
// MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that | |||
// can be set on an |SSL_CTX|. It's determined by the size of the bitset used | |||
// to track when an extension has been sent. | |||
#define MAX_NUM_CUSTOM_EXTENSIONS \ | |||
(sizeof(((SSL_HANDSHAKE *)NULL)->custom_extensions.sent) * 8) | |||
@@ -200,8 +200,8 @@ static int custom_ext_append(STACK_OF(SSL_CUSTOM_EXTENSION) **stack, | |||
if (add_cb == NULL || | |||
0xffff < extension_value || | |||
SSL_extension_supported(extension_value) || | |||
/* Specifying a free callback without an add callback is nonsensical | |||
* and an error. */ | |||
// Specifying a free callback without an add callback is nonsensical | |||
// and an error. | |||
(*stack != NULL && | |||
(MAX_NUM_CUSTOM_EXTENSIONS <= sk_SSL_CUSTOM_EXTENSION_num(*stack) || | |||
custom_ext_find(*stack, NULL, extension_value) != NULL))) { | |||
@@ -129,20 +129,20 @@ | |||
namespace bssl { | |||
/* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable | |||
* for these values? Notably, why is kMinMTU a function of the transport | |||
* protocol's overhead rather than, say, what's needed to hold a minimally-sized | |||
* handshake fragment plus protocol overhead. */ | |||
// TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable | |||
// for these values? Notably, why is kMinMTU a function of the transport | |||
// protocol's overhead rather than, say, what's needed to hold a minimally-sized | |||
// handshake fragment plus protocol overhead. | |||
/* kMinMTU is the minimum acceptable MTU value. */ | |||
// kMinMTU is the minimum acceptable MTU value. | |||
static const unsigned int kMinMTU = 256 - 28; | |||
/* kDefaultMTU is the default MTU value to use if neither the user nor | |||
* the underlying BIO supplies one. */ | |||
// kDefaultMTU is the default MTU value to use if neither the user nor | |||
// the underlying BIO supplies one. | |||
static const unsigned int kDefaultMTU = 1500 - 28; | |||
/* Receiving handshake messages. */ | |||
// Receiving handshake messages. | |||
static void dtls1_hm_fragment_free(hm_fragment *frag) { | |||
if (frag == NULL) { | |||
@@ -165,7 +165,7 @@ static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) { | |||
frag->seq = msg_hdr->seq; | |||
frag->msg_len = msg_hdr->msg_len; | |||
/* Allocate space for the reassembled message and fill in the header. */ | |||
// Allocate space for the reassembled message and fill in the header. | |||
frag->data = | |||
(uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len); | |||
if (frag->data == NULL) { | |||
@@ -184,9 +184,9 @@ static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) { | |||
goto err; | |||
} | |||
/* If the handshake message is empty, |frag->reassembly| is NULL. */ | |||
// If the handshake message is empty, |frag->reassembly| is NULL. | |||
if (msg_hdr->msg_len > 0) { | |||
/* Initialize reassembly bitmask. */ | |||
// Initialize reassembly bitmask. | |||
if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); | |||
goto err; | |||
@@ -207,16 +207,16 @@ err: | |||
return NULL; | |||
} | |||
/* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|, | |||
* exclusive, set. */ | |||
// bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|, | |||
// exclusive, set. | |||
static uint8_t bit_range(size_t start, size_t end) { | |||
return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1)); | |||
} | |||
/* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive, | |||
* as received in |frag|. If |frag| becomes complete, it clears | |||
* |frag->reassembly|. The range must be within the bounds of |frag|'s message | |||
* and |frag->reassembly| must not be NULL. */ | |||
// dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive, | |||
// as received in |frag|. If |frag| becomes complete, it clears | |||
// |frag->reassembly|. The range must be within the bounds of |frag|'s message | |||
// and |frag->reassembly| must not be NULL. | |||
static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, | |||
size_t end) { | |||
size_t msg_len = frag->msg_len; | |||
@@ -225,7 +225,7 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, | |||
assert(0); | |||
return; | |||
} | |||
/* A zero-length message will never have a pending reassembly. */ | |||
// A zero-length message will never have a pending reassembly. | |||
assert(msg_len > 0); | |||
if ((start >> 3) == (end >> 3)) { | |||
@@ -240,7 +240,7 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, | |||
} | |||
} | |||
/* Check if the fragment is complete. */ | |||
// Check if the fragment is complete. | |||
for (size_t i = 0; i < (msg_len >> 3); i++) { | |||
if (frag->reassembly[i] != 0xff) { | |||
return; | |||
@@ -255,18 +255,18 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start, | |||
frag->reassembly = NULL; | |||
} | |||
/* dtls1_is_current_message_complete returns one if the current handshake | |||
* message is complete and zero otherwise. */ | |||
// dtls1_is_current_message_complete returns one if the current handshake | |||
// message is complete and zero otherwise. | |||
static int dtls1_is_current_message_complete(const SSL *ssl) { | |||
hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq % | |||
SSL_MAX_HANDSHAKE_FLIGHT]; | |||
return frag != NULL && frag->reassembly == NULL; | |||
} | |||
/* dtls1_get_incoming_message returns the incoming message corresponding to | |||
* |msg_hdr|. If none exists, it creates a new one and inserts it in the | |||
* queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It | |||
* returns NULL on failure. The caller does not take ownership of the result. */ | |||
// dtls1_get_incoming_message returns the incoming message corresponding to | |||
// |msg_hdr|. If none exists, it creates a new one and inserts it in the | |||
// queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It | |||
// returns NULL on failure. The caller does not take ownership of the result. | |||
static hm_fragment *dtls1_get_incoming_message( | |||
SSL *ssl, const struct hm_header_st *msg_hdr) { | |||
if (msg_hdr->seq < ssl->d1->handshake_read_seq || | |||
@@ -278,8 +278,8 @@ static hm_fragment *dtls1_get_incoming_message( | |||
hm_fragment *frag = ssl->d1->incoming_messages[idx]; | |||
if (frag != NULL) { | |||
assert(frag->seq == msg_hdr->seq); | |||
/* The new fragment must be compatible with the previous fragments from this | |||
* message. */ | |||
// The new fragment must be compatible with the previous fragments from this | |||
// message. | |||
if (frag->type != msg_hdr->type || | |||
frag->msg_len != msg_hdr->msg_len) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH); | |||
@@ -289,7 +289,7 @@ static hm_fragment *dtls1_get_incoming_message( | |||
return frag; | |||
} | |||
/* This is the first fragment from this message. */ | |||
// This is the first fragment from this message. | |||
frag = dtls1_hm_fragment_new(msg_hdr); | |||
if (frag == NULL) { | |||
return NULL; | |||
@@ -309,22 +309,22 @@ int dtls1_read_message(SSL *ssl) { | |||
switch (rr->type) { | |||
case SSL3_RT_APPLICATION_DATA: | |||
/* Unencrypted application data records are always illegal. */ | |||
// Unencrypted application data records are always illegal. | |||
if (ssl->s3->aead_read_ctx->is_null_cipher()) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); | |||
return -1; | |||
} | |||
/* Out-of-order application data may be received between ChangeCipherSpec | |||
* and finished. Discard it. */ | |||
// Out-of-order application data may be received between ChangeCipherSpec | |||
// and finished. Discard it. | |||
rr->length = 0; | |||
ssl_read_buffer_discard(ssl); | |||
return 1; | |||
case SSL3_RT_CHANGE_CIPHER_SPEC: | |||
/* We do not support renegotiation, so encrypted ChangeCipherSpec records | |||
* are illegal. */ | |||
// We do not support renegotiation, so encrypted ChangeCipherSpec records | |||
// are illegal. | |||
if (!ssl->s3->aead_read_ctx->is_null_cipher()) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); | |||
@@ -337,7 +337,7 @@ int dtls1_read_message(SSL *ssl) { | |||
return -1; | |||
} | |||
/* Flag the ChangeCipherSpec for later. */ | |||
// Flag the ChangeCipherSpec for later. | |||
ssl->d1->has_change_cipher_spec = true; | |||
ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC, | |||
rr->data, rr->length); | |||
@@ -347,7 +347,7 @@ int dtls1_read_message(SSL *ssl) { | |||
return 1; | |||
case SSL3_RT_HANDSHAKE: | |||
/* Break out to main processing. */ | |||
// Break out to main processing. | |||
break; | |||
default: | |||
@@ -360,7 +360,7 @@ int dtls1_read_message(SSL *ssl) { | |||
CBS_init(&cbs, rr->data, rr->length); | |||
while (CBS_len(&cbs) > 0) { | |||
/* Read a handshake fragment. */ | |||
// Read a handshake fragment. | |||
struct hm_header_st msg_hdr; | |||
CBS body; | |||
if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) { | |||
@@ -380,7 +380,7 @@ int dtls1_read_message(SSL *ssl) { | |||
return -1; | |||
} | |||
/* The encrypted epoch in DTLS has only one handshake message. */ | |||
// The encrypted epoch in DTLS has only one handshake message. | |||
if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
@@ -390,7 +390,7 @@ int dtls1_read_message(SSL *ssl) { | |||
if (msg_hdr.seq < ssl->d1->handshake_read_seq || | |||
msg_hdr.seq > | |||
(unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) { | |||
/* Ignore fragments from the past, or ones too far in the future. */ | |||
// Ignore fragments from the past, or ones too far in the future. | |||
continue; | |||
} | |||
@@ -401,12 +401,12 @@ int dtls1_read_message(SSL *ssl) { | |||
assert(frag->msg_len == msg_len); | |||
if (frag->reassembly == NULL) { | |||
/* The message is already assembled. */ | |||
// The message is already assembled. | |||
continue; | |||
} | |||
assert(msg_len > 0); | |||
/* Copy the body into the fragment. */ | |||
// Copy the body into the fragment. | |||
OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off, | |||
CBS_data(&body), CBS_len(&body)); | |||
dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len); | |||
@@ -444,8 +444,8 @@ void dtls1_next_message(SSL *ssl) { | |||
ssl->d1->incoming_messages[index] = NULL; | |||
ssl->d1->handshake_read_seq++; | |||
ssl->s3->has_message = 0; | |||
/* If we previously sent a flight, mark it as having a reply, so | |||
* |on_handshake_complete| can manage post-handshake retransmission. */ | |||
// If we previously sent a flight, mark it as having a reply, so | |||
// |on_handshake_complete| can manage post-handshake retransmission. | |||
if (ssl->d1->outgoing_messages_complete) { | |||
ssl->d1->flight_has_reply = true; | |||
} | |||
@@ -461,7 +461,7 @@ void dtls_clear_incoming_messages(SSL *ssl) { | |||
int dtls_has_incoming_messages(const SSL *ssl) { | |||
size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT; | |||
for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) { | |||
/* Skip the current message. */ | |||
// Skip the current message. | |||
if (ssl->s3->has_message && i == current) { | |||
assert(dtls1_is_current_message_complete(ssl)); | |||
continue; | |||
@@ -490,7 +490,7 @@ int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr, | |||
} | |||
int dtls1_read_change_cipher_spec(SSL *ssl) { | |||
/* Process handshake records until there is a ChangeCipherSpec. */ | |||
// Process handshake records until there is a ChangeCipherSpec. | |||
while (!ssl->d1->has_change_cipher_spec) { | |||
int ret = dtls1_read_message(ssl); | |||
if (ret <= 0) { | |||
@@ -503,7 +503,7 @@ int dtls1_read_change_cipher_spec(SSL *ssl) { | |||
} | |||
/* Sending handshake messages. */ | |||
// Sending handshake messages. | |||
void dtls_clear_outgoing_messages(SSL *ssl) { | |||
for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) { | |||
@@ -518,7 +518,7 @@ void dtls_clear_outgoing_messages(SSL *ssl) { | |||
} | |||
int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) { | |||
/* Pick a modest size hint to save most of the |realloc| calls. */ | |||
// Pick a modest size hint to save most of the |realloc| calls. | |||
if (!CBB_init(cbb, 64) || | |||
!CBB_add_u8(cbb, type) || | |||
!CBB_add_u24(cbb, 0 /* length (filled in later) */) || | |||
@@ -541,20 +541,20 @@ int dtls1_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, | |||
return 0; | |||
} | |||
/* Fix up the header. Copy the fragment length into the total message | |||
* length. */ | |||
// Fix up the header. Copy the fragment length into the total message | |||
// length. | |||
OPENSSL_memcpy(*out_msg + 1, *out_msg + DTLS1_HM_HEADER_LENGTH - 3, 3); | |||
return 1; | |||
} | |||
/* add_outgoing adds a new handshake message or ChangeCipherSpec to the current | |||
* outgoing flight. It returns one on success and zero on error. In both cases, | |||
* it takes ownership of |data| and releases it with |OPENSSL_free| when | |||
* done. */ | |||
// add_outgoing adds a new handshake message or ChangeCipherSpec to the current | |||
// outgoing flight. It returns one on success and zero on error. In both cases, | |||
// it takes ownership of |data| and releases it with |OPENSSL_free| when | |||
// done. | |||
static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) { | |||
if (ssl->d1->outgoing_messages_complete) { | |||
/* If we've begun writing a new flight, we received the peer flight. Discard | |||
* the timer and the our flight. */ | |||
// If we've begun writing a new flight, we received the peer flight. Discard | |||
// the timer and the our flight. | |||
dtls1_stop_timer(ssl); | |||
dtls_clear_outgoing_messages(ssl); | |||
} | |||
@@ -570,8 +570,8 @@ static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) { | |||
} | |||
if (!is_ccs) { | |||
/* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript | |||
* on hs. */ | |||
// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript | |||
// on hs. | |||
if (ssl->s3->hs != NULL && | |||
!ssl->s3->hs->transcript.Update(data, len)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -601,20 +601,20 @@ int dtls1_add_change_cipher_spec(SSL *ssl) { | |||
} | |||
int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) { | |||
/* The |add_alert| path is only used for warning alerts for now, which DTLS | |||
* never sends. This will be implemented later once closure alerts are | |||
* converted. */ | |||
// The |add_alert| path is only used for warning alerts for now, which DTLS | |||
// never sends. This will be implemented later once closure alerts are | |||
// converted. | |||
assert(0); | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return 0; | |||
} | |||
/* dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above | |||
* the minimum. */ | |||
// dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above | |||
// the minimum. | |||
static void dtls1_update_mtu(SSL *ssl) { | |||
/* TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the | |||
* only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use | |||
* |SSL_set_mtu|. Does this need to be so complex? */ | |||
// TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the | |||
// only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use | |||
// |SSL_set_mtu|. Does this need to be so complex? | |||
if (ssl->d1->mtu < dtls1_min_mtu() && | |||
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { | |||
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL); | |||
@@ -626,7 +626,7 @@ static void dtls1_update_mtu(SSL *ssl) { | |||
} | |||
} | |||
/* The MTU should be above the minimum now. */ | |||
// The MTU should be above the minimum now. | |||
assert(ssl->d1->mtu >= dtls1_min_mtu()); | |||
} | |||
@@ -637,9 +637,9 @@ enum seal_result_t { | |||
seal_success, | |||
}; | |||
/* seal_next_message seals |msg|, which must be the next message, to |out|. If | |||
* progress was made, it returns |seal_partial| or |seal_success| and sets | |||
* |*out_len| to the number of bytes written. */ | |||
// seal_next_message seals |msg|, which must be the next message, to |out|. If | |||
// progress was made, it returns |seal_partial| or |seal_success| and sets | |||
// |*out_len| to the number of bytes written. | |||
static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, | |||
size_t *out_len, size_t max_out, | |||
const DTLS_OUTGOING_MESSAGE *msg) { | |||
@@ -658,7 +658,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, | |||
size_t prefix = dtls_seal_prefix_len(ssl, use_epoch); | |||
if (msg->is_ccs) { | |||
/* Check there is room for the ChangeCipherSpec. */ | |||
// Check there is room for the ChangeCipherSpec. | |||
static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS}; | |||
if (max_out < sizeof(kChangeCipherSpec) + overhead) { | |||
return seal_no_progress; | |||
@@ -675,7 +675,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, | |||
return seal_success; | |||
} | |||
/* DTLS messages are serialized as a single fragment in |msg|. */ | |||
// DTLS messages are serialized as a single fragment in |msg|. | |||
CBS cbs, body; | |||
struct hm_header_st hdr; | |||
CBS_init(&cbs, msg->data, msg->len); | |||
@@ -689,7 +689,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, | |||
return seal_error; | |||
} | |||
/* Determine how much progress can be made. */ | |||
// Determine how much progress can be made. | |||
if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) { | |||
return seal_no_progress; | |||
} | |||
@@ -698,7 +698,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, | |||
todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead; | |||
} | |||
/* Assemble a fragment, to be sealed in-place. */ | |||
// Assemble a fragment, to be sealed in-place. | |||
ScopedCBB cbb; | |||
uint8_t *frag = out + prefix; | |||
size_t max_frag = max_out - prefix, frag_len; | |||
@@ -722,7 +722,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, | |||
} | |||
if (todo == CBS_len(&body)) { | |||
/* The next message is complete. */ | |||
// The next message is complete. | |||
ssl->d1->outgoing_offset = 0; | |||
return seal_success; | |||
} | |||
@@ -731,9 +731,9 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, | |||
return seal_partial; | |||
} | |||
/* seal_next_packet writes as much of the next flight as possible to |out| and | |||
* advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as | |||
* appropriate. */ | |||
// seal_next_packet writes as much of the next flight as possible to |out| and | |||
// advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as | |||
// appropriate. | |||
static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len, | |||
size_t max_out) { | |||
int made_progress = 0; | |||
@@ -767,7 +767,7 @@ static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len, | |||
} | |||
packet_full: | |||
/* The MTU was too small to make any progress. */ | |||
// The MTU was too small to make any progress. | |||
if (!made_progress) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL); | |||
return 0; | |||
@@ -798,7 +798,7 @@ static int send_flight(SSL *ssl) { | |||
int bio_ret = BIO_write(ssl->wbio, packet, packet_len); | |||
if (bio_ret <= 0) { | |||
/* Retry this packet the next time around. */ | |||
// Retry this packet the next time around. | |||
ssl->d1->outgoing_written = old_written; | |||
ssl->d1->outgoing_offset = old_offset; | |||
ssl->rwstate = SSL_WRITING; | |||
@@ -821,16 +821,16 @@ err: | |||
int dtls1_flush_flight(SSL *ssl) { | |||
ssl->d1->outgoing_messages_complete = true; | |||
/* Start the retransmission timer for the next flight (if any). */ | |||
// Start the retransmission timer for the next flight (if any). | |||
dtls1_start_timer(ssl); | |||
return send_flight(ssl); | |||
} | |||
int dtls1_retransmit_outgoing_messages(SSL *ssl) { | |||
/* Rewind to the start of the flight and write it again. | |||
* | |||
* TODO(davidben): This does not allow retransmits to be resumed on | |||
* non-blocking write. */ | |||
// Rewind to the start of the flight and write it again. | |||
// | |||
// TODO(davidben): This does not allow retransmits to be resumed on | |||
// non-blocking write. | |||
ssl->d1->outgoing_written = 0; | |||
ssl->d1->outgoing_offset = 0; | |||
@@ -70,12 +70,12 @@ | |||
namespace bssl { | |||
/* DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire | |||
* before starting to decrease the MTU. */ | |||
// DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire | |||
// before starting to decrease the MTU. | |||
#define DTLS1_MTU_TIMEOUTS 2 | |||
/* DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire | |||
* before failing the DTLS handshake. */ | |||
// DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire | |||
// before failing the DTLS handshake. | |||
#define DTLS1_MAX_TIMEOUTS 12 | |||
int dtls1_new(SSL *ssl) { | |||
@@ -91,11 +91,11 @@ int dtls1_new(SSL *ssl) { | |||
ssl->d1 = d1; | |||
/* Set the version to the highest supported version. | |||
* | |||
* TODO(davidben): Move this field into |s3|, have it store the normalized | |||
* protocol version, and implement this pre-negotiation quirk in |SSL_version| | |||
* at the API boundary rather than in internal state. */ | |||
// Set the version to the highest supported version. | |||
// | |||
// TODO(davidben): Move this field into |s3|, have it store the normalized | |||
// protocol version, and implement this pre-negotiation quirk in |SSL_version| | |||
// at the API boundary rather than in internal state. | |||
ssl->version = DTLS1_2_VERSION; | |||
return 1; | |||
} | |||
@@ -116,15 +116,15 @@ void dtls1_free(SSL *ssl) { | |||
} | |||
void dtls1_start_timer(SSL *ssl) { | |||
/* If timer is not set, initialize duration (by default, 1 second) */ | |||
// If timer is not set, initialize duration (by default, 1 second) | |||
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) { | |||
ssl->d1->timeout_duration_ms = ssl->initial_timeout_duration_ms; | |||
} | |||
/* Set timeout to current time */ | |||
// Set timeout to current time | |||
ssl_get_current_time(ssl, &ssl->d1->next_timeout); | |||
/* Add duration to current time */ | |||
// Add duration to current time | |||
ssl->d1->next_timeout.tv_sec += ssl->d1->timeout_duration_ms / 1000; | |||
ssl->d1->next_timeout.tv_usec += (ssl->d1->timeout_duration_ms % 1000) * 1000; | |||
if (ssl->d1->next_timeout.tv_usec >= 1000000) { | |||
@@ -136,17 +136,17 @@ void dtls1_start_timer(SSL *ssl) { | |||
int dtls1_is_timer_expired(SSL *ssl) { | |||
struct timeval timeleft; | |||
/* Get time left until timeout, return false if no timer running */ | |||
// Get time left until timeout, return false if no timer running | |||
if (!DTLSv1_get_timeout(ssl, &timeleft)) { | |||
return 0; | |||
} | |||
/* Return false if timer is not expired yet */ | |||
// Return false if timer is not expired yet | |||
if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) { | |||
return 0; | |||
} | |||
/* Timer expired, so return true */ | |||
// Timer expired, so return true | |||
return 1; | |||
} | |||
@@ -166,7 +166,7 @@ void dtls1_stop_timer(SSL *ssl) { | |||
int dtls1_check_timeout_num(SSL *ssl) { | |||
ssl->d1->num_timeouts++; | |||
/* Reduce MTU after 2 unsuccessful retransmissions */ | |||
// Reduce MTU after 2 unsuccessful retransmissions | |||
if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS && | |||
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) { | |||
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL); | |||
@@ -176,7 +176,7 @@ int dtls1_check_timeout_num(SSL *ssl) { | |||
} | |||
if (ssl->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) { | |||
/* fail the connection, enough alerts have been sent */ | |||
// fail the connection, enough alerts have been sent | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_READ_TIMEOUT_EXPIRED); | |||
return 0; | |||
} | |||
@@ -197,7 +197,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { | |||
return 0; | |||
} | |||
/* If no timeout is set, just return 0. */ | |||
// If no timeout is set, just return 0. | |||
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) { | |||
return 0; | |||
} | |||
@@ -205,7 +205,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { | |||
struct OPENSSL_timeval timenow; | |||
ssl_get_current_time(ssl, &timenow); | |||
/* If timer already expired, set remaining time to 0. */ | |||
// If timer already expired, set remaining time to 0. | |||
if (ssl->d1->next_timeout.tv_sec < timenow.tv_sec || | |||
(ssl->d1->next_timeout.tv_sec == timenow.tv_sec && | |||
ssl->d1->next_timeout.tv_usec <= timenow.tv_usec)) { | |||
@@ -213,7 +213,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { | |||
return 1; | |||
} | |||
/* Calculate time left until timer expires. */ | |||
// Calculate time left until timer expires. | |||
struct OPENSSL_timeval ret; | |||
OPENSSL_memcpy(&ret, &ssl->d1->next_timeout, sizeof(ret)); | |||
ret.tv_sec -= timenow.tv_sec; | |||
@@ -224,13 +224,13 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) { | |||
ret.tv_sec--; | |||
} | |||
/* If remaining time is less than 15 ms, set it to 0 to prevent issues | |||
* because of small divergences with socket timeouts. */ | |||
// If remaining time is less than 15 ms, set it to 0 to prevent issues | |||
// because of small divergences with socket timeouts. | |||
if (ret.tv_sec == 0 && ret.tv_usec < 15000) { | |||
OPENSSL_memset(&ret, 0, sizeof(ret)); | |||
} | |||
/* Clamp the result in case of overflow. */ | |||
// Clamp the result in case of overflow. | |||
if (ret.tv_sec > INT_MAX) { | |||
assert(0); | |||
out->tv_sec = INT_MAX; | |||
@@ -250,7 +250,7 @@ int DTLSv1_handle_timeout(SSL *ssl) { | |||
return -1; | |||
} | |||
/* If no timer is expired, don't do anything. */ | |||
// If no timer is expired, don't do anything. | |||
if (!dtls1_is_timer_expired(ssl)) { | |||
return 0; | |||
} | |||
@@ -140,15 +140,15 @@ again: | |||
return 0; | |||
} | |||
/* Read a new packet if there is no unconsumed one. */ | |||
// Read a new packet if there is no unconsumed one. | |||
if (ssl_read_buffer_len(ssl) == 0) { | |||
int read_ret = ssl_read_buffer_extend_to(ssl, 0 /* unused */); | |||
if (read_ret < 0 && dtls1_is_timer_expired(ssl)) { | |||
/* Historically, timeouts were handled implicitly if the caller did not | |||
* handle them. | |||
* | |||
* TODO(davidben): This was to support blocking sockets but affected | |||
* non-blocking sockets. Can it be removed? */ | |||
// Historically, timeouts were handled implicitly if the caller did not | |||
// handle them. | |||
// | |||
// TODO(davidben): This was to support blocking sockets but affected | |||
// non-blocking sockets. Can it be removed? | |||
int timeout_ret = DTLSv1_handle_timeout(ssl); | |||
if (timeout_ret <= 0) { | |||
return timeout_ret; | |||
@@ -170,7 +170,7 @@ again: | |||
ssl_read_buffer_consume(ssl, consumed); | |||
switch (open_ret) { | |||
case ssl_open_record_partial: | |||
/* Impossible in DTLS. */ | |||
// Impossible in DTLS. | |||
break; | |||
case ssl_open_record_success: { | |||
@@ -221,9 +221,9 @@ again: | |||
} | |||
if (rr->type == SSL3_RT_HANDSHAKE) { | |||
/* Parse the first fragment header to determine if this is a pre-CCS or | |||
* post-CCS handshake record. DTLS resets handshake message numbers on each | |||
* handshake, so renegotiations and retransmissions are ambiguous. */ | |||
// Parse the first fragment header to determine if this is a pre-CCS or | |||
// post-CCS handshake record. DTLS resets handshake message numbers on each | |||
// handshake, so renegotiations and retransmissions are ambiguous. | |||
CBS cbs, body; | |||
struct hm_header_st msg_hdr; | |||
CBS_init(&cbs, rr->data, rr->length); | |||
@@ -236,9 +236,9 @@ again: | |||
if (msg_hdr.type == SSL3_MT_FINISHED && | |||
msg_hdr.seq == ssl->d1->handshake_read_seq - 1) { | |||
if (msg_hdr.frag_off == 0) { | |||
/* Retransmit our last flight of messages. If the peer sends the second | |||
* Finished, they may not have received ours. Only do this for the | |||
* first fragment, in case the Finished was fragmented. */ | |||
// Retransmit our last flight of messages. If the peer sends the second | |||
// Finished, they may not have received ours. Only do this for the | |||
// first fragment, in case the Finished was fragmented. | |||
if (!dtls1_check_timeout_num(ssl)) { | |||
return -1; | |||
} | |||
@@ -250,8 +250,8 @@ again: | |||
goto again; | |||
} | |||
/* Otherwise, this is a pre-CCS handshake message from an unsupported | |||
* renegotiation attempt. Fall through to the error path. */ | |||
// Otherwise, this is a pre-CCS handshake message from an unsupported | |||
// renegotiation attempt. Fall through to the error path. | |||
} | |||
if (rr->type != SSL3_RT_APPLICATION_DATA) { | |||
@@ -260,7 +260,7 @@ again: | |||
return -1; | |||
} | |||
/* Discard empty records. */ | |||
// Discard empty records. | |||
if (rr->length == 0) { | |||
goto again; | |||
} | |||
@@ -275,12 +275,12 @@ again: | |||
OPENSSL_memcpy(buf, rr->data, len); | |||
if (!peek) { | |||
/* TODO(davidben): Should the record be truncated instead? This is a | |||
* datagram transport. See https://crbug.com/boringssl/65. */ | |||
// TODO(davidben): Should the record be truncated instead? This is a | |||
// datagram transport. See https://crbug.com/boringssl/65. | |||
rr->length -= len; | |||
rr->data += len; | |||
if (rr->length == 0) { | |||
/* The record has been consumed, so we may now clear the buffer. */ | |||
// The record has been consumed, so we may now clear the buffer. | |||
ssl_read_buffer_discard(ssl); | |||
} | |||
} | |||
@@ -289,10 +289,10 @@ again: | |||
} | |||
void dtls1_read_close_notify(SSL *ssl) { | |||
/* Bidirectional shutdown doesn't make sense for an unordered transport. DTLS | |||
* alerts also aren't delivered reliably, so we may even time out because the | |||
* peer never received our close_notify. Report to the caller that the channel | |||
* has fully shut down. */ | |||
// Bidirectional shutdown doesn't make sense for an unordered transport. DTLS | |||
// alerts also aren't delivered reliably, so we may even time out because the | |||
// peer never received our close_notify. Report to the caller that the channel | |||
// has fully shut down. | |||
if (ssl->s3->recv_shutdown == ssl_shutdown_none) { | |||
ssl->s3->recv_shutdown = ssl_shutdown_close_notify; | |||
} | |||
@@ -328,9 +328,9 @@ int dtls1_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, | |||
int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len, | |||
enum dtls1_use_epoch_t use_epoch) { | |||
assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); | |||
/* There should never be a pending write buffer in DTLS. One can't write half | |||
* a datagram, so the write buffer is always dropped in | |||
* |ssl_write_buffer_flush|. */ | |||
// There should never be a pending write buffer in DTLS. One can't write half | |||
// a datagram, so the write buffer is always dropped in | |||
// |ssl_write_buffer_flush|. | |||
assert(!ssl_write_buffer_is_pending(ssl)); | |||
if (len > SSL3_RT_MAX_PLAIN_LENGTH) { | |||
@@ -364,7 +364,7 @@ int dtls1_dispatch_alert(SSL *ssl) { | |||
} | |||
ssl->s3->alert_dispatch = 0; | |||
/* If the alert is fatal, flush the BIO now. */ | |||
// If the alert is fatal, flush the BIO now. | |||
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) { | |||
BIO_flush(ssl->wbio); | |||
} | |||
@@ -226,11 +226,11 @@ const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *ssl) { | |||
} | |||
int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) { | |||
/* This API inverts its return value. */ | |||
// This API inverts its return value. | |||
return !SSL_CTX_set_srtp_profiles(ctx, profiles); | |||
} | |||
int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles) { | |||
/* This API inverts its return value. */ | |||
// This API inverts its return value. | |||
return !SSL_set_srtp_profiles(ssl, profiles); | |||
} |
@@ -73,17 +73,17 @@ static int dtls1_supports_cipher(const SSL_CIPHER *cipher) { | |||
} | |||
static void dtls1_on_handshake_complete(SSL *ssl) { | |||
/* Stop the reply timer left by the last flight we sent. */ | |||
// Stop the reply timer left by the last flight we sent. | |||
dtls1_stop_timer(ssl); | |||
/* If the final flight had a reply, we know the peer has received it. If not, | |||
* we must leave the flight around for post-handshake retransmission. */ | |||
// If the final flight had a reply, we know the peer has received it. If not, | |||
// we must leave the flight around for post-handshake retransmission. | |||
if (ssl->d1->flight_has_reply) { | |||
dtls_clear_outgoing_messages(ssl); | |||
} | |||
} | |||
static int dtls1_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) { | |||
/* Cipher changes are illegal when there are buffered incoming messages. */ | |||
// Cipher changes are illegal when there are buffered incoming messages. | |||
if (dtls_has_incoming_messages(ssl) || ssl->d1->has_change_cipher_spec) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
@@ -153,7 +153,7 @@ const SSL_METHOD *DTLS_with_buffers_method(void) { | |||
return &kMethod; | |||
} | |||
/* Legacy version-locked methods. */ | |||
// Legacy version-locked methods. | |||
const SSL_METHOD *DTLSv1_2_method(void) { | |||
static const SSL_METHOD kMethod = { | |||
@@ -173,7 +173,7 @@ const SSL_METHOD *DTLSv1_method(void) { | |||
return &kMethod; | |||
} | |||
/* Legacy side-specific methods. */ | |||
// Legacy side-specific methods. | |||
const SSL_METHOD *DTLSv1_2_server_method(void) { | |||
return DTLSv1_2_method(); | |||
@@ -123,8 +123,8 @@ | |||
namespace bssl { | |||
/* to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as | |||
* a |uint64_t|. */ | |||
// to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as | |||
// a |uint64_t|. | |||
static uint64_t to_u64_be(const uint8_t in[8]) { | |||
uint64_t ret = 0; | |||
unsigned i; | |||
@@ -135,8 +135,8 @@ static uint64_t to_u64_be(const uint8_t in[8]) { | |||
return ret; | |||
} | |||
/* dtls1_bitmap_should_discard returns one if |seq_num| has been seen in |bitmap| | |||
* or is stale. Otherwise it returns zero. */ | |||
// dtls1_bitmap_should_discard returns one if |seq_num| has been seen in | |||
// |bitmap| or is stale. Otherwise it returns zero. | |||
static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap, | |||
const uint8_t seq_num[8]) { | |||
const unsigned kWindowSize = sizeof(bitmap->map) * 8; | |||
@@ -149,15 +149,15 @@ static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap, | |||
return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx)); | |||
} | |||
/* dtls1_bitmap_record updates |bitmap| to record receipt of sequence number | |||
* |seq_num|. It slides the window forward if needed. It is an error to call | |||
* this function on a stale sequence number. */ | |||
// dtls1_bitmap_record updates |bitmap| to record receipt of sequence number | |||
// |seq_num|. It slides the window forward if needed. It is an error to call | |||
// this function on a stale sequence number. | |||
static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap, | |||
const uint8_t seq_num[8]) { | |||
const unsigned kWindowSize = sizeof(bitmap->map) * 8; | |||
uint64_t seq_num_u = to_u64_be(seq_num); | |||
/* Shift the window if necessary. */ | |||
// Shift the window if necessary. | |||
if (seq_num_u > bitmap->max_seq_num) { | |||
uint64_t shift = seq_num_u - bitmap->max_seq_num; | |||
if (shift >= kWindowSize) { | |||
@@ -183,7 +183,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
CBS cbs; | |||
CBS_init(&cbs, in, in_len); | |||
/* Decode the record. */ | |||
// Decode the record. | |||
uint8_t type; | |||
uint16_t version; | |||
uint8_t sequence[8]; | |||
@@ -195,7 +195,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
(ssl->s3->have_version && version != ssl->version) || | |||
(version >> 8) != DTLS1_VERSION_MAJOR || | |||
CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |||
/* The record header was incomplete or malformed. Drop the entire packet. */ | |||
// The record header was incomplete or malformed. Drop the entire packet. | |||
*out_consumed = in_len; | |||
return ssl_open_record_discard; | |||
} | |||
@@ -206,31 +206,31 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
uint16_t epoch = (((uint16_t)sequence[0]) << 8) | sequence[1]; | |||
if (epoch != ssl->d1->r_epoch || | |||
dtls1_bitmap_should_discard(&ssl->d1->bitmap, sequence)) { | |||
/* Drop this record. It's from the wrong epoch or is a replay. Note that if | |||
* |epoch| is the next epoch, the record could be buffered for later. For | |||
* simplicity, drop it and expect retransmit to handle it later; DTLS must | |||
* handle packet loss anyway. */ | |||
// Drop this record. It's from the wrong epoch or is a replay. Note that if | |||
// |epoch| is the next epoch, the record could be buffered for later. For | |||
// simplicity, drop it and expect retransmit to handle it later; DTLS must | |||
// handle packet loss anyway. | |||
*out_consumed = in_len - CBS_len(&cbs); | |||
return ssl_open_record_discard; | |||
} | |||
/* Decrypt the body in-place. */ | |||
// Decrypt the body in-place. | |||
if (!ssl->s3->aead_read_ctx->Open(out, type, version, sequence, | |||
(uint8_t *)CBS_data(&body), | |||
CBS_len(&body))) { | |||
/* Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347. | |||
* Clear the error queue of any errors decryption may have added. Drop the | |||
* entire packet as it must not have come from the peer. | |||
* | |||
* TODO(davidben): This doesn't distinguish malloc failures from encryption | |||
* failures. */ | |||
// Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347. | |||
// Clear the error queue of any errors decryption may have added. Drop the | |||
// entire packet as it must not have come from the peer. | |||
// | |||
// TODO(davidben): This doesn't distinguish malloc failures from encryption | |||
// failures. | |||
ERR_clear_error(); | |||
*out_consumed = in_len - CBS_len(&cbs); | |||
return ssl_open_record_discard; | |||
} | |||
*out_consumed = in_len - CBS_len(&cbs); | |||
/* Check the plaintext length. */ | |||
// Check the plaintext length. | |||
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); | |||
*out_alert = SSL_AD_RECORD_OVERFLOW; | |||
@@ -239,8 +239,8 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
dtls1_bitmap_record(&ssl->d1->bitmap, sequence); | |||
/* TODO(davidben): Limit the number of empty records as in TLS? This is only | |||
* useful if we also limit discarded packets. */ | |||
// TODO(davidben): Limit the number of empty records as in TLS? This is only | |||
// useful if we also limit discarded packets. | |||
if (type == SSL3_RT_ALERT) { | |||
return ssl_process_alert(ssl, out_alert, CBS_data(out), CBS_len(out)); | |||
@@ -282,7 +282,7 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, | |||
return 0; | |||
} | |||
/* Determine the parameters for the current epoch. */ | |||
// Determine the parameters for the current epoch. | |||
uint16_t epoch = ssl->d1->w_epoch; | |||
SSLAEADContext *aead = ssl->s3->aead_write_ctx; | |||
uint8_t *seq = ssl->s3->write_sequence; | |||
@@ -199,8 +199,8 @@ int ssl_add_message_cbb(SSL *ssl, CBB *cbb) { | |||
} | |||
size_t ssl_max_handshake_message_len(const SSL *ssl) { | |||
/* kMaxMessageLen is the default maximum message size for handshakes which do | |||
* not accept peer certificate chains. */ | |||
// kMaxMessageLen is the default maximum message size for handshakes which do | |||
// not accept peer certificate chains. | |||
static const size_t kMaxMessageLen = 16384; | |||
if (SSL_in_init(ssl)) { | |||
@@ -212,24 +212,24 @@ size_t ssl_max_handshake_message_len(const SSL *ssl) { | |||
} | |||
if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { | |||
/* In TLS 1.2 and below, the largest acceptable post-handshake message is | |||
* a HelloRequest. */ | |||
// In TLS 1.2 and below, the largest acceptable post-handshake message is | |||
// a HelloRequest. | |||
return 0; | |||
} | |||
if (ssl->server) { | |||
/* The largest acceptable post-handshake message for a server is a | |||
* KeyUpdate. We will never initiate post-handshake auth. */ | |||
// The largest acceptable post-handshake message for a server is a | |||
// KeyUpdate. We will never initiate post-handshake auth. | |||
return 1; | |||
} | |||
/* Clients must accept NewSessionTicket and CertificateRequest, so allow the | |||
* default size. */ | |||
// Clients must accept NewSessionTicket and CertificateRequest, so allow the | |||
// default size. | |||
return kMaxMessageLen; | |||
} | |||
bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) { | |||
/* V2ClientHello messages are pre-hashed. */ | |||
// V2ClientHello messages are pre-hashed. | |||
if (msg.is_v2_hello) { | |||
return true; | |||
} | |||
@@ -240,7 +240,7 @@ bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) { | |||
int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, | |||
const SSL_EXTENSION_TYPE *ext_types, | |||
size_t num_ext_types, int ignore_unknown) { | |||
/* Reset everything. */ | |||
// Reset everything. | |||
for (size_t i = 0; i < num_ext_types; i++) { | |||
*ext_types[i].out_present = 0; | |||
CBS_init(ext_types[i].out_data, NULL, 0); | |||
@@ -274,7 +274,7 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, | |||
return 0; | |||
} | |||
/* Duplicate ext_types are forbidden. */ | |||
// Duplicate ext_types are forbidden. | |||
if (*ext_type->out_present) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION); | |||
*out_alert = SSL_AD_ILLEGAL_PARAMETER; | |||
@@ -289,8 +289,8 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, | |||
} | |||
static void set_crypto_buffer(CRYPTO_BUFFER **dest, CRYPTO_BUFFER *src) { | |||
/* TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr| | |||
* and |UniquePtr| has up_ref helpers. */ | |||
// TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr| | |||
// and |UniquePtr| has up_ref helpers. | |||
CRYPTO_BUFFER_free(*dest); | |||
*dest = src; | |||
if (src != nullptr) { | |||
@@ -302,10 +302,10 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
const SSL_SESSION *prev_session = ssl->s3->established_session; | |||
if (prev_session != NULL) { | |||
/* If renegotiating, the server must not change the server certificate. See | |||
* https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation, | |||
* so this check is sufficient to ensure the reported peer certificate never | |||
* changes on renegotiation. */ | |||
// If renegotiating, the server must not change the server certificate. See | |||
// https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation, | |||
// so this check is sufficient to ensure the reported peer certificate never | |||
// changes on renegotiation. | |||
assert(!ssl->server); | |||
if (sk_CRYPTO_BUFFER_num(prev_session->certs) != | |||
sk_CRYPTO_BUFFER_num(hs->new_session->certs)) { | |||
@@ -329,10 +329,10 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* The certificate is identical, so we may skip re-verifying the | |||
* certificate. Since we only authenticated the previous one, copy other | |||
* authentication from the established session and ignore what was newly | |||
* received. */ | |||
// The certificate is identical, so we may skip re-verifying the | |||
// certificate. Since we only authenticated the previous one, copy other | |||
// authentication from the established session and ignore what was newly | |||
// received. | |||
set_crypto_buffer(&hs->new_session->ocsp_response, | |||
prev_session->ocsp_response); | |||
set_crypto_buffer(&hs->new_session->signed_cert_timestamp_list, | |||
@@ -371,17 +371,17 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) { | |||
} | |||
uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) { | |||
/* Use the client_random or server_random for entropy. This both avoids | |||
* calling |RAND_bytes| on a single byte repeatedly and ensures the values are | |||
* deterministic. This allows the same ClientHello be sent twice for a | |||
* HelloRetryRequest or the same group be advertised in both supported_groups | |||
* and key_shares. */ | |||
// Use the client_random or server_random for entropy. This both avoids | |||
// calling |RAND_bytes| on a single byte repeatedly and ensures the values are | |||
// deterministic. This allows the same ClientHello be sent twice for a | |||
// HelloRetryRequest or the same group be advertised in both supported_groups | |||
// and key_shares. | |||
uint16_t ret = ssl->server ? ssl->s3->server_random[index] | |||
: ssl->s3->client_random[index]; | |||
/* The first four bytes of server_random are a timestamp prior to TLS 1.3, but | |||
* servers have no fields to GREASE until TLS 1.3. */ | |||
// The first four bytes of server_random are a timestamp prior to TLS 1.3, but | |||
// servers have no fields to GREASE until TLS 1.3. | |||
assert(!ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION); | |||
/* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */ | |||
// This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. | |||
ret = (ret & 0xf0) | 0x0a; | |||
ret |= ret << 8; | |||
return ret; | |||
@@ -398,7 +398,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Snapshot the finished hash before incorporating the new message. */ | |||
// Snapshot the finished hash before incorporating the new message. | |||
uint8_t finished[EVP_MAX_MD_SIZE]; | |||
size_t finished_len; | |||
if (!hs->transcript.GetFinishedMAC(finished, &finished_len, | |||
@@ -418,7 +418,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Copy the Finished so we can use it for renegotiation checks. */ | |||
// Copy the Finished so we can use it for renegotiation checks. | |||
if (ssl->version != SSL3_VERSION) { | |||
if (finished_len > sizeof(ssl->s3->previous_client_finished) || | |||
finished_len > sizeof(ssl->s3->previous_server_finished)) { | |||
@@ -442,7 +442,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { | |||
int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { | |||
SSL *const ssl = hs->ssl; | |||
for (;;) { | |||
/* Resolve the operation the handshake was waiting on. */ | |||
// Resolve the operation the handshake was waiting on. | |||
switch (hs->wait) { | |||
case ssl_hs_error: | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); | |||
@@ -464,13 +464,13 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { | |||
if (hs->wait == ssl_hs_read_server_hello && | |||
ERR_GET_LIB(err) == ERR_LIB_SSL && | |||
ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) { | |||
/* Add a dedicated error code to the queue for a handshake_failure | |||
* alert in response to ClientHello. This matches NSS's client | |||
* behavior and gives a better error on a (probable) failure to | |||
* negotiate initial parameters. Note: this error code comes after | |||
* the original one. | |||
* | |||
* See https://crbug.com/446505. */ | |||
// Add a dedicated error code to the queue for a handshake_failure | |||
// alert in response to ClientHello. This matches NSS's client | |||
// behavior and gives a better error on a (probable) failure to | |||
// negotiate initial parameters. Note: this error code comes after | |||
// the original one. | |||
// | |||
// See https://crbug.com/446505. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO); | |||
} | |||
return ret; | |||
@@ -488,7 +488,7 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { | |||
case ssl_hs_read_end_of_early_data: { | |||
if (ssl->s3->hs->can_early_read) { | |||
/* While we are processing early data, the handshake returns early. */ | |||
// While we are processing early data, the handshake returns early. | |||
*out_early_return = 1; | |||
return 1; | |||
} | |||
@@ -533,7 +533,7 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { | |||
case ssl_hs_early_data_rejected: | |||
ssl->rwstate = SSL_EARLY_DATA_REJECTED; | |||
/* Cause |SSL_write| to start failing immediately. */ | |||
// Cause |SSL_write| to start failing immediately. | |||
hs->can_early_write = 0; | |||
return -1; | |||
@@ -546,20 +546,20 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { | |||
break; | |||
} | |||
/* Run the state machine again. */ | |||
// Run the state machine again. | |||
hs->wait = ssl->do_handshake(hs); | |||
if (hs->wait == ssl_hs_error) { | |||
/* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the | |||
* first time around. */ | |||
// Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the | |||
// first time around. | |||
return -1; | |||
} | |||
if (hs->wait == ssl_hs_ok) { | |||
/* The handshake has completed. */ | |||
// The handshake has completed. | |||
return 1; | |||
} | |||
/* Otherwise, loop to the beginning and resolve what was blocking the | |||
* handshake. */ | |||
// Otherwise, loop to the beginning and resolve what was blocking the | |||
// handshake. | |||
} | |||
} | |||
@@ -199,14 +199,14 @@ enum ssl_client_hs_state_t { | |||
state_done, | |||
}; | |||
/* ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of | |||
* disabled algorithms. */ | |||
// ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of | |||
// disabled algorithms. | |||
static void ssl_get_client_disabled(SSL *ssl, uint32_t *out_mask_a, | |||
uint32_t *out_mask_k) { | |||
*out_mask_a = 0; | |||
*out_mask_k = 0; | |||
/* PSK requires a client callback. */ | |||
// PSK requires a client callback. | |||
if (ssl->psk_client_callback == NULL) { | |||
*out_mask_a |= SSL_aPSK; | |||
*out_mask_k |= SSL_kPSK; | |||
@@ -223,14 +223,14 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) { | |||
return 0; | |||
} | |||
/* Add a fake cipher suite. See draft-davidben-tls-grease-01. */ | |||
// Add a fake cipher suite. See draft-davidben-tls-grease-01. | |||
if (ssl->ctx->grease_enabled && | |||
!CBB_add_u16(&child, ssl_get_grease_value(ssl, ssl_grease_cipher))) { | |||
return 0; | |||
} | |||
/* Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on | |||
* hardware support. */ | |||
// Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on | |||
// hardware support. | |||
if (hs->max_version >= TLS1_3_VERSION) { | |||
if (!EVP_has_aes_hardware() && | |||
!CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) { | |||
@@ -249,7 +249,7 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) { | |||
if (hs->min_version < TLS1_3_VERSION) { | |||
int any_enabled = 0; | |||
for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) { | |||
/* Skip disabled ciphers */ | |||
// Skip disabled ciphers | |||
if ((cipher->algorithm_mkey & mask_k) || | |||
(cipher->algorithm_auth & mask_a)) { | |||
continue; | |||
@@ -264,15 +264,15 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) { | |||
} | |||
} | |||
/* If all ciphers were disabled, return the error to the caller. */ | |||
// If all ciphers were disabled, return the error to the caller. | |||
if (!any_enabled && hs->max_version < TLS1_3_VERSION) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE); | |||
return 0; | |||
} | |||
} | |||
/* For SSLv3, the SCSV is added. Otherwise the renegotiation extension is | |||
* added. */ | |||
// For SSLv3, the SCSV is added. Otherwise the renegotiation extension is | |||
// added. | |||
if (hs->max_version == SSL3_VERSION && | |||
!ssl->s3->initial_handshake_complete) { | |||
if (!CBB_add_u16(&child, SSL3_CK_SCSV & 0xffff)) { | |||
@@ -297,7 +297,7 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) { | |||
return 0; | |||
} | |||
/* Renegotiations do not participate in session resumption. */ | |||
// Renegotiations do not participate in session resumption. | |||
int has_session_id = ssl->session != NULL && | |||
!ssl->s3->initial_handshake_complete && | |||
ssl->session->session_id_length > 0; | |||
@@ -315,8 +315,8 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) { | |||
return 0; | |||
} | |||
} else { | |||
/* In TLS 1.3 experimental encodings, send a fake placeholder session ID | |||
* when we do not otherwise have one to send. */ | |||
// In TLS 1.3 experimental encodings, send a fake placeholder session ID | |||
// when we do not otherwise have one to send. | |||
if (hs->max_version >= TLS1_3_VERSION && | |||
ssl->tls13_variant == tls13_experiment && | |||
!CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) { | |||
@@ -346,8 +346,8 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) { | |||
return 0; | |||
} | |||
/* Now that the length prefixes have been computed, fill in the placeholder | |||
* PSK binder. */ | |||
// Now that the length prefixes have been computed, fill in the placeholder | |||
// PSK binder. | |||
if (hs->needs_psk_binder && | |||
!tls13_write_psk_binder(hs, msg, len)) { | |||
OPENSSL_free(msg); | |||
@@ -374,8 +374,8 @@ static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out, | |||
return 0; | |||
} | |||
/* The server version may also be in the supported_versions extension if | |||
* applicable. */ | |||
// The server version may also be in the supported_versions extension if | |||
// applicable. | |||
if (msg.type != SSL3_MT_SERVER_HELLO || *out != TLS1_2_VERSION) { | |||
return 1; | |||
} | |||
@@ -390,7 +390,7 @@ static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out, | |||
return 0; | |||
} | |||
/* The extensions block may not be present. */ | |||
// The extensions block may not be present. | |||
if (CBS_len(&server_hello) == 0) { | |||
return 1; | |||
} | |||
@@ -433,14 +433,14 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { | |||
ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1); | |||
/* Freeze the version range. */ | |||
// Freeze the version range. | |||
if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) { | |||
return ssl_hs_error; | |||
} | |||
/* Always advertise the ClientHello version from the original maximum version, | |||
* even on renegotiation. The static RSA key exchange uses this field, and | |||
* some servers fail when it changes across handshakes. */ | |||
// Always advertise the ClientHello version from the original maximum version, | |||
// even on renegotiation. The static RSA key exchange uses this field, and | |||
// some servers fail when it changes across handshakes. | |||
if (SSL_is_dtls(hs->ssl)) { | |||
hs->client_version = | |||
hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION; | |||
@@ -449,8 +449,8 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { | |||
hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version; | |||
} | |||
/* If the configured session has expired or was created at a disabled | |||
* version, drop it. */ | |||
// If the configured session has expired or was created at a disabled | |||
// version, drop it. | |||
if (ssl->session != NULL) { | |||
if (ssl->session->is_server || | |||
!ssl_supports_version(hs, ssl->session->ssl_version) || | |||
@@ -466,8 +466,8 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Initialize a random session ID for the experimental TLS 1.3 variant | |||
* requiring a session id. */ | |||
// Initialize a random session ID for the experimental TLS 1.3 variant | |||
// requiring a session id. | |||
if (ssl->tls13_variant == tls13_experiment) { | |||
hs->session_id_len = sizeof(hs->session_id); | |||
if (!RAND_bytes(hs->session_id, hs->session_id_len)) { | |||
@@ -505,8 +505,8 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Stash the early data session, so connection properties may be queried out | |||
* of it. */ | |||
// Stash the early data session, so connection properties may be queried out | |||
// of it. | |||
hs->in_early_data = 1; | |||
SSL_SESSION_up_ref(ssl->session); | |||
hs->early_session.reset(ssl->session); | |||
@@ -547,7 +547,7 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) { | |||
ssl->method->next_message(ssl); | |||
/* DTLS resets the handshake buffer after HelloVerifyRequest. */ | |||
// DTLS resets the handshake buffer after HelloVerifyRequest. | |||
if (!hs->transcript.Init()) { | |||
return ssl_hs_error; | |||
} | |||
@@ -581,8 +581,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete); | |||
if (!ssl->s3->have_version) { | |||
ssl->version = server_version; | |||
/* At this point, the connection's version is known and ssl->version is | |||
* fixed. Begin enforcing the record-layer version. */ | |||
// At this point, the connection's version is known and ssl->version is | |||
// fixed. Begin enforcing the record-layer version. | |||
ssl->s3->have_version = 1; | |||
} else if (server_version != ssl->version) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); | |||
@@ -621,12 +621,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Copy over the server random. */ | |||
// Copy over the server random. | |||
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random), | |||
SSL3_RANDOM_SIZE); | |||
/* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS | |||
* 1.3 is finalized and we are not implementing a draft version. */ | |||
// TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS | |||
// 1.3 is finalized and we are not implementing a draft version. | |||
if (!ssl->s3->initial_handshake_complete && ssl->session != NULL && | |||
ssl->session->session_id_length != 0 && | |||
@@ -634,14 +634,14 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
ssl->session->session_id_length)) { | |||
ssl->s3->session_reused = 1; | |||
} else { | |||
/* The session wasn't resumed. Create a fresh SSL_SESSION to | |||
* fill out. */ | |||
// The session wasn't resumed. Create a fresh SSL_SESSION to | |||
// fill out. | |||
ssl_set_session(ssl, NULL); | |||
if (!ssl_get_new_session(hs, 0 /* client */)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
} | |||
/* Note: session_id could be empty. */ | |||
// Note: session_id could be empty. | |||
hs->new_session->session_id_length = CBS_len(&session_id); | |||
OPENSSL_memcpy(hs->new_session->session_id, CBS_data(&session_id), | |||
CBS_len(&session_id)); | |||
@@ -649,13 +649,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); | |||
if (cipher == NULL) { | |||
/* unknown cipher */ | |||
// unknown cipher | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
return ssl_hs_error; | |||
} | |||
/* The cipher must be allowed in the selected version and enabled. */ | |||
// The cipher must be allowed in the selected version and enabled. | |||
uint32_t mask_a, mask_k; | |||
ssl_get_client_disabled(ssl, &mask_a, &mask_k); | |||
if ((cipher->algorithm_mkey & mask_k) || (cipher->algorithm_auth & mask_a) || | |||
@@ -679,7 +679,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
if (!ssl_session_is_context_valid(ssl, ssl->session)) { | |||
/* This is actually a client application bug. */ | |||
// This is actually a client application bug. | |||
OPENSSL_PUT_ERROR(SSL, | |||
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
@@ -690,38 +690,38 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
hs->new_cipher = cipher; | |||
/* Now that the cipher is known, initialize the handshake hash and hash the | |||
* ServerHello. */ | |||
// Now that the cipher is known, initialize the handshake hash and hash the | |||
// ServerHello. | |||
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) || | |||
!ssl_hash_message(hs, msg)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
} | |||
/* If doing a full handshake, the server may request a client certificate | |||
* which requires hashing the handshake transcript. Otherwise, the handshake | |||
* buffer may be released. */ | |||
// If doing a full handshake, the server may request a client certificate | |||
// which requires hashing the handshake transcript. Otherwise, the handshake | |||
// buffer may be released. | |||
if (ssl->session != NULL || | |||
!ssl_cipher_uses_certificate_auth(hs->new_cipher)) { | |||
hs->transcript.FreeBuffer(); | |||
} | |||
/* Only the NULL compression algorithm is supported. */ | |||
// Only the NULL compression algorithm is supported. | |||
if (compression_method != 0) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
return ssl_hs_error; | |||
} | |||
/* TLS extensions */ | |||
// TLS extensions | |||
if (!ssl_parse_serverhello_tlsext(hs, &server_hello)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); | |||
return ssl_hs_error; | |||
} | |||
/* There should be nothing left over in the record. */ | |||
// There should be nothing left over in the record. | |||
if (CBS_len(&server_hello) != 0) { | |||
/* wrong packet length */ | |||
// wrong packet length | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); | |||
return ssl_hs_error; | |||
@@ -823,8 +823,8 @@ static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) { | |||
} | |||
if (msg.type != SSL3_MT_CERTIFICATE_STATUS) { | |||
/* A server may send status_request in ServerHello and then change | |||
* its mind about sending CertificateStatus. */ | |||
// A server may send status_request in ServerHello and then change its mind | |||
// about sending CertificateStatus. | |||
hs->state = state_verify_server_certificate; | |||
return ssl_hs_ok; | |||
} | |||
@@ -887,7 +887,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
} | |||
if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) { | |||
/* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */ | |||
// Some ciphers (pure PSK) have an optional ServerKeyExchange message. | |||
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
@@ -908,7 +908,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
if (alg_a & SSL_aPSK) { | |||
CBS psk_identity_hint; | |||
/* Each of the PSK key exchanges begins with a psk_identity_hint. */ | |||
// Each of the PSK key exchanges begins with a psk_identity_hint. | |||
if (!CBS_get_u16_length_prefixed(&server_key_exchange, | |||
&psk_identity_hint)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); | |||
@@ -916,13 +916,13 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Store PSK identity hint for later use, hint is used in | |||
* ssl3_send_client_key_exchange. Assume that the maximum length of a PSK | |||
* identity hint can be as long as the maximum length of a PSK identity. | |||
* Also do not allow NULL characters; identities are saved as C strings. | |||
* | |||
* TODO(davidben): Should invalid hints be ignored? It's a hint rather than | |||
* a specific identity. */ | |||
// Store PSK identity hint for later use, hint is used in | |||
// ssl3_send_client_key_exchange. Assume that the maximum length of a PSK | |||
// identity hint can be as long as the maximum length of a PSK identity. | |||
// Also do not allow NULL characters; identities are saved as C strings. | |||
// | |||
// TODO(davidben): Should invalid hints be ignored? It's a hint rather than | |||
// a specific identity. | |||
if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN || | |||
CBS_contains_zero_byte(&psk_identity_hint)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); | |||
@@ -930,11 +930,11 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Save non-empty identity hints as a C string. Empty identity hints we | |||
* treat as missing. Plain PSK makes it possible to send either no hint | |||
* (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell | |||
* empty hint. Having different capabilities is odd, so we interpret empty | |||
* and missing as identical. */ | |||
// Save non-empty identity hints as a C string. Empty identity hints we | |||
// treat as missing. Plain PSK makes it possible to send either no hint | |||
// (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell | |||
// empty hint. Having different capabilities is odd, so we interpret empty | |||
// and missing as identical. | |||
char *raw = nullptr; | |||
if (CBS_len(&psk_identity_hint) != 0 && | |||
!CBS_strdup(&psk_identity_hint, &raw)) { | |||
@@ -946,7 +946,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
} | |||
if (alg_k & SSL_kECDHE) { | |||
/* Parse the server parameters. */ | |||
// Parse the server parameters. | |||
uint8_t group_type; | |||
uint16_t group_id; | |||
CBS point; | |||
@@ -960,14 +960,14 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
} | |||
hs->new_session->group_id = group_id; | |||
/* Ensure the group is consistent with preferences. */ | |||
// Ensure the group is consistent with preferences. | |||
if (!tls1_check_group_id(ssl, group_id)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
return ssl_hs_error; | |||
} | |||
/* Initialize ECDH and save the peer public key for later. */ | |||
// Initialize ECDH and save the peer public key for later. | |||
hs->key_share = SSLKeyShare::Create(group_id); | |||
if (!hs->key_share || | |||
!CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) { | |||
@@ -979,14 +979,14 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* At this point, |server_key_exchange| contains the signature, if any, while | |||
* |msg.body| contains the entire message. From that, derive a CBS containing | |||
* just the parameter. */ | |||
// At this point, |server_key_exchange| contains the signature, if any, while | |||
// |msg.body| contains the entire message. From that, derive a CBS containing | |||
// just the parameter. | |||
CBS parameter; | |||
CBS_init(¶meter, CBS_data(&msg.body), | |||
CBS_len(&msg.body) - CBS_len(&server_key_exchange)); | |||
/* ServerKeyExchange should be signed by the server's public key. */ | |||
// ServerKeyExchange should be signed by the server's public key. | |||
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { | |||
uint16_t signature_algorithm = 0; | |||
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { | |||
@@ -1008,7 +1008,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* The last field in |server_key_exchange| is the signature. */ | |||
// The last field in |server_key_exchange| is the signature. | |||
CBS signature; | |||
if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) || | |||
CBS_len(&server_key_exchange) != 0) { | |||
@@ -1044,13 +1044,13 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
ERR_clear_error(); | |||
#endif | |||
if (!sig_ok) { | |||
/* bad signature */ | |||
// bad signature | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); | |||
return ssl_hs_error; | |||
} | |||
} else { | |||
/* PSK ciphers are the only supported certificate-less ciphers. */ | |||
// PSK ciphers are the only supported certificate-less ciphers. | |||
assert(alg_a == SSL_aPSK); | |||
if (CBS_len(&server_key_exchange) > 0) { | |||
@@ -1079,8 +1079,8 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { | |||
} | |||
if (msg.type == SSL3_MT_SERVER_HELLO_DONE) { | |||
/* If we get here we don't need the handshake buffer as we won't be doing | |||
* client auth. */ | |||
// If we get here we don't need the handshake buffer as we won't be doing | |||
// client auth. | |||
hs->transcript.FreeBuffer(); | |||
hs->state = state_read_server_hello_done; | |||
return ssl_hs_ok; | |||
@@ -1091,7 +1091,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Get the certificate types. */ | |||
// Get the certificate types. | |||
CBS body = msg.body, certificate_types; | |||
if (!CBS_get_u8_length_prefixed(&body, &certificate_types)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); | |||
@@ -1150,7 +1150,7 @@ static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* ServerHelloDone is empty. */ | |||
// ServerHelloDone is empty. | |||
if (CBS_len(&msg.body) != 0) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); | |||
@@ -1165,13 +1165,13 @@ static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* The peer didn't request a certificate. */ | |||
// The peer didn't request a certificate. | |||
if (!hs->cert_request) { | |||
hs->state = state_send_client_key_exchange; | |||
return ssl_hs_ok; | |||
} | |||
/* Call cert_cb to update the certificate. */ | |||
// Call cert_cb to update the certificate. | |||
if (ssl->cert->cert_cb != NULL) { | |||
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); | |||
if (rv == 0) { | |||
@@ -1186,10 +1186,10 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { | |||
} | |||
if (!ssl_has_certificate(ssl)) { | |||
/* Without a client certificate, the handshake buffer may be released. */ | |||
// Without a client certificate, the handshake buffer may be released. | |||
hs->transcript.FreeBuffer(); | |||
/* In SSL 3.0, the Certificate message is replaced with a warning alert. */ | |||
// In SSL 3.0, the Certificate message is replaced with a warning alert. | |||
if (ssl->version == SSL3_VERSION) { | |||
if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING, | |||
SSL_AD_NO_CERTIFICATE)) { | |||
@@ -1227,7 +1227,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
uint32_t alg_k = hs->new_cipher->algorithm_mkey; | |||
uint32_t alg_a = hs->new_cipher->algorithm_auth; | |||
/* If using a PSK key exchange, prepare the pre-shared key. */ | |||
// If using a PSK key exchange, prepare the pre-shared key. | |||
unsigned psk_len = 0; | |||
uint8_t psk[PSK_MAX_PSK_LEN]; | |||
if (alg_a & SSL_aPSK) { | |||
@@ -1255,7 +1255,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* Write out psk_identity. */ | |||
// Write out psk_identity. | |||
CBB child; | |||
if (!CBB_add_u16_length_prefixed(&body, &child) || | |||
!CBB_add_bytes(&child, (const uint8_t *)identity, | |||
@@ -1265,7 +1265,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Depending on the key exchange method, compute |pms| and |pms_len|. */ | |||
// Depending on the key exchange method, compute |pms| and |pms_len|. | |||
if (alg_k & SSL_kRSA) { | |||
pms_len = SSL_MAX_MASTER_KEY_LENGTH; | |||
pms = (uint8_t *)OPENSSL_malloc(pms_len); | |||
@@ -1288,7 +1288,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
CBB child, *enc_pms = &body; | |||
size_t enc_pms_len; | |||
/* In TLS, there is a length prefix. */ | |||
// In TLS, there is a length prefix. | |||
if (ssl->version > SSL3_VERSION) { | |||
if (!CBB_add_u16_length_prefixed(&body, &child)) { | |||
goto err; | |||
@@ -1305,13 +1305,13 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
} else if (alg_k & SSL_kECDHE) { | |||
/* Generate a keypair and serialize the public half. */ | |||
// Generate a keypair and serialize the public half. | |||
CBB child; | |||
if (!CBB_add_u8_length_prefixed(&body, &child)) { | |||
goto err; | |||
} | |||
/* Compute the premaster. */ | |||
// Compute the premaster. | |||
uint8_t alert = SSL_AD_DECODE_ERROR; | |||
if (!hs->key_share->Accept(&child, &pms, &pms_len, &alert, hs->peer_key, | |||
hs->peer_key_len)) { | |||
@@ -1322,14 +1322,14 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* The key exchange state may now be discarded. */ | |||
// The key exchange state may now be discarded. | |||
hs->key_share.reset(); | |||
OPENSSL_free(hs->peer_key); | |||
hs->peer_key = NULL; | |||
hs->peer_key_len = 0; | |||
} else if (alg_k & SSL_kPSK) { | |||
/* For plain PSK, other_secret is a block of 0s with the same length as | |||
* the pre-shared key. */ | |||
// For plain PSK, other_secret is a block of 0s with the same length as | |||
// the pre-shared key. | |||
pms_len = psk_len; | |||
pms = (uint8_t *)OPENSSL_malloc(pms_len); | |||
if (pms == NULL) { | |||
@@ -1343,8 +1343,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* For a PSK cipher suite, other_secret is combined with the pre-shared | |||
* key. */ | |||
// For a PSK cipher suite, other_secret is combined with the pre-shared | |||
// key. | |||
if (alg_a & SSL_aPSK) { | |||
ScopedCBB pms_cbb; | |||
CBB child; | |||
@@ -1366,8 +1366,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
pms_len = new_pms_len; | |||
} | |||
/* The message must be added to the finished hash before calculating the | |||
* master secret. */ | |||
// The message must be added to the finished hash before calculating the | |||
// master secret. | |||
if (!ssl_add_message_cbb(ssl, cbb.get())) { | |||
goto err; | |||
} | |||
@@ -1414,14 +1414,14 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { | |||
/* Write out the digest type in TLS 1.2. */ | |||
// Write out the digest type in TLS 1.2. | |||
if (!CBB_add_u16(&body, signature_algorithm)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
} | |||
} | |||
/* Set aside space for the signature. */ | |||
// Set aside space for the signature. | |||
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); | |||
uint8_t *ptr; | |||
if (!CBB_add_u16_length_prefixed(&body, &child) || | |||
@@ -1430,8 +1430,8 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
} | |||
size_t sig_len = max_sig_len; | |||
/* The SSL3 construction for CertificateVerify does not decompose into a | |||
* single final digest and signature, and must be special-cased. */ | |||
// The SSL3 construction for CertificateVerify does not decompose into a | |||
// single final digest and signature, and must be special-cased. | |||
if (ssl3_protocol_version(ssl) == SSL3_VERSION) { | |||
if (ssl->cert->key_method != NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY); | |||
@@ -1470,7 +1470,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* The handshake buffer is no longer necessary. */ | |||
// The handshake buffer is no longer necessary. | |||
hs->transcript.FreeBuffer(); | |||
hs->state = state_send_second_client_flight; | |||
@@ -1553,9 +1553,9 @@ static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_ok; | |||
} | |||
/* This is a full handshake. If it involves ChannelID, then record the | |||
* handshake hashes at this point in the session so that any resumption of | |||
* this session with ChannelID can sign those hashes. */ | |||
// This is a full handshake. If it involves ChannelID, then record the | |||
// handshake hashes at this point in the session so that any resumption of | |||
// this session with ChannelID can sign those hashes. | |||
if (!tls1_record_handshake_hashes_for_channel_id(hs)) { | |||
return ssl_hs_error; | |||
} | |||
@@ -1564,8 +1564,7 @@ static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) { | |||
if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) && | |||
ssl3_can_false_start(ssl) && | |||
/* No False Start on renegotiation (would complicate the state | |||
* machine). */ | |||
// No False Start on renegotiation (would complicate the state machine). | |||
!ssl->s3->initial_handshake_complete) { | |||
hs->in_false_start = 1; | |||
hs->can_early_write = 1; | |||
@@ -1604,9 +1603,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { | |||
} | |||
if (CBS_len(&ticket) == 0) { | |||
/* RFC 5077 allows a server to change its mind and send no ticket after | |||
* negotiating the extension. The value of |ticket_expected| is checked in | |||
* |ssl_update_cache| so is cleared here to avoid an unnecessary update. */ | |||
// RFC 5077 allows a server to change its mind and send no ticket after | |||
// negotiating the extension. The value of |ticket_expected| is checked in | |||
// |ssl_update_cache| so is cleared here to avoid an unnecessary update. | |||
hs->ticket_expected = 0; | |||
ssl->method->next_message(ssl); | |||
hs->state = state_process_change_cipher_spec; | |||
@@ -1616,20 +1615,20 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { | |||
SSL_SESSION *session = hs->new_session.get(); | |||
UniquePtr<SSL_SESSION> renewed_session; | |||
if (ssl->session != NULL) { | |||
/* The server is sending a new ticket for an existing session. Sessions are | |||
* immutable once established, so duplicate all but the ticket of the | |||
* existing session. */ | |||
// The server is sending a new ticket for an existing session. Sessions are | |||
// immutable once established, so duplicate all but the ticket of the | |||
// existing session. | |||
renewed_session = | |||
SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH); | |||
if (!renewed_session) { | |||
/* This should never happen. */ | |||
// This should never happen. | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
} | |||
session = renewed_session.get(); | |||
} | |||
/* |tlsext_tick_lifetime_hint| is measured from when the ticket was issued. */ | |||
// |tlsext_tick_lifetime_hint| is measured from when the ticket was issued. | |||
ssl_session_rebase_time(ssl, session); | |||
if (!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen)) { | |||
@@ -1638,9 +1637,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { | |||
} | |||
session->tlsext_tick_lifetime_hint = tlsext_tick_lifetime_hint; | |||
/* Generate a session ID for this session based on the session ticket. We use | |||
* the session ID mechanism for detecting ticket resumption. This also fits in | |||
* with assumptions elsewhere in OpenSSL.*/ | |||
// Generate a session ID for this session based on the session ticket. We use | |||
// the session ID mechanism for detecting ticket resumption. This also fits in | |||
// with assumptions elsewhere in OpenSSL. | |||
if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), | |||
session->session_id, &session->session_id_length, | |||
EVP_sha256(), NULL)) { | |||
@@ -1693,16 +1692,16 @@ static enum ssl_hs_wait_t do_finish_client_handshake(SSL_HANDSHAKE *hs) { | |||
SSL_SESSION_up_ref(ssl->session); | |||
ssl->s3->established_session = ssl->session; | |||
} else { | |||
/* We make a copy of the session in order to maintain the immutability | |||
* of the new established_session due to False Start. The caller may | |||
* have taken a reference to the temporary session. */ | |||
// We make a copy of the session in order to maintain the immutability | |||
// of the new established_session due to False Start. The caller may | |||
// have taken a reference to the temporary session. | |||
ssl->s3->established_session = | |||
SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL) | |||
.release(); | |||
if (ssl->s3->established_session == NULL) { | |||
return ssl_hs_error; | |||
} | |||
/* Renegotiations do not participate in session resumption. */ | |||
// Renegotiations do not participate in session resumption. | |||
if (!ssl->s3->initial_handshake_complete) { | |||
ssl->s3->established_session->not_resumable = 0; | |||
} | |||
@@ -231,18 +231,18 @@ static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, | |||
return 0; | |||
} | |||
} else { | |||
/* Convert the ClientHello version to an equivalent supported_versions | |||
* extension. */ | |||
// Convert the ClientHello version to an equivalent supported_versions | |||
// extension. | |||
static const uint8_t kTLSVersions[] = { | |||
0x03, 0x03, /* TLS 1.2 */ | |||
0x03, 0x02, /* TLS 1.1 */ | |||
0x03, 0x01, /* TLS 1 */ | |||
0x03, 0x00, /* SSL 3 */ | |||
0x03, 0x03, // TLS 1.2 | |||
0x03, 0x02, // TLS 1.1 | |||
0x03, 0x01, // TLS 1 | |||
0x03, 0x00, // SSL 3 | |||
}; | |||
static const uint8_t kDTLSVersions[] = { | |||
0xfe, 0xfd, /* DTLS 1.2 */ | |||
0xfe, 0xff, /* DTLS 1.0 */ | |||
0xfe, 0xfd, // DTLS 1.2 | |||
0xfe, 0xff, // DTLS 1.0 | |||
}; | |||
size_t versions_len = 0; | |||
@@ -273,11 +273,11 @@ static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, | |||
return 0; | |||
} | |||
/* At this point, the connection's version is known and |ssl->version| is | |||
* fixed. Begin enforcing the record-layer version. */ | |||
// At this point, the connection's version is known and |ssl->version| is | |||
// fixed. Begin enforcing the record-layer version. | |||
ssl->s3->have_version = 1; | |||
/* Handle FALLBACK_SCSV. */ | |||
// Handle FALLBACK_SCSV. | |||
if (ssl_client_cipher_list_contains_cipher(client_hello, | |||
SSL3_CK_FALLBACK_SCSV & 0xffff) && | |||
ssl3_protocol_version(ssl) < hs->max_version) { | |||
@@ -319,10 +319,10 @@ static UniquePtr<STACK_OF(SSL_CIPHER)> ssl_parse_client_cipher_list( | |||
return sk; | |||
} | |||
/* ssl_get_compatible_server_ciphers determines the key exchange and | |||
* authentication cipher suite masks compatible with the server configuration | |||
* and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key | |||
* exchange mask and |*out_mask_a| to the authentication mask. */ | |||
// ssl_get_compatible_server_ciphers determines the key exchange and | |||
// authentication cipher suite masks compatible with the server configuration | |||
// and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key | |||
// exchange mask and |*out_mask_a| to the authentication mask. | |||
static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, | |||
uint32_t *out_mask_k, | |||
uint32_t *out_mask_a) { | |||
@@ -337,13 +337,13 @@ static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, | |||
} | |||
} | |||
/* Check for a shared group to consider ECDHE ciphers. */ | |||
// Check for a shared group to consider ECDHE ciphers. | |||
uint16_t unused; | |||
if (tls1_get_shared_group(hs, &unused)) { | |||
mask_k |= SSL_kECDHE; | |||
} | |||
/* PSK requires a server callback. */ | |||
// PSK requires a server callback. | |||
if (ssl->psk_server_callback != NULL) { | |||
mask_k |= SSL_kPSK; | |||
mask_a |= SSL_aPSK; | |||
@@ -358,13 +358,13 @@ static const SSL_CIPHER *ssl3_choose_cipher( | |||
const struct ssl_cipher_preference_list_st *server_pref) { | |||
SSL *const ssl = hs->ssl; | |||
STACK_OF(SSL_CIPHER) *prio, *allow; | |||
/* in_group_flags will either be NULL, or will point to an array of bytes | |||
* which indicate equal-preference groups in the |prio| stack. See the | |||
* comment about |in_group_flags| in the |ssl_cipher_preference_list_st| | |||
* struct. */ | |||
// in_group_flags will either be NULL, or will point to an array of bytes | |||
// which indicate equal-preference groups in the |prio| stack. See the | |||
// comment about |in_group_flags| in the |ssl_cipher_preference_list_st| | |||
// struct. | |||
const uint8_t *in_group_flags; | |||
/* group_min contains the minimal index so far found in a group, or -1 if no | |||
* such value exists yet. */ | |||
// group_min contains the minimal index so far found in a group, or -1 if no | |||
// such value exists yet. | |||
int group_min = -1; | |||
UniquePtr<STACK_OF(SSL_CIPHER)> client_pref = | |||
@@ -390,17 +390,17 @@ static const SSL_CIPHER *ssl3_choose_cipher( | |||
const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i); | |||
size_t cipher_index; | |||
if (/* Check if the cipher is supported for the current version. */ | |||
if (// Check if the cipher is supported for the current version. | |||
SSL_CIPHER_get_min_version(c) <= ssl3_protocol_version(ssl) && | |||
ssl3_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && | |||
/* Check the cipher is supported for the server configuration. */ | |||
// Check the cipher is supported for the server configuration. | |||
(c->algorithm_mkey & mask_k) && | |||
(c->algorithm_auth & mask_a) && | |||
/* Check the cipher is in the |allow| list. */ | |||
// Check the cipher is in the |allow| list. | |||
sk_SSL_CIPHER_find(allow, &cipher_index, c)) { | |||
if (in_group_flags != NULL && in_group_flags[i] == 1) { | |||
/* This element of |prio| is in a group. Update the minimum index found | |||
* so far and continue looking. */ | |||
// This element of |prio| is in a group. Update the minimum index found | |||
// so far and continue looking. | |||
if (group_min == -1 || (size_t)group_min > cipher_index) { | |||
group_min = cipher_index; | |||
} | |||
@@ -413,8 +413,8 @@ static const SSL_CIPHER *ssl3_choose_cipher( | |||
} | |||
if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) { | |||
/* We are about to leave a group, but we found a match in it, so that's | |||
* our answer. */ | |||
// We are about to leave a group, but we found a match in it, so that's | |||
// our answer. | |||
return sk_SSL_CIPHER_value(allow, group_min); | |||
} | |||
} | |||
@@ -447,14 +447,14 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Run the early callback. */ | |||
// Run the early callback. | |||
if (ssl->ctx->select_certificate_cb != NULL) { | |||
switch (ssl->ctx->select_certificate_cb(&client_hello)) { | |||
case ssl_select_cert_retry: | |||
return ssl_hs_certificate_selection_pending; | |||
case ssl_select_cert_error: | |||
/* Connection rejected. */ | |||
// Connection rejected. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | |||
return ssl_hs_error; | |||
@@ -464,7 +464,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Freeze the version range after the early callback. */ | |||
// Freeze the version range after the early callback. | |||
if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) { | |||
return ssl_hs_error; | |||
} | |||
@@ -483,8 +483,8 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { | |||
OPENSSL_memcpy(ssl->s3->client_random, client_hello.random, | |||
client_hello.random_len); | |||
/* Only null compression is supported. TLS 1.3 further requires the peer | |||
* advertise no other compression. */ | |||
// Only null compression is supported. TLS 1.3 further requires the peer | |||
// advertise no other compression. | |||
if (OPENSSL_memchr(client_hello.compression_methods, 0, | |||
client_hello.compression_methods_len) == NULL || | |||
(ssl3_protocol_version(ssl) >= TLS1_3_VERSION && | |||
@@ -494,7 +494,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* TLS extensions. */ | |||
// TLS extensions. | |||
if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); | |||
return ssl_hs_error; | |||
@@ -512,7 +512,7 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_read_message; | |||
} | |||
/* Call |cert_cb| to update server certificates if required. */ | |||
// Call |cert_cb| to update server certificates if required. | |||
if (ssl->cert->cert_cb != NULL) { | |||
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); | |||
if (rv == 0) { | |||
@@ -530,7 +530,7 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { | |||
} | |||
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { | |||
/* Jump to the TLS 1.3 state machine. */ | |||
// Jump to the TLS 1.3 state machine. | |||
hs->state = state_tls13; | |||
return ssl_hs_ok; | |||
} | |||
@@ -540,8 +540,8 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Negotiate the cipher suite. This must be done after |cert_cb| so the | |||
* certificate is finalized. */ | |||
// Negotiate the cipher suite. This must be done after |cert_cb| so the | |||
// certificate is finalized. | |||
hs->new_cipher = | |||
ssl3_choose_cipher(hs, &client_hello, ssl_get_cipher_preferences(ssl)); | |||
if (hs->new_cipher == NULL) { | |||
@@ -577,7 +577,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Determine whether we are doing session resumption. */ | |||
// Determine whether we are doing session resumption. | |||
UniquePtr<SSL_SESSION> session; | |||
int tickets_supported = 0, renew_ticket = 0; | |||
enum ssl_hs_wait_t wait = ssl_get_prev_session( | |||
@@ -588,23 +588,23 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
if (session) { | |||
if (session->extended_master_secret && !hs->extended_master_secret) { | |||
/* A ClientHello without EMS that attempts to resume a session with EMS | |||
* is fatal to the connection. */ | |||
// A ClientHello without EMS that attempts to resume a session with EMS | |||
// is fatal to the connection. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | |||
return ssl_hs_error; | |||
} | |||
if (!ssl_session_is_resumable(hs, session.get()) || | |||
/* If the client offers the EMS extension, but the previous session | |||
* didn't use it, then negotiate a new session. */ | |||
// If the client offers the EMS extension, but the previous session | |||
// didn't use it, then negotiate a new session. | |||
hs->extended_master_secret != session->extended_master_secret) { | |||
session.reset(); | |||
} | |||
} | |||
if (session) { | |||
/* Use the old session. */ | |||
// Use the old session. | |||
hs->ticket_expected = renew_ticket; | |||
ssl->session = session.release(); | |||
ssl->s3->session_reused = 1; | |||
@@ -615,7 +615,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Clear the session ID if we want the session to be single-use. */ | |||
// Clear the session ID if we want the session to be single-use. | |||
if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) { | |||
hs->new_session->session_id_length = 0; | |||
} | |||
@@ -623,7 +623,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
if (ssl->ctx->dos_protection_cb != NULL && | |||
ssl->ctx->dos_protection_cb(&client_hello) == 0) { | |||
/* Connection rejected for DOS reasons. */ | |||
// Connection rejected for DOS reasons. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
@@ -632,7 +632,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
if (ssl->session == NULL) { | |||
hs->new_session->cipher = hs->new_cipher; | |||
/* On new sessions, stash the SNI value in the session. */ | |||
// On new sessions, stash the SNI value in the session. | |||
if (hs->hostname != NULL) { | |||
OPENSSL_free(hs->new_session->tlsext_hostname); | |||
hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname.get()); | |||
@@ -642,42 +642,42 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Determine whether to request a client certificate. */ | |||
// Determine whether to request a client certificate. | |||
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); | |||
/* Only request a certificate if Channel ID isn't negotiated. */ | |||
// Only request a certificate if Channel ID isn't negotiated. | |||
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) && | |||
ssl->s3->tlsext_channel_id_valid) { | |||
hs->cert_request = 0; | |||
} | |||
/* CertificateRequest may only be sent in certificate-based ciphers. */ | |||
// CertificateRequest may only be sent in certificate-based ciphers. | |||
if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) { | |||
hs->cert_request = 0; | |||
} | |||
if (!hs->cert_request) { | |||
/* OpenSSL returns X509_V_OK when no certificates are requested. This is | |||
* classed by them as a bug, but it's assumed by at least NGINX. */ | |||
// OpenSSL returns X509_V_OK when no certificates are requested. This is | |||
// classed by them as a bug, but it's assumed by at least NGINX. | |||
hs->new_session->verify_result = X509_V_OK; | |||
} | |||
} | |||
/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was | |||
* deferred. Complete it now. */ | |||
// HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was | |||
// deferred. Complete it now. | |||
uint8_t alert = SSL_AD_DECODE_ERROR; | |||
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); | |||
return ssl_hs_error; | |||
} | |||
/* Now that all parameters are known, initialize the handshake hash and hash | |||
* the ClientHello. */ | |||
// Now that all parameters are known, initialize the handshake hash and hash | |||
// the ClientHello. | |||
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) || | |||
!ssl_hash_message(hs, msg)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
} | |||
/* Release the handshake buffer if client authentication isn't required. */ | |||
// Release the handshake buffer if client authentication isn't required. | |||
if (!hs->cert_request) { | |||
hs->transcript.FreeBuffer(); | |||
} | |||
@@ -691,16 +691,16 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* We only accept ChannelIDs on connections with ECDHE in order to avoid a | |||
* known attack while we fix ChannelID itself. */ | |||
// We only accept ChannelIDs on connections with ECDHE in order to avoid a | |||
// known attack while we fix ChannelID itself. | |||
if (ssl->s3->tlsext_channel_id_valid && | |||
(hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) { | |||
ssl->s3->tlsext_channel_id_valid = 0; | |||
} | |||
/* If this is a resumption and the original handshake didn't support | |||
* ChannelID then we didn't record the original handshake hashes in the | |||
* session and so cannot resume with ChannelIDs. */ | |||
// If this is a resumption and the original handshake didn't support | |||
// ChannelID then we didn't record the original handshake hashes in the | |||
// session and so cannot resume with ChannelIDs. | |||
if (ssl->session != NULL && | |||
ssl->session->original_handshake_hash_len == 0) { | |||
ssl->s3->tlsext_channel_id_valid = 0; | |||
@@ -716,8 +716,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS | |||
* 1.3 is finalized and we are not implementing a draft version. */ | |||
// TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS | |||
// 1.3 is finalized and we are not implementing a draft version. | |||
const SSL_SESSION *session = hs->new_session.get(); | |||
if (ssl->session != NULL) { | |||
@@ -778,14 +778,14 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Assemble ServerKeyExchange parameters if needed. */ | |||
// Assemble ServerKeyExchange parameters if needed. | |||
uint32_t alg_k = hs->new_cipher->algorithm_mkey; | |||
uint32_t alg_a = hs->new_cipher->algorithm_auth; | |||
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) || | |||
((alg_a & SSL_aPSK) && ssl->psk_identity_hint)) { | |||
/* Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend | |||
* the client and server randoms for the signing transcript. */ | |||
// Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend | |||
// the client and server randoms for the signing transcript. | |||
CBB child; | |||
if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) || | |||
!CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) || | |||
@@ -793,7 +793,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* PSK ciphers begin with an identity hint. */ | |||
// PSK ciphers begin with an identity hint. | |||
if (alg_a & SSL_aPSK) { | |||
size_t len = | |||
(ssl->psk_identity_hint == NULL) ? 0 : strlen(ssl->psk_identity_hint); | |||
@@ -805,7 +805,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { | |||
} | |||
if (alg_k & SSL_kECDHE) { | |||
/* Determine the group to use. */ | |||
// Determine the group to use. | |||
uint16_t group_id; | |||
if (!tls1_get_shared_group(hs, &group_id)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -814,7 +814,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { | |||
} | |||
hs->new_session->group_id = group_id; | |||
/* Set up ECDH, generate a key, and emit the public half. */ | |||
// Set up ECDH, generate a key, and emit the public half. | |||
hs->key_share = SSLKeyShare::Create(group_id); | |||
if (!hs->key_share || | |||
!CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || | |||
@@ -848,21 +848,21 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
CBB body, child; | |||
if (!ssl->method->init_message(ssl, cbb.get(), &body, | |||
SSL3_MT_SERVER_KEY_EXCHANGE) || | |||
/* |hs->server_params| contains a prefix for signing. */ | |||
// |hs->server_params| contains a prefix for signing. | |||
hs->server_params_len < 2 * SSL3_RANDOM_SIZE || | |||
!CBB_add_bytes(&body, hs->server_params + 2 * SSL3_RANDOM_SIZE, | |||
hs->server_params_len - 2 * SSL3_RANDOM_SIZE)) { | |||
return ssl_hs_error; | |||
} | |||
/* Add a signature. */ | |||
// Add a signature. | |||
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { | |||
if (!ssl_has_private_key(ssl)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
} | |||
/* Determine the signature algorithm. */ | |||
// Determine the signature algorithm. | |||
uint16_t signature_algorithm; | |||
if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { | |||
return ssl_hs_error; | |||
@@ -875,7 +875,7 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Add space for the signature. */ | |||
// Add space for the signature. | |||
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); | |||
uint8_t *ptr; | |||
if (!CBB_add_u16_length_prefixed(&body, &child) || | |||
@@ -962,16 +962,16 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { | |||
if (msg.type != SSL3_MT_CERTIFICATE) { | |||
if (ssl->version == SSL3_VERSION && | |||
msg.type == SSL3_MT_CLIENT_KEY_EXCHANGE) { | |||
/* In SSL 3.0, the Certificate message is omitted to signal no | |||
* certificate. */ | |||
// In SSL 3.0, the Certificate message is omitted to signal no | |||
// certificate. | |||
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | |||
return ssl_hs_error; | |||
} | |||
/* OpenSSL returns X509_V_OK when no certificates are received. This is | |||
* classed by them as a bug, but it's assumed by at least NGINX. */ | |||
// OpenSSL returns X509_V_OK when no certificates are received. This is | |||
// classed by them as a bug, but it's assumed by at least NGINX. | |||
hs->new_session->verify_result = X509_V_OK; | |||
hs->state = state_verify_client_certificate; | |||
return ssl_hs_ok; | |||
@@ -1008,11 +1008,11 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { | |||
} | |||
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { | |||
/* No client certificate so the handshake buffer may be discarded. */ | |||
// No client certificate so the handshake buffer may be discarded. | |||
hs->transcript.FreeBuffer(); | |||
/* In SSL 3.0, sending no certificate is signaled by omitting the | |||
* Certificate message. */ | |||
// In SSL 3.0, sending no certificate is signaled by omitting the | |||
// Certificate message. | |||
if (ssl->version == SSL3_VERSION) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | |||
@@ -1020,17 +1020,17 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { | |||
} | |||
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { | |||
/* Fail for TLS only if we required a certificate */ | |||
// Fail for TLS only if we required a certificate | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); | |||
return ssl_hs_error; | |||
} | |||
/* OpenSSL returns X509_V_OK when no certificates are received. This is | |||
* classed by them as a bug, but it's assumed by at least NGINX. */ | |||
// OpenSSL returns X509_V_OK when no certificates are received. This is | |||
// classed by them as a bug, but it's assumed by at least NGINX. | |||
hs->new_session->verify_result = X509_V_OK; | |||
} else if (ssl->retain_only_sha256_of_client_certs) { | |||
/* The hash will have been filled in. */ | |||
// The hash will have been filled in. | |||
hs->new_session->peer_sha256_valid = 1; | |||
} | |||
@@ -1076,12 +1076,12 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
uint32_t alg_k = hs->new_cipher->algorithm_mkey; | |||
uint32_t alg_a = hs->new_cipher->algorithm_auth; | |||
/* If using a PSK key exchange, parse the PSK identity. */ | |||
// If using a PSK key exchange, parse the PSK identity. | |||
if (alg_a & SSL_aPSK) { | |||
CBS psk_identity; | |||
/* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK, | |||
* then this is the only field in the message. */ | |||
// If using PSK, the ClientKeyExchange contains a psk_identity. If PSK, | |||
// then this is the only field in the message. | |||
if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) || | |||
((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); | |||
@@ -1103,8 +1103,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Depending on the key exchange method, compute |premaster_secret| and | |||
* |premaster_secret_len|. */ | |||
// Depending on the key exchange method, compute |premaster_secret| and | |||
// |premaster_secret_len|. | |||
if (alg_k & SSL_kRSA) { | |||
CBS encrypted_premaster_secret; | |||
if (ssl->version > SSL3_VERSION) { | |||
@@ -1119,7 +1119,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
encrypted_premaster_secret = client_key_exchange; | |||
} | |||
/* Allocate a buffer large enough for an RSA decryption. */ | |||
// Allocate a buffer large enough for an RSA decryption. | |||
const size_t rsa_size = EVP_PKEY_size(hs->local_pubkey.get()); | |||
decrypt_buf = (uint8_t *)OPENSSL_malloc(rsa_size); | |||
if (decrypt_buf == NULL) { | |||
@@ -1127,8 +1127,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* Decrypt with no padding. PKCS#1 padding will be removed as part of the | |||
* timing-sensitive code below. */ | |||
// Decrypt with no padding. PKCS#1 padding will be removed as part of the | |||
// timing-sensitive code below. | |||
size_t decrypt_len; | |||
switch (ssl_private_key_decrypt(hs, decrypt_buf, &decrypt_len, rsa_size, | |||
CBS_data(&encrypted_premaster_secret), | |||
@@ -1148,8 +1148,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* Prepare a random premaster, to be used on invalid padding. See RFC 5246, | |||
* section 7.4.7.1. */ | |||
// Prepare a random premaster, to be used on invalid padding. See RFC 5246, | |||
// section 7.4.7.1. | |||
premaster_secret_len = SSL_MAX_MASTER_KEY_LENGTH; | |||
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len); | |||
if (premaster_secret == NULL) { | |||
@@ -1160,15 +1160,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* The smallest padded premaster is 11 bytes of overhead. Small keys are | |||
* publicly invalid. */ | |||
// The smallest padded premaster is 11 bytes of overhead. Small keys are | |||
// publicly invalid. | |||
if (decrypt_len < 11 + premaster_secret_len) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); | |||
goto err; | |||
} | |||
/* Check the padding. See RFC 3447, section 7.2.2. */ | |||
// Check the padding. See RFC 3447, section 7.2.2. | |||
size_t padding_len = decrypt_len - premaster_secret_len; | |||
uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) & | |||
constant_time_eq_int_8(decrypt_buf[1], 2); | |||
@@ -1177,15 +1177,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
} | |||
good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]); | |||
/* The premaster secret must begin with |client_version|. This too must be | |||
* checked in constant time (http://eprint.iacr.org/2003/052/). */ | |||
// The premaster secret must begin with |client_version|. This too must be | |||
// checked in constant time (http://eprint.iacr.org/2003/052/). | |||
good &= constant_time_eq_8(decrypt_buf[padding_len], | |||
(unsigned)(hs->client_version >> 8)); | |||
good &= constant_time_eq_8(decrypt_buf[padding_len + 1], | |||
(unsigned)(hs->client_version & 0xff)); | |||
/* Select, in constant time, either the decrypted premaster or the random | |||
* premaster based on |good|. */ | |||
// Select, in constant time, either the decrypted premaster or the random | |||
// premaster based on |good|. | |||
for (size_t i = 0; i < premaster_secret_len; i++) { | |||
premaster_secret[i] = constant_time_select_8( | |||
good, decrypt_buf[padding_len + i], premaster_secret[i]); | |||
@@ -1194,7 +1194,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
OPENSSL_free(decrypt_buf); | |||
decrypt_buf = NULL; | |||
} else if (alg_k & SSL_kECDHE) { | |||
/* Parse the ClientKeyExchange. */ | |||
// Parse the ClientKeyExchange. | |||
CBS peer_key; | |||
if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) || | |||
CBS_len(&client_key_exchange) != 0) { | |||
@@ -1203,7 +1203,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* Compute the premaster. */ | |||
// Compute the premaster. | |||
uint8_t alert = SSL_AD_DECODE_ERROR; | |||
if (!hs->key_share->Finish(&premaster_secret, &premaster_secret_len, &alert, | |||
CBS_data(&peer_key), CBS_len(&peer_key))) { | |||
@@ -1211,7 +1211,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* The key exchange state may now be discarded. */ | |||
// The key exchange state may now be discarded. | |||
hs->key_share.reset(); | |||
} else if (!(alg_k & SSL_kPSK)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -1219,8 +1219,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* For a PSK cipher suite, the actual pre-master secret is combined with the | |||
* pre-shared key. */ | |||
// For a PSK cipher suite, the actual pre-master secret is combined with the | |||
// pre-shared key. | |||
if (alg_a & SSL_aPSK) { | |||
if (ssl->psk_server_callback == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -1228,7 +1228,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* Look up the key for the identity. */ | |||
// Look up the key for the identity. | |||
uint8_t psk[PSK_MAX_PSK_LEN]; | |||
unsigned psk_len = ssl->psk_server_callback( | |||
ssl, hs->new_session->psk_identity, psk, sizeof(psk)); | |||
@@ -1237,15 +1237,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
goto err; | |||
} else if (psk_len == 0) { | |||
/* PSK related to the given identity not found */ | |||
// PSK related to the given identity not found. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY); | |||
goto err; | |||
} | |||
if (alg_k & SSL_kPSK) { | |||
/* In plain PSK, other_secret is a block of 0s with the same length as the | |||
* pre-shared key. */ | |||
// In plain PSK, other_secret is a block of 0s with the same length as the | |||
// pre-shared key. | |||
premaster_secret_len = psk_len; | |||
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len); | |||
if (premaster_secret == NULL) { | |||
@@ -1280,7 +1280,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { | |||
goto err; | |||
} | |||
/* Compute the master secret */ | |||
// Compute the master secret. | |||
hs->new_session->master_key_length = tls1_generate_master_secret( | |||
hs, hs->new_session->master_key, premaster_secret, premaster_secret_len); | |||
if (hs->new_session->master_key_length == 0) { | |||
@@ -1306,9 +1306,8 @@ err: | |||
static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* Only RSA and ECDSA client certificates are supported, so a | |||
* CertificateVerify is required if and only if there's a client certificate. | |||
* */ | |||
// Only RSA and ECDSA client certificates are supported, so a | |||
// CertificateVerify is required if and only if there's a client certificate. | |||
if (!hs->peer_pubkey) { | |||
hs->transcript.FreeBuffer(); | |||
hs->state = state_read_change_cipher_spec; | |||
@@ -1326,7 +1325,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
CBS certificate_verify = msg.body, signature; | |||
/* Determine the signature algorithm. */ | |||
// Determine the signature algorithm. | |||
uint16_t signature_algorithm = 0; | |||
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) { | |||
if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) { | |||
@@ -1347,7 +1346,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Parse and verify the signature. */ | |||
// Parse and verify the signature. | |||
if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) || | |||
CBS_len(&certificate_verify) != 0) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); | |||
@@ -1356,8 +1355,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
} | |||
int sig_ok; | |||
/* The SSL3 construction for CertificateVerify does not decompose into a | |||
* single final digest and signature, and must be special-cased. */ | |||
// The SSL3 construction for CertificateVerify does not decompose into a | |||
// single final digest and signature, and must be special-cased. | |||
if (ssl3_protocol_version(ssl) == SSL3_VERSION) { | |||
uint8_t digest[EVP_MAX_MD_SIZE]; | |||
size_t digest_len; | |||
@@ -1389,8 +1388,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* The handshake buffer is no longer necessary, and we may hash the current | |||
* message.*/ | |||
// The handshake buffer is no longer necessary, and we may hash the current | |||
// message. | |||
hs->transcript.FreeBuffer(); | |||
if (!ssl_hash_message(hs, msg)) { | |||
return ssl_hs_error; | |||
@@ -1489,9 +1488,9 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { | |||
hs->state = state_send_server_finished; | |||
} | |||
/* If this is a full handshake with ChannelID then record the handshake | |||
* hashes in |hs->new_session| in case we need them to verify a | |||
* ChannelID signature on a resumption of this session in the future. */ | |||
// If this is a full handshake with ChannelID then record the handshake | |||
// hashes in |hs->new_session| in case we need them to verify a | |||
// ChannelID signature on a resumption of this session in the future. | |||
if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid && | |||
!tls1_record_handshake_hashes_for_channel_id(hs)) { | |||
return ssl_hs_error; | |||
@@ -1507,12 +1506,12 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { | |||
const SSL_SESSION *session; | |||
UniquePtr<SSL_SESSION> session_copy; | |||
if (ssl->session == NULL) { | |||
/* Fix the timeout to measure from the ticket issuance time. */ | |||
// Fix the timeout to measure from the ticket issuance time. | |||
ssl_session_rebase_time(ssl, hs->new_session.get()); | |||
session = hs->new_session.get(); | |||
} else { | |||
/* We are renewing an existing session. Duplicate the session to adjust | |||
* the timeout. */ | |||
// We are renewing an existing session. Duplicate the session to adjust | |||
// the timeout. | |||
session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH); | |||
if (!session_copy) { | |||
return ssl_hs_error; | |||
@@ -1553,8 +1552,7 @@ static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) { | |||
ssl->method->on_handshake_complete(ssl); | |||
/* If we aren't retaining peer certificates then we can discard it | |||
* now. */ | |||
// If we aren't retaining peer certificates then we can discard it now. | |||
if (hs->new_session != NULL && ssl->retain_only_sha256_of_client_certs) { | |||
sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free); | |||
hs->new_session->certs = NULL; | |||
@@ -134,7 +134,7 @@ namespace bssl { | |||
static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in, | |||
size_t in_len) { | |||
/* We'll never add a flight while in the process of writing it out. */ | |||
// We'll never add a flight while in the process of writing it out. | |||
assert(ssl->s3->pending_flight_offset == 0); | |||
if (ssl->s3->pending_flight == NULL) { | |||
@@ -164,7 +164,7 @@ static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in, | |||
} | |||
int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) { | |||
/* Pick a modest size hint to save most of the |realloc| calls. */ | |||
// Pick a modest size hint to save most of the |realloc| calls. | |||
if (!CBB_init(cbb, 64) || | |||
!CBB_add_u8(cbb, type) || | |||
!CBB_add_u24_length_prefixed(cbb, body)) { | |||
@@ -187,8 +187,8 @@ int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, | |||
} | |||
int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) { | |||
/* Add the message to the current flight, splitting into several records if | |||
* needed. */ | |||
// Add the message to the current flight, splitting into several records if | |||
// needed. | |||
int ret = 0; | |||
size_t added = 0; | |||
do { | |||
@@ -212,8 +212,8 @@ int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) { | |||
} while (added < len); | |||
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len); | |||
/* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on | |||
* hs. */ | |||
// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on | |||
// hs. | |||
if (ssl->s3->hs != NULL && | |||
!ssl->s3->hs->transcript.Update(msg, len)) { | |||
goto err; | |||
@@ -260,8 +260,8 @@ int ssl3_flush_flight(SSL *ssl) { | |||
return -1; | |||
} | |||
/* If there is pending data in the write buffer, it must be flushed out before | |||
* any new data in pending_flight. */ | |||
// If there is pending data in the write buffer, it must be flushed out before | |||
// any new data in pending_flight. | |||
if (ssl_write_buffer_is_pending(ssl)) { | |||
int ret = ssl_write_buffer_flush(ssl); | |||
if (ret <= 0) { | |||
@@ -270,7 +270,7 @@ int ssl3_flush_flight(SSL *ssl) { | |||
} | |||
} | |||
/* Write the pending flight. */ | |||
// Write the pending flight. | |||
while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) { | |||
int ret = BIO_write( | |||
ssl->wbio, | |||
@@ -306,14 +306,14 @@ int ssl3_send_finished(SSL_HANDSHAKE *hs) { | |||
return 0; | |||
} | |||
/* Log the master secret, if logging is enabled. */ | |||
// Log the master secret, if logging is enabled. | |||
if (!ssl_log_secret(ssl, "CLIENT_RANDOM", | |||
session->master_key, | |||
session->master_key_length)) { | |||
return 0; | |||
} | |||
/* Copy the Finished so we can use it for renegotiation checks. */ | |||
// Copy the Finished so we can use it for renegotiation checks. | |||
if (ssl->version != SSL3_VERSION) { | |||
if (finished_len > sizeof(ssl->s3->previous_client_finished) || | |||
finished_len > sizeof(ssl->s3->previous_server_finished)) { | |||
@@ -372,18 +372,18 @@ static int extend_handshake_buffer(SSL *ssl, size_t length) { | |||
} | |||
static int read_v2_client_hello(SSL *ssl) { | |||
/* Read the first 5 bytes, the size of the TLS record header. This is | |||
* sufficient to detect a V2ClientHello and ensures that we never read beyond | |||
* the first record. */ | |||
// Read the first 5 bytes, the size of the TLS record header. This is | |||
// sufficient to detect a V2ClientHello and ensures that we never read beyond | |||
// the first record. | |||
int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH); | |||
if (ret <= 0) { | |||
return ret; | |||
} | |||
const uint8_t *p = ssl_read_buffer(ssl); | |||
/* Some dedicated error codes for protocol mixups should the application wish | |||
* to interpret them differently. (These do not overlap with ClientHello or | |||
* V2ClientHello.) */ | |||
// Some dedicated error codes for protocol mixups should the application wish | |||
// to interpret them differently. (These do not overlap with ClientHello or | |||
// V2ClientHello.) | |||
if (strncmp("GET ", (const char *)p, 4) == 0 || | |||
strncmp("POST ", (const char *)p, 5) == 0 || | |||
strncmp("HEAD ", (const char *)p, 5) == 0 || | |||
@@ -398,25 +398,25 @@ static int read_v2_client_hello(SSL *ssl) { | |||
if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO || | |||
p[3] != SSL3_VERSION_MAJOR) { | |||
/* Not a V2ClientHello. */ | |||
// Not a V2ClientHello. | |||
return 1; | |||
} | |||
/* Determine the length of the V2ClientHello. */ | |||
// Determine the length of the V2ClientHello. | |||
size_t msg_length = ((p[0] & 0x7f) << 8) | p[1]; | |||
if (msg_length > (1024 * 4)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); | |||
return -1; | |||
} | |||
if (msg_length < SSL3_RT_HEADER_LENGTH - 2) { | |||
/* Reject lengths that are too short early. We have already read | |||
* |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an | |||
* (invalid) V2ClientHello which would be shorter than that. */ | |||
// Reject lengths that are too short early. We have already read | |||
// |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an | |||
// (invalid) V2ClientHello which would be shorter than that. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH); | |||
return -1; | |||
} | |||
/* Read the remainder of the V2ClientHello. */ | |||
// Read the remainder of the V2ClientHello. | |||
ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length); | |||
if (ret <= 0) { | |||
return ret; | |||
@@ -425,9 +425,9 @@ static int read_v2_client_hello(SSL *ssl) { | |||
CBS v2_client_hello; | |||
CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length); | |||
/* The V2ClientHello without the length is incorporated into the handshake | |||
* hash. This is only ever called at the start of the handshake, so hs is | |||
* guaranteed to be non-NULL. */ | |||
// The V2ClientHello without the length is incorporated into the handshake | |||
// hash. This is only ever called at the start of the handshake, so hs is | |||
// guaranteed to be non-NULL. | |||
if (!ssl->s3->hs->transcript.Update(CBS_data(&v2_client_hello), | |||
CBS_len(&v2_client_hello))) { | |||
return -1; | |||
@@ -452,11 +452,11 @@ static int read_v2_client_hello(SSL *ssl) { | |||
return -1; | |||
} | |||
/* msg_type has already been checked. */ | |||
// msg_type has already been checked. | |||
assert(msg_type == SSL2_MT_CLIENT_HELLO); | |||
/* The client_random is the V2ClientHello challenge. Truncate or | |||
* left-pad with zeros as needed. */ | |||
// The client_random is the V2ClientHello challenge. Truncate or left-pad with | |||
// zeros as needed. | |||
size_t rand_len = CBS_len(&challenge); | |||
if (rand_len > SSL3_RANDOM_SIZE) { | |||
rand_len = SSL3_RANDOM_SIZE; | |||
@@ -466,7 +466,7 @@ static int read_v2_client_hello(SSL *ssl) { | |||
OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge), | |||
rand_len); | |||
/* Write out an equivalent SSLv3 ClientHello. */ | |||
// Write out an equivalent SSLv3 ClientHello. | |||
size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ + | |||
SSL3_RANDOM_SIZE + 1 /* session ID length */ + | |||
2 /* cipher list length */ + | |||
@@ -481,14 +481,14 @@ static int read_v2_client_hello(SSL *ssl) { | |||
!CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) || | |||
!CBB_add_u16(&hello_body, version) || | |||
!CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) || | |||
/* No session id. */ | |||
// No session id. | |||
!CBB_add_u8(&hello_body, 0) || | |||
!CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
return -1; | |||
} | |||
/* Copy the cipher suites. */ | |||
// Copy the cipher suites. | |||
while (CBS_len(&cipher_specs) > 0) { | |||
uint32_t cipher_spec; | |||
if (!CBS_get_u24(&cipher_specs, &cipher_spec)) { | |||
@@ -496,7 +496,7 @@ static int read_v2_client_hello(SSL *ssl) { | |||
return -1; | |||
} | |||
/* Skip SSLv2 ciphers. */ | |||
// Skip SSLv2 ciphers. | |||
if ((cipher_spec & 0xff0000) != 0) { | |||
continue; | |||
} | |||
@@ -506,7 +506,7 @@ static int read_v2_client_hello(SSL *ssl) { | |||
} | |||
} | |||
/* Add the null compression scheme and finish. */ | |||
// Add the null compression scheme and finish. | |||
if (!CBB_add_u8(&hello_body, 1) || | |||
!CBB_add_u8(&hello_body, 0) || | |||
!CBB_finish(client_hello.get(), NULL, &ssl->init_buf->length)) { | |||
@@ -514,7 +514,7 @@ static int read_v2_client_hello(SSL *ssl) { | |||
return -1; | |||
} | |||
/* Consume and discard the V2ClientHello. */ | |||
// Consume and discard the V2ClientHello. | |||
ssl_read_buffer_consume(ssl, 2 + msg_length); | |||
ssl_read_buffer_discard(ssl); | |||
@@ -522,8 +522,8 @@ static int read_v2_client_hello(SSL *ssl) { | |||
return 1; | |||
} | |||
/* TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message| | |||
* when the entire record is copied into |init_buf|. */ | |||
// TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message| | |||
// when the entire record is copied into |init_buf|. | |||
static bool parse_message(SSL *ssl, SSLMessage *out, size_t *out_bytes_needed) { | |||
if (ssl->init_buf == NULL) { | |||
*out_bytes_needed = 4; | |||
@@ -571,14 +571,14 @@ int ssl3_read_message(SSL *ssl) { | |||
return -1; | |||
} | |||
/* Enforce the limit so the peer cannot force us to buffer 16MB. */ | |||
// Enforce the limit so the peer cannot force us to buffer 16MB. | |||
if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE); | |||
return -1; | |||
} | |||
/* Re-create the handshake buffer if needed. */ | |||
// Re-create the handshake buffer if needed. | |||
if (ssl->init_buf == NULL) { | |||
ssl->init_buf = BUF_MEM_new(); | |||
if (ssl->init_buf == NULL) { | |||
@@ -586,7 +586,7 @@ int ssl3_read_message(SSL *ssl) { | |||
} | |||
} | |||
/* Bypass the record layer for the first message to handle V2ClientHello. */ | |||
// Bypass the record layer for the first message to handle V2ClientHello. | |||
if (ssl->server && !ssl->s3->v2_hello_done) { | |||
int ret = read_v2_client_hello(ssl); | |||
if (ret > 0) { | |||
@@ -613,8 +613,8 @@ void ssl3_next_message(SSL *ssl) { | |||
ssl->s3->is_v2_hello = 0; | |||
ssl->s3->has_message = 0; | |||
/* Post-handshake messages are rare, so release the buffer after every | |||
* message. During the handshake, |on_handshake_complete| will release it. */ | |||
// Post-handshake messages are rare, so release the buffer after every | |||
// message. During the handshake, |on_handshake_complete| will release it. | |||
if (!SSL_in_init(ssl) && ssl->init_buf->length == 0) { | |||
BUF_MEM_free(ssl->init_buf); | |||
ssl->init_buf = NULL; | |||
@@ -187,11 +187,11 @@ int ssl3_new(SSL *ssl) { | |||
s3->aead_write_ctx = aead_write_ctx.release(); | |||
ssl->s3 = s3; | |||
/* Set the version to the highest supported version. | |||
* | |||
* TODO(davidben): Move this field into |s3|, have it store the normalized | |||
* protocol version, and implement this pre-negotiation quirk in |SSL_version| | |||
* at the API boundary rather than in internal state. */ | |||
// Set the version to the highest supported version. | |||
// | |||
// TODO(davidben): Move this field into |s3|, have it store the normalized | |||
// protocol version, and implement this pre-negotiation quirk in |SSL_version| | |||
// at the API boundary rather than in internal state. | |||
ssl->version = TLS1_2_VERSION; | |||
return 1; | |||
} | |||
@@ -126,9 +126,9 @@ namespace bssl { | |||
static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len); | |||
/* ssl3_get_record reads a new input record. On success, it places it in | |||
* |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if | |||
* more data is needed. */ | |||
// ssl3_get_record reads a new input record. On success, it places it in | |||
// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if | |||
// more data is needed. | |||
static int ssl3_get_record(SSL *ssl) { | |||
again: | |||
switch (ssl->s3->recv_shutdown) { | |||
@@ -204,13 +204,13 @@ int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, | |||
tot = ssl->s3->wnum; | |||
ssl->s3->wnum = 0; | |||
/* Ensure that if we end up with a smaller value of data to write out than | |||
* the the original len from a write which didn't complete for non-blocking | |||
* I/O and also somehow ended up avoiding the check for this in | |||
* ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to | |||
* end up with (len-tot) as a large number that will then promptly send | |||
* beyond the end of the users buffer ... so we trap and report the error in | |||
* a way the user will notice. */ | |||
// Ensure that if we end up with a smaller value of data to write out than | |||
// the the original len from a write which didn't complete for non-blocking | |||
// I/O and also somehow ended up avoiding the check for this in | |||
// ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to | |||
// end up with (len-tot) as a large number that will then promptly send | |||
// beyond the end of the users buffer ... so we trap and report the error in | |||
// a way the user will notice. | |||
if (len < 0 || (size_t)len < tot) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH); | |||
return -1; | |||
@@ -221,8 +221,7 @@ int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf, | |||
n = len - tot; | |||
for (;;) { | |||
/* max contains the maximum number of bytes that we can put into a | |||
* record. */ | |||
// max contains the maximum number of bytes that we can put into a record. | |||
unsigned max = ssl->max_send_fragment; | |||
if (is_early_data_write && max > ssl->session->ticket_max_early_data - | |||
ssl->s3->hs->early_data_written) { | |||
@@ -278,9 +277,9 @@ static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf, | |||
return ssl->s3->wpend_ret; | |||
} | |||
/* do_ssl3_write writes an SSL record of the given type. */ | |||
// do_ssl3_write writes an SSL record of the given type. | |||
static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) { | |||
/* If there is still data from the previous record, flush it. */ | |||
// If there is still data from the previous record, flush it. | |||
if (ssl->s3->wpend_pending) { | |||
return ssl3_write_pending(ssl, type, buf, len); | |||
} | |||
@@ -313,10 +312,10 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) { | |||
return -1; | |||
} | |||
/* Add any unflushed handshake data as a prefix. This may be a KeyUpdate | |||
* acknowledgment or 0-RTT key change messages. |pending_flight| must be clear | |||
* when data is added to |write_buffer| or it will be written in the wrong | |||
* order. */ | |||
// Add any unflushed handshake data as a prefix. This may be a KeyUpdate | |||
// acknowledgment or 0-RTT key change messages. |pending_flight| must be clear | |||
// when data is added to |write_buffer| or it will be written in the wrong | |||
// order. | |||
if (ssl->s3->pending_flight != NULL) { | |||
OPENSSL_memcpy( | |||
out, ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset, | |||
@@ -332,19 +331,19 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) { | |||
} | |||
ssl_write_buffer_set_len(ssl, flight_len + ciphertext_len); | |||
/* Now that we've made progress on the connection, uncork KeyUpdate | |||
* acknowledgments. */ | |||
// Now that we've made progress on the connection, uncork KeyUpdate | |||
// acknowledgments. | |||
ssl->s3->key_update_pending = 0; | |||
/* memorize arguments so that ssl3_write_pending can detect bad write retries | |||
* later */ | |||
// Memorize arguments so that ssl3_write_pending can detect bad write retries | |||
// later. | |||
ssl->s3->wpend_tot = len; | |||
ssl->s3->wpend_buf = buf; | |||
ssl->s3->wpend_type = type; | |||
ssl->s3->wpend_ret = len; | |||
ssl->s3->wpend_pending = 1; | |||
/* we now just need to write the buffer */ | |||
// We now just need to write the buffer. | |||
return ssl3_write_pending(ssl, type, buf, len); | |||
} | |||
@@ -364,7 +363,7 @@ static int consume_record(SSL *ssl, uint8_t *out, int len, int peek) { | |||
rr->length -= len; | |||
rr->data += len; | |||
if (rr->length == 0) { | |||
/* The record has been consumed, so we may now clear the buffer. */ | |||
// The record has been consumed, so we may now clear the buffer. | |||
ssl_read_buffer_discard(ssl); | |||
} | |||
} | |||
@@ -380,11 +379,11 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, | |||
SSL3_RECORD *rr = &ssl->s3->rrec; | |||
for (;;) { | |||
/* A previous iteration may have read a partial handshake message. Do not | |||
* allow more app data in that case. */ | |||
// A previous iteration may have read a partial handshake message. Do not | |||
// allow more app data in that case. | |||
int has_hs_data = ssl->init_buf != NULL && ssl->init_buf->length > 0; | |||
/* Get new packet if necessary. */ | |||
// Get new packet if necessary. | |||
if (rr->length == 0 && !has_hs_data) { | |||
int ret = ssl3_get_record(ssl); | |||
if (ret <= 0) { | |||
@@ -393,24 +392,24 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, | |||
} | |||
if (has_hs_data || rr->type == SSL3_RT_HANDSHAKE) { | |||
/* If reading 0-RTT data, reject handshake data. 0-RTT data is terminated | |||
* by an alert. */ | |||
// If reading 0-RTT data, reject handshake data. 0-RTT data is terminated | |||
// by an alert. | |||
if (SSL_in_init(ssl)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
return -1; | |||
} | |||
/* Post-handshake data prior to TLS 1.3 is always renegotiation, which we | |||
* never accept as a server. Otherwise |ssl3_get_message| will send | |||
* |SSL_R_EXCESSIVE_MESSAGE_SIZE|. */ | |||
// Post-handshake data prior to TLS 1.3 is always renegotiation, which we | |||
// never accept as a server. Otherwise |ssl3_get_message| will send | |||
// |SSL_R_EXCESSIVE_MESSAGE_SIZE|. | |||
if (ssl->server && ssl3_protocol_version(ssl) < TLS1_3_VERSION) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION); | |||
return -1; | |||
} | |||
/* Parse post-handshake handshake messages. */ | |||
// Parse post-handshake handshake messages. | |||
int ret = ssl3_read_message(ssl); | |||
if (ret <= 0) { | |||
return ret; | |||
@@ -424,16 +423,16 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, | |||
ssl->s3->hs->can_early_read && | |||
ssl3_protocol_version(ssl) >= TLS1_3_VERSION; | |||
/* Handle the end_of_early_data alert. */ | |||
// Handle the end_of_early_data alert. | |||
if (rr->type == SSL3_RT_ALERT && | |||
rr->length == 2 && | |||
rr->data[0] == SSL3_AL_WARNING && | |||
rr->data[1] == TLS1_AD_END_OF_EARLY_DATA && | |||
is_early_data_read) { | |||
/* Consume the record. */ | |||
// Consume the record. | |||
rr->length = 0; | |||
ssl_read_buffer_discard(ssl); | |||
/* Stop accepting early data. */ | |||
// Stop accepting early data. | |||
ssl->s3->hs->can_early_read = 0; | |||
*out_got_handshake = 1; | |||
return -1; | |||
@@ -459,7 +458,7 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len, | |||
return consume_record(ssl, buf, len, peek); | |||
} | |||
/* Discard empty records and loop again. */ | |||
// Discard empty records and loop again. | |||
} | |||
} | |||
@@ -494,7 +493,7 @@ int ssl3_read_change_cipher_spec(SSL *ssl) { | |||
} | |||
void ssl3_read_close_notify(SSL *ssl) { | |||
/* Read records until an error or close_notify. */ | |||
// Read records until an error or close_notify. | |||
while (ssl3_get_record(ssl) > 0) { | |||
; | |||
} | |||
@@ -504,7 +503,7 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { | |||
SSL3_RECORD *rr = &ssl->s3->rrec; | |||
for (;;) { | |||
/* Get new packet if necessary. */ | |||
// Get new packet if necessary. | |||
if (rr->length == 0) { | |||
int ret = ssl3_get_record(ssl); | |||
if (ret <= 0) { | |||
@@ -512,10 +511,10 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { | |||
} | |||
} | |||
/* WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the | |||
* ServerHello and send the remaining encrypted application data records | |||
* as-is. This manifests as an application data record when we expect | |||
* handshake. Report a dedicated error code for this case. */ | |||
// WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the | |||
// ServerHello and send the remaining encrypted application data records | |||
// as-is. This manifests as an application data record when we expect | |||
// handshake. Report a dedicated error code for this case. | |||
if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA && | |||
ssl->s3->aead_read_ctx->is_null_cipher()) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE); | |||
@@ -523,8 +522,8 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { | |||
return -1; | |||
} | |||
/* Accept server_plaintext_handshake records when the content type TLS 1.3 | |||
* variant is enabled. */ | |||
// Accept server_plaintext_handshake records when the content type TLS 1.3 | |||
// variant is enabled. | |||
if (rr->type != SSL3_RT_HANDSHAKE && | |||
!(!ssl->server && | |||
ssl->tls13_variant == tls13_record_type_experiment && | |||
@@ -539,12 +538,12 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) { | |||
return consume_record(ssl, buf, len, 0 /* consume data */); | |||
} | |||
/* Discard empty records and loop again. */ | |||
// Discard empty records and loop again. | |||
} | |||
} | |||
int ssl3_send_alert(SSL *ssl, int level, int desc) { | |||
/* It is illegal to send an alert when we've already sent a closing one. */ | |||
// It is illegal to send an alert when we've already sent a closing one. | |||
if (ssl->s3->send_shutdown != ssl_shutdown_none) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); | |||
return -1; | |||
@@ -561,12 +560,12 @@ int ssl3_send_alert(SSL *ssl, int level, int desc) { | |||
ssl->s3->send_alert[0] = level; | |||
ssl->s3->send_alert[1] = desc; | |||
if (!ssl_write_buffer_is_pending(ssl)) { | |||
/* Nothing is being written out, so the alert may be dispatched | |||
* immediately. */ | |||
// Nothing is being written out, so the alert may be dispatched | |||
// immediately. | |||
return ssl->method->dispatch_alert(ssl); | |||
} | |||
/* The alert will be dispatched later. */ | |||
// The alert will be dispatched later. | |||
return -1; | |||
} | |||
@@ -577,7 +576,7 @@ int ssl3_dispatch_alert(SSL *ssl) { | |||
} | |||
ssl->s3->alert_dispatch = 0; | |||
/* If the alert is fatal, flush the BIO now. */ | |||
// If the alert is fatal, flush the BIO now. | |||
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) { | |||
BIO_flush(ssl->wbio); | |||
} | |||
@@ -62,7 +62,7 @@ UniquePtr<SSLAEADContext> SSLAEADContext::Create( | |||
if (!ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len, | |||
&expected_fixed_iv_len, cipher, version, | |||
is_dtls) || | |||
/* Ensure the caller returned correct key sizes. */ | |||
// Ensure the caller returned correct key sizes. | |||
expected_fixed_iv_len != fixed_iv_len || | |||
expected_mac_key_len != mac_key_len) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -71,8 +71,8 @@ UniquePtr<SSLAEADContext> SSLAEADContext::Create( | |||
uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH]; | |||
if (mac_key_len > 0) { | |||
/* This is a "stateful" AEAD (for compatibility with pre-AEAD cipher | |||
* suites). */ | |||
// This is a "stateful" AEAD (for compatibility with pre-AEAD cipher | |||
// suites). | |||
if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return nullptr; | |||
@@ -109,22 +109,22 @@ UniquePtr<SSLAEADContext> SSLAEADContext::Create( | |||
aead_ctx->fixed_nonce_len_ = fixed_iv_len; | |||
if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) { | |||
/* The fixed nonce into the actual nonce (the sequence number). */ | |||
// The fixed nonce into the actual nonce (the sequence number). | |||
aead_ctx->xor_fixed_nonce_ = true; | |||
aead_ctx->variable_nonce_len_ = 8; | |||
} else { | |||
/* The fixed IV is prepended to the nonce. */ | |||
// The fixed IV is prepended to the nonce. | |||
assert(fixed_iv_len <= aead_ctx->variable_nonce_len_); | |||
aead_ctx->variable_nonce_len_ -= fixed_iv_len; | |||
} | |||
/* AES-GCM uses an explicit nonce. */ | |||
// AES-GCM uses an explicit nonce. | |||
if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) { | |||
aead_ctx->variable_nonce_included_in_record_ = true; | |||
} | |||
/* The TLS 1.3 construction XORs the fixed nonce into the sequence number | |||
* and omits the additional data. */ | |||
// The TLS 1.3 construction XORs the fixed nonce into the sequence number | |||
// and omits the additional data. | |||
if (version >= TLS1_3_VERSION) { | |||
aead_ctx->xor_fixed_nonce_ = true; | |||
aead_ctx->variable_nonce_len_ = 8; | |||
@@ -192,18 +192,18 @@ size_t SSLAEADContext::GetAdditionalData(uint8_t out[13], uint8_t type, | |||
bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, | |||
const uint8_t seqnum[8], uint8_t *in, size_t in_len) { | |||
if (is_null_cipher() || FUZZER_MODE) { | |||
/* Handle the initial NULL cipher. */ | |||
// Handle the initial NULL cipher. | |||
CBS_init(out, in, in_len); | |||
return true; | |||
} | |||
/* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed | |||
* overhead. Otherwise the parameter is unused. */ | |||
// TLS 1.2 AEADs include the length in the AD and are assumed to have fixed | |||
// overhead. Otherwise the parameter is unused. | |||
size_t plaintext_len = 0; | |||
if (!omit_length_in_ad_) { | |||
size_t overhead = MaxOverhead(); | |||
if (in_len < overhead) { | |||
/* Publicly invalid. */ | |||
// Publicly invalid. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH); | |||
return false; | |||
} | |||
@@ -213,11 +213,11 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, | |||
size_t ad_len = | |||
GetAdditionalData(ad, type, wire_version, seqnum, plaintext_len); | |||
/* Assemble the nonce. */ | |||
// Assemble the nonce. | |||
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; | |||
size_t nonce_len = 0; | |||
/* Prepend the fixed nonce, or left-pad with zeros if XORing. */ | |||
// Prepend the fixed nonce, or left-pad with zeros if XORing. | |||
if (xor_fixed_nonce_) { | |||
nonce_len = fixed_nonce_len_ - variable_nonce_len_; | |||
OPENSSL_memset(nonce, 0, nonce_len); | |||
@@ -226,10 +226,10 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, | |||
nonce_len += fixed_nonce_len_; | |||
} | |||
/* Add the variable nonce. */ | |||
// Add the variable nonce. | |||
if (variable_nonce_included_in_record_) { | |||
if (in_len < variable_nonce_len_) { | |||
/* Publicly invalid. */ | |||
// Publicly invalid. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH); | |||
return false; | |||
} | |||
@@ -242,7 +242,7 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, | |||
} | |||
nonce_len += variable_nonce_len_; | |||
/* XOR the fixed nonce, if necessary. */ | |||
// XOR the fixed nonce, if necessary. | |||
if (xor_fixed_nonce_) { | |||
assert(nonce_len == fixed_nonce_len_); | |||
for (size_t i = 0; i < fixed_nonce_len_; i++) { | |||
@@ -250,7 +250,7 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version, | |||
} | |||
} | |||
/* Decrypt in-place. */ | |||
// Decrypt in-place. | |||
size_t len; | |||
if (!EVP_AEAD_CTX_open(ctx_.get(), in, &len, in_len, nonce, nonce_len, in, | |||
in_len, ad, ad_len)) { | |||
@@ -279,7 +279,7 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, | |||
} | |||
if (is_null_cipher() || FUZZER_MODE) { | |||
/* Handle the initial NULL cipher. */ | |||
// Handle the initial NULL cipher. | |||
OPENSSL_memmove(out, in, in_len); | |||
OPENSSL_memmove(out_suffix, extra_in, extra_in_len); | |||
return true; | |||
@@ -288,11 +288,11 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, | |||
uint8_t ad[13]; | |||
size_t ad_len = GetAdditionalData(ad, type, wire_version, seqnum, in_len); | |||
/* Assemble the nonce. */ | |||
// Assemble the nonce. | |||
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH]; | |||
size_t nonce_len = 0; | |||
/* Prepend the fixed nonce, or left-pad with zeros if XORing. */ | |||
// Prepend the fixed nonce, or left-pad with zeros if XORing. | |||
if (xor_fixed_nonce_) { | |||
nonce_len = fixed_nonce_len_ - variable_nonce_len_; | |||
OPENSSL_memset(nonce, 0, nonce_len); | |||
@@ -301,21 +301,21 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, | |||
nonce_len += fixed_nonce_len_; | |||
} | |||
/* Select the variable nonce. */ | |||
// Select the variable nonce. | |||
if (random_variable_nonce_) { | |||
assert(variable_nonce_included_in_record_); | |||
if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) { | |||
return false; | |||
} | |||
} else { | |||
/* When sending we use the sequence number as the variable part of the | |||
* nonce. */ | |||
// When sending we use the sequence number as the variable part of the | |||
// nonce. | |||
assert(variable_nonce_len_ == 8); | |||
OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_); | |||
} | |||
nonce_len += variable_nonce_len_; | |||
/* Emit the variable nonce if included in the record. */ | |||
// Emit the variable nonce if included in the record. | |||
if (variable_nonce_included_in_record_) { | |||
assert(!xor_fixed_nonce_); | |||
if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) { | |||
@@ -326,7 +326,7 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, | |||
variable_nonce_len_); | |||
} | |||
/* XOR the fixed nonce, if necessary. */ | |||
// XOR the fixed nonce, if necessary. | |||
if (xor_fixed_nonce_) { | |||
assert(nonce_len == fixed_nonce_len_); | |||
for (size_t i = 0; i < fixed_nonce_len_; i++) { | |||
@@ -80,9 +80,9 @@ | |||
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR | |||
* OTHERWISE. */ | |||
/* Per C99, various stdint.h macros are unavailable in C++ unless some macros | |||
* are defined. C++11 overruled this decision, but older Android NDKs still | |||
* require it. */ | |||
// Per C99, various stdint.h macros are unavailable in C++ unless some macros | |||
// are defined. C++11 overruled this decision, but older Android NDKs still | |||
// require it. | |||
#if !defined(__STDC_LIMIT_MACROS) | |||
#define __STDC_LIMIT_MACROS | |||
#endif | |||
@@ -106,50 +106,49 @@ | |||
namespace bssl { | |||
/* An SSL_SESSION is serialized as the following ASN.1 structure: | |||
* | |||
* SSLSession ::= SEQUENCE { | |||
* version INTEGER (1), -- session structure version | |||
* sslVersion INTEGER, -- protocol version number | |||
* cipher OCTET STRING, -- two bytes long | |||
* sessionID OCTET STRING, | |||
* masterKey OCTET STRING, | |||
* time [1] INTEGER, -- seconds since UNIX epoch | |||
* timeout [2] INTEGER, -- in seconds | |||
* peer [3] Certificate OPTIONAL, | |||
* sessionIDContext [4] OCTET STRING OPTIONAL, | |||
* verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes | |||
* hostName [6] OCTET STRING OPTIONAL, | |||
* -- from server_name extension | |||
* pskIdentity [8] OCTET STRING OPTIONAL, | |||
* ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only | |||
* ticket [10] OCTET STRING OPTIONAL, -- client-only | |||
* peerSHA256 [13] OCTET STRING OPTIONAL, | |||
* originalHandshakeHash [14] OCTET STRING OPTIONAL, | |||
* signedCertTimestampList [15] OCTET STRING OPTIONAL, | |||
* -- contents of SCT extension | |||
* ocspResponse [16] OCTET STRING OPTIONAL, | |||
* -- stapled OCSP response from the server | |||
* extendedMasterSecret [17] BOOLEAN OPTIONAL, | |||
* groupID [18] INTEGER OPTIONAL, | |||
* certChain [19] SEQUENCE OF Certificate OPTIONAL, | |||
* ticketAgeAdd [21] OCTET STRING OPTIONAL, | |||
* isServer [22] BOOLEAN DEFAULT TRUE, | |||
* peerSignatureAlgorithm [23] INTEGER OPTIONAL, | |||
* ticketMaxEarlyData [24] INTEGER OPTIONAL, | |||
* authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout | |||
* earlyALPN [26] OCTET STRING OPTIONAL, | |||
* } | |||
* | |||
* Note: historically this serialization has included other optional | |||
* fields. Their presence is currently treated as a parse error: | |||
* | |||
* keyArg [0] IMPLICIT OCTET STRING OPTIONAL, | |||
* pskIdentityHint [7] OCTET STRING OPTIONAL, | |||
* compressionMethod [11] OCTET STRING OPTIONAL, | |||
* srpUsername [12] OCTET STRING OPTIONAL, | |||
* ticketFlags [20] INTEGER OPTIONAL, | |||
*/ | |||
// An SSL_SESSION is serialized as the following ASN.1 structure: | |||
// | |||
// SSLSession ::= SEQUENCE { | |||
// version INTEGER (1), -- session structure version | |||
// sslVersion INTEGER, -- protocol version number | |||
// cipher OCTET STRING, -- two bytes long | |||
// sessionID OCTET STRING, | |||
// masterKey OCTET STRING, | |||
// time [1] INTEGER, -- seconds since UNIX epoch | |||
// timeout [2] INTEGER, -- in seconds | |||
// peer [3] Certificate OPTIONAL, | |||
// sessionIDContext [4] OCTET STRING OPTIONAL, | |||
// verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes | |||
// hostName [6] OCTET STRING OPTIONAL, | |||
// -- from server_name extension | |||
// pskIdentity [8] OCTET STRING OPTIONAL, | |||
// ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only | |||
// ticket [10] OCTET STRING OPTIONAL, -- client-only | |||
// peerSHA256 [13] OCTET STRING OPTIONAL, | |||
// originalHandshakeHash [14] OCTET STRING OPTIONAL, | |||
// signedCertTimestampList [15] OCTET STRING OPTIONAL, | |||
// -- contents of SCT extension | |||
// ocspResponse [16] OCTET STRING OPTIONAL, | |||
// -- stapled OCSP response from the server | |||
// extendedMasterSecret [17] BOOLEAN OPTIONAL, | |||
// groupID [18] INTEGER OPTIONAL, | |||
// certChain [19] SEQUENCE OF Certificate OPTIONAL, | |||
// ticketAgeAdd [21] OCTET STRING OPTIONAL, | |||
// isServer [22] BOOLEAN DEFAULT TRUE, | |||
// peerSignatureAlgorithm [23] INTEGER OPTIONAL, | |||
// ticketMaxEarlyData [24] INTEGER OPTIONAL, | |||
// authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout | |||
// earlyALPN [26] OCTET STRING OPTIONAL, | |||
// } | |||
// | |||
// Note: historically this serialization has included other optional | |||
// fields. Their presence is currently treated as a parse error: | |||
// | |||
// keyArg [0] IMPLICIT OCTET STRING OPTIONAL, | |||
// pskIdentityHint [7] OCTET STRING OPTIONAL, | |||
// compressionMethod [11] OCTET STRING OPTIONAL, | |||
// srpUsername [12] OCTET STRING OPTIONAL, | |||
// ticketFlags [20] INTEGER OPTIONAL, | |||
static const unsigned kVersion = 1; | |||
@@ -213,7 +212,7 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, | |||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || | |||
!CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) || | |||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || | |||
/* The session ID is irrelevant for a session ticket. */ | |||
// The session ID is irrelevant for a session ticket. | |||
!CBB_add_bytes(&child, in->session_id, | |||
for_ticket ? 0 : in->session_id_length) || | |||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || | |||
@@ -226,8 +225,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, | |||
return 0; | |||
} | |||
/* The peer certificate is only serialized if the SHA-256 isn't | |||
* serialized instead. */ | |||
// The peer certificate is only serialized if the SHA-256 isn't | |||
// serialized instead. | |||
if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) { | |||
const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0); | |||
if (!CBB_add_asn1(&session, &child, kPeerTag) || | |||
@@ -238,8 +237,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, | |||
} | |||
} | |||
/* Although it is OPTIONAL and usually empty, OpenSSL has | |||
* historically always encoded the sid_ctx. */ | |||
// Although it is OPTIONAL and usually empty, OpenSSL has | |||
// historically always encoded the sid_ctx. | |||
if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) || | |||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) || | |||
!CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) { | |||
@@ -348,8 +347,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, | |||
return 0; | |||
} | |||
/* The certificate chain is only serialized if the leaf's SHA-256 isn't | |||
* serialized instead. */ | |||
// The certificate chain is only serialized if the leaf's SHA-256 isn't | |||
// serialized instead. | |||
if (in->certs != NULL && | |||
!in->peer_sha256_valid && | |||
sk_CRYPTO_BUFFER_num(in->certs) >= 2) { | |||
@@ -423,12 +422,12 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data, | |||
return 1; | |||
} | |||
/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING | |||
* explicitly tagged with |tag| from |cbs| and saves it in |*out|. On | |||
* entry, if |*out| is not NULL, it frees the existing contents. If | |||
* the element was not found, it sets |*out| to NULL. It returns one | |||
* on success, whether or not the element was found, and zero on | |||
* decode error. */ | |||
// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING | |||
// explicitly tagged with |tag| from |cbs| and saves it in |*out|. On | |||
// entry, if |*out| is not NULL, it frees the existing contents. If | |||
// the element was not found, it sets |*out| to NULL. It returns one | |||
// on success, whether or not the element was found, and zero on | |||
// decode error. | |||
static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) { | |||
CBS value; | |||
int present; | |||
@@ -452,12 +451,12 @@ static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) { | |||
return 1; | |||
} | |||
/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING | |||
* explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr| | |||
* and |*out_len|. If |*out_ptr| is not NULL, it frees the existing | |||
* contents. On entry, if the element was not found, it sets | |||
* |*out_ptr| to NULL. It returns one on success, whether or not the | |||
* element was found, and zero on decode error. */ | |||
// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING | |||
// explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr| | |||
// and |*out_len|. If |*out_ptr| is not NULL, it frees the existing | |||
// contents. On entry, if the element was not found, it sets | |||
// |*out_ptr| to NULL. It returns one on success, whether or not the | |||
// element was found, and zero on decode error. | |||
static int SSL_SESSION_parse_octet_string(CBS *cbs, uint8_t **out_ptr, | |||
size_t *out_len, unsigned tag) { | |||
CBS value; | |||
@@ -495,8 +494,8 @@ static int SSL_SESSION_parse_crypto_buffer(CBS *cbs, CRYPTO_BUFFER **out, | |||
return 1; | |||
} | |||
/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING | |||
* explicitly tagged with |tag| of size at most |max_out|. */ | |||
// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING | |||
// explicitly tagged with |tag| of size at most |max_out|. | |||
static int SSL_SESSION_parse_bounded_octet_string( | |||
CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) { | |||
CBS value; | |||
@@ -564,10 +563,10 @@ UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs, | |||
!CBS_get_asn1_uint64(&session, &version) || | |||
version != kVersion || | |||
!CBS_get_asn1_uint64(&session, &ssl_version) || | |||
/* Require sessions have versions valid in either TLS or DTLS. The session | |||
* will not be used by the handshake if not applicable, but, for | |||
* simplicity, never parse a session that does not pass | |||
* |ssl_protocol_version_from_wire|. */ | |||
// Require sessions have versions valid in either TLS or DTLS. The session | |||
// will not be used by the handshake if not applicable, but, for | |||
// simplicity, never parse a session that does not pass | |||
// |ssl_protocol_version_from_wire|. | |||
ssl_version > UINT16_MAX || | |||
!ssl_protocol_version_from_wire(&unused, ssl_version)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); | |||
@@ -622,7 +621,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs, | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); | |||
return nullptr; | |||
} | |||
/* |peer| is processed with the certificate chain. */ | |||
// |peer| is processed with the certificate chain. | |||
if (!SSL_SESSION_parse_bounded_octet_string( | |||
&session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx), | |||
@@ -779,10 +778,10 @@ using namespace bssl; | |||
int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data, | |||
size_t *out_len) { | |||
if (in->not_resumable) { | |||
/* If the caller has an unresumable session, e.g. if |SSL_get_session| were | |||
* called on a TLS 1.3 or False Started connection, serialize with a | |||
* placeholder value so it is not accidentally deserialized into a resumable | |||
* one. */ | |||
// If the caller has an unresumable session, e.g. if |SSL_get_session| were | |||
// called on a TLS 1.3 or False Started connection, serialize with a | |||
// placeholder value so it is not accidentally deserialized into a resumable | |||
// one. | |||
static const char kNotResumableSession[] = "NOT RESUMABLE"; | |||
*out_len = strlen(kNotResumableSession); | |||
@@ -29,16 +29,16 @@ | |||
namespace bssl { | |||
/* BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will | |||
* not overflow. */ | |||
// BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will | |||
// not overflow. | |||
static_assert(0xffff <= INT_MAX, "uint16_t does not fit in int"); | |||
static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0, | |||
"SSL3_ALIGN_PAYLOAD must be a power of 2"); | |||
/* ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that | |||
* data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte | |||
* boundary. It returns one on success and zero on error. */ | |||
// ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that | |||
// data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte | |||
// boundary. It returns one on success and zero on error. | |||
static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) { | |||
if (cap > 0xffff) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -49,14 +49,14 @@ static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) { | |||
return 1; | |||
} | |||
/* Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment. */ | |||
// Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment. | |||
uint8_t *new_buf = (uint8_t *)OPENSSL_malloc(cap + SSL3_ALIGN_PAYLOAD - 1); | |||
if (new_buf == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
return 0; | |||
} | |||
/* Offset the buffer such that the record body is aligned. */ | |||
// Offset the buffer such that the record body is aligned. | |||
size_t new_offset = | |||
(0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1); | |||
@@ -97,19 +97,19 @@ static int dtls_read_buffer_next_packet(SSL *ssl) { | |||
SSL3_BUFFER *buf = &ssl->s3->read_buffer; | |||
if (buf->len > 0) { | |||
/* It is an error to call |dtls_read_buffer_extend| when the read buffer is | |||
* not empty. */ | |||
// It is an error to call |dtls_read_buffer_extend| when the read buffer is | |||
// not empty. | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return -1; | |||
} | |||
/* Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int. */ | |||
// Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int. | |||
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset, (int)buf->cap); | |||
if (ret <= 0) { | |||
ssl->rwstate = SSL_READING; | |||
return ret; | |||
} | |||
/* |BIO_read| was bound by |buf->cap|, so this cannot overflow. */ | |||
// |BIO_read| was bound by |buf->cap|, so this cannot overflow. | |||
buf->len = (uint16_t)ret; | |||
return 1; | |||
} | |||
@@ -122,18 +122,18 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) { | |||
return -1; | |||
} | |||
/* Read until the target length is reached. */ | |||
// Read until the target length is reached. | |||
while (buf->len < len) { | |||
/* The amount of data to read is bounded by |buf->cap|, which must fit in an | |||
* int. */ | |||
// The amount of data to read is bounded by |buf->cap|, which must fit in an | |||
// int. | |||
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset + buf->len, | |||
(int)(len - buf->len)); | |||
if (ret <= 0) { | |||
ssl->rwstate = SSL_READING; | |||
return ret; | |||
} | |||
/* |BIO_read| was bound by |buf->cap - buf->len|, so this cannot | |||
* overflow. */ | |||
// |BIO_read| was bound by |buf->cap - buf->len|, so this cannot | |||
// overflow. | |||
buf->len += (uint16_t)ret; | |||
} | |||
@@ -141,7 +141,7 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) { | |||
} | |||
int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { | |||
/* |ssl_read_buffer_extend_to| implicitly discards any consumed data. */ | |||
// |ssl_read_buffer_extend_to| implicitly discards any consumed data. | |||
ssl_read_buffer_discard(ssl); | |||
if (SSL_is_dtls(ssl)) { | |||
@@ -149,7 +149,7 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { | |||
DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff, | |||
"DTLS read buffer is too large"); | |||
/* The |len| parameter is ignored in DTLS. */ | |||
// The |len| parameter is ignored in DTLS. | |||
len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; | |||
} | |||
@@ -164,15 +164,15 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { | |||
int ret; | |||
if (SSL_is_dtls(ssl)) { | |||
/* |len| is ignored for a datagram transport. */ | |||
// |len| is ignored for a datagram transport. | |||
ret = dtls_read_buffer_next_packet(ssl); | |||
} else { | |||
ret = tls_read_buffer_extend_to(ssl, len); | |||
} | |||
if (ret <= 0) { | |||
/* If the buffer was empty originally and remained empty after attempting to | |||
* extend it, release the buffer until the next attempt. */ | |||
// If the buffer was empty originally and remained empty after attempting to | |||
// extend it, release the buffer until the next attempt. | |||
ssl_read_buffer_discard(ssl); | |||
} | |||
return ret; | |||
@@ -183,11 +183,11 @@ void ssl_read_buffer_consume(SSL *ssl, size_t len) { | |||
consume_buffer(buf, len); | |||
/* The TLS stack never reads beyond the current record, so there will never be | |||
* unconsumed data. If read-ahead is ever reimplemented, | |||
* |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back | |||
* to the front of the buffer, to ensure there is enough space for the next | |||
* record. */ | |||
// The TLS stack never reads beyond the current record, so there will never be | |||
// unconsumed data. If read-ahead is ever reimplemented, | |||
// |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back | |||
// to the front of the buffer, to ensure there is enough space for the next | |||
// record. | |||
assert(SSL_is_dtls(ssl) || len == 0 || buf->len == 0); | |||
} | |||
@@ -265,9 +265,9 @@ static int dtls_write_buffer_flush(SSL *ssl) { | |||
int ret = BIO_write(ssl->wbio, buf->buf + buf->offset, buf->len); | |||
if (ret <= 0) { | |||
ssl->rwstate = SSL_WRITING; | |||
/* If the write failed, drop the write buffer anyway. Datagram transports | |||
* can't write half a packet, so the caller is expected to retry from the | |||
* top. */ | |||
// If the write failed, drop the write buffer anyway. Datagram transports | |||
// can't write half a packet, so the caller is expected to retry from the | |||
// top. | |||
ssl_write_buffer_clear(ssl); | |||
return ret; | |||
} | |||
@@ -207,7 +207,7 @@ err: | |||
return NULL; | |||
} | |||
/* Free up and clear all certificates and chains */ | |||
// Free up and clear all certificates and chains | |||
void ssl_cert_clear_certs(CERT *cert) { | |||
if (cert == NULL) { | |||
return; | |||
@@ -248,12 +248,12 @@ enum leaf_cert_and_privkey_result_t { | |||
leaf_cert_and_privkey_mismatch, | |||
}; | |||
/* check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer| | |||
* and the private key in |privkey| are suitable and coherent. It returns | |||
* |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is | |||
* found. If the certificate and private key are valid, but incoherent, it | |||
* returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns | |||
* |leaf_cert_and_privkey_ok|. */ | |||
// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer| | |||
// and the private key in |privkey| are suitable and coherent. It returns | |||
// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is | |||
// found. If the certificate and private key are valid, but incoherent, it | |||
// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns | |||
// |leaf_cert_and_privkey_ok|. | |||
static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( | |||
CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) { | |||
CBS cert_cbs; | |||
@@ -269,8 +269,8 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( | |||
return leaf_cert_and_privkey_error; | |||
} | |||
/* An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA | |||
* certificates, so sanity-check the key usage extension. */ | |||
// An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA | |||
// certificates, so sanity-check the key usage extension. | |||
if (pubkey->type == EVP_PKEY_EC && | |||
!ssl_cert_check_digital_signature_key_usage(&cert_cbs)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); | |||
@@ -278,7 +278,7 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( | |||
} | |||
if (privkey != NULL && | |||
/* Sanity-check that the private key and the certificate match. */ | |||
// Sanity-check that the private key and the certificate match. | |||
!ssl_compare_public_and_private_key(pubkey.get(), privkey)) { | |||
ERR_clear_error(); | |||
return leaf_cert_and_privkey_mismatch; | |||
@@ -342,9 +342,9 @@ int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) { | |||
case leaf_cert_and_privkey_error: | |||
return 0; | |||
case leaf_cert_and_privkey_mismatch: | |||
/* don't fail for a cert/key mismatch, just free current private key | |||
* (when switching to a different cert & key, first this function should | |||
* be used, then |ssl_set_pkey|. */ | |||
// don't fail for a cert/key mismatch, just free current private key | |||
// (when switching to a different cert & key, first this function should | |||
// be used, then |ssl_set_pkey|. | |||
EVP_PKEY_free(cert->privatekey); | |||
cert->privatekey = NULL; | |||
break; | |||
@@ -423,7 +423,7 @@ bool ssl_parse_cert_chain(uint8_t *out_alert, | |||
return false; | |||
} | |||
/* Retain the hash of the leaf certificate if requested. */ | |||
// Retain the hash of the leaf certificate if requested. | |||
if (out_leaf_sha256 != NULL) { | |||
SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256); | |||
} | |||
@@ -471,9 +471,9 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) { | |||
return CBB_flush(cbb); | |||
} | |||
/* ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and | |||
* positions |*out_tbs_cert| to cover the TBSCertificate, starting at the | |||
* subjectPublicKeyInfo. */ | |||
// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and | |||
// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the | |||
// subjectPublicKeyInfo. | |||
static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) { | |||
/* From RFC 5280, section 4.1 | |||
* Certificate ::= SEQUENCE { | |||
@@ -496,19 +496,19 @@ static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) { | |||
if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) || | |||
CBS_len(&buf) != 0 || | |||
!CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) || | |||
/* version */ | |||
// version | |||
!CBS_get_optional_asn1( | |||
out_tbs_cert, NULL, NULL, | |||
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) || | |||
/* serialNumber */ | |||
// serialNumber | |||
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) || | |||
/* signature algorithm */ | |||
// signature algorithm | |||
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) || | |||
/* issuer */ | |||
// issuer | |||
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) || | |||
/* validity */ | |||
// validity | |||
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) || | |||
/* subject */ | |||
// subject | |||
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) { | |||
return 0; | |||
} | |||
@@ -529,8 +529,8 @@ UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) { | |||
int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey, | |||
const EVP_PKEY *privkey) { | |||
if (EVP_PKEY_is_opaque(privkey)) { | |||
/* We cannot check an opaque private key and have to trust that it | |||
* matches. */ | |||
// We cannot check an opaque private key and have to trust that it | |||
// matches. | |||
return 1; | |||
} | |||
@@ -586,13 +586,13 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) { | |||
CBS tbs_cert, outer_extensions; | |||
int has_extensions; | |||
if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) || | |||
/* subjectPublicKeyInfo */ | |||
// subjectPublicKeyInfo | |||
!CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) || | |||
/* issuerUniqueID */ | |||
// issuerUniqueID | |||
!CBS_get_optional_asn1( | |||
&tbs_cert, NULL, NULL, | |||
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) || | |||
/* subjectUniqueID */ | |||
// subjectUniqueID | |||
!CBS_get_optional_asn1( | |||
&tbs_cert, NULL, NULL, | |||
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) || | |||
@@ -635,8 +635,8 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) { | |||
goto parse_err; | |||
} | |||
/* This is the KeyUsage extension. See | |||
* https://tools.ietf.org/html/rfc5280#section-4.2.1.3 */ | |||
// This is the KeyUsage extension. See | |||
// https://tools.ietf.org/html/rfc5280#section-4.2.1.3 | |||
if (!CBS_is_valid_asn1_bitstring(&bit_string)) { | |||
goto parse_err; | |||
} | |||
@@ -649,7 +649,7 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) { | |||
return 1; | |||
} | |||
/* No KeyUsage extension found. */ | |||
// No KeyUsage extension found. | |||
return 1; | |||
parse_err: | |||
@@ -733,18 +733,18 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, | |||
SSL *const ssl = hs->ssl; | |||
assert(ssl3_protocol_version(ssl) < TLS1_3_VERSION); | |||
/* Check the certificate's type matches the cipher. */ | |||
// Check the certificate's type matches the cipher. | |||
if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE); | |||
return 0; | |||
} | |||
/* Check key usages for all key types but RSA. This is needed to distinguish | |||
* ECDH certificates, which we do not support, from ECDSA certificates. In | |||
* principle, we should check RSA key usages based on cipher, but this breaks | |||
* buggy antivirus deployments. Other key types are always used for signing. | |||
* | |||
* TODO(davidben): Get more recent data on RSA key usages. */ | |||
// Check key usages for all key types but RSA. This is needed to distinguish | |||
// ECDH certificates, which we do not support, from ECDSA certificates. In | |||
// principle, we should check RSA key usages based on cipher, but this breaks | |||
// buggy antivirus deployments. Other key types are always used for signing. | |||
// | |||
// TODO(davidben): Get more recent data on RSA key usages. | |||
if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) { | |||
CBS leaf_cbs; | |||
CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf)); | |||
@@ -754,7 +754,7 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, | |||
} | |||
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { | |||
/* Check the key's group and point format are acceptable. */ | |||
// Check the key's group and point format are acceptable. | |||
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); | |||
uint16_t group_id; | |||
if (!ssl_nid_to_group_id( | |||
@@ -772,7 +772,7 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, | |||
int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
if (!ssl_has_certificate(ssl)) { | |||
/* Nothing to do. */ | |||
// Nothing to do. | |||
return 1; | |||
} | |||
@@ -156,10 +156,10 @@ | |||
namespace bssl { | |||
/* kCiphers is an array of all supported ciphers, sorted by id. */ | |||
// kCiphers is an array of all supported ciphers, sorted by id. | |||
static const SSL_CIPHER kCiphers[] = { | |||
/* The RSA ciphers */ | |||
/* Cipher 02 */ | |||
// The RSA ciphers | |||
// Cipher 02 | |||
{ | |||
SSL3_TXT_RSA_NULL_SHA, | |||
"TLS_RSA_WITH_NULL_SHA", | |||
@@ -171,7 +171,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* Cipher 0A */ | |||
// Cipher 0A | |||
{ | |||
SSL3_TXT_RSA_DES_192_CBC3_SHA, | |||
"TLS_RSA_WITH_3DES_EDE_CBC_SHA", | |||
@@ -184,9 +184,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
}, | |||
/* New AES ciphersuites */ | |||
// New AES ciphersuites | |||
/* Cipher 2F */ | |||
// Cipher 2F | |||
{ | |||
TLS1_TXT_RSA_WITH_AES_128_SHA, | |||
"TLS_RSA_WITH_AES_128_CBC_SHA", | |||
@@ -198,7 +198,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* Cipher 35 */ | |||
// Cipher 35 | |||
{ | |||
TLS1_TXT_RSA_WITH_AES_256_SHA, | |||
"TLS_RSA_WITH_AES_256_CBC_SHA", | |||
@@ -211,9 +211,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
}, | |||
/* TLS v1.2 ciphersuites */ | |||
// TLS v1.2 ciphersuites | |||
/* Cipher 3C */ | |||
// Cipher 3C | |||
{ | |||
TLS1_TXT_RSA_WITH_AES_128_SHA256, | |||
"TLS_RSA_WITH_AES_128_CBC_SHA256", | |||
@@ -225,7 +225,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher 3D */ | |||
// Cipher 3D | |||
{ | |||
TLS1_TXT_RSA_WITH_AES_256_SHA256, | |||
"TLS_RSA_WITH_AES_256_CBC_SHA256", | |||
@@ -237,9 +237,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* PSK cipher suites. */ | |||
// PSK cipher suites. | |||
/* Cipher 8C */ | |||
// Cipher 8C | |||
{ | |||
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA, | |||
"TLS_PSK_WITH_AES_128_CBC_SHA", | |||
@@ -251,7 +251,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* Cipher 8D */ | |||
// Cipher 8D | |||
{ | |||
TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, | |||
"TLS_PSK_WITH_AES_256_CBC_SHA", | |||
@@ -263,9 +263,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* GCM ciphersuites from RFC5288 */ | |||
// GCM ciphersuites from RFC5288 | |||
/* Cipher 9C */ | |||
// Cipher 9C | |||
{ | |||
TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256, | |||
"TLS_RSA_WITH_AES_128_GCM_SHA256", | |||
@@ -277,7 +277,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher 9D */ | |||
// Cipher 9D | |||
{ | |||
TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384, | |||
"TLS_RSA_WITH_AES_256_GCM_SHA384", | |||
@@ -289,9 +289,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA384, | |||
}, | |||
/* TLS 1.3 suites. */ | |||
// TLS 1.3 suites. | |||
/* Cipher 1301 */ | |||
// Cipher 1301 | |||
{ | |||
TLS1_TXT_AES_128_GCM_SHA256, | |||
"TLS_AES_128_GCM_SHA256", | |||
@@ -303,7 +303,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher 1302 */ | |||
// Cipher 1302 | |||
{ | |||
TLS1_TXT_AES_256_GCM_SHA384, | |||
"TLS_AES_256_GCM_SHA384", | |||
@@ -315,7 +315,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA384, | |||
}, | |||
/* Cipher 1303 */ | |||
// Cipher 1303 | |||
{ | |||
TLS1_TXT_CHACHA20_POLY1305_SHA256, | |||
"TLS_CHACHA20_POLY1305_SHA256", | |||
@@ -327,7 +327,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher C009 */ | |||
// Cipher C009 | |||
{ | |||
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, | |||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", | |||
@@ -339,7 +339,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* Cipher C00A */ | |||
// Cipher C00A | |||
{ | |||
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, | |||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", | |||
@@ -351,7 +351,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* Cipher C013 */ | |||
// Cipher C013 | |||
{ | |||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA, | |||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", | |||
@@ -363,7 +363,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* Cipher C014 */ | |||
// Cipher C014 | |||
{ | |||
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA, | |||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", | |||
@@ -376,9 +376,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
}, | |||
/* HMAC based TLS v1.2 ciphersuites from RFC5289 */ | |||
// HMAC based TLS v1.2 ciphersuites from RFC5289 | |||
/* Cipher C023 */ | |||
// Cipher C023 | |||
{ | |||
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256, | |||
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", | |||
@@ -390,7 +390,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher C024 */ | |||
// Cipher C024 | |||
{ | |||
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384, | |||
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", | |||
@@ -402,7 +402,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA384, | |||
}, | |||
/* Cipher C027 */ | |||
// Cipher C027 | |||
{ | |||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, | |||
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", | |||
@@ -414,7 +414,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher C028 */ | |||
// Cipher C028 | |||
{ | |||
TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, | |||
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", | |||
@@ -427,9 +427,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
}, | |||
/* GCM based TLS v1.2 ciphersuites from RFC5289 */ | |||
// GCM based TLS v1.2 ciphersuites from RFC5289 | |||
/* Cipher C02B */ | |||
// Cipher C02B | |||
{ | |||
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, | |||
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", | |||
@@ -441,7 +441,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher C02C */ | |||
// Cipher C02C | |||
{ | |||
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, | |||
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", | |||
@@ -453,7 +453,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA384, | |||
}, | |||
/* Cipher C02F */ | |||
// Cipher C02F | |||
{ | |||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256, | |||
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", | |||
@@ -465,7 +465,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher C030 */ | |||
// Cipher C030 | |||
{ | |||
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384, | |||
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", | |||
@@ -477,9 +477,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA384, | |||
}, | |||
/* ECDHE-PSK cipher suites. */ | |||
// ECDHE-PSK cipher suites. | |||
/* Cipher C035 */ | |||
// Cipher C035 | |||
{ | |||
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA, | |||
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA", | |||
@@ -491,7 +491,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* Cipher C036 */ | |||
// Cipher C036 | |||
{ | |||
TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA, | |||
"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA", | |||
@@ -503,9 +503,9 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_DEFAULT, | |||
}, | |||
/* ChaCha20-Poly1305 cipher suites. */ | |||
// ChaCha20-Poly1305 cipher suites. | |||
/* Cipher CCA8 */ | |||
// Cipher CCA8 | |||
{ | |||
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, | |||
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", | |||
@@ -517,7 +517,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher CCA9 */ | |||
// Cipher CCA9 | |||
{ | |||
TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, | |||
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", | |||
@@ -529,7 +529,7 @@ static const SSL_CIPHER kCiphers[] = { | |||
SSL_HANDSHAKE_MAC_SHA256, | |||
}, | |||
/* Cipher CCAB */ | |||
// Cipher CCAB | |||
{ | |||
TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256, | |||
"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256", | |||
@@ -559,32 +559,32 @@ typedef struct cipher_order_st { | |||
} CIPHER_ORDER; | |||
typedef struct cipher_alias_st { | |||
/* name is the name of the cipher alias. */ | |||
// name is the name of the cipher alias. | |||
const char *name; | |||
/* The following fields are bitmasks for the corresponding fields on | |||
* |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the | |||
* bit corresponding to the cipher's value is set to 1. If any bitmask is | |||
* all zeroes, the alias matches nothing. Use |~0u| for the default value. */ | |||
// The following fields are bitmasks for the corresponding fields on | |||
// |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the | |||
// bit corresponding to the cipher's value is set to 1. If any bitmask is | |||
// all zeroes, the alias matches nothing. Use |~0u| for the default value. | |||
uint32_t algorithm_mkey; | |||
uint32_t algorithm_auth; | |||
uint32_t algorithm_enc; | |||
uint32_t algorithm_mac; | |||
/* min_version, if non-zero, matches all ciphers which were added in that | |||
* particular protocol version. */ | |||
// min_version, if non-zero, matches all ciphers which were added in that | |||
// particular protocol version. | |||
uint16_t min_version; | |||
} CIPHER_ALIAS; | |||
static const CIPHER_ALIAS kCipherAliases[] = { | |||
/* "ALL" doesn't include eNULL. It must be explicitly enabled. */ | |||
// "ALL" doesn't include eNULL. It must be explicitly enabled. | |||
{"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, | |||
/* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */ | |||
// The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. | |||
/* key exchange aliases | |||
* (some of those using only a single bit here combine | |||
* multiple key exchange algs according to the RFCs. */ | |||
// key exchange aliases | |||
// (some of those using only a single bit here combine | |||
// multiple key exchange algs according to the RFCs. | |||
{"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0}, | |||
{"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, | |||
@@ -593,19 +593,19 @@ static const CIPHER_ALIAS kCipherAliases[] = { | |||
{"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0}, | |||
/* server authentication aliases */ | |||
// server authentication aliases | |||
{"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, | |||
{"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, | |||
{"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, | |||
{"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, | |||
/* aliases combining key exchange and server authentication */ | |||
// aliases combining key exchange and server authentication | |||
{"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, | |||
{"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, | |||
{"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0}, | |||
{"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0}, | |||
/* symmetric encryption aliases */ | |||
// symmetric encryption aliases | |||
{"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0}, | |||
{"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0}, | |||
{"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0}, | |||
@@ -613,19 +613,19 @@ static const CIPHER_ALIAS kCipherAliases[] = { | |||
{"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0}, | |||
{"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0}, | |||
/* MAC aliases */ | |||
// MAC aliases | |||
{"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, | |||
{"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0}, | |||
{"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, | |||
{"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, | |||
/* Legacy protocol minimum version aliases. "TLSv1" is intentionally the | |||
* same as "SSLv3". */ | |||
// Legacy protocol minimum version aliases. "TLSv1" is intentionally the | |||
// same as "SSLv3". | |||
{"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, | |||
{"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION}, | |||
{"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION}, | |||
/* Legacy strength classes. */ | |||
// Legacy strength classes. | |||
{"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, | |||
{"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0}, | |||
}; | |||
@@ -671,8 +671,8 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, | |||
return 0; | |||
} | |||
/* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code | |||
* above computes the TLS 1.2 construction. */ | |||
// In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code | |||
// above computes the TLS 1.2 construction. | |||
if (version >= TLS1_3_VERSION) { | |||
*out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead); | |||
} | |||
@@ -764,10 +764,10 @@ static bool is_cipher_list_separator(char c, int is_strict) { | |||
return !is_strict && (c == ' ' || c == ';' || c == ','); | |||
} | |||
/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the | |||
* |buf_len| bytes at |buf|. */ | |||
// rule_equals returns one iff the NUL-terminated string |rule| is equal to the | |||
// |buf_len| bytes at |buf|. | |||
static int rule_equals(const char *rule, const char *buf, size_t buf_len) { | |||
/* |strncmp| alone only checks that |buf| is a prefix of |rule|. */ | |||
// |strncmp| alone only checks that |buf| is a prefix of |rule|. | |||
return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0'; | |||
} | |||
@@ -815,13 +815,13 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, | |||
CIPHER_ORDER *co_list, | |||
CIPHER_ORDER **head_p, | |||
CIPHER_ORDER **tail_p) { | |||
/* The set of ciphers is static, but some subset may be unsupported by | |||
* |ssl_method|, so the list may be smaller. */ | |||
// The set of ciphers is static, but some subset may be unsupported by | |||
// |ssl_method|, so the list may be smaller. | |||
size_t co_list_num = 0; | |||
for (size_t i = 0; i < kCiphersLen; i++) { | |||
const SSL_CIPHER *cipher = &kCiphers[i]; | |||
if (ssl_method->supports_cipher(cipher) && | |||
/* TLS 1.3 ciphers do not participate in this mechanism. */ | |||
// TLS 1.3 ciphers do not participate in this mechanism. | |||
cipher->algorithm_mkey != SSL_kGENERIC) { | |||
co_list[co_list_num].cipher = cipher; | |||
co_list[co_list_num].next = NULL; | |||
@@ -832,7 +832,7 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, | |||
} | |||
} | |||
/* Prepare linked list from list entries. */ | |||
// Prepare linked list from list entries. | |||
if (co_list_num > 0) { | |||
co_list[0].prev = NULL; | |||
@@ -854,15 +854,15 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method, | |||
} | |||
} | |||
/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its | |||
* parameters in the linked list from |*head_p| to |*tail_p|. It writes the new | |||
* head and tail of the list to |*head_p| and |*tail_p|, respectively. | |||
* | |||
* - If |cipher_id| is non-zero, only that cipher is selected. | |||
* - Otherwise, if |strength_bits| is non-negative, it selects ciphers | |||
* of that strength. | |||
* - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and | |||
* |min_version|. */ | |||
// ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its | |||
// parameters in the linked list from |*head_p| to |*tail_p|. It writes the new | |||
// head and tail of the list to |*head_p| and |*tail_p|, respectively. | |||
// | |||
// - If |cipher_id| is non-zero, only that cipher is selected. | |||
// - Otherwise, if |strength_bits| is non-negative, it selects ciphers | |||
// of that strength. | |||
// - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and | |||
// |min_version|. | |||
static void ssl_cipher_apply_rule( | |||
uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth, | |||
uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule, | |||
@@ -874,12 +874,12 @@ static void ssl_cipher_apply_rule( | |||
if (cipher_id == 0 && strength_bits == -1 && min_version == 0 && | |||
(alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) { | |||
/* The rule matches nothing, so bail early. */ | |||
// The rule matches nothing, so bail early. | |||
return; | |||
} | |||
if (rule == CIPHER_DEL) { | |||
/* needed to maintain sorting between currently deleted ciphers */ | |||
// needed to maintain sorting between currently deleted ciphers | |||
reverse = 1; | |||
} | |||
@@ -908,8 +908,8 @@ static void ssl_cipher_apply_rule( | |||
next = reverse ? curr->prev : curr->next; | |||
cp = curr->cipher; | |||
/* Selection criteria is either a specific cipher, the value of | |||
* |strength_bits|, or the algorithms used. */ | |||
// Selection criteria is either a specific cipher, the value of | |||
// |strength_bits|, or the algorithms used. | |||
if (cipher_id != 0) { | |||
if (cipher_id != cp->id) { | |||
continue; | |||
@@ -928,9 +928,9 @@ static void ssl_cipher_apply_rule( | |||
} | |||
} | |||
/* add the cipher if it has not been added yet. */ | |||
// add the cipher if it has not been added yet. | |||
if (rule == CIPHER_ADD) { | |||
/* reverse == 0 */ | |||
// reverse == 0 | |||
if (!curr->active) { | |||
ll_append_tail(&head, curr, &tail); | |||
curr->active = 1; | |||
@@ -938,25 +938,25 @@ static void ssl_cipher_apply_rule( | |||
} | |||
} | |||
/* Move the added cipher to this location */ | |||
// Move the added cipher to this location | |||
else if (rule == CIPHER_ORD) { | |||
/* reverse == 0 */ | |||
// reverse == 0 | |||
if (curr->active) { | |||
ll_append_tail(&head, curr, &tail); | |||
curr->in_group = 0; | |||
} | |||
} else if (rule == CIPHER_DEL) { | |||
/* reverse == 1 */ | |||
// reverse == 1 | |||
if (curr->active) { | |||
/* most recently deleted ciphersuites get best positions | |||
* for any future CIPHER_ADD (note that the CIPHER_DEL loop | |||
* works in reverse to maintain the order) */ | |||
// most recently deleted ciphersuites get best positions | |||
// for any future CIPHER_ADD (note that the CIPHER_DEL loop | |||
// works in reverse to maintain the order) | |||
ll_append_head(&head, curr, &tail); | |||
curr->active = 0; | |||
curr->in_group = 0; | |||
} | |||
} else if (rule == CIPHER_KILL) { | |||
/* reverse == 0 */ | |||
// reverse == 0 | |||
if (head == curr) { | |||
head = curr->next; | |||
} else { | |||
@@ -987,9 +987,9 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | |||
int max_strength_bits, i, *number_uses; | |||
CIPHER_ORDER *curr; | |||
/* This routine sorts the ciphers with descending strength. The sorting must | |||
* keep the pre-sorted sequence, so we apply the normal sorting routine as | |||
* '+' movement to the end of the list. */ | |||
// This routine sorts the ciphers with descending strength. The sorting must | |||
// keep the pre-sorted sequence, so we apply the normal sorting routine as | |||
// '+' movement to the end of the list. | |||
max_strength_bits = 0; | |||
curr = *head_p; | |||
while (curr != NULL) { | |||
@@ -1007,7 +1007,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | |||
} | |||
OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int)); | |||
/* Now find the strength_bits values actually used. */ | |||
// Now find the strength_bits values actually used. | |||
curr = *head_p; | |||
while (curr != NULL) { | |||
if (curr->active) { | |||
@@ -1016,7 +1016,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, | |||
curr = curr->next; | |||
} | |||
/* Go through the list of used strength_bits values in descending order. */ | |||
// Go through the list of used strength_bits values in descending order. | |||
for (i = max_strength_bits; i >= 0; i--) { | |||
if (number_uses[i] > 0) { | |||
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p); | |||
@@ -1044,7 +1044,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
ch = *l; | |||
if (ch == '\0') { | |||
break; /* done */ | |||
break; // done | |||
} | |||
if (in_group) { | |||
@@ -1090,8 +1090,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
rule = CIPHER_ADD; | |||
} | |||
/* If preference groups are enabled, the only legal operator is +. | |||
* Otherwise the in_group bits will get mixed up. */ | |||
// If preference groups are enabled, the only legal operator is +. | |||
// Otherwise the in_group bits will get mixed up. | |||
if (has_group && rule != CIPHER_ADD) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS); | |||
return 0; | |||
@@ -1122,8 +1122,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
} | |||
if (buf_len == 0) { | |||
/* We hit something we cannot deal with, it is no command or separator | |||
* nor alphanumeric, so we call this an error. */ | |||
// We hit something we cannot deal with, it is no command or separator | |||
// nor alphanumeric, so we call this an error. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); | |||
return 0; | |||
} | |||
@@ -1132,8 +1132,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
break; | |||
} | |||
/* Look for a matching exact cipher. These aren't allowed in multipart | |||
* rules. */ | |||
// Look for a matching exact cipher. These aren't allowed in multipart | |||
// rules. | |||
if (!multi && ch != '+') { | |||
for (j = 0; j < kCiphersLen; j++) { | |||
const SSL_CIPHER *cipher = &kCiphers[j]; | |||
@@ -1145,7 +1145,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
} | |||
} | |||
if (cipher_id == 0) { | |||
/* If not an exact cipher, look for a matching cipher alias. */ | |||
// If not an exact cipher, look for a matching cipher alias. | |||
for (j = 0; j < kCipherAliasesLen; j++) { | |||
if (rule_equals(kCipherAliases[j].name, buf, buf_len)) { | |||
alg_mkey &= kCipherAliases[j].algorithm_mkey; | |||
@@ -1171,7 +1171,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
} | |||
} | |||
/* Check for a multipart rule. */ | |||
// Check for a multipart rule. | |||
if (ch != '+') { | |||
break; | |||
} | |||
@@ -1179,7 +1179,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
multi = 1; | |||
} | |||
/* Ok, we have the rule, now apply it. */ | |||
// Ok, we have the rule, now apply it. | |||
if (rule == CIPHER_SPECIAL) { | |||
if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND); | |||
@@ -1189,8 +1189,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method, | |||
return 0; | |||
} | |||
/* We do not support any "multi" options together with "@", so throw away | |||
* the rest of the command, if any left, until end or ':' is found. */ | |||
// We do not support any "multi" options together with "@", so throw away | |||
// the rest of the command, if any left, until end or ':' is found. | |||
while (*l != '\0' && !is_cipher_list_separator(*l, strict)) { | |||
l++; | |||
} | |||
@@ -1218,14 +1218,14 @@ int ssl_create_cipher_list( | |||
unsigned int num_in_group_flags = 0; | |||
struct ssl_cipher_preference_list_st *pref_list = NULL; | |||
/* Return with error if nothing to do. */ | |||
// Return with error if nothing to do. | |||
if (rule_str == NULL || out_cipher_list == NULL) { | |||
return 0; | |||
} | |||
/* Now we have to collect the available ciphers from the compiled in ciphers. | |||
* We cannot get more than the number compiled in, so it is used for | |||
* allocation. */ | |||
// Now we have to collect the available ciphers from the compiled in ciphers. | |||
// We cannot get more than the number compiled in, so it is used for | |||
// allocation. | |||
co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen); | |||
if (co_list == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); | |||
@@ -1234,11 +1234,11 @@ int ssl_create_cipher_list( | |||
ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail); | |||
/* Now arrange all ciphers by preference: | |||
* TODO(davidben): Compute this order once and copy it. */ | |||
// Now arrange all ciphers by preference: | |||
// TODO(davidben): Compute this order once and copy it. | |||
/* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other | |||
* key exchange mechanisms */ | |||
// Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other | |||
// key exchange mechanisms | |||
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1, | |||
0, &head, &tail); | |||
ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, | |||
@@ -1246,10 +1246,10 @@ int ssl_create_cipher_list( | |||
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head, | |||
&tail); | |||
/* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer | |||
* CHACHA20 unless there is hardware support for fast and constant-time | |||
* AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the | |||
* old one. */ | |||
// Order the bulk ciphers. First the preferred AEAD ciphers. We prefer | |||
// CHACHA20 unless there is hardware support for fast and constant-time | |||
// AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the | |||
// old one. | |||
if (EVP_has_aes_hardware()) { | |||
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0, | |||
&head, &tail); | |||
@@ -1266,8 +1266,8 @@ int ssl_create_cipher_list( | |||
&head, &tail); | |||
} | |||
/* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC, | |||
* 3DES_EDE_CBC_SHA. */ | |||
// Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC, | |||
// 3DES_EDE_CBC_SHA. | |||
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0, | |||
&head, &tail); | |||
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0, | |||
@@ -1275,20 +1275,20 @@ int ssl_create_cipher_list( | |||
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head, | |||
&tail); | |||
/* Temporarily enable everything else for sorting */ | |||
// Temporarily enable everything else for sorting | |||
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head, | |||
&tail); | |||
/* Move ciphers without forward secrecy to the end. */ | |||
// Move ciphers without forward secrecy to the end. | |||
ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0, | |||
CIPHER_ORD, -1, 0, &head, &tail); | |||
/* Now disable everything (maintaining the ordering!) */ | |||
// Now disable everything (maintaining the ordering!) | |||
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head, | |||
&tail); | |||
/* If the rule_string begins with DEFAULT, apply the default rule before | |||
* using the (possibly available) additional rules. */ | |||
// If the rule_string begins with DEFAULT, apply the default rule before | |||
// using the (possibly available) additional rules. | |||
const char *rule_p = rule_str; | |||
if (strncmp(rule_str, "DEFAULT", 7) == 0) { | |||
if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head, | |||
@@ -1306,8 +1306,8 @@ int ssl_create_cipher_list( | |||
goto err; | |||
} | |||
/* Allocate new "cipherstack" for the result, return with error | |||
* if we cannot get one. */ | |||
// Allocate new "cipherstack" for the result, return with error | |||
// if we cannot get one. | |||
cipherstack = sk_SSL_CIPHER_new_null(); | |||
if (cipherstack == NULL) { | |||
goto err; | |||
@@ -1318,8 +1318,8 @@ int ssl_create_cipher_list( | |||
goto err; | |||
} | |||
/* The cipher selection for the list is done. The ciphers are added | |||
* to the resulting precedence to the STACK_OF(SSL_CIPHER). */ | |||
// The cipher selection for the list is done. The ciphers are added | |||
// to the resulting precedence to the STACK_OF(SSL_CIPHER). | |||
for (curr = head; curr != NULL; curr = curr->next) { | |||
if (curr->active) { | |||
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { | |||
@@ -1328,7 +1328,7 @@ int ssl_create_cipher_list( | |||
in_group_flags[num_in_group_flags++] = curr->in_group; | |||
} | |||
} | |||
OPENSSL_free(co_list); /* Not needed any longer */ | |||
OPENSSL_free(co_list); // Not needed any longer | |||
co_list = NULL; | |||
pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc( | |||
@@ -1350,8 +1350,8 @@ int ssl_create_cipher_list( | |||
*out_cipher_list = pref_list; | |||
pref_list = NULL; | |||
/* Configuring an empty cipher list is an error but still updates the | |||
* output. */ | |||
// Configuring an empty cipher list is an error but still updates the | |||
// output. | |||
if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH); | |||
return 0; | |||
@@ -1372,7 +1372,7 @@ err: | |||
uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) { | |||
uint32_t id = cipher->id; | |||
/* All ciphers are SSLv3. */ | |||
// All ciphers are SSLv3. | |||
assert((id & 0xff000000) == 0x03000000); | |||
return id & 0xffff; | |||
} | |||
@@ -1383,7 +1383,7 @@ uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) { | |||
return SSL_aRSA; | |||
case EVP_PKEY_EC: | |||
case EVP_PKEY_ED25519: | |||
/* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */ | |||
// Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. | |||
return SSL_aECDSA; | |||
default: | |||
return 0; | |||
@@ -1395,12 +1395,12 @@ int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) { | |||
} | |||
int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) { | |||
/* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */ | |||
// Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. | |||
if (cipher->algorithm_mkey & SSL_kECDHE) { | |||
return 1; | |||
} | |||
/* It is optional in all others. */ | |||
// It is optional in all others. | |||
return 0; | |||
} | |||
@@ -1418,7 +1418,7 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) { | |||
return 0; | |||
} | |||
/* All supported TLS 1.0 ciphers use SHA-1. */ | |||
// All supported TLS 1.0 ciphers use SHA-1. | |||
assert(cipher->algorithm_mac == SSL_SHA1); | |||
size_t ret = 1 + SHA_DIGEST_LENGTH; | |||
ret += block_size - (ret % block_size); | |||
@@ -1521,8 +1521,8 @@ uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) { | |||
} | |||
if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) { | |||
/* Cipher suites before TLS 1.2 use the default PRF, while all those added | |||
* afterwards specify a particular hash. */ | |||
// Cipher suites before TLS 1.2 use the default PRF, while all those added | |||
// afterwards specify a particular hash. | |||
return TLS1_2_VERSION; | |||
} | |||
return SSL3_VERSION; | |||
@@ -1536,7 +1536,7 @@ uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) { | |||
return TLS1_2_VERSION; | |||
} | |||
/* return the actual cipher being used */ | |||
// return the actual cipher being used | |||
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) { | |||
if (cipher != NULL) { | |||
return cipher->name; | |||
@@ -128,8 +128,8 @@ static int xname_cmp(const X509_NAME **a, const X509_NAME **b) { | |||
return X509_NAME_cmp(*a, *b); | |||
} | |||
/* TODO(davidben): Is there any reason this doesn't call | |||
* |SSL_add_file_cert_subjects_to_stack|? */ | |||
// TODO(davidben): Is there any reason this doesn't call | |||
// |SSL_add_file_cert_subjects_to_stack|? | |||
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { | |||
BIO *in; | |||
X509 *x = NULL; | |||
@@ -164,7 +164,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) { | |||
goto err; | |||
} | |||
/* Check for duplicates. */ | |||
// Check for duplicates. | |||
if (sk_X509_NAME_find(sk, NULL, xn)) { | |||
continue; | |||
} | |||
@@ -222,7 +222,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, | |||
goto err; | |||
} | |||
/* Check for duplicates. */ | |||
// Check for duplicates. | |||
if (sk_X509_NAME_find(stack, NULL, xn)) { | |||
continue; | |||
} | |||
@@ -493,15 +493,15 @@ end: | |||
return ret; | |||
} | |||
/* Read a file that contains our certificate in "PEM" format, possibly followed | |||
* by a sequence of CA certificates that should be sent to the peer in the | |||
* Certificate message. */ | |||
// Read a file that contains our certificate in "PEM" format, possibly followed | |||
// by a sequence of CA certificates that should be sent to the peer in the | |||
// Certificate message. | |||
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) { | |||
BIO *in; | |||
int ret = 0; | |||
X509 *x = NULL; | |||
ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ | |||
ERR_clear_error(); // clear error stack for SSL_CTX_use_certificate() | |||
in = BIO_new(BIO_s_file()); | |||
if (in == NULL) { | |||
@@ -524,12 +524,12 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) { | |||
ret = SSL_CTX_use_certificate(ctx, x); | |||
if (ERR_peek_error() != 0) { | |||
ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ | |||
ret = 0; // Key/certificate mismatch doesn't imply ret==0 ... | |||
} | |||
if (ret) { | |||
/* If we could set up our certificate, now proceed to the CA | |||
* certificates. */ | |||
// If we could set up our certificate, now proceed to the CA | |||
// certificates. | |||
X509 *ca; | |||
int r; | |||
uint32_t err; | |||
@@ -545,18 +545,18 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) { | |||
ret = 0; | |||
goto end; | |||
} | |||
/* Note that we must not free r if it was successfully added to the chain | |||
* (while we must free the main certificate, since its reference count is | |||
* increased by SSL_CTX_use_certificate). */ | |||
// Note that we must not free r if it was successfully added to the chain | |||
// (while we must free the main certificate, since its reference count is | |||
// increased by SSL_CTX_use_certificate). | |||
} | |||
/* When the while loop ends, it's usually just EOF. */ | |||
// When the while loop ends, it's usually just EOF. | |||
err = ERR_peek_last_error(); | |||
if (ERR_GET_LIB(err) == ERR_LIB_PEM && | |||
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { | |||
ERR_clear_error(); | |||
} else { | |||
ret = 0; /* some real error */ | |||
ret = 0; // some real error | |||
} | |||
} | |||
@@ -42,14 +42,14 @@ class ECKeyShare : public SSLKeyShare { | |||
bool Offer(CBB *out) override { | |||
assert(!private_key_); | |||
/* Set up a shared |BN_CTX| for all operations. */ | |||
// Set up a shared |BN_CTX| for all operations. | |||
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new()); | |||
if (!bn_ctx) { | |||
return false; | |||
} | |||
BN_CTXScope scope(bn_ctx.get()); | |||
/* Generate a private key. */ | |||
// Generate a private key. | |||
UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_)); | |||
private_key_.reset(BN_new()); | |||
if (!group || !private_key_ || | |||
@@ -58,7 +58,7 @@ class ECKeyShare : public SSLKeyShare { | |||
return false; | |||
} | |||
/* Compute the corresponding public key and serialize it. */ | |||
// Compute the corresponding public key and serialize it. | |||
UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get())); | |||
if (!public_key || | |||
!EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL, | |||
@@ -76,7 +76,7 @@ class ECKeyShare : public SSLKeyShare { | |||
assert(private_key_); | |||
*out_alert = SSL_AD_INTERNAL_ERROR; | |||
/* Set up a shared |BN_CTX| for all operations. */ | |||
// Set up a shared |BN_CTX| for all operations. | |||
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new()); | |||
if (!bn_ctx) { | |||
return false; | |||
@@ -101,7 +101,7 @@ class ECKeyShare : public SSLKeyShare { | |||
return false; | |||
} | |||
/* Compute the x-coordinate of |peer_key| * |private_key_|. */ | |||
// Compute the x-coordinate of |peer_key| * |private_key_|. | |||
if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(), | |||
private_key_.get(), bn_ctx.get()) || | |||
!EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL, | |||
@@ -109,7 +109,7 @@ class ECKeyShare : public SSLKeyShare { | |||
return false; | |||
} | |||
/* Encode the x-coordinate left-padded with zeros. */ | |||
// Encode the x-coordinate left-padded with zeros. | |||
size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8; | |||
UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(secret_len)); | |||
if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) { | |||
@@ -164,22 +164,22 @@ | |||
namespace bssl { | |||
/* |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it | |||
* to avoid downstream churn. */ | |||
// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it | |||
// to avoid downstream churn. | |||
OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL) | |||
/* The following errors are no longer emitted, but are used in nginx without | |||
* #ifdefs. */ | |||
// The following errors are no longer emitted, but are used in nginx without | |||
// #ifdefs. | |||
OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG) | |||
OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED) | |||
/* Some error codes are special. Ensure the make_errors.go script never | |||
* regresses this. */ | |||
// Some error codes are special. Ensure the make_errors.go script never | |||
// regresses this. | |||
static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION == | |||
SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET, | |||
"alert reason code mismatch"); | |||
/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */ | |||
// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. | |||
static const size_t kMaxHandshakeSize = (1u << 24) - 1; | |||
static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl = | |||
@@ -188,8 +188,8 @@ static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx = | |||
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; | |||
void ssl_reset_error_state(SSL *ssl) { | |||
/* Functions which use |SSL_get_error| must reset I/O and error state on | |||
* entry. */ | |||
// Functions which use |SSL_get_error| must reset I/O and error state on | |||
// entry. | |||
ssl->rwstate = SSL_NOTHING; | |||
ERR_clear_error(); | |||
ERR_clear_system_error(); | |||
@@ -216,20 +216,20 @@ void ssl_cipher_preference_list_free( | |||
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { | |||
SSL *const ssl = hs->ssl; | |||
SSL_CTX *ctx = ssl->session_ctx; | |||
/* Never cache sessions with empty session IDs. */ | |||
// Never cache sessions with empty session IDs. | |||
if (ssl->s3->established_session->session_id_length == 0 || | |||
ssl->s3->established_session->not_resumable || | |||
(ctx->session_cache_mode & mode) != mode) { | |||
return; | |||
} | |||
/* Clients never use the internal session cache. */ | |||
// Clients never use the internal session cache. | |||
int use_internal_cache = ssl->server && !(ctx->session_cache_mode & | |||
SSL_SESS_CACHE_NO_INTERNAL_STORE); | |||
/* A client may see new sessions on abbreviated handshakes if the server | |||
* decides to renew the ticket. Once the handshake is completed, it should be | |||
* inserted into the cache. */ | |||
// A client may see new sessions on abbreviated handshakes if the server | |||
// decides to renew the ticket. Once the handshake is completed, it should be | |||
// inserted into the cache. | |||
if (ssl->s3->established_session != ssl->session || | |||
(!ssl->server && hs->ticket_expected)) { | |||
if (use_internal_cache) { | |||
@@ -238,7 +238,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { | |||
if (ctx->new_session_cb != NULL) { | |||
SSL_SESSION_up_ref(ssl->s3->established_session); | |||
if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) { | |||
/* |new_session_cb|'s return value signals whether it took ownership. */ | |||
// |new_session_cb|'s return value signals whether it took ownership. | |||
SSL_SESSION_free(ssl->s3->established_session); | |||
} | |||
} | |||
@@ -246,7 +246,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) { | |||
if (use_internal_cache && | |||
!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) { | |||
/* Automatically flush the internal session cache every 255 connections. */ | |||
// Automatically flush the internal session cache every 255 connections. | |||
int flush_cache = 0; | |||
CRYPTO_MUTEX_lock_write(&ctx->lock); | |||
ctx->handshakes_since_cache_flush++; | |||
@@ -309,7 +309,7 @@ int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret, | |||
int ssl3_can_false_start(const SSL *ssl) { | |||
const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl); | |||
/* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */ | |||
// False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. | |||
return !SSL_is_dtls(ssl) && | |||
SSL_version(ssl) == TLS1_2_VERSION && | |||
(ssl->s3->alpn_selected != NULL || | |||
@@ -338,12 +338,12 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, | |||
return; | |||
} | |||
/* |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for | |||
* a V2ClientHello. */ | |||
// |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for | |||
// a V2ClientHello. | |||
int version; | |||
switch (content_type) { | |||
case 0: | |||
/* V2ClientHello */ | |||
// V2ClientHello | |||
version = SSL2_VERSION; | |||
break; | |||
case SSL3_RT_HEADER: | |||
@@ -358,16 +358,16 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type, | |||
} | |||
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) { | |||
/* TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the | |||
* |ssl| arg from |current_time_cb| if possible. */ | |||
// TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the | |||
// |ssl| arg from |current_time_cb| if possible. | |||
ssl_ctx_get_current_time(ssl->ctx, out_clock); | |||
} | |||
void ssl_ctx_get_current_time(const SSL_CTX *ctx, | |||
struct OPENSSL_timeval *out_clock) { | |||
if (ctx->current_time_cb != NULL) { | |||
/* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See | |||
* https://crbug.com/boringssl/155. */ | |||
// TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See | |||
// https://crbug.com/boringssl/155. | |||
struct timeval clock; | |||
ctx->current_time_cb(nullptr /* ssl */, &clock); | |||
if (clock.tv_sec < 0) { | |||
@@ -437,11 +437,11 @@ static uint32_t ssl_session_hash(const SSL_SESSION *sess) { | |||
return hash; | |||
} | |||
/* NB: If this function (or indeed the hash function which uses a sort of | |||
* coarser function than this one) is changed, ensure | |||
* SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being | |||
* able to construct an SSL_SESSION that will collide with any existing session | |||
* with a matching session ID. */ | |||
// NB: If this function (or indeed the hash function which uses a sort of | |||
// coarser function than this one) is changed, ensure | |||
// SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being | |||
// able to construct an SSL_SESSION that will collide with any existing session | |||
// with a matching session ID. | |||
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) { | |||
if (a->ssl_version != b->ssl_version) { | |||
return 1; | |||
@@ -511,16 +511,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { | |||
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; | |||
/* Disable the auto-chaining feature by default. Once this has stuck without | |||
* problems, the feature will be removed entirely. */ | |||
// Disable the auto-chaining feature by default. Once this has stuck without | |||
// problems, the feature will be removed entirely. | |||
ret->mode = SSL_MODE_NO_AUTO_CHAIN; | |||
/* Lock the SSL_CTX to the specified version, for compatibility with legacy | |||
* uses of SSL_METHOD, but we do not set the minimum version for | |||
* |SSLv3_method|. */ | |||
// Lock the SSL_CTX to the specified version, for compatibility with legacy | |||
// uses of SSL_METHOD, but we do not set the minimum version for | |||
// |SSLv3_method|. | |||
if (!SSL_CTX_set_max_proto_version(ret, method->version) || | |||
!SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION | |||
? 0 /* default */ | |||
? 0 // default | |||
: method->version)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
goto err2; | |||
@@ -546,12 +546,12 @@ void SSL_CTX_free(SSL_CTX *ctx) { | |||
return; | |||
} | |||
/* Free internal session cache. However: the remove_cb() may reference the | |||
* ex_data of SSL_CTX, thus the ex_data store can only be removed after the | |||
* sessions were flushed. As the ex_data handling routines might also touch | |||
* the session cache, the most secure solution seems to be: empty (flush) the | |||
* cache, then free ex_data, then finally free the cache. (See ticket | |||
* [openssl.org #212].) */ | |||
// Free internal session cache. However: the remove_cb() may reference the | |||
// ex_data of SSL_CTX, thus the ex_data store can only be removed after the | |||
// sessions were flushed. As the ex_data handling routines might also touch | |||
// the session cache, the most secure solution seems to be: empty (flush) the | |||
// cache, then free ex_data, then finally free the cache. (See ticket | |||
// [openssl.org #212].) | |||
SSL_CTX_flush_sessions(ctx, 0); | |||
CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data); | |||
@@ -598,8 +598,8 @@ SSL *SSL_new(SSL_CTX *ctx) { | |||
ssl->conf_max_version = ctx->conf_max_version; | |||
ssl->tls13_variant = ctx->tls13_variant; | |||
/* RFC 6347 states that implementations SHOULD use an initial timer value of | |||
* 1 second. */ | |||
// RFC 6347 states that implementations SHOULD use an initial timer value of | |||
// 1 second. | |||
ssl->initial_timeout_duration_ms = 1000; | |||
ssl->options = ctx->options; | |||
@@ -703,7 +703,7 @@ void SSL_free(SSL *ssl) { | |||
BUF_MEM_free(ssl->init_buf); | |||
/* add extra stuff */ | |||
// add extra stuff | |||
ssl_cipher_preference_list_free(ssl->cipher_list); | |||
SSL_SESSION_free(ssl->session); | |||
@@ -748,35 +748,35 @@ void SSL_set0_wbio(SSL *ssl, BIO *wbio) { | |||
} | |||
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) { | |||
/* For historical reasons, this function has many different cases in ownership | |||
* handling. */ | |||
// For historical reasons, this function has many different cases in ownership | |||
// handling. | |||
/* If nothing has changed, do nothing */ | |||
// If nothing has changed, do nothing | |||
if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) { | |||
return; | |||
} | |||
/* If the two arguments are equal, one fewer reference is granted than | |||
* taken. */ | |||
// If the two arguments are equal, one fewer reference is granted than | |||
// taken. | |||
if (rbio != NULL && rbio == wbio) { | |||
BIO_up_ref(rbio); | |||
} | |||
/* If only the wbio is changed, adopt only one reference. */ | |||
// If only the wbio is changed, adopt only one reference. | |||
if (rbio == SSL_get_rbio(ssl)) { | |||
SSL_set0_wbio(ssl, wbio); | |||
return; | |||
} | |||
/* There is an asymmetry here for historical reasons. If only the rbio is | |||
* changed AND the rbio and wbio were originally different, then we only adopt | |||
* one reference. */ | |||
// There is an asymmetry here for historical reasons. If only the rbio is | |||
// changed AND the rbio and wbio were originally different, then we only adopt | |||
// one reference. | |||
if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) { | |||
SSL_set0_rbio(ssl, rbio); | |||
return; | |||
} | |||
/* Otherwise, adopt both references. */ | |||
// Otherwise, adopt both references. | |||
SSL_set0_rbio(ssl, rbio); | |||
SSL_set0_wbio(ssl, wbio); | |||
} | |||
@@ -797,7 +797,7 @@ int SSL_do_handshake(SSL *ssl) { | |||
return 1; | |||
} | |||
/* Run the handshake. */ | |||
// Run the handshake. | |||
SSL_HANDSHAKE *hs = ssl->s3->hs; | |||
int early_return = 0; | |||
@@ -808,7 +808,7 @@ int SSL_do_handshake(SSL *ssl) { | |||
return ret; | |||
} | |||
/* Destroy the handshake object if the handshake has completely finished. */ | |||
// Destroy the handshake object if the handshake has completely finished. | |||
if (!early_return) { | |||
ssl_handshake_free(ssl->s3->hs); | |||
ssl->s3->hs = NULL; | |||
@@ -819,7 +819,7 @@ int SSL_do_handshake(SSL *ssl) { | |||
int SSL_connect(SSL *ssl) { | |||
if (ssl->do_handshake == NULL) { | |||
/* Not properly initialized yet */ | |||
// Not properly initialized yet | |||
SSL_set_connect_state(ssl); | |||
} | |||
@@ -828,7 +828,7 @@ int SSL_connect(SSL *ssl) { | |||
int SSL_accept(SSL *ssl) { | |||
if (ssl->do_handshake == NULL) { | |||
/* Not properly initialized yet */ | |||
// Not properly initialized yet | |||
SSL_set_accept_state(ssl); | |||
} | |||
@@ -840,9 +840,9 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { | |||
return tls13_post_handshake(ssl, msg); | |||
} | |||
/* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be | |||
* removed entirely in the future and requires retaining more data for | |||
* renegotiation_info. */ | |||
// We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be | |||
// removed entirely in the future and requires retaining more data for | |||
// renegotiation_info. | |||
if (ssl->server || ssl->version == SSL3_VERSION) { | |||
goto no_renegotiation; | |||
} | |||
@@ -855,7 +855,7 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { | |||
switch (ssl->renegotiate_mode) { | |||
case ssl_renegotiate_ignore: | |||
/* Ignore the HelloRequest. */ | |||
// Ignore the HelloRequest. | |||
return 1; | |||
case ssl_renegotiate_once: | |||
@@ -871,15 +871,15 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) { | |||
break; | |||
} | |||
/* Renegotiation is only supported at quiescent points in the application | |||
* protocol, namely in HTTPS, just before reading the HTTP response. Require | |||
* the record-layer be idle and avoid complexities of sending a handshake | |||
* record while an application_data record is being written. */ | |||
// Renegotiation is only supported at quiescent points in the application | |||
// protocol, namely in HTTPS, just before reading the HTTP response. Require | |||
// the record-layer be idle and avoid complexities of sending a handshake | |||
// record while an application_data record is being written. | |||
if (ssl_write_buffer_is_pending(ssl)) { | |||
goto no_renegotiation; | |||
} | |||
/* Begin a new handshake. */ | |||
// Begin a new handshake. | |||
if (ssl->s3->hs != NULL) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return 0; | |||
@@ -907,9 +907,9 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) { | |||
} | |||
for (;;) { | |||
/* Complete the current handshake, if any. False Start will cause | |||
* |SSL_do_handshake| to return mid-handshake, so this may require multiple | |||
* iterations. */ | |||
// Complete the current handshake, if any. False Start will cause | |||
// |SSL_do_handshake| to return mid-handshake, so this may require multiple | |||
// iterations. | |||
while (!ssl_can_read(ssl)) { | |||
int ret = SSL_do_handshake(ssl); | |||
if (ret < 0) { | |||
@@ -929,15 +929,15 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) { | |||
return ret; | |||
} | |||
/* If we received an interrupt in early read (the end_of_early_data alert), | |||
* loop again for the handshake to process it. */ | |||
// If we received an interrupt in early read (the end_of_early_data alert), | |||
// loop again for the handshake to process it. | |||
if (SSL_in_init(ssl)) { | |||
continue; | |||
} | |||
SSLMessage msg; | |||
while (ssl->method->get_message(ssl, &msg)) { | |||
/* Handle the post-handshake message and try again. */ | |||
// Handle the post-handshake message and try again. | |||
if (!ssl_do_post_handshake(ssl, msg)) { | |||
return -1; | |||
} | |||
@@ -969,7 +969,7 @@ int SSL_write(SSL *ssl, const void *buf, int num) { | |||
int ret = 0, needs_handshake = 0; | |||
do { | |||
/* If necessary, complete the handshake implicitly. */ | |||
// If necessary, complete the handshake implicitly. | |||
if (!ssl_can_write(ssl)) { | |||
ret = SSL_do_handshake(ssl); | |||
if (ret < 0) { | |||
@@ -995,43 +995,43 @@ int SSL_shutdown(SSL *ssl) { | |||
return -1; | |||
} | |||
/* If we are in the middle of a handshake, silently succeed. Consumers often | |||
* call this function before |SSL_free|, whether the handshake succeeded or | |||
* not. We assume the caller has already handled failed handshakes. */ | |||
// If we are in the middle of a handshake, silently succeed. Consumers often | |||
// call this function before |SSL_free|, whether the handshake succeeded or | |||
// not. We assume the caller has already handled failed handshakes. | |||
if (SSL_in_init(ssl)) { | |||
return 1; | |||
} | |||
if (ssl->quiet_shutdown) { | |||
/* Do nothing if configured not to send a close_notify. */ | |||
// Do nothing if configured not to send a close_notify. | |||
ssl->s3->send_shutdown = ssl_shutdown_close_notify; | |||
ssl->s3->recv_shutdown = ssl_shutdown_close_notify; | |||
return 1; | |||
} | |||
/* This function completes in two stages. It sends a close_notify and then it | |||
* waits for a close_notify to come in. Perform exactly one action and return | |||
* whether or not it succeeds. */ | |||
// This function completes in two stages. It sends a close_notify and then it | |||
// waits for a close_notify to come in. Perform exactly one action and return | |||
// whether or not it succeeds. | |||
if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) { | |||
/* Send a close_notify. */ | |||
// Send a close_notify. | |||
if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) { | |||
return -1; | |||
} | |||
} else if (ssl->s3->alert_dispatch) { | |||
/* Finish sending the close_notify. */ | |||
// Finish sending the close_notify. | |||
if (ssl->method->dispatch_alert(ssl) <= 0) { | |||
return -1; | |||
} | |||
} else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) { | |||
/* Wait for the peer's close_notify. */ | |||
// Wait for the peer's close_notify. | |||
ssl->method->read_close_notify(ssl); | |||
if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) { | |||
return -1; | |||
} | |||
} | |||
/* Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. */ | |||
// Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. | |||
return ssl->s3->recv_shutdown == ssl_shutdown_close_notify; | |||
} | |||
@@ -1039,7 +1039,7 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) { | |||
if (ssl->s3->alert_dispatch) { | |||
if (ssl->s3->send_alert[0] != SSL3_AL_FATAL || | |||
ssl->s3->send_alert[1] != alert) { | |||
/* We are already attempting to write a different alert. */ | |||
// We are already attempting to write a different alert. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN); | |||
return -1; | |||
} | |||
@@ -1087,9 +1087,9 @@ void SSL_reset_early_data_reject(SSL *ssl) { | |||
hs->in_early_data = 0; | |||
hs->early_session.reset(); | |||
/* Discard any unfinished writes from the perspective of |SSL_write|'s | |||
* retry. The handshake will transparently flush out the pending record | |||
* (discarded by the server) to keep the framing correct. */ | |||
// Discard any unfinished writes from the perspective of |SSL_write|'s | |||
// retry. The handshake will transparently flush out the pending record | |||
// (discarded by the server) to keep the framing correct. | |||
ssl->s3->wpend_pending = 0; | |||
} | |||
@@ -1109,8 +1109,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) { | |||
return SSL_ERROR_NONE; | |||
} | |||
/* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, | |||
* where we do encode the error */ | |||
// Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc, | |||
// where we do encode the error | |||
uint32_t err = ERR_peek_error(); | |||
if (err != 0) { | |||
if (ERR_GET_LIB(err) == ERR_LIB_SYS) { | |||
@@ -1123,9 +1123,9 @@ int SSL_get_error(const SSL *ssl, int ret_code) { | |||
if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) { | |||
return SSL_ERROR_ZERO_RETURN; | |||
} | |||
/* An EOF was observed which violates the protocol, and the underlying | |||
* transport does not participate in the error queue. Bubble up to the | |||
* caller. */ | |||
// An EOF was observed which violates the protocol, and the underlying | |||
// transport does not participate in the error queue. Bubble up to the | |||
// caller. | |||
return SSL_ERROR_SYSCALL; | |||
} | |||
@@ -1143,8 +1143,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) { | |||
} | |||
if (BIO_should_write(bio)) { | |||
/* TODO(davidben): OpenSSL historically checked for writes on the read | |||
* BIO. Can this be removed? */ | |||
// TODO(davidben): OpenSSL historically checked for writes on the read | |||
// BIO. Can this be removed? | |||
return SSL_ERROR_WANT_WRITE; | |||
} | |||
@@ -1162,8 +1162,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) { | |||
} | |||
if (BIO_should_read(bio)) { | |||
/* TODO(davidben): OpenSSL historically checked for reads on the write | |||
* BIO. Can this be removed? */ | |||
// TODO(davidben): OpenSSL historically checked for reads on the write | |||
// BIO. Can this be removed? | |||
return SSL_ERROR_WANT_READ; | |||
} | |||
@@ -1253,20 +1253,20 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len, | |||
*out_len = 0; | |||
OPENSSL_memset(out, 0, max_out); | |||
/* tls-unique is not defined for SSL 3.0 or TLS 1.3. */ | |||
// tls-unique is not defined for SSL 3.0 or TLS 1.3. | |||
if (!ssl->s3->initial_handshake_complete || | |||
ssl3_protocol_version(ssl) < TLS1_VERSION || | |||
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { | |||
return 0; | |||
} | |||
/* The tls-unique value is the first Finished message in the handshake, which | |||
* is the client's in a full handshake and the server's for a resumption. See | |||
* https://tools.ietf.org/html/rfc5929#section-3.1. */ | |||
// The tls-unique value is the first Finished message in the handshake, which | |||
// is the client's in a full handshake and the server's for a resumption. See | |||
// https://tools.ietf.org/html/rfc5929#section-3.1. | |||
const uint8_t *finished = ssl->s3->previous_client_finished; | |||
size_t finished_len = ssl->s3->previous_client_finished_len; | |||
if (ssl->session != NULL) { | |||
/* tls-unique is broken for resumed sessions unless EMS is used. */ | |||
// tls-unique is broken for resumed sessions unless EMS is used. | |||
if (!ssl->session->extended_master_secret) { | |||
return 0; | |||
} | |||
@@ -1356,7 +1356,7 @@ int SSL_set_wfd(SSL *ssl, int fd) { | |||
BIO_set_fd(bio, fd, BIO_NOCLOSE); | |||
SSL_set0_wbio(ssl, bio); | |||
} else { | |||
/* Copy the rbio over to the wbio. */ | |||
// Copy the rbio over to the wbio. | |||
BIO_up_ref(rbio); | |||
SSL_set0_wbio(ssl, rbio); | |||
} | |||
@@ -1376,7 +1376,7 @@ int SSL_set_rfd(SSL *ssl, int fd) { | |||
BIO_set_fd(bio, fd, BIO_NOCLOSE); | |||
SSL_set0_rbio(ssl, bio); | |||
} else { | |||
/* Copy the wbio over to the rbio. */ | |||
// Copy the wbio over to the rbio. | |||
BIO_up_ref(wbio); | |||
SSL_set0_rbio(ssl, wbio); | |||
} | |||
@@ -1427,8 +1427,8 @@ size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) { | |||
int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; } | |||
int SSL_get_extms_support(const SSL *ssl) { | |||
/* TLS 1.3 does not require extended master secret and always reports as | |||
* supporting it. */ | |||
// TLS 1.3 does not require extended master secret and always reports as | |||
// supporting it. | |||
if (!ssl->s3->have_version) { | |||
return 0; | |||
} | |||
@@ -1436,12 +1436,12 @@ int SSL_get_extms_support(const SSL *ssl) { | |||
return 1; | |||
} | |||
/* If the initial handshake completed, query the established session. */ | |||
// If the initial handshake completed, query the established session. | |||
if (ssl->s3->established_session != NULL) { | |||
return ssl->s3->established_session->extended_master_secret; | |||
} | |||
/* Otherwise, query the in-progress handshake. */ | |||
// Otherwise, query the in-progress handshake. | |||
if (ssl->s3->hs != NULL) { | |||
return ssl->s3->hs->extended_master_secret; | |||
} | |||
@@ -1464,12 +1464,12 @@ int SSL_pending(const SSL *ssl) { | |||
return ssl->s3->rrec.length; | |||
} | |||
/* Fix this so it checks all the valid key/cert options */ | |||
// Fix this so it checks all the valid key/cert options | |||
int SSL_CTX_check_private_key(const SSL_CTX *ctx) { | |||
return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey); | |||
} | |||
/* Fix this function so that it takes an optional type parameter */ | |||
// Fix this function so that it takes an optional type parameter | |||
int SSL_check_private_key(const SSL *ssl) { | |||
return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey); | |||
} | |||
@@ -1479,7 +1479,7 @@ long SSL_get_default_timeout(const SSL *ssl) { | |||
} | |||
int SSL_renegotiate(SSL *ssl) { | |||
/* Caller-initiated renegotiation is not supported. */ | |||
// Caller-initiated renegotiation is not supported. | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); | |||
return 0; | |||
} | |||
@@ -1590,8 +1590,8 @@ int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) { | |||
return 0; | |||
} | |||
/* The default ticket keys are initialized lazily. Trigger a key | |||
* rotation to initialize them. */ | |||
// The default ticket keys are initialized lazily. Trigger a key | |||
// rotation to initialize them. | |||
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) { | |||
return 0; | |||
} | |||
@@ -1626,7 +1626,7 @@ int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) { | |||
OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16); | |||
OPENSSL_free(ctx->tlsext_ticket_key_prev); | |||
ctx->tlsext_ticket_key_prev = nullptr; | |||
/* Disable automatic key rotation. */ | |||
// Disable automatic key rotation. | |||
ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0; | |||
return 1; | |||
} | |||
@@ -1662,8 +1662,8 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) { | |||
} | |||
uint16_t SSL_get_curve_id(const SSL *ssl) { | |||
/* TODO(davidben): This checks the wrong session if there is a renegotiation in | |||
* progress. */ | |||
// TODO(davidben): This checks the wrong session if there is a renegotiation | |||
// in progress. | |||
SSL_SESSION *session = SSL_get_session(ssl); | |||
if (session == NULL) { | |||
return 0; | |||
@@ -1748,21 +1748,21 @@ const char *SSL_get_servername(const SSL *ssl, const int type) { | |||
return NULL; | |||
} | |||
/* Historically, |SSL_get_servername| was also the configuration getter | |||
* corresponding to |SSL_set_tlsext_host_name|. */ | |||
// Historically, |SSL_get_servername| was also the configuration getter | |||
// corresponding to |SSL_set_tlsext_host_name|. | |||
if (ssl->tlsext_hostname != NULL) { | |||
return ssl->tlsext_hostname; | |||
} | |||
/* During the handshake, report the handshake value. */ | |||
// During the handshake, report the handshake value. | |||
if (ssl->s3->hs != NULL) { | |||
return ssl->s3->hs->hostname.get(); | |||
} | |||
/* SSL_get_servername may also be called after the handshake to look up the | |||
* SNI value. | |||
* | |||
* TODO(davidben): This is almost unused. Can we remove it? */ | |||
// SSL_get_servername may also be called after the handshake to look up the | |||
// SNI value. | |||
// | |||
// TODO(davidben): This is almost unused. Can we remove it? | |||
SSL_SESSION *session = SSL_get_session(ssl); | |||
if (session == NULL) { | |||
return NULL; | |||
@@ -1872,12 +1872,12 @@ int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, | |||
const uint8_t *result; | |||
int status; | |||
/* For each protocol in peer preference order, see if we support it. */ | |||
// For each protocol in peer preference order, see if we support it. | |||
for (unsigned i = 0; i < peer_len;) { | |||
for (unsigned j = 0; j < supported_len;) { | |||
if (peer[i] == supported[j] && | |||
OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) { | |||
/* We found a match */ | |||
// We found a match | |||
result = &peer[i]; | |||
status = OPENSSL_NPN_NEGOTIATED; | |||
goto found; | |||
@@ -1889,7 +1889,7 @@ int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, | |||
i++; | |||
} | |||
/* There's no overlap between our protocols and the peer's list. */ | |||
// There's no overlap between our protocols and the peer's list. | |||
result = supported; | |||
status = OPENSSL_NPN_NO_OVERLAP; | |||
@@ -2084,8 +2084,8 @@ void SSL_set_quiet_shutdown(SSL *ssl, int mode) { | |||
int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; } | |||
void SSL_set_shutdown(SSL *ssl, int mode) { | |||
/* It is an error to clear any bits that have already been set. (We can't try | |||
* to get a second close_notify or send two.) */ | |||
// It is an error to clear any bits that have already been set. (We can't try | |||
// to get a second close_notify or send two.) | |||
assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl)); | |||
if (mode & SSL_RECEIVED_SHUTDOWN && | |||
@@ -2102,12 +2102,12 @@ void SSL_set_shutdown(SSL *ssl, int mode) { | |||
int SSL_get_shutdown(const SSL *ssl) { | |||
int ret = 0; | |||
if (ssl->s3->recv_shutdown != ssl_shutdown_none) { | |||
/* Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify | |||
* and fatal alert. */ | |||
// Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify | |||
// and fatal alert. | |||
ret |= SSL_RECEIVED_SHUTDOWN; | |||
} | |||
if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) { | |||
/* Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. */ | |||
// Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. | |||
ret |= SSL_SENT_SHUTDOWN; | |||
} | |||
return ret; | |||
@@ -2120,7 +2120,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { | |||
return ssl->ctx; | |||
} | |||
/* One cannot change the X.509 callbacks during a connection. */ | |||
// One cannot change the X.509 callbacks during a connection. | |||
if (ssl->ctx->x509_method != ctx->x509_method) { | |||
assert(0); | |||
return NULL; | |||
@@ -2223,14 +2223,14 @@ static int use_psk_identity_hint(char **out, const char *identity_hint) { | |||
return 0; | |||
} | |||
/* Clear currently configured hint, if any. */ | |||
// Clear currently configured hint, if any. | |||
OPENSSL_free(*out); | |||
*out = NULL; | |||
/* Treat the empty hint as not supplying one. Plain PSK makes it possible to | |||
* send either no hint (omit ServerKeyExchange) or an empty hint, while | |||
* ECDHE_PSK can only spell empty hint. Having different capabilities is odd, | |||
* so we interpret empty and missing as identical. */ | |||
// Treat the empty hint as not supplying one. Plain PSK makes it possible to | |||
// send either no hint (omit ServerKeyExchange) or an empty hint, while | |||
// ECDHE_PSK can only spell empty hint. Having different capabilities is odd, | |||
// so we interpret empty and missing as identical. | |||
if (identity_hint != NULL && identity_hint[0] != '\0') { | |||
*out = BUF_strdup(identity_hint); | |||
if (*out == NULL) { | |||
@@ -2396,9 +2396,9 @@ static uint64_t be_to_u64(const uint8_t in[8]) { | |||
} | |||
uint64_t SSL_get_read_sequence(const SSL *ssl) { | |||
/* TODO(davidben): Internally represent sequence numbers as uint64_t. */ | |||
// TODO(davidben): Internally represent sequence numbers as uint64_t. | |||
if (SSL_is_dtls(ssl)) { | |||
/* max_seq_num already includes the epoch. */ | |||
// max_seq_num already includes the epoch. | |||
assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48)); | |||
return ssl->d1->bitmap.max_seq_num; | |||
} | |||
@@ -2415,8 +2415,8 @@ uint64_t SSL_get_write_sequence(const SSL *ssl) { | |||
} | |||
uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) { | |||
/* TODO(davidben): This checks the wrong session if there is a renegotiation | |||
* in progress. */ | |||
// TODO(davidben): This checks the wrong session if there is a renegotiation | |||
// in progress. | |||
SSL_SESSION *session = SSL_get_session(ssl); | |||
if (session == NULL) { | |||
return 0; | |||
@@ -2472,30 +2472,30 @@ int32_t SSL_get_ticket_age_skew(const SSL *ssl) { | |||
} | |||
int SSL_clear(SSL *ssl) { | |||
/* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously | |||
* established session to be offered the next time around. wpa_supplicant | |||
* depends on this behavior, so emulate it. */ | |||
// In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously | |||
// established session to be offered the next time around. wpa_supplicant | |||
// depends on this behavior, so emulate it. | |||
SSL_SESSION *session = NULL; | |||
if (!ssl->server && ssl->s3->established_session != NULL) { | |||
session = ssl->s3->established_session; | |||
SSL_SESSION_up_ref(session); | |||
} | |||
/* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and | |||
* |SSL_clear| because it is per-connection state rather than configuration | |||
* state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is | |||
* naturally reset at the right points between |SSL_new|, |SSL_clear|, and | |||
* |ssl3_new|. */ | |||
// TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and | |||
// |SSL_clear| because it is per-connection state rather than configuration | |||
// state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is | |||
// naturally reset at the right points between |SSL_new|, |SSL_clear|, and | |||
// |ssl3_new|. | |||
ssl->rwstate = SSL_NOTHING; | |||
BUF_MEM_free(ssl->init_buf); | |||
ssl->init_buf = NULL; | |||
/* The ssl->d1->mtu is simultaneously configuration (preserved across | |||
* clear) and connection-specific state (gets reset). | |||
* | |||
* TODO(davidben): Avoid this. */ | |||
// The ssl->d1->mtu is simultaneously configuration (preserved across | |||
// clear) and connection-specific state (gets reset). | |||
// | |||
// TODO(davidben): Avoid this. | |||
unsigned mtu = 0; | |||
if (ssl->d1 != NULL) { | |||
mtu = ssl->d1->mtu; | |||
@@ -84,7 +84,7 @@ static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) { | |||
if (cert->chain != NULL && | |||
sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL && | |||
/* Sanity-check that the private key and the certificate match. */ | |||
// Sanity-check that the private key and the certificate match. | |||
!ssl_cert_check_private_key(cert, pkey)) { | |||
return 0; | |||
} | |||
@@ -148,12 +148,12 @@ static int pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, | |||
} | |||
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { | |||
/* RSA keys may only be used with RSA-PSS. */ | |||
// RSA keys may only be used with RSA-PSS. | |||
if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) { | |||
return 0; | |||
} | |||
/* EC keys have a curve requirement. */ | |||
// EC keys have a curve requirement. | |||
if (alg->pkey_type == EVP_PKEY_EC && | |||
(alg->curve == NID_undef || | |||
EC_GROUP_get_curve_name( | |||
@@ -201,8 +201,8 @@ static int legacy_sign_digest_supported(const SSL_SIGNATURE_ALGORITHM *alg) { | |||
static enum ssl_private_key_result_t legacy_sign( | |||
SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg, | |||
const uint8_t *in, size_t in_len) { | |||
/* TODO(davidben): Remove support for |sign_digest|-only | |||
* |SSL_PRIVATE_KEY_METHOD|s. */ | |||
// TODO(davidben): Remove support for |sign_digest|-only | |||
// |SSL_PRIVATE_KEY_METHOD|s. | |||
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); | |||
if (alg == NULL || !legacy_sign_digest_supported(alg)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY); | |||
@@ -272,13 +272,13 @@ enum ssl_private_key_result_t ssl_private_key_decrypt( | |||
RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey); | |||
if (rsa == NULL) { | |||
/* Decrypt operations are only supported for RSA keys. */ | |||
// Decrypt operations are only supported for RSA keys. | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return ssl_private_key_failure; | |||
} | |||
/* Decrypt with no padding. PKCS#1 padding will be removed as part | |||
* of the timing-sensitive code by the caller. */ | |||
// Decrypt with no padding. PKCS#1 padding will be removed as part of the | |||
// timing-sensitive code by the caller. | |||
if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) { | |||
return ssl_private_key_failure; | |||
} | |||
@@ -292,20 +292,20 @@ int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs, | |||
return 0; | |||
} | |||
/* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that | |||
* emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the | |||
* hash in TLS. Reasonable RSA key sizes are large enough for the largest | |||
* defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for | |||
* SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the | |||
* size so that we can fall back to another algorithm in that case. */ | |||
// Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that | |||
// emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the | |||
// hash in TLS. Reasonable RSA key sizes are large enough for the largest | |||
// defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for | |||
// SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the | |||
// size so that we can fall back to another algorithm in that case. | |||
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); | |||
if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) < | |||
2 * EVP_MD_size(alg->digest_func()) + 2) { | |||
return 0; | |||
} | |||
/* Newer algorithms require message-based private keys. | |||
* TODO(davidben): Remove this check when sign_digest is gone. */ | |||
// Newer algorithms require message-based private keys. | |||
// TODO(davidben): Remove this check when sign_digest is gone. | |||
if (ssl->cert->key_method != NULL && | |||
ssl->cert->key_method->sign == NULL && | |||
!legacy_sign_digest_supported(alg)) { | |||
@@ -483,9 +483,9 @@ int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids, | |||
return 0; | |||
} | |||
/* Convert the digest list to a signature algorithms list. | |||
* | |||
* TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */ | |||
// Convert the digest list to a signature algorithms list. | |||
// | |||
// TODO(davidben): Replace this API with one that can express RSA-PSS, etc. | |||
for (size_t i = 0; i < num_digests; i++) { | |||
switch (digest_nids[i]) { | |||
case NID_sha1: | |||
@@ -152,9 +152,9 @@ | |||
namespace bssl { | |||
/* The address of this is a magic value, a pointer to which is returned by | |||
* SSL_magic_pending_session_ptr(). It allows a session callback to indicate | |||
* that it needs to asynchronously fetch session information. */ | |||
// The address of this is a magic value, a pointer to which is returned by | |||
// SSL_magic_pending_session_ptr(). It allows a session callback to indicate | |||
// that it needs to asynchronously fetch session information. | |||
static const char g_pending_session_magic = 0; | |||
static CRYPTO_EX_DATA_CLASS g_ex_data_class = | |||
@@ -194,13 +194,13 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { | |||
new_session->sid_ctx_length = session->sid_ctx_length; | |||
OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length); | |||
/* Copy the key material. */ | |||
// Copy the key material. | |||
new_session->master_key_length = session->master_key_length; | |||
OPENSSL_memcpy(new_session->master_key, session->master_key, | |||
session->master_key_length); | |||
new_session->cipher = session->cipher; | |||
/* Copy authentication state. */ | |||
// Copy authentication state. | |||
if (session->psk_identity != NULL) { | |||
new_session->psk_identity = BUF_strdup(session->psk_identity); | |||
if (new_session->psk_identity == NULL) { | |||
@@ -255,7 +255,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { | |||
new_session->auth_timeout = session->auth_timeout; | |||
new_session->time = session->time; | |||
/* Copy non-authentication connection properties. */ | |||
// Copy non-authentication connection properties. | |||
if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) { | |||
new_session->session_id_length = session->session_id_length; | |||
OPENSSL_memcpy(new_session->session_id, session->session_id, | |||
@@ -283,7 +283,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { | |||
new_session->early_alpn_len = session->early_alpn_len; | |||
} | |||
/* Copy the ticket. */ | |||
// Copy the ticket. | |||
if (dup_flags & SSL_SESSION_INCLUDE_TICKET) { | |||
if (session->tlsext_tick != NULL) { | |||
new_session->tlsext_tick = | |||
@@ -295,7 +295,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { | |||
new_session->tlsext_ticklen = session->tlsext_ticklen; | |||
} | |||
/* The new_session does not get a copy of the ex_data. */ | |||
// The new_session does not get a copy of the ex_data. | |||
new_session->not_resumable = 1; | |||
return new_session; | |||
@@ -305,8 +305,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) { | |||
struct OPENSSL_timeval now; | |||
ssl_get_current_time(ssl, &now); | |||
/* To avoid overflows and underflows, if we've gone back in time, update the | |||
* time, but mark the session expired. */ | |||
// To avoid overflows and underflows, if we've gone back in time, update the | |||
// time, but mark the session expired. | |||
if (session->time > now.tv_sec) { | |||
session->time = now.tv_sec; | |||
session->timeout = 0; | |||
@@ -314,8 +314,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) { | |||
return; | |||
} | |||
/* Adjust the session time and timeouts. If the session has already expired, | |||
* clamp the timeouts at zero. */ | |||
// Adjust the session time and timeouts. If the session has already expired, | |||
// clamp the timeouts at zero. | |||
uint64_t delta = now.tv_sec - session->time; | |||
session->time = now.tv_sec; | |||
if (session->timeout < delta) { | |||
@@ -332,8 +332,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) { | |||
void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, | |||
uint32_t timeout) { | |||
/* Rebase the timestamp relative to the current time so |timeout| is measured | |||
* correctly. */ | |||
// Rebase the timestamp relative to the current time so |timeout| is measured | |||
// correctly. | |||
ssl_session_rebase_time(ssl, session); | |||
if (session->timeout > timeout) { | |||
@@ -349,8 +349,8 @@ void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, | |||
uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session) { | |||
uint16_t ret; | |||
if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) { | |||
/* An |SSL_SESSION| will never have an invalid version. This is enforced by | |||
* the parser. */ | |||
// An |SSL_SESSION| will never have an invalid version. This is enforced by | |||
// the parser. | |||
assert(0); | |||
return 0; | |||
} | |||
@@ -378,28 +378,28 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) { | |||
session->is_server = is_server; | |||
session->ssl_version = ssl->version; | |||
/* Fill in the time from the |SSL_CTX|'s clock. */ | |||
// Fill in the time from the |SSL_CTX|'s clock. | |||
struct OPENSSL_timeval now; | |||
ssl_get_current_time(ssl, &now); | |||
session->time = now.tv_sec; | |||
uint16_t version = ssl3_protocol_version(ssl); | |||
if (version >= TLS1_3_VERSION) { | |||
/* TLS 1.3 uses tickets as authenticators, so we are willing to use them for | |||
* longer. */ | |||
// TLS 1.3 uses tickets as authenticators, so we are willing to use them for | |||
// longer. | |||
session->timeout = ssl->session_ctx->session_psk_dhe_timeout; | |||
session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT; | |||
} else { | |||
/* TLS 1.2 resumption does not incorporate new key material, so we use a | |||
* much shorter timeout. */ | |||
// TLS 1.2 resumption does not incorporate new key material, so we use a | |||
// much shorter timeout. | |||
session->timeout = ssl->session_ctx->session_timeout; | |||
session->auth_timeout = ssl->session_ctx->session_timeout; | |||
} | |||
if (is_server) { | |||
if (hs->ticket_expected || version >= TLS1_3_VERSION) { | |||
/* Don't set session IDs for sessions resumed with tickets. This will keep | |||
* them out of the session cache. */ | |||
// Don't set session IDs for sessions resumed with tickets. This will keep | |||
// them out of the session cache. | |||
session->session_id_length = 0; | |||
} else { | |||
session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; | |||
@@ -419,7 +419,7 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) { | |||
ssl->cert->sid_ctx_length); | |||
session->sid_ctx_length = ssl->cert->sid_ctx_length; | |||
/* The session is marked not resumable until it is completely filled in. */ | |||
// The session is marked not resumable until it is completely filled in. | |||
session->not_resumable = 1; | |||
session->verify_result = X509_V_ERR_INVALID_CALL; | |||
@@ -432,8 +432,8 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) { | |||
OPENSSL_timeval now; | |||
ssl_ctx_get_current_time(ctx, &now); | |||
{ | |||
/* Avoid acquiring a write lock in the common case (i.e. a non-default key | |||
* is used or the default keys have not expired yet). */ | |||
// Avoid acquiring a write lock in the common case (i.e. a non-default key | |||
// is used or the default keys have not expired yet). | |||
MutexReadLock lock(&ctx->lock); | |||
if (ctx->tlsext_ticket_key_current && | |||
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec == 0 || | |||
@@ -448,16 +448,16 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) { | |||
if (!ctx->tlsext_ticket_key_current || | |||
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec != 0 && | |||
ctx->tlsext_ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) { | |||
/* The current key has not been initialized or it is expired. */ | |||
// The current key has not been initialized or it is expired. | |||
auto new_key = bssl::MakeUnique<struct tlsext_ticket_key>(); | |||
if (!new_key) { | |||
return 0; | |||
} | |||
OPENSSL_memset(new_key.get(), 0, sizeof(struct tlsext_ticket_key)); | |||
if (ctx->tlsext_ticket_key_current) { | |||
/* The current key expired. Rotate it to prev and bump up its rotation | |||
* timestamp. Note that even with the new rotation time it may still be | |||
* expired and get droppped below. */ | |||
// The current key expired. Rotate it to prev and bump up its rotation | |||
// timestamp. Note that even with the new rotation time it may still be | |||
// expired and get droppped below. | |||
ctx->tlsext_ticket_key_current->next_rotation_tv_sec += | |||
SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL; | |||
OPENSSL_free(ctx->tlsext_ticket_key_prev); | |||
@@ -471,7 +471,7 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) { | |||
now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL; | |||
} | |||
/* Drop an expired prev key. */ | |||
// Drop an expired prev key. | |||
if (ctx->tlsext_ticket_key_prev && | |||
ctx->tlsext_ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) { | |||
OPENSSL_free(ctx->tlsext_ticket_key_prev); | |||
@@ -487,8 +487,8 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out, | |||
ScopedEVP_CIPHER_CTX ctx; | |||
ScopedHMAC_CTX hctx; | |||
/* If the session is too long, emit a dummy value rather than abort the | |||
* connection. */ | |||
// If the session is too long, emit a dummy value rather than abort the | |||
// connection. | |||
static const size_t kMaxTicketOverhead = | |||
16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE; | |||
if (session_len > 0xffff - kMaxTicketOverhead) { | |||
@@ -497,8 +497,8 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out, | |||
strlen(kTicketPlaceholder)); | |||
} | |||
/* Initialize HMAC and cipher contexts. If callback present it does all the | |||
* work otherwise use generated values from parent ctx. */ | |||
// Initialize HMAC and cipher contexts. If callback present it does all the | |||
// work otherwise use generated values from parent ctx. | |||
SSL_CTX *tctx = ssl->session_ctx; | |||
uint8_t iv[EVP_MAX_IV_LENGTH]; | |||
uint8_t key_name[16]; | |||
@@ -508,7 +508,7 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out, | |||
return 0; | |||
} | |||
} else { | |||
/* Rotate ticket key if necessary. */ | |||
// Rotate ticket key if necessary. | |||
if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) { | |||
return 0; | |||
} | |||
@@ -590,7 +590,7 @@ static int ssl_encrypt_ticket_with_method(SSL *ssl, CBB *out, | |||
} | |||
int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) { | |||
/* Serialize the SSL_SESSION to be encoded into the ticket. */ | |||
// Serialize the SSL_SESSION to be encoded into the ticket. | |||
uint8_t *session_buf = NULL; | |||
size_t session_len; | |||
if (!SSL_SESSION_to_bytes_for_ticket(session, &session_buf, &session_len)) { | |||
@@ -627,7 +627,7 @@ int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session) { | |||
struct OPENSSL_timeval now; | |||
ssl_get_current_time(ssl, &now); | |||
/* Reject tickets from the future to avoid underflow. */ | |||
// Reject tickets from the future to avoid underflow. | |||
if (now.tv_sec < session->time) { | |||
return 0; | |||
} | |||
@@ -639,27 +639,27 @@ int ssl_session_is_resumable(const SSL_HANDSHAKE *hs, | |||
const SSL_SESSION *session) { | |||
const SSL *const ssl = hs->ssl; | |||
return ssl_session_is_context_valid(ssl, session) && | |||
/* The session must have been created by the same type of end point as | |||
* we're now using it with. */ | |||
// The session must have been created by the same type of end point as | |||
// we're now using it with. | |||
ssl->server == session->is_server && | |||
/* The session must not be expired. */ | |||
// The session must not be expired. | |||
ssl_session_is_time_valid(ssl, session) && | |||
/* Only resume if the session's version matches the negotiated | |||
* version. */ | |||
ssl->version == session->ssl_version && | |||
/* Only resume if the session's cipher matches the negotiated one. */ | |||
// Only resume if the session's cipher matches the negotiated one. | |||
hs->new_cipher == session->cipher && | |||
/* If the session contains a client certificate (either the full | |||
* certificate or just the hash) then require that the form of the | |||
* certificate matches the current configuration. */ | |||
// If the session contains a client certificate (either the full | |||
// certificate or just the hash) then require that the form of the | |||
// certificate matches the current configuration. | |||
((sk_CRYPTO_BUFFER_num(session->certs) == 0 && | |||
!session->peer_sha256_valid) || | |||
session->peer_sha256_valid == | |||
ssl->retain_only_sha256_of_client_certs); | |||
} | |||
/* ssl_lookup_session looks up |session_id| in the session cache and sets | |||
* |*out_session| to an |SSL_SESSION| object if found. */ | |||
// ssl_lookup_session looks up |session_id| in the session cache and sets | |||
// |*out_session| to an |SSL_SESSION| object if found. | |||
static enum ssl_hs_wait_t ssl_lookup_session( | |||
SSL *ssl, UniquePtr<SSL_SESSION> *out_session, const uint8_t *session_id, | |||
size_t session_id_len) { | |||
@@ -670,7 +670,7 @@ static enum ssl_hs_wait_t ssl_lookup_session( | |||
} | |||
UniquePtr<SSL_SESSION> session; | |||
/* Try the internal cache, if it exists. */ | |||
// Try the internal cache, if it exists. | |||
if (!(ssl->session_ctx->session_cache_mode & | |||
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { | |||
SSL_SESSION data; | |||
@@ -681,14 +681,14 @@ static enum ssl_hs_wait_t ssl_lookup_session( | |||
CRYPTO_MUTEX_lock_read(&ssl->session_ctx->lock); | |||
session.reset(lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data)); | |||
if (session) { | |||
/* |lh_SSL_SESSION_retrieve| returns a non-owning pointer. */ | |||
// |lh_SSL_SESSION_retrieve| returns a non-owning pointer. | |||
SSL_SESSION_up_ref(session.get()); | |||
} | |||
/* TODO(davidben): This should probably move it to the front of the list. */ | |||
// TODO(davidben): This should probably move it to the front of the list. | |||
CRYPTO_MUTEX_unlock_read(&ssl->session_ctx->lock); | |||
} | |||
/* Fall back to the external cache, if it exists. */ | |||
// Fall back to the external cache, if it exists. | |||
if (!session && ssl->session_ctx->get_session_cb != NULL) { | |||
int copy = 1; | |||
session.reset(ssl->session_ctx->get_session_cb(ssl, (uint8_t *)session_id, | |||
@@ -703,15 +703,15 @@ static enum ssl_hs_wait_t ssl_lookup_session( | |||
return ssl_hs_pending_session; | |||
} | |||
/* Increment reference count now if the session callback asks us to do so | |||
* (note that if the session structures returned by the callback are shared | |||
* between threads, it must handle the reference count itself [i.e. copy == | |||
* 0], or things won't be thread-safe). */ | |||
// Increment reference count now if the session callback asks us to do so | |||
// (note that if the session structures returned by the callback are shared | |||
// between threads, it must handle the reference count itself [i.e. copy == | |||
// 0], or things won't be thread-safe). | |||
if (copy) { | |||
SSL_SESSION_up_ref(session.get()); | |||
} | |||
/* Add the externally cached session to the internal cache if necessary. */ | |||
// Add the externally cached session to the internal cache if necessary. | |||
if (!(ssl->session_ctx->session_cache_mode & | |||
SSL_SESS_CACHE_NO_INTERNAL_STORE)) { | |||
SSL_CTX_add_session(ssl->session_ctx, session.get()); | |||
@@ -719,7 +719,7 @@ static enum ssl_hs_wait_t ssl_lookup_session( | |||
} | |||
if (session && !ssl_session_is_time_valid(ssl, session.get())) { | |||
/* The session was from the cache, so remove it. */ | |||
// The session was from the cache, so remove it. | |||
SSL_CTX_remove_session(ssl->session_ctx, session.get()); | |||
session.reset(); | |||
} | |||
@@ -733,12 +733,12 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl, | |||
int *out_tickets_supported, | |||
int *out_renew_ticket, | |||
const SSL_CLIENT_HELLO *client_hello) { | |||
/* This is used only by servers. */ | |||
// This is used only by servers. | |||
assert(ssl->server); | |||
UniquePtr<SSL_SESSION> session; | |||
int renew_ticket = 0; | |||
/* If tickets are disabled, always behave as if no tickets are present. */ | |||
// If tickets are disabled, always behave as if no tickets are present. | |||
const uint8_t *ticket = NULL; | |||
size_t ticket_len = 0; | |||
const int tickets_supported = | |||
@@ -761,7 +761,7 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl, | |||
return ssl_hs_pending_ticket; | |||
} | |||
} else { | |||
/* The client didn't send a ticket, so the session ID is a real ID. */ | |||
// The client didn't send a ticket, so the session ID is a real ID. | |||
enum ssl_hs_wait_t lookup_ret = ssl_lookup_session( | |||
ssl, &session, client_hello->session_id, client_hello->session_id_len); | |||
if (lookup_ret != ssl_hs_ok) { | |||
@@ -817,16 +817,16 @@ void ssl_set_session(SSL *ssl, SSL_SESSION *session) { | |||
} | |||
} | |||
/* locked by SSL_CTX in the calling function */ | |||
// locked by SSL_CTX in the calling function | |||
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) { | |||
if (session->next == NULL || session->prev == NULL) { | |||
return; | |||
} | |||
if (session->next == (SSL_SESSION *)&ctx->session_cache_tail) { | |||
/* last element in list */ | |||
// last element in list | |||
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) { | |||
/* only one element in list */ | |||
// only one element in list | |||
ctx->session_cache_head = NULL; | |||
ctx->session_cache_tail = NULL; | |||
} else { | |||
@@ -835,10 +835,10 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) { | |||
} | |||
} else { | |||
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) { | |||
/* first element in list */ | |||
// first element in list | |||
ctx->session_cache_head = session->next; | |||
session->next->prev = (SSL_SESSION *)&(ctx->session_cache_head); | |||
} else { /* middle of list */ | |||
} else { // middle of list | |||
session->next->prev = session->prev; | |||
session->prev->next = session->next; | |||
} | |||
@@ -913,7 +913,7 @@ uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session) { | |||
uint64_t SSL_SESSION_get_time(const SSL_SESSION *session) { | |||
if (session == NULL) { | |||
/* NULL should crash, but silently accept it here for compatibility. */ | |||
// NULL should crash, but silently accept it here for compatibility. | |||
return 0; | |||
} | |||
return session->time; | |||
@@ -925,7 +925,7 @@ X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) { | |||
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out, | |||
size_t max_out) { | |||
/* TODO(davidben): Fix master_key_length's type and remove these casts. */ | |||
// TODO(davidben): Fix master_key_length's type and remove these casts. | |||
if (max_out == 0) { | |||
return (size_t)session->master_key_length; | |||
} | |||
@@ -974,9 +974,9 @@ SSL_SESSION *SSL_magic_pending_session_ptr(void) { | |||
} | |||
SSL_SESSION *SSL_get_session(const SSL *ssl) { | |||
/* Once the handshake completes we return the established session. Otherwise | |||
* we return the intermediate session, either |session| (for resumption) or | |||
* |new_session| if doing a full handshake. */ | |||
// Once the handshake completes we return the established session. Otherwise | |||
// we return the intermediate session, either |session| (for resumption) or | |||
// |new_session| if doing a full handshake. | |||
if (!SSL_in_init(ssl)) { | |||
return ssl->s3->established_session; | |||
} | |||
@@ -1019,8 +1019,8 @@ void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx) { | |||
} | |||
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) { | |||
/* Although |session| is inserted into two structures (a doubly-linked list | |||
* and the hash table), |ctx| only takes one reference. */ | |||
// Although |session| is inserted into two structures (a doubly-linked list | |||
// and the hash table), |ctx| only takes one reference. | |||
SSL_SESSION_up_ref(session); | |||
SSL_SESSION *old_session; | |||
@@ -1033,21 +1033,21 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) { | |||
if (old_session != NULL) { | |||
if (old_session == session) { | |||
/* |session| was already in the cache. */ | |||
// |session| was already in the cache. | |||
CRYPTO_MUTEX_unlock_write(&ctx->lock); | |||
SSL_SESSION_free(old_session); | |||
return 0; | |||
} | |||
/* There was a session ID collision. |old_session| must be removed from | |||
* the linked list and released. */ | |||
// There was a session ID collision. |old_session| must be removed from | |||
// the linked list and released. | |||
SSL_SESSION_list_remove(ctx, old_session); | |||
SSL_SESSION_free(old_session); | |||
} | |||
SSL_SESSION_list_add(ctx, session); | |||
/* Enforce any cache size limits. */ | |||
// Enforce any cache size limits. | |||
if (SSL_CTX_sess_get_cache_size(ctx) > 0) { | |||
while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) { | |||
if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) { | |||
@@ -1065,7 +1065,7 @@ int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session) { | |||
} | |||
int SSL_set_session(SSL *ssl, SSL_SESSION *session) { | |||
/* SSL_set_session may only be called before the handshake has started. */ | |||
// SSL_set_session may only be called before the handshake has started. | |||
if (ssl->s3->initial_handshake_complete || | |||
ssl->s3->hs == NULL || | |||
ssl->s3->hs->state != 0) { | |||
@@ -1081,7 +1081,7 @@ uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout) { | |||
return 0; | |||
} | |||
/* Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|. */ | |||
// Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|. | |||
if (timeout == 0) { | |||
timeout = SSL_DEFAULT_SESSION_TIMEOUT; | |||
} | |||
@@ -1115,9 +1115,8 @@ static void timeout_doall_arg(SSL_SESSION *session, void *void_param) { | |||
if (param->time == 0 || | |||
session->time + session->timeout < session->time || | |||
param->time > (session->time + session->timeout)) { | |||
/* timeout */ | |||
/* The reason we don't call SSL_CTX_remove_session() is to | |||
* save on locking overhead */ | |||
// The reason we don't call SSL_CTX_remove_session() is to | |||
// save on locking overhead | |||
(void) lh_SSL_SESSION_delete(param->cache, session); | |||
SSL_SESSION_list_remove(param->ctx, session); | |||
if (param->ctx->remove_session_cb != NULL) { | |||
@@ -40,7 +40,7 @@ | |||
#include "../crypto/test/test_util.h" | |||
#if defined(OPENSSL_WINDOWS) | |||
/* Windows defines struct timeval in winsock2.h. */ | |||
// Windows defines struct timeval in winsock2.h. | |||
OPENSSL_MSVC_PRAGMA(warning(push, 3)) | |||
#include <winsock2.h> | |||
OPENSSL_MSVC_PRAGMA(warning(pop)) | |||
@@ -1538,9 +1538,9 @@ static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client, | |||
return true; | |||
} | |||
/* SSLVersionTest executes its test cases under all available protocol versions. | |||
* Test cases call |Connect| to create a connection using context objects with | |||
* the protocol version fixed to the current version under test. */ | |||
// SSLVersionTest executes its test cases under all available protocol versions. | |||
// Test cases call |Connect| to create a connection using context objects with | |||
// the protocol version fixed to the current version under test. | |||
class SSLVersionTest : public ::testing::TestWithParam<VersionParam> { | |||
protected: | |||
SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {} | |||
@@ -2192,7 +2192,7 @@ static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx, | |||
static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key, | |||
bool changed) { | |||
uint8_t new_key[kTicketKeyLen]; | |||
/* May return 0, 1 or 48. */ | |||
// May return 0, 1 or 48. | |||
ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1); | |||
if (changed) { | |||
ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key)); | |||
@@ -2493,8 +2493,8 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { | |||
g_current_time.tv_sec = kStartTime; | |||
uint8_t ticket_key[kTicketKeyLen]; | |||
/* We use session reuse as a proxy for ticket decryption success, hence | |||
* disable session timeouts. */ | |||
// We use session reuse as a proxy for ticket decryption success, hence | |||
// disable session timeouts. | |||
SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max()); | |||
SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(), | |||
std::numeric_limits<uint32_t>::max()); | |||
@@ -2505,11 +2505,11 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { | |||
SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH); | |||
SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF); | |||
/* Initialize ticket_key with the current key. */ | |||
// Initialize ticket_key with the current key. | |||
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, | |||
true /* changed */)); | |||
/* Verify ticket resumption actually works. */ | |||
// Verify ticket resumption actually works. | |||
bssl::UniquePtr<SSL> client, server; | |||
bssl::UniquePtr<SSL_SESSION> session = | |||
CreateClientSession(client_ctx_.get(), server_ctx_.get()); | |||
@@ -2517,21 +2517,21 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { | |||
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), | |||
session.get(), true /* reused */)); | |||
/* Advance time to just before key rotation. */ | |||
// Advance time to just before key rotation. | |||
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1; | |||
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), | |||
session.get(), true /* reused */)); | |||
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, | |||
false /* NOT changed */)); | |||
/* Force key rotation. */ | |||
// Force key rotation. | |||
g_current_time.tv_sec += 1; | |||
bssl::UniquePtr<SSL_SESSION> new_session = | |||
CreateClientSession(client_ctx_.get(), server_ctx_.get()); | |||
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, | |||
true /* changed */)); | |||
/* Resumption with both old and new ticket should work. */ | |||
// Resumption with both old and new ticket should work. | |||
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), | |||
session.get(), true /* reused */)); | |||
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), | |||
@@ -2539,14 +2539,14 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) { | |||
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, | |||
false /* NOT changed */)); | |||
/* Force key rotation again. Resumption with the old ticket now fails. */ | |||
// Force key rotation again. Resumption with the old ticket now fails. | |||
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL; | |||
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), | |||
session.get(), false /* NOT reused */)); | |||
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key, | |||
true /* changed */)); | |||
/* But resumption with the newer session still works. */ | |||
// But resumption with the newer session still works. | |||
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(), | |||
new_session.get(), true /* reused */)); | |||
} | |||
@@ -167,8 +167,8 @@ bool SSLTranscript::Init() { | |||
return true; | |||
} | |||
/* InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then | |||
* writes the data in |buf| to it. */ | |||
// InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then | |||
// writes the data in |buf| to it. | |||
static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md, | |||
const BUF_MEM *buf) { | |||
if (!EVP_DigestInit_ex(ctx, md, NULL)) { | |||
@@ -181,9 +181,9 @@ static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md, | |||
bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) { | |||
const EVP_MD *md = ssl_get_handshake_digest(version, cipher); | |||
/* To support SSL 3.0's Finished and CertificateVerify constructions, | |||
* EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed, | |||
* we can simplify this. */ | |||
// To support SSL 3.0's Finished and CertificateVerify constructions, | |||
// EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed, | |||
// we can simplify this. | |||
if (md == EVP_md5_sha1()) { | |||
if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) { | |||
return false; | |||
@@ -210,8 +210,8 @@ const EVP_MD *SSLTranscript::Digest() const { | |||
} | |||
bool SSLTranscript::Update(const uint8_t *in, size_t in_len) { | |||
/* Depending on the state of the handshake, either the handshake buffer may be | |||
* active, the rolling hash, or both. */ | |||
// Depending on the state of the handshake, either the handshake buffer may be | |||
// active, the rolling hash, or both. | |||
if (buffer_) { | |||
size_t new_len = buffer_->length + in_len; | |||
if (new_len < in_len) { | |||
@@ -351,8 +351,8 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len, | |||
return true; | |||
} | |||
/* At this point, the handshake should have released the handshake buffer on | |||
* its own. */ | |||
// At this point, the handshake should have released the handshake buffer on | |||
// its own. | |||
assert(!buffer_); | |||
const char *label = TLS_MD_CLIENT_FINISH_CONST; | |||
@@ -41,7 +41,7 @@ int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { | |||
return 1; | |||
case DTLS1_VERSION: | |||
/* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */ | |||
// DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. | |||
*out = TLS1_1_VERSION; | |||
return 1; | |||
@@ -54,8 +54,8 @@ int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { | |||
} | |||
} | |||
/* The follow arrays are the supported versions for TLS and DTLS, in order of | |||
* decreasing preference. */ | |||
// The follow arrays are the supported versions for TLS and DTLS, in order of | |||
// decreasing preference. | |||
static const uint16_t kTLSVersions[] = { | |||
TLS1_3_EXPERIMENT_VERSION, | |||
@@ -98,9 +98,9 @@ static int method_supports_version(const SSL_PROTOCOL_METHOD *method, | |||
static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, | |||
uint16_t version) { | |||
/* The public API uses wire versions, except we use |TLS1_3_VERSION| | |||
* everywhere to refer to any draft TLS 1.3 versions. In this direction, we | |||
* map it to some representative TLS 1.3 draft version. */ | |||
// The public API uses wire versions, except we use |TLS1_3_VERSION| | |||
// everywhere to refer to any draft TLS 1.3 versions. In this direction, we | |||
// map it to some representative TLS 1.3 draft version. | |||
if (version == TLS1_3_DRAFT_VERSION || | |||
version == TLS1_3_EXPERIMENT_VERSION || | |||
version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) { | |||
@@ -122,9 +122,9 @@ static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out, | |||
static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, | |||
uint16_t version) { | |||
/* Zero is interpreted as the default minimum version. */ | |||
// Zero is interpreted as the default minimum version. | |||
if (version == 0) { | |||
/* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */ | |||
// SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. | |||
*out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION; | |||
return 1; | |||
} | |||
@@ -134,7 +134,7 @@ static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, | |||
static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, | |||
uint16_t version) { | |||
/* Zero is interpreted as the default maximum version. */ | |||
// Zero is interpreted as the default maximum version. | |||
if (version == 0) { | |||
*out = TLS1_2_VERSION; | |||
return 1; | |||
@@ -156,8 +156,8 @@ const struct { | |||
int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, | |||
uint16_t *out_max_version) { | |||
/* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but | |||
* DTLS 1.0 should be mapped to TLS 1.1. */ | |||
// For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but | |||
// DTLS 1.0 should be mapped to TLS 1.1. | |||
uint32_t options = ssl->options; | |||
if (SSL_is_dtls(ssl)) { | |||
options &= ~SSL_OP_NO_TLSv1_1; | |||
@@ -169,19 +169,19 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, | |||
uint16_t min_version = ssl->conf_min_version; | |||
uint16_t max_version = ssl->conf_max_version; | |||
/* OpenSSL's API for controlling versions entails blacklisting individual | |||
* protocols. This has two problems. First, on the client, the protocol can | |||
* only express a contiguous range of versions. Second, a library consumer | |||
* trying to set a maximum version cannot disable protocol versions that get | |||
* added in a future version of the library. | |||
* | |||
* To account for both of these, OpenSSL interprets the client-side bitmask | |||
* as a min/max range by picking the lowest contiguous non-empty range of | |||
* enabled protocols. Note that this means it is impossible to set a maximum | |||
* version of the higest supported TLS version in a future-proof way. */ | |||
// OpenSSL's API for controlling versions entails blacklisting individual | |||
// protocols. This has two problems. First, on the client, the protocol can | |||
// only express a contiguous range of versions. Second, a library consumer | |||
// trying to set a maximum version cannot disable protocol versions that get | |||
// added in a future version of the library. | |||
// | |||
// To account for both of these, OpenSSL interprets the client-side bitmask | |||
// as a min/max range by picking the lowest contiguous non-empty range of | |||
// enabled protocols. Note that this means it is impossible to set a maximum | |||
// version of the higest supported TLS version in a future-proof way. | |||
int any_enabled = 0; | |||
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) { | |||
/* Only look at the versions already enabled. */ | |||
// Only look at the versions already enabled. | |||
if (min_version > kProtocolVersions[i].version) { | |||
continue; | |||
} | |||
@@ -190,7 +190,7 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, | |||
} | |||
if (!(options & kProtocolVersions[i].flag)) { | |||
/* The minimum version is the first enabled version. */ | |||
// The minimum version is the first enabled version. | |||
if (!any_enabled) { | |||
any_enabled = 1; | |||
min_version = kProtocolVersions[i].version; | |||
@@ -198,8 +198,8 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, | |||
continue; | |||
} | |||
/* If there is a disabled version after the first enabled one, all versions | |||
* after it are implicitly disabled. */ | |||
// If there is a disabled version after the first enabled one, all versions | |||
// after it are implicitly disabled. | |||
if (any_enabled) { | |||
max_version = kProtocolVersions[i-1].version; | |||
break; | |||
@@ -217,7 +217,7 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version, | |||
} | |||
static uint16_t ssl_version(const SSL *ssl) { | |||
/* In early data, we report the predicted version. */ | |||
// In early data, we report the predicted version. | |||
if (SSL_in_early_data(ssl) && !ssl->server) { | |||
return ssl->s3->hs->early_session->ssl_version; | |||
} | |||
@@ -226,7 +226,7 @@ static uint16_t ssl_version(const SSL *ssl) { | |||
static const char *ssl_version_to_string(uint16_t version) { | |||
switch (version) { | |||
/* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ | |||
// Report TLS 1.3 draft version as TLS 1.3 in the public API. | |||
case TLS1_3_DRAFT_VERSION: | |||
case TLS1_3_EXPERIMENT_VERSION: | |||
case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION: | |||
@@ -259,7 +259,7 @@ uint16_t ssl3_protocol_version(const SSL *ssl) { | |||
assert(ssl->s3->have_version); | |||
uint16_t version; | |||
if (!ssl_protocol_version_from_wire(&version, ssl->version)) { | |||
/* |ssl->version| will always be set to a valid version. */ | |||
// |ssl->version| will always be set to a valid version. | |||
assert(0); | |||
return 0; | |||
} | |||
@@ -269,9 +269,9 @@ uint16_t ssl3_protocol_version(const SSL *ssl) { | |||
int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) { | |||
SSL *const ssl = hs->ssl; | |||
/* As a client, only allow the configured TLS 1.3 variant. As a server, | |||
* support all TLS 1.3 variants as long as tls13_variant is set to a | |||
* non-default value. */ | |||
// As a client, only allow the configured TLS 1.3 variant. As a server, | |||
// support all TLS 1.3 variants as long as tls13_variant is set to a | |||
// non-default value. | |||
if (ssl->server) { | |||
if (ssl->tls13_variant == tls13_default && | |||
(version == TLS1_3_EXPERIMENT_VERSION || | |||
@@ -363,7 +363,7 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { | |||
int SSL_version(const SSL *ssl) { | |||
uint16_t ret = ssl_version(ssl); | |||
/* Report TLS 1.3 draft version as TLS 1.3 in the public API. */ | |||
// Report TLS 1.3 draft version as TLS 1.3 in the public API. | |||
if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION || | |||
ret == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) { | |||
return TLS1_3_VERSION; | |||
@@ -157,21 +157,21 @@ | |||
namespace bssl { | |||
/* check_ssl_x509_method asserts that |ssl| has the X509-based method | |||
* installed. Calling an X509-based method on an |ssl| with a different method | |||
* will likely misbehave and possibly crash or leak memory. */ | |||
// check_ssl_x509_method asserts that |ssl| has the X509-based method | |||
// installed. Calling an X509-based method on an |ssl| with a different method | |||
// will likely misbehave and possibly crash or leak memory. | |||
static void check_ssl_x509_method(const SSL *ssl) { | |||
assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method); | |||
} | |||
/* check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an | |||
* |SSL_CTX|. */ | |||
// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an | |||
// |SSL_CTX|. | |||
static void check_ssl_ctx_x509_method(const SSL_CTX *ctx) { | |||
assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method); | |||
} | |||
/* x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised | |||
* contents of |x509|. */ | |||
// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised | |||
// contents of |x509|. | |||
static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) { | |||
uint8_t *buf = NULL; | |||
int cert_len = i2d_X509(x509, &buf); | |||
@@ -185,7 +185,7 @@ static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) { | |||
return buffer; | |||
} | |||
/* new_leafless_chain returns a fresh stack of buffers set to {NULL}. */ | |||
// new_leafless_chain returns a fresh stack of buffers set to {NULL}. | |||
static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) { | |||
STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null(); | |||
if (chain == NULL) { | |||
@@ -200,10 +200,10 @@ static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) { | |||
return chain; | |||
} | |||
/* ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised | |||
* forms of elements of |chain|. It returns one on success or zero on error, in | |||
* which case no change to |cert->chain| is made. It preverses the existing | |||
* leaf from |cert->chain|, if any. */ | |||
// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised | |||
// forms of elements of |chain|. It returns one on success or zero on error, in | |||
// which case no change to |cert->chain| is made. It preverses the existing | |||
// leaf from |cert->chain|, if any. | |||
static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) { | |||
UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain; | |||
@@ -217,7 +217,7 @@ static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) { | |||
if (!sk_CRYPTO_BUFFER_push(new_chain.get(), leaf)) { | |||
return 0; | |||
} | |||
/* |leaf| might be NULL if it's a “leafless” chain. */ | |||
// |leaf| might be NULL if it's a “leafless” chain. | |||
if (leaf != NULL) { | |||
CRYPTO_BUFFER_up_ref(leaf); | |||
} | |||
@@ -439,13 +439,13 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, | |||
return 0; | |||
} | |||
/* We need to inherit the verify parameters. These can be determined by the | |||
* context: if its a server it will verify SSL client certificates or vice | |||
* versa. */ | |||
// We need to inherit the verify parameters. These can be determined by the | |||
// context: if its a server it will verify SSL client certificates or vice | |||
// versa. | |||
X509_STORE_CTX_set_default(ctx.get(), | |||
ssl->server ? "ssl_client" : "ssl_server"); | |||
/* Anything non-default in "param" should overwrite anything in the ctx. */ | |||
// Anything non-default in "param" should overwrite anything in the ctx. | |||
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param); | |||
if (ssl->verify_callback) { | |||
@@ -462,7 +462,7 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session, | |||
session->verify_result = ctx->error; | |||
/* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */ | |||
// If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. | |||
if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) { | |||
*out_alert = ssl_verify_alarm_type(ctx->error); | |||
return 0; | |||
@@ -497,8 +497,8 @@ static void ssl_crypto_x509_ssl_free(SSL *ssl) { | |||
} | |||
static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) { | |||
/* Only build a chain if there are no intermediates configured and the feature | |||
* isn't disabled. */ | |||
// Only build a chain if there are no intermediates configured and the feature | |||
// isn't disabled. | |||
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || | |||
!ssl_has_certificate(ssl) || | |||
ssl->cert->chain == NULL || | |||
@@ -519,11 +519,11 @@ static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) { | |||
return 0; | |||
} | |||
/* Attempt to build a chain, ignoring the result. */ | |||
// Attempt to build a chain, ignoring the result. | |||
X509_verify_cert(ctx.get()); | |||
ERR_clear_error(); | |||
/* Remove the leaf from the generated chain. */ | |||
// Remove the leaf from the generated chain. | |||
X509_free(sk_X509_shift(ctx->chain)); | |||
if (!ssl_cert_set_chain(ssl->cert, ctx->chain)) { | |||
@@ -605,8 +605,8 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) { | |||
return session->x509_chain; | |||
} | |||
/* OpenSSL historically didn't include the leaf certificate in the returned | |||
* certificate chain, but only for servers. */ | |||
// OpenSSL historically didn't include the leaf certificate in the returned | |||
// certificate chain, but only for servers. | |||
if (session->x509_chain_without_leaf == NULL) { | |||
session->x509_chain_without_leaf = sk_X509_new_null(); | |||
if (session->x509_chain_without_leaf == NULL) { | |||
@@ -800,8 +800,8 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { | |||
return ssl_use_certificate(ctx->cert, x); | |||
} | |||
/* ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the | |||
* first element of |cert->chain|. */ | |||
// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the | |||
// first element of |cert->chain|. | |||
static int ssl_cert_cache_leaf_cert(CERT *cert) { | |||
assert(cert->x509_method); | |||
@@ -963,8 +963,8 @@ int SSL_clear_chain_certs(SSL *ssl) { | |||
return SSL_set0_chain(ssl, NULL); | |||
} | |||
/* ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of | |||
* |cert->chain|. */ | |||
// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of | |||
// |cert->chain|. | |||
static int ssl_cert_cache_chain_certs(CERT *cert) { | |||
assert(cert->x509_method); | |||
@@ -1140,11 +1140,11 @@ static STACK_OF(X509_NAME) * | |||
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) { | |||
check_ssl_x509_method(ssl); | |||
/* For historical reasons, this function is used both to query configuration | |||
* state on a server as well as handshake state on a client. However, whether | |||
* |ssl| is a client or server is not known until explicitly configured with | |||
* |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an | |||
* indeterminate mode and |ssl->server| is unset. */ | |||
// For historical reasons, this function is used both to query configuration | |||
// state on a server as well as handshake state on a client. However, whether | |||
// |ssl| is a client or server is not known until explicitly configured with | |||
// |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an | |||
// indeterminate mode and |ssl->server| is unset. | |||
if (ssl->do_handshake != NULL && !ssl->server) { | |||
if (ssl->s3->hs != NULL) { | |||
return buffer_names_to_x509(ssl->s3->hs->ca_names.get(), | |||
@@ -1163,8 +1163,8 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) { | |||
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { | |||
check_ssl_ctx_x509_method(ctx); | |||
/* This is a logically const operation that may be called on multiple threads, | |||
* so it needs to lock around updating |cached_x509_client_CA|. */ | |||
// This is a logically const operation that may be called on multiple threads, | |||
// so it needs to lock around updating |cached_x509_client_CA|. | |||
CRYPTO_MUTEX_lock_write((CRYPTO_MUTEX *) &ctx->lock); | |||
STACK_OF(X509_NAME) *ret = buffer_names_to_x509( | |||
ctx->client_CA, (STACK_OF(X509_NAME) **)&ctx->cached_x509_client_CA); | |||
@@ -1259,7 +1259,7 @@ void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, | |||
X509 **out_x509, | |||
EVP_PKEY **out_pkey)) { | |||
check_ssl_ctx_x509_method(ctx); | |||
/* Emulate the old client certificate callback with the new one. */ | |||
// Emulate the old client certificate callback with the new one. | |||
SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL); | |||
ctx->client_cert_cb = cb; | |||
} | |||
@@ -1277,10 +1277,10 @@ static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store, | |||
} | |||
int SSL_get_ex_data_X509_STORE_CTX_idx(void) { | |||
/* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the | |||
* reserved app_data slot. Before ex_data was introduced, app_data was used. | |||
* Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data| | |||
* works. */ | |||
// The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the | |||
// reserved app_data slot. Before ex_data was introduced, app_data was used. | |||
// Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data| | |||
// works. | |||
return 0; | |||
} | |||
@@ -154,10 +154,10 @@ | |||
namespace bssl { | |||
/* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246, | |||
* section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and | |||
* |secret| as the secret. |seed1| through |seed3| are concatenated to form the | |||
* seed parameter. It returns one on success and zero on failure. */ | |||
// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246, | |||
// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and | |||
// |secret| as the secret. |seed1| through |seed3| are concatenated to form the | |||
// seed parameter. It returns one on success and zero on failure. | |||
static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, | |||
const uint8_t *secret, size_t secret_len, | |||
const uint8_t *seed1, size_t seed1_len, | |||
@@ -184,7 +184,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, | |||
uint8_t hmac[EVP_MAX_MD_SIZE]; | |||
if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) || | |||
!HMAC_Update(ctx.get(), A1, A1_len) || | |||
/* Save a copy of |ctx| to compute the next A1 value below. */ | |||
// Save a copy of |ctx| to compute the next A1 value below. | |||
(out_len > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) || | |||
!HMAC_Update(ctx.get(), seed1, seed1_len) || | |||
!HMAC_Update(ctx.get(), seed2, seed2_len) || | |||
@@ -194,7 +194,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, | |||
} | |||
assert(len == chunk); | |||
/* XOR the result into |out|. */ | |||
// XOR the result into |out|. | |||
if (len > out_len) { | |||
len = out_len; | |||
} | |||
@@ -209,7 +209,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, | |||
break; | |||
} | |||
/* Calculate the next A1 value. */ | |||
// Calculate the next A1 value. | |||
if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) { | |||
goto err; | |||
} | |||
@@ -233,8 +233,8 @@ int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, | |||
OPENSSL_memset(out, 0, out_len); | |||
if (digest == EVP_md5_sha1()) { | |||
/* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and | |||
* MD5, MD5 first. */ | |||
// If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and | |||
// MD5, MD5 first. | |||
size_t secret_half = secret_len - (secret_len / 2); | |||
if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, | |||
(const uint8_t *)label, label_len, seed1, seed1_len, seed2, | |||
@@ -242,7 +242,7 @@ int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, | |||
return 0; | |||
} | |||
/* Note that, if |secret_len| is odd, the two halves share a byte. */ | |||
// Note that, if |secret_len| is odd, the two halves share a byte. | |||
secret = secret + (secret_len - secret_half); | |||
secret_len = secret_half; | |||
@@ -272,7 +272,7 @@ static int ssl3_prf(uint8_t *out, size_t out_len, const uint8_t *secret, | |||
for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) { | |||
k++; | |||
if (k > sizeof(buf)) { | |||
/* bug: 'buf' is too small for this ciphersuite */ | |||
// bug: 'buf' is too small for this ciphersuite | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return 0; | |||
} | |||
@@ -287,7 +287,7 @@ static int ssl3_prf(uint8_t *out, size_t out_len, const uint8_t *secret, | |||
} | |||
EVP_DigestUpdate(sha1.get(), buf, k); | |||
EVP_DigestUpdate(sha1.get(), secret, secret_len); | |||
/* |label| is ignored for SSLv3. */ | |||
// |label| is ignored for SSLv3. | |||
if (seed1_len) { | |||
EVP_DigestUpdate(sha1.get(), seed1, seed1_len); | |||
} | |||
@@ -338,9 +338,9 @@ static int tls1_setup_key_block(SSL_HANDSHAKE *hs) { | |||
} | |||
size_t key_len = EVP_AEAD_key_length(aead); | |||
if (mac_secret_len > 0) { | |||
/* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the | |||
* key length reported by |EVP_AEAD_key_length| will include the MAC key | |||
* bytes and initial implicit IV. */ | |||
// For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the | |||
// key length reported by |EVP_AEAD_key_length| will include the MAC key | |||
// bytes and initial implicit IV. | |||
if (key_len < mac_secret_len + fixed_iv_len) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return 0; | |||
@@ -377,17 +377,17 @@ static int tls1_setup_key_block(SSL_HANDSHAKE *hs) { | |||
int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which) { | |||
SSL *const ssl = hs->ssl; | |||
/* Ensure the key block is set up. */ | |||
// Ensure the key block is set up. | |||
if (!tls1_setup_key_block(hs)) { | |||
return 0; | |||
} | |||
/* is_read is true if we have just read a ChangeCipherSpec message - i.e. we | |||
* need to update the read cipherspec. Otherwise we have just written one. */ | |||
// is_read is true if we have just read a ChangeCipherSpec message - i.e. we | |||
// need to update the read cipherspec. Otherwise we have just written one. | |||
const char is_read = (which & SSL3_CC_READ) != 0; | |||
/* use_client_keys is true if we wish to use the keys for the "client write" | |||
* direction. This is the case if we're a client sending a ChangeCipherSpec, | |||
* or a server reading a client's ChangeCipherSpec. */ | |||
// use_client_keys is true if we wish to use the keys for the "client write" | |||
// direction. This is the case if we're a client sending a ChangeCipherSpec, | |||
// or a server reading a client's ChangeCipherSpec. | |||
const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE || | |||
which == SSL3_CHANGE_CIPHER_SERVER_READ; | |||
@@ -506,7 +506,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, | |||
return 0; | |||
} | |||
/* Exporters may not be used in the middle of a renegotiation. */ | |||
// Exporters may not be used in the middle of a renegotiation. | |||
if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) { | |||
return 0; | |||
} | |||
@@ -1040,8 +1040,8 @@ static void MessageCallback(int is_write, int version, int content_type, | |||
uint8_t type; | |||
uint32_t msg_len; | |||
if (!CBS_get_u8(&cbs, &type) || | |||
/* TODO(davidben): Reporting on entire messages would be more | |||
* consistent than fragments. */ | |||
// TODO(davidben): Reporting on entire messages would be more | |||
// consistent than fragments. | |||
(config->is_dtls && | |||
!CBS_skip(&cbs, 3 /* total */ + 2 /* seq */ + 3 /* frag_off */)) || | |||
!CBS_get_u24(&cbs, &msg_len) || | |||
@@ -2421,7 +2421,7 @@ int main(int argc, char **argv) { | |||
StderrDelimiter delimiter; | |||
#if defined(OPENSSL_WINDOWS) | |||
/* Initialize Winsock. */ | |||
// Initialize Winsock. | |||
WORD wsa_version = MAKEWORD(2, 2); | |||
WSADATA wsa_data; | |||
int wsa_err = WSAStartup(wsa_version, &wsa_data); | |||
@@ -32,9 +32,9 @@ | |||
namespace bssl { | |||
/* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be | |||
* processed. Without this limit an attacker could force unbounded processing | |||
* without being able to return application data. */ | |||
// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be | |||
// processed. Without this limit an attacker could force unbounded processing | |||
// without being able to return application data. | |||
static const uint8_t kMaxKeyUpdates = 32; | |||
int tls13_get_cert_verify_signature_input( | |||
@@ -56,7 +56,7 @@ int tls13_get_cert_verify_signature_input( | |||
const uint8_t *context; | |||
size_t context_len; | |||
if (cert_verify_context == ssl_cert_verify_server) { | |||
/* Include the NUL byte. */ | |||
// Include the NUL byte. | |||
static const char kContext[] = "TLS 1.3, server CertificateVerify"; | |||
context = (const uint8_t *)kContext; | |||
context_len = sizeof(kContext); | |||
@@ -130,15 +130,15 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); | |||
return 0; | |||
} | |||
/* TLS 1.3 always uses certificate keys for signing thus the correct | |||
* keyUsage is enforced. */ | |||
// TLS 1.3 always uses certificate keys for signing thus the correct | |||
// keyUsage is enforced. | |||
if (!ssl_cert_check_digital_signature_key_usage(&certificate)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
return 0; | |||
} | |||
if (retain_sha256) { | |||
/* Retain the hash of the leaf certificate if requested. */ | |||
// Retain the hash of the leaf certificate if requested. | |||
SHA256(CBS_data(&certificate), CBS_len(&certificate), | |||
hs->new_session->peer_sha256); | |||
} | |||
@@ -153,7 +153,7 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, | |||
return 0; | |||
} | |||
/* Parse out the extensions. */ | |||
// Parse out the extensions. | |||
int have_status_request = 0, have_sct = 0; | |||
CBS status_request, sct; | |||
const SSL_EXTENSION_TYPE ext_types[] = { | |||
@@ -169,8 +169,8 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, | |||
return 0; | |||
} | |||
/* All Certificate extensions are parsed, but only the leaf extensions are | |||
* stored. */ | |||
// All Certificate extensions are parsed, but only the leaf extensions are | |||
// stored. | |||
if (have_status_request) { | |||
if (ssl->server || !ssl->ocsp_stapling_enabled) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); | |||
@@ -225,8 +225,8 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, | |||
} | |||
} | |||
/* Store a null certificate list rather than an empty one if the peer didn't | |||
* send certificates. */ | |||
// Store a null certificate list rather than an empty one if the peer didn't | |||
// send certificates. | |||
if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) { | |||
certs.reset(); | |||
} | |||
@@ -249,11 +249,11 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, | |||
return 0; | |||
} | |||
/* OpenSSL returns X509_V_OK when no certificates are requested. This is | |||
* classed by them as a bug, but it's assumed by at least NGINX. */ | |||
// OpenSSL returns X509_V_OK when no certificates are requested. This is | |||
// classed by them as a bug, but it's assumed by at least NGINX. | |||
hs->new_session->verify_result = X509_V_OK; | |||
/* No certificate, so nothing more to do. */ | |||
// No certificate, so nothing more to do. | |||
return 1; | |||
} | |||
@@ -347,7 +347,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) { | |||
ScopedCBB cbb; | |||
CBB body, certificate_list; | |||
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) || | |||
/* The request context is always empty in the handshake. */ | |||
// The request context is always empty in the handshake. | |||
!CBB_add_u8(&body, 0) || | |||
!CBB_add_u24_length_prefixed(&body, &certificate_list)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
@@ -430,7 +430,7 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) { | |||
return ssl_private_key_failure; | |||
} | |||
/* Sign the digest. */ | |||
// Sign the digest. | |||
CBB child; | |||
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); | |||
uint8_t *sig; | |||
@@ -503,7 +503,7 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) { | |||
return 0; | |||
} | |||
/* Acknowledge the KeyUpdate */ | |||
// Acknowledge the KeyUpdate | |||
if (key_update_request == SSL_KEY_UPDATE_REQUESTED && | |||
!ssl->s3->key_update_pending) { | |||
ScopedCBB cbb; | |||
@@ -516,10 +516,10 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) { | |||
return 0; | |||
} | |||
/* Suppress KeyUpdate acknowledgments until this change is written to the | |||
* wire. This prevents us from accumulating write obligations when read and | |||
* write progress at different rates. See draft-ietf-tls-tls13-18, section | |||
* 4.5.3. */ | |||
// Suppress KeyUpdate acknowledgments until this change is written to the | |||
// wire. This prevents us from accumulating write obligations when read and | |||
// write progress at different rates. See draft-ietf-tls-tls13-18, section | |||
// 4.5.3. | |||
ssl->s3->key_update_pending = 1; | |||
} | |||
@@ -66,7 +66,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { | |||
uint16_t server_version; | |||
if (!CBS_get_u16(&body, &server_version) || | |||
!CBS_get_u16_length_prefixed(&body, &extensions) || | |||
/* HelloRetryRequest may not be empty. */ | |||
// HelloRetryRequest may not be empty. | |||
CBS_len(&extensions) == 0 || | |||
CBS_len(&body) != 0) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); | |||
@@ -112,7 +112,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* The group must be supported. */ | |||
// The group must be supported. | |||
const uint16_t *groups; | |||
size_t groups_len; | |||
tls1_get_grouplist(ssl, &groups, &groups_len); | |||
@@ -130,8 +130,8 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Check that the HelloRetryRequest does not request the key share that | |||
* was provided in the initial ClientHello. */ | |||
// Check that the HelloRetryRequest does not request the key share that | |||
// was provided in the initial ClientHello. | |||
if (hs->key_share->GroupID() == group_id) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); | |||
@@ -149,7 +149,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { | |||
ssl->method->next_message(ssl); | |||
hs->received_hello_retry_request = 1; | |||
hs->tls13_state = state_send_second_client_hello; | |||
/* 0-RTT is rejected if we receive a HelloRetryRequest. */ | |||
// 0-RTT is rejected if we receive a HelloRetryRequest. | |||
if (hs->in_early_data) { | |||
return ssl_hs_early_data_rejected; | |||
} | |||
@@ -158,7 +158,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* Restore the null cipher. We may have switched due to 0-RTT. */ | |||
// Restore the null cipher. We may have switched due to 0-RTT. | |||
bssl::UniquePtr<SSLAEADContext> null_ctx = SSLAEADContext::CreateNullCipher(); | |||
if (!null_ctx || | |||
!ssl->method->set_write_state(ssl, std::move(null_ctx)) || | |||
@@ -217,7 +217,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Check if the cipher is a TLS 1.3 cipher. */ | |||
// Check if the cipher is a TLS 1.3 cipher. | |||
if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) || | |||
SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); | |||
@@ -225,7 +225,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Parse out the extensions. */ | |||
// Parse out the extensions. | |||
int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0; | |||
CBS key_share, pre_shared_key, supported_versions; | |||
const SSL_EXTENSION_TYPE ext_types[] = { | |||
@@ -243,8 +243,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* supported_versions is parsed in handshake_client to select the experimental | |||
* TLS 1.3 version. */ | |||
// supported_versions is parsed in handshake_client to select the experimental | |||
// TLS 1.3 version. | |||
if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); | |||
@@ -278,7 +278,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
if (!ssl_session_is_context_valid(ssl, ssl->session)) { | |||
/* This is actually a client application bug. */ | |||
// This is actually a client application bug. | |||
OPENSSL_PUT_ERROR(SSL, | |||
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
@@ -286,7 +286,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
ssl->s3->session_reused = 1; | |||
/* Only authentication information carries over in TLS 1.3. */ | |||
// Only authentication information carries over in TLS 1.3. | |||
hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY); | |||
if (!hs->new_session) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
@@ -294,7 +294,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
ssl_set_session(ssl, NULL); | |||
/* Resumption incorporates fresh key material, so refresh the timeout. */ | |||
// Resumption incorporates fresh key material, so refresh the timeout. | |||
ssl_session_renew_timeout(ssl, hs->new_session.get(), | |||
ssl->session_ctx->session_psk_dhe_timeout); | |||
} else if (!ssl_get_new_session(hs, 0)) { | |||
@@ -305,12 +305,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
hs->new_session->cipher = cipher; | |||
hs->new_cipher = cipher; | |||
/* The PRF hash is now known. Set up the key schedule. */ | |||
// The PRF hash is now known. Set up the key schedule. | |||
if (!tls13_init_key_schedule(hs)) { | |||
return ssl_hs_error; | |||
} | |||
/* Incorporate the PSK into the running secret. */ | |||
// Incorporate the PSK into the running secret. | |||
if (ssl->s3->session_reused) { | |||
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key, | |||
hs->new_session->master_key_length)) { | |||
@@ -321,13 +321,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
if (!have_key_share) { | |||
/* We do not support psk_ke and thus always require a key share. */ | |||
// We do not support psk_ke and thus always require a key share. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); | |||
return ssl_hs_error; | |||
} | |||
/* Resolve ECDHE and incorporate it into the secret. */ | |||
// Resolve ECDHE and incorporate it into the secret. | |||
uint8_t *dhe_secret; | |||
size_t dhe_secret_len; | |||
alert = SSL_AD_DECODE_ERROR; | |||
@@ -363,8 +363,8 @@ static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) { | |||
} | |||
if (!hs->early_data_offered) { | |||
/* If not sending early data, set client traffic keys now so that alerts are | |||
* encrypted. */ | |||
// If not sending early data, set client traffic keys now so that alerts are | |||
// encrypted. | |||
if ((ssl->version == TLS1_3_EXPERIMENT_VERSION && | |||
!ssl3_add_change_cipher_spec(ssl)) || | |||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, | |||
@@ -398,7 +398,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Store the negotiated ALPN in the session. */ | |||
// Store the negotiated ALPN in the session. | |||
if (ssl->s3->alpn_selected != NULL) { | |||
hs->new_session->early_alpn = (uint8_t *)BUF_memdup( | |||
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len); | |||
@@ -437,7 +437,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* CertificateRequest may only be sent in non-resumption handshakes. */ | |||
// CertificateRequest may only be sent in non-resumption handshakes. | |||
if (ssl->s3->session_reused) { | |||
hs->tls13_state = state_read_server_finished; | |||
return ssl_hs_ok; | |||
@@ -448,7 +448,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_read_message; | |||
} | |||
/* CertificateRequest is optional. */ | |||
// CertificateRequest is optional. | |||
if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) { | |||
hs->tls13_state = state_read_server_certificate; | |||
return ssl_hs_ok; | |||
@@ -456,7 +456,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { | |||
CBS body = msg.body, context, supported_signature_algorithms; | |||
if (!CBS_get_u8_length_prefixed(&body, &context) || | |||
/* The request context is always empty during the handshake. */ | |||
// The request context is always empty during the handshake. | |||
CBS_len(&context) != 0 || | |||
!CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) || | |||
CBS_len(&supported_signature_algorithms) == 0 || | |||
@@ -474,7 +474,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Ignore extensions. */ | |||
// Ignore extensions. | |||
CBS extensions; | |||
if (!CBS_get_u16_length_prefixed(&body, &extensions) || | |||
CBS_len(&body) != 0) { | |||
@@ -550,7 +550,7 @@ static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) { | |||
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) || | |||
!tls13_process_finished(hs, msg, 0 /* don't use saved value */) || | |||
!ssl_hash_message(hs, msg) || | |||
/* Update the secret to the master secret and derive traffic keys. */ | |||
// Update the secret to the master secret and derive traffic keys. | |||
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || | |||
!tls13_derive_application_secrets(hs)) { | |||
return ssl_hs_error; | |||
@@ -588,13 +588,13 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* The peer didn't request a certificate. */ | |||
// The peer didn't request a certificate. | |||
if (!hs->cert_request) { | |||
hs->tls13_state = state_complete_second_flight; | |||
return ssl_hs_ok; | |||
} | |||
/* Call cert_cb to update the certificate. */ | |||
// Call cert_cb to update the certificate. | |||
if (ssl->cert->cert_cb != NULL) { | |||
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); | |||
if (rv == 0) { | |||
@@ -619,7 +619,7 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* Don't send CertificateVerify if there is no certificate. */ | |||
// Don't send CertificateVerify if there is no certificate. | |||
if (!ssl_has_certificate(ssl)) { | |||
hs->tls13_state = state_complete_second_flight; | |||
return ssl_hs_ok; | |||
@@ -645,7 +645,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* Send a Channel ID assertion if necessary. */ | |||
// Send a Channel ID assertion if necessary. | |||
if (ssl->s3->tlsext_channel_id_valid) { | |||
if (!ssl_do_channel_id_callback(ssl)) { | |||
hs->tls13_state = state_complete_second_flight; | |||
@@ -665,12 +665,12 @@ static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Send a Finished message. */ | |||
// Send a Finished message. | |||
if (!tls13_add_finished(hs)) { | |||
return ssl_hs_error; | |||
} | |||
/* Derive the final keys and enable them. */ | |||
// Derive the final keys and enable them. | |||
if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0, | |||
hs->hash_len) || | |||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0, | |||
@@ -804,13 +804,13 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) { | |||
return 0; | |||
} | |||
/* Cap the renewable lifetime by the server advertised value. This avoids | |||
* wasting bandwidth on 0-RTT when we know the server will reject it. */ | |||
// Cap the renewable lifetime by the server advertised value. This avoids | |||
// wasting bandwidth on 0-RTT when we know the server will reject it. | |||
if (session->timeout > server_timeout) { | |||
session->timeout = server_timeout; | |||
} | |||
/* Parse out the extensions. */ | |||
// Parse out the extensions. | |||
int have_early_data_info = 0; | |||
CBS early_data_info; | |||
const SSL_EXTENSION_TYPE ext_types[] = { | |||
@@ -840,7 +840,7 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) { | |||
if (ssl->ctx->new_session_cb != NULL && | |||
ssl->ctx->new_session_cb(ssl, session.get())) { | |||
/* |new_session_cb|'s return value signals that it took ownership. */ | |||
// |new_session_cb|'s return value signals that it took ownership. | |||
session.release(); | |||
} | |||
@@ -40,7 +40,7 @@ static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version, | |||
hs->hash_len = hs->transcript.DigestLen(); | |||
/* Initialize the secret to the zero key. */ | |||
// Initialize the secret to the zero key. | |||
OPENSSL_memset(hs->secret, 0, hs->hash_len); | |||
return 1; | |||
@@ -96,9 +96,9 @@ static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest, | |||
return ret; | |||
} | |||
/* derive_secret derives a secret of length |len| and writes the result in |out| | |||
* with the given label and the current base secret and most recently-saved | |||
* handshake context. It returns one on success and zero on error. */ | |||
// derive_secret derives a secret of length |len| and writes the result in |out| | |||
// with the given label and the current base secret and most recently-saved | |||
// handshake context. It returns one on success and zero on error. | |||
static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len, | |||
const uint8_t *label, size_t label_len) { | |||
uint8_t context_hash[EVP_MAX_MD_SIZE]; | |||
@@ -123,7 +123,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, | |||
return 0; | |||
} | |||
/* Look up cipher suite properties. */ | |||
// Look up cipher suite properties. | |||
const EVP_AEAD *aead; | |||
size_t discard; | |||
if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher, | |||
@@ -133,7 +133,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, | |||
const EVP_MD *digest = SSL_SESSION_get_digest(session); | |||
/* Derive the key. */ | |||
// Derive the key. | |||
size_t key_len = EVP_AEAD_key_length(aead); | |||
uint8_t key[EVP_AEAD_MAX_KEY_LENGTH]; | |||
if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len, | |||
@@ -141,7 +141,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, | |||
return 0; | |||
} | |||
/* Derive the IV. */ | |||
// Derive the IV. | |||
size_t iv_len = EVP_AEAD_nonce_length(aead); | |||
uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH]; | |||
if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, | |||
@@ -166,7 +166,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction, | |||
} | |||
} | |||
/* Save the traffic secret. */ | |||
// Save the traffic secret. | |||
if (direction == evp_aead_open) { | |||
OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret, | |||
traffic_secret_len); | |||
@@ -279,8 +279,8 @@ int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) { | |||
static const char kTLS13LabelFinished[] = "finished"; | |||
/* tls13_verify_data sets |out| to be the HMAC of |context| using a derived | |||
* Finished key for both Finished messages and the PSK binder. */ | |||
// tls13_verify_data sets |out| to be the HMAC of |context| using a derived | |||
// Finished key for both Finished messages and the PSK binder. | |||
static int tls13_verify_data(const EVP_MD *digest, uint8_t *out, | |||
size_t *out_len, const uint8_t *secret, | |||
size_t hash_len, uint8_t *context, | |||
@@ -401,15 +401,15 @@ int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session, | |||
const SSLMessage &msg, CBS *binders) { | |||
size_t hash_len = hs->transcript.DigestLen(); | |||
/* The message must be large enough to exclude the binders. */ | |||
// The message must be large enough to exclude the binders. | |||
if (CBS_len(&msg.raw) < CBS_len(binders) + 2) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return 0; | |||
} | |||
/* Hash a ClientHello prefix up to the binders. This includes the header. For | |||
* now, this assumes we only ever verify PSK binders on initial | |||
* ClientHellos. */ | |||
// Hash a ClientHello prefix up to the binders. This includes the header. For | |||
// now, this assumes we only ever verify PSK binders on initial | |||
// ClientHellos. | |||
uint8_t context[EVP_MAX_MD_SIZE]; | |||
unsigned context_len; | |||
if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2, | |||
@@ -422,7 +422,7 @@ int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session, | |||
if (!tls13_psk_binder(verify_data, hs->transcript.Digest(), | |||
session->master_key, session->master_key_length, | |||
context, context_len, hash_len) || | |||
/* We only consider the first PSK, so compare against the first binder. */ | |||
// We only consider the first PSK, so compare against the first binder. | |||
!CBS_get_u8_length_prefixed(binders, &binder)) { | |||
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); | |||
return 0; | |||
@@ -12,9 +12,9 @@ | |||
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN | |||
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ | |||
/* Per C99, various stdint.h macros are unavailable in C++ unless some macros | |||
* are defined. C++11 overruled this decision, but older Android NDKs still | |||
* require it. */ | |||
// Per C99, various stdint.h macros are unavailable in C++ unless some macros | |||
// are defined. C++11 overruled this decision, but older Android NDKs still | |||
// require it. | |||
#if !defined(__STDC_LIMIT_MACROS) | |||
#define __STDC_LIMIT_MACROS | |||
#endif | |||
@@ -64,7 +64,7 @@ static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, int *out_need_retry, | |||
SSL *const ssl = hs->ssl; | |||
*out_need_retry = 0; | |||
/* We only support connections that include an ECDHE key exchange. */ | |||
// We only support connections that include an ECDHE key exchange. | |||
CBS key_share; | |||
if (!ssl_client_hello_get_extension(client_hello, &key_share, | |||
TLSEXT_TYPE_key_share)) { | |||
@@ -127,7 +127,7 @@ static const SSL_CIPHER *choose_tls13_cipher( | |||
return NULL; | |||
} | |||
/* Limit to TLS 1.3 ciphers we know about. */ | |||
// Limit to TLS 1.3 ciphers we know about. | |||
const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite); | |||
if (candidate == NULL || | |||
SSL_CIPHER_get_min_version(candidate) > version || | |||
@@ -135,8 +135,8 @@ static const SSL_CIPHER *choose_tls13_cipher( | |||
continue; | |||
} | |||
/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer | |||
* ChaCha20 if we do not have AES hardware. */ | |||
// TLS 1.3 removes legacy ciphers, so honor the client order, but prefer | |||
// ChaCha20 if we do not have AES hardware. | |||
if (aes_is_fine) { | |||
return candidate; | |||
} | |||
@@ -155,12 +155,12 @@ static const SSL_CIPHER *choose_tls13_cipher( | |||
static int add_new_session_tickets(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case | |||
* the client makes several connections before getting a renewal. */ | |||
// TLS 1.3 recommends single-use tickets, so issue multiple tickets in case | |||
// the client makes several connections before getting a renewal. | |||
static const int kNumTickets = 2; | |||
/* Rebase the session timestamp so that it is measured from ticket | |||
* issuance. */ | |||
// Rebase the session timestamp so that it is measured from ticket | |||
// issuance. | |||
ssl_session_rebase_time(ssl, hs->new_session.get()); | |||
for (int i = 0; i < kNumTickets; i++) { | |||
@@ -194,7 +194,7 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Add a fake extension. See draft-davidben-tls-grease-01. */ | |||
// Add a fake extension. See draft-davidben-tls-grease-01. | |||
if (!CBB_add_u16(&extensions, | |||
ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) || | |||
!CBB_add_u16(&extensions, 0 /* empty */)) { | |||
@@ -210,8 +210,8 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) { | |||
} | |||
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
/* At this point, most ClientHello extensions have already been processed by | |||
* the common handshake logic. Resolve the remaining non-PSK parameters. */ | |||
// At this point, most ClientHello extensions have already been processed by | |||
// the common handshake logic. Resolve the remaining non-PSK parameters. | |||
SSL *const ssl = hs->ssl; | |||
SSLMessage msg; | |||
if (!ssl->method->get_message(ssl, &msg)) { | |||
@@ -228,7 +228,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
client_hello.session_id_len); | |||
hs->session_id_len = client_hello.session_id_len; | |||
/* Negotiate the cipher suite. */ | |||
// Negotiate the cipher suite. | |||
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello); | |||
if (hs->new_cipher == NULL) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); | |||
@@ -236,16 +236,16 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was | |||
* deferred. Complete it now. */ | |||
// HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was | |||
// deferred. Complete it now. | |||
uint8_t alert = SSL_AD_DECODE_ERROR; | |||
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); | |||
return ssl_hs_error; | |||
} | |||
/* The PRF hash is now known. Set up the key schedule and hash the | |||
* ClientHello. */ | |||
// The PRF hash is now known. Set up the key schedule and hash the | |||
// ClientHello. | |||
if (!tls13_init_key_schedule(hs) || | |||
!ssl_hash_message(hs, msg)) { | |||
return ssl_hs_error; | |||
@@ -262,7 +262,7 @@ static enum ssl_ticket_aead_result_t select_session( | |||
SSL *const ssl = hs->ssl; | |||
*out_session = NULL; | |||
/* Decode the ticket if we agreed on a PSK key exchange mode. */ | |||
// Decode the ticket if we agreed on a PSK key exchange mode. | |||
CBS pre_shared_key; | |||
if (!hs->accept_psk_mode || | |||
!ssl_client_hello_get_extension(client_hello, &pre_shared_key, | |||
@@ -270,8 +270,8 @@ static enum ssl_ticket_aead_result_t select_session( | |||
return ssl_ticket_aead_ignore_ticket; | |||
} | |||
/* Verify that the pre_shared_key extension is the last extension in | |||
* ClientHello. */ | |||
// Verify that the pre_shared_key extension is the last extension in | |||
// ClientHello. | |||
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) != | |||
client_hello->extensions + client_hello->extensions_len) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST); | |||
@@ -287,8 +287,8 @@ static enum ssl_ticket_aead_result_t select_session( | |||
return ssl_ticket_aead_error; | |||
} | |||
/* TLS 1.3 session tickets are renewed separately as part of the | |||
* NewSessionTicket. */ | |||
// TLS 1.3 session tickets are renewed separately as part of the | |||
// NewSessionTicket. | |||
int unused_renew; | |||
UniquePtr<SSL_SESSION> session; | |||
enum ssl_ticket_aead_result_t ret = | |||
@@ -305,34 +305,34 @@ static enum ssl_ticket_aead_result_t select_session( | |||
} | |||
if (!ssl_session_is_resumable(hs, session.get()) || | |||
/* Historically, some TLS 1.3 tickets were missing ticket_age_add. */ | |||
// Historically, some TLS 1.3 tickets were missing ticket_age_add. | |||
!session->ticket_age_add_valid) { | |||
return ssl_ticket_aead_ignore_ticket; | |||
} | |||
/* Recover the client ticket age and convert to seconds. */ | |||
// Recover the client ticket age and convert to seconds. | |||
client_ticket_age -= session->ticket_age_add; | |||
client_ticket_age /= 1000; | |||
struct OPENSSL_timeval now; | |||
ssl_get_current_time(ssl, &now); | |||
/* Compute the server ticket age in seconds. */ | |||
// Compute the server ticket age in seconds. | |||
assert(now.tv_sec >= session->time); | |||
uint64_t server_ticket_age = now.tv_sec - session->time; | |||
/* To avoid overflowing |hs->ticket_age_skew|, we will not resume | |||
* 68-year-old sessions. */ | |||
// To avoid overflowing |hs->ticket_age_skew|, we will not resume | |||
// 68-year-old sessions. | |||
if (server_ticket_age > INT32_MAX) { | |||
return ssl_ticket_aead_ignore_ticket; | |||
} | |||
/* TODO(davidben,svaldez): Measure this value to decide on tolerance. For | |||
* now, accept all values. https://crbug.com/boringssl/113. */ | |||
// TODO(davidben,svaldez): Measure this value to decide on tolerance. For | |||
// now, accept all values. https://crbug.com/boringssl/113. | |||
*out_ticket_age_skew = | |||
(int32_t)client_ticket_age - (int32_t)server_ticket_age; | |||
/* Check the PSK binder. */ | |||
// Check the PSK binder. | |||
if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) { | |||
*out_alert = SSL_AD_DECRYPT_ERROR; | |||
return ssl_ticket_aead_error; | |||
@@ -368,21 +368,21 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { | |||
break; | |||
case ssl_ticket_aead_success: | |||
/* Carry over authentication information from the previous handshake into | |||
* a fresh session. */ | |||
// Carry over authentication information from the previous handshake into | |||
// a fresh session. | |||
hs->new_session = | |||
SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY); | |||
if (/* Early data must be acceptable for this ticket. */ | |||
if (// Early data must be acceptable for this ticket. | |||
ssl->cert->enable_early_data && | |||
session->ticket_max_early_data != 0 && | |||
/* The client must have offered early data. */ | |||
// The client must have offered early data. | |||
hs->early_data_offered && | |||
/* Channel ID is incompatible with 0-RTT. */ | |||
// Channel ID is incompatible with 0-RTT. | |||
!ssl->s3->tlsext_channel_id_valid && | |||
/* Custom extensions is incompatible with 0-RTT. */ | |||
// Custom extensions is incompatible with 0-RTT. | |||
hs->custom_extensions.received == 0 && | |||
/* The negotiated ALPN must match the one in the ticket. */ | |||
// The negotiated ALPN must match the one in the ticket. | |||
ssl->s3->alpn_selected_len == session->early_alpn_len && | |||
OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn, | |||
ssl->s3->alpn_selected_len) == 0) { | |||
@@ -396,7 +396,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { | |||
ssl->s3->session_reused = 1; | |||
/* Resumption incorporates fresh key material, so refresh the timeout. */ | |||
// Resumption incorporates fresh key material, so refresh the timeout. | |||
ssl_session_renew_timeout(ssl, hs->new_session.get(), | |||
ssl->session_ctx->session_psk_dhe_timeout); | |||
break; | |||
@@ -410,7 +410,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_pending_ticket; | |||
} | |||
/* Record connection properties in the new session. */ | |||
// Record connection properties in the new session. | |||
hs->new_session->cipher = hs->new_cipher; | |||
if (hs->hostname != NULL) { | |||
@@ -422,7 +422,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Store the initial negotiated ALPN in the session. */ | |||
// Store the initial negotiated ALPN in the session. | |||
if (ssl->s3->alpn_selected != NULL) { | |||
hs->new_session->early_alpn = (uint8_t *)BUF_memdup( | |||
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len); | |||
@@ -435,13 +435,13 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { | |||
if (ssl->ctx->dos_protection_cb != NULL && | |||
ssl->ctx->dos_protection_cb(&client_hello) == 0) { | |||
/* Connection rejected for DOS reasons. */ | |||
// Connection rejected for DOS reasons. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); | |||
return ssl_hs_error; | |||
} | |||
/* Incorporate the PSK into the running secret. */ | |||
// Incorporate the PSK into the running secret. | |||
if (ssl->s3->session_reused) { | |||
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key, | |||
hs->new_session->master_key_length)) { | |||
@@ -459,7 +459,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { | |||
ssl->s3->skip_early_data = 1; | |||
} | |||
/* Resolve ECDHE and incorporate it into the secret. */ | |||
// Resolve ECDHE and incorporate it into the secret. | |||
int need_retry; | |||
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) { | |||
if (need_retry) { | |||
@@ -517,7 +517,7 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) { | |||
int need_retry; | |||
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) { | |||
if (need_retry) { | |||
/* Only send one HelloRetryRequest. */ | |||
// Only send one HelloRetryRequest. | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); | |||
} | |||
@@ -541,7 +541,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { | |||
version = TLS1_2_VERSION; | |||
} | |||
/* Send a ServerHello. */ | |||
// Send a ServerHello. | |||
ScopedCBB cbb; | |||
CBB body, extensions, session_id; | |||
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || | |||
@@ -567,14 +567,14 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Derive and enable the handshake traffic secrets. */ | |||
// Derive and enable the handshake traffic secrets. | |||
if (!tls13_derive_handshake_secrets(hs) || | |||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret, | |||
hs->hash_len)) { | |||
return ssl_hs_error; | |||
} | |||
/* Send EncryptedExtensions. */ | |||
// Send EncryptedExtensions. | |||
if (!ssl->method->init_message(ssl, cbb.get(), &body, | |||
SSL3_MT_ENCRYPTED_EXTENSIONS) || | |||
!ssl_add_serverhello_tlsext(hs, &body) || | |||
@@ -583,16 +583,16 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
if (!ssl->s3->session_reused) { | |||
/* Determine whether to request a client certificate. */ | |||
// Determine whether to request a client certificate. | |||
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); | |||
/* Only request a certificate if Channel ID isn't negotiated. */ | |||
// Only request a certificate if Channel ID isn't negotiated. | |||
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) && | |||
ssl->s3->tlsext_channel_id_valid) { | |||
hs->cert_request = 0; | |||
} | |||
} | |||
/* Send a CertificateRequest, if necessary. */ | |||
// Send a CertificateRequest, if necessary. | |||
if (hs->cert_request) { | |||
CBB sigalgs_cbb; | |||
if (!ssl->method->init_message(ssl, cbb.get(), &body, | |||
@@ -607,7 +607,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { | |||
} | |||
} | |||
/* Send the server Certificate message, if necessary. */ | |||
// Send the server Certificate message, if necessary. | |||
if (!ssl->s3->session_reused) { | |||
if (!ssl_has_certificate(ssl)) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); | |||
@@ -647,7 +647,7 @@ static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
if (!tls13_add_finished(hs) || | |||
/* Update the secret to the master secret and derive traffic keys. */ | |||
// Update the secret to the master secret and derive traffic keys. | |||
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || | |||
!tls13_derive_application_secrets(hs) || | |||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0, | |||
@@ -656,10 +656,10 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { | |||
} | |||
if (ssl->early_data_accepted) { | |||
/* If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on | |||
* the wire sooner and also avoids triggering a write on |SSL_read| when | |||
* processing the client Finished. This requires computing the client | |||
* Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. */ | |||
// If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on | |||
// the wire sooner and also avoids triggering a write on |SSL_read| when | |||
// processing the client Finished. This requires computing the client | |||
// Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. | |||
size_t finished_len; | |||
if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len, | |||
0 /* client */)) { | |||
@@ -671,10 +671,10 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* Feed the predicted Finished into the transcript. This allows us to derive | |||
* the resumption secret early and send half-RTT tickets. | |||
* | |||
* TODO(davidben): This will need to be updated for DTLS 1.3. */ | |||
// Feed the predicted Finished into the transcript. This allows us to derive | |||
// the resumption secret early and send half-RTT tickets. | |||
// | |||
// TODO(davidben): This will need to be updated for DTLS 1.3. | |||
assert(!SSL_is_dtls(hs->ssl)); | |||
assert(hs->hash_len <= 0xff); | |||
uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0, | |||
@@ -710,8 +710,8 @@ static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) { | |||
hs->tls13_state = state_process_change_cipher_spec; | |||
/* If early data was accepted, the ChangeCipherSpec message will be in the | |||
* discarded early data. */ | |||
// If early data was accepted, the ChangeCipherSpec message will be in the | |||
// discarded early data. | |||
if (hs->early_data_offered && !hs->ssl->early_data_accepted) { | |||
return ssl_hs_ok; | |||
} | |||
@@ -734,11 +734,11 @@ static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) { | |||
static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
if (!hs->cert_request) { | |||
/* OpenSSL returns X509_V_OK when no certificates are requested. This is | |||
* classed by them as a bug, but it's assumed by at least NGINX. */ | |||
// OpenSSL returns X509_V_OK when no certificates are requested. This is | |||
// classed by them as a bug, but it's assumed by at least NGINX. | |||
hs->new_session->verify_result = X509_V_OK; | |||
/* Skip this state. */ | |||
// Skip this state. | |||
hs->tls13_state = state_read_channel_id; | |||
return ssl_hs_ok; | |||
} | |||
@@ -764,7 +764,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify( | |||
SSL_HANDSHAKE *hs) { | |||
SSL *const ssl = hs->ssl; | |||
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { | |||
/* Skip this state. */ | |||
// Skip this state. | |||
hs->tls13_state = state_read_channel_id; | |||
return ssl_hs_ok; | |||
} | |||
@@ -824,10 +824,10 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_read_message; | |||
} | |||
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) || | |||
/* If early data was accepted, we've already computed the client Finished | |||
* and derived the resumption secret. */ | |||
// If early data was accepted, we've already computed the client Finished | |||
// and derived the resumption secret. | |||
!tls13_process_finished(hs, msg, ssl->early_data_accepted) || | |||
/* evp_aead_seal keys have already been switched. */ | |||
// evp_aead_seal keys have already been switched. | |||
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0, | |||
hs->hash_len)) { | |||
return ssl_hs_error; | |||
@@ -839,10 +839,10 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { | |||
return ssl_hs_error; | |||
} | |||
/* We send post-handshake tickets as part of the handshake in 1-RTT. */ | |||
// We send post-handshake tickets as part of the handshake in 1-RTT. | |||
hs->tls13_state = state_send_new_session_ticket; | |||
} else { | |||
/* We already sent half-RTT tickets. */ | |||
// We already sent half-RTT tickets. | |||
hs->tls13_state = state_done; | |||
} | |||
@@ -851,8 +851,8 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { | |||
} | |||
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) { | |||
/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a | |||
* session ticket. */ | |||
// If the client doesn't accept resumption with PSK_DHE_KE, don't send a | |||
// session ticket. | |||
if (!hs->accept_psk_mode) { | |||
hs->tls13_state = state_done; | |||
return ssl_hs_ok; | |||
@@ -70,15 +70,15 @@ namespace bssl { | |||
static int ssl3_supports_cipher(const SSL_CIPHER *cipher) { return 1; } | |||
static void ssl3_on_handshake_complete(SSL *ssl) { | |||
/* The handshake should have released its final message. */ | |||
// The handshake should have released its final message. | |||
assert(!ssl->s3->has_message); | |||
/* During the handshake, |init_buf| is retained. Release if it there is no | |||
* excess in it. | |||
* | |||
* TODO(davidben): The second check is always true but will not be once we | |||
* switch to copying the entire handshake record. Replace this comment with an | |||
* explanation when that happens and a TODO to reject it. */ | |||
// During the handshake, |init_buf| is retained. Release if it there is no | |||
// excess in it. | |||
// | |||
// TODO(davidben): The second check is always true but will not be once we | |||
// switch to copying the entire handshake record. Replace this comment with an | |||
// explanation when that happens and a TODO to reject it. | |||
if (ssl->init_buf != NULL && ssl->init_buf->length == 0) { | |||
BUF_MEM_free(ssl->init_buf); | |||
ssl->init_buf = NULL; | |||
@@ -87,7 +87,7 @@ static void ssl3_on_handshake_complete(SSL *ssl) { | |||
static int ssl3_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) { | |||
if (ssl->s3->rrec.length != 0) { | |||
/* There may not be unprocessed record data at a cipher change. */ | |||
// There may not be unprocessed record data at a cipher change. | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE); | |||
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); | |||
return 0; | |||
@@ -212,7 +212,7 @@ const SSL_METHOD *TLS_with_buffers_method(void) { | |||
return &kMethod; | |||
} | |||
/* Legacy version-locked methods. */ | |||
// Legacy version-locked methods. | |||
const SSL_METHOD *TLSv1_2_method(void) { | |||
static const SSL_METHOD kMethod = { | |||
@@ -250,7 +250,7 @@ const SSL_METHOD *SSLv3_method(void) { | |||
return &kMethod; | |||
} | |||
/* Legacy side-specific methods. */ | |||
// Legacy side-specific methods. | |||
const SSL_METHOD *TLSv1_2_server_method(void) { | |||
return TLSv1_2_method(); | |||
@@ -121,25 +121,25 @@ | |||
namespace bssl { | |||
/* kMaxEmptyRecords is the number of consecutive, empty records that will be | |||
* processed. Without this limit an attacker could send empty records at a | |||
* faster rate than we can process and cause record processing to loop | |||
* forever. */ | |||
// kMaxEmptyRecords is the number of consecutive, empty records that will be | |||
// processed. Without this limit an attacker could send empty records at a | |||
// faster rate than we can process and cause record processing to loop | |||
// forever. | |||
static const uint8_t kMaxEmptyRecords = 32; | |||
/* kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that | |||
* will be skipped. Without this limit an attacker could send records at a | |||
* faster rate than we can process and cause trial decryption to loop forever. | |||
* This value should be slightly above kMaxEarlyDataAccepted, which is measured | |||
* in plaintext. */ | |||
// kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that | |||
// will be skipped. Without this limit an attacker could send records at a | |||
// faster rate than we can process and cause trial decryption to loop forever. | |||
// This value should be slightly above kMaxEarlyDataAccepted, which is measured | |||
// in plaintext. | |||
static const size_t kMaxEarlyDataSkipped = 16384; | |||
/* kMaxWarningAlerts is the number of consecutive warning alerts that will be | |||
* processed. */ | |||
// kMaxWarningAlerts is the number of consecutive warning alerts that will be | |||
// processed. | |||
static const uint8_t kMaxWarningAlerts = 4; | |||
/* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher | |||
* state needs record-splitting and zero otherwise. */ | |||
// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher | |||
// state needs record-splitting and zero otherwise. | |||
static int ssl_needs_record_splitting(const SSL *ssl) { | |||
#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE) | |||
return !ssl->s3->aead_write_ctx->is_null_cipher() && | |||
@@ -195,7 +195,7 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
CBS cbs; | |||
CBS_init(&cbs, in, in_len); | |||
/* Decode the record header. */ | |||
// Decode the record header. | |||
uint8_t type; | |||
uint16_t version, ciphertext_len; | |||
if (!CBS_get_u8(&cbs, &type) || | |||
@@ -207,14 +207,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
int version_ok; | |||
if (ssl->s3->aead_read_ctx->is_null_cipher()) { | |||
/* Only check the first byte. Enforcing beyond that can prevent decoding | |||
* version negotiation failure alerts. */ | |||
// Only check the first byte. Enforcing beyond that can prevent decoding | |||
// version negotiation failure alerts. | |||
version_ok = (version >> 8) == SSL3_VERSION_MAJOR; | |||
} else if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) { | |||
/* Earlier versions of TLS switch the record version. */ | |||
// Earlier versions of TLS switch the record version. | |||
version_ok = version == ssl->version; | |||
} else { | |||
/* Starting TLS 1.3, the version field is frozen at {3, 1}. */ | |||
// Starting TLS 1.3, the version field is frozen at {3, 1}. | |||
version_ok = version == TLS1_VERSION; | |||
} | |||
@@ -224,14 +224,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
return ssl_open_record_error; | |||
} | |||
/* Check the ciphertext length. */ | |||
// Check the ciphertext length. | |||
if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); | |||
*out_alert = SSL_AD_RECORD_OVERFLOW; | |||
return ssl_open_record_error; | |||
} | |||
/* Extract the body. */ | |||
// Extract the body. | |||
CBS body; | |||
if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) { | |||
*out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len; | |||
@@ -243,15 +243,15 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
*out_consumed = in_len - CBS_len(&cbs); | |||
/* Skip early data received when expecting a second ClientHello if we rejected | |||
* 0RTT. */ | |||
// Skip early data received when expecting a second ClientHello if we rejected | |||
// 0RTT. | |||
if (ssl->s3->skip_early_data && | |||
ssl->s3->aead_read_ctx->is_null_cipher() && | |||
type == SSL3_RT_APPLICATION_DATA) { | |||
goto skipped_data; | |||
} | |||
/* Decrypt the body in-place. */ | |||
// Decrypt the body in-place. | |||
if (!ssl->s3->aead_read_ctx->Open(out, type, version, ssl->s3->read_sequence, | |||
(uint8_t *)CBS_data(&body), | |||
CBS_len(&body))) { | |||
@@ -272,10 +272,10 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
return ssl_open_record_error; | |||
} | |||
/* TLS 1.3 hides the record type inside the encrypted data. */ | |||
// TLS 1.3 hides the record type inside the encrypted data. | |||
if (!ssl->s3->aead_read_ctx->is_null_cipher() && | |||
ssl->s3->aead_read_ctx->version() >= TLS1_3_VERSION) { | |||
/* The outer record type is always application_data. */ | |||
// The outer record type is always application_data. | |||
if (type != SSL3_RT_APPLICATION_DATA) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE); | |||
*out_alert = SSL_AD_DECODE_ERROR; | |||
@@ -291,14 +291,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
} while (type == 0); | |||
} | |||
/* Check the plaintext length. */ | |||
// Check the plaintext length. | |||
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) { | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); | |||
*out_alert = SSL_AD_RECORD_OVERFLOW; | |||
return ssl_open_record_error; | |||
} | |||
/* Limit the number of consecutive empty records. */ | |||
// Limit the number of consecutive empty records. | |||
if (CBS_len(out) == 0) { | |||
ssl->s3->empty_record_count++; | |||
if (ssl->s3->empty_record_count > kMaxEmptyRecords) { | |||
@@ -306,14 +306,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out, | |||
*out_alert = SSL_AD_UNEXPECTED_MESSAGE; | |||
return ssl_open_record_error; | |||
} | |||
/* Apart from the limit, empty records are returned up to the caller. This | |||
* allows the caller to reject records of the wrong type. */ | |||
// Apart from the limit, empty records are returned up to the caller. This | |||
// allows the caller to reject records of the wrong type. | |||
} else { | |||
ssl->s3->empty_record_count = 0; | |||
} | |||
if (type == SSL3_RT_ALERT) { | |||
/* Return end_of_early_data alerts as-is for the caller to process. */ | |||
// Return end_of_early_data alerts as-is for the caller to process. | |||
if (CBS_len(out) == 2 && | |||
CBS_data(out)[0] == SSL3_AL_WARNING && | |||
CBS_data(out)[1] == TLS1_AD_END_OF_EARLY_DATA) { | |||
@@ -351,7 +351,7 @@ static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, | |||
size_t extra_in_len = 0; | |||
if (!ssl->s3->aead_write_ctx->is_null_cipher() && | |||
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { | |||
/* TLS 1.3 hides the actual record type inside the encrypted data. */ | |||
// TLS 1.3 hides the actual record type inside the encrypted data. | |||
extra_in = &type; | |||
extra_in_len = 1; | |||
} | |||
@@ -379,10 +379,10 @@ static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, | |||
out_prefix[0] = type; | |||
} | |||
/* The TLS record-layer version number is meaningless and, starting in | |||
* TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0 | |||
* ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version | |||
* to change after version negotiation. */ | |||
// The TLS record-layer version number is meaningless and, starting in | |||
// TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0 | |||
// ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version | |||
// to change after version negotiation. | |||
uint16_t wire_version = TLS1_VERSION; | |||
if (ssl->s3->hs != NULL && ssl->s3->hs->max_version == SSL3_VERSION) { | |||
wire_version = SSL3_VERSION; | |||
@@ -413,10 +413,10 @@ static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type, | |||
size_t ret = SSL3_RT_HEADER_LENGTH; | |||
if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 && | |||
ssl_needs_record_splitting(ssl)) { | |||
/* In the case of record splitting, the 1-byte record (of the 1/n-1 split) | |||
* will be placed in the prefix, as will four of the five bytes of the | |||
* record header for the main record. The final byte will replace the first | |||
* byte of the plaintext that was used in the small record. */ | |||
// In the case of record splitting, the 1-byte record (of the 1/n-1 split) | |||
// will be placed in the prefix, as will four of the five bytes of the | |||
// record header for the main record. The final byte will replace the first | |||
// byte of the plaintext that was used in the small record. | |||
ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher()); | |||
ret += SSL3_RT_HEADER_LENGTH - 1; | |||
} else { | |||
@@ -430,26 +430,26 @@ static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len, | |||
size_t extra_in_len = 0; | |||
if (!ssl->s3->aead_write_ctx->is_null_cipher() && | |||
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { | |||
/* TLS 1.3 adds an extra byte for encrypted record type. */ | |||
// TLS 1.3 adds an extra byte for encrypted record type. | |||
extra_in_len = 1; | |||
} | |||
if (type == SSL3_RT_APPLICATION_DATA && // clang-format off | |||
in_len > 1 && | |||
ssl_needs_record_splitting(ssl)) { | |||
/* With record splitting enabled, the first byte gets sealed into a separate | |||
* record which is written into the prefix. */ | |||
// With record splitting enabled, the first byte gets sealed into a separate | |||
// record which is written into the prefix. | |||
in_len -= 1; | |||
} | |||
return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len); | |||
} | |||
/* tls_seal_scatter_record seals a new record of type |type| and body |in| and | |||
* splits it between |out_prefix|, |out|, and |out_suffix|. Exactly | |||
* |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len| | |||
* bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It | |||
* returns one on success and zero on error. If enabled, | |||
* |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and | |||
* may write two records concatenated. */ | |||
// tls_seal_scatter_record seals a new record of type |type| and body |in| and | |||
// splits it between |out_prefix|, |out|, and |out_suffix|. Exactly | |||
// |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len| | |||
// bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It | |||
// returns one on success and zero on error. If enabled, | |||
// |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and | |||
// may write two records concatenated. | |||
static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, | |||
uint8_t *out_suffix, uint8_t type, | |||
const uint8_t *in, size_t in_len) { | |||
@@ -458,7 +458,7 @@ static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, | |||
assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0); | |||
const size_t prefix_len = SSL3_RT_HEADER_LENGTH; | |||
/* Write the 1-byte fragment into |out_prefix|. */ | |||
// Write the 1-byte fragment into |out_prefix|. | |||
uint8_t *split_body = out_prefix + prefix_len; | |||
uint8_t *split_suffix = split_body + 1; | |||
@@ -477,8 +477,8 @@ static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, | |||
ssl->s3->aead_write_ctx->cipher()) == | |||
split_record_len); | |||
/* Write the n-1-byte fragment. The header gets split between |out_prefix| | |||
* (header[:-1]) and |out| (header[-1:]). */ | |||
// Write the n-1-byte fragment. The header gets split between |out_prefix| | |||
// (header[:-1]) and |out| (header[-1:]). | |||
uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH]; | |||
if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1, | |||
in_len - 1)) { | |||
@@ -530,7 +530,7 @@ int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len, | |||
enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, | |||
const uint8_t *in, size_t in_len) { | |||
/* Alerts records may not contain fragmented or multiple alerts. */ | |||
// Alerts records may not contain fragmented or multiple alerts. | |||
if (in_len != 2) { | |||
*out_alert = SSL_AD_DECODE_ERROR; | |||
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT); | |||
@@ -551,7 +551,7 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, | |||
return ssl_open_record_close_notify; | |||
} | |||
/* Warning alerts do not exist in TLS 1.3. */ | |||
// Warning alerts do not exist in TLS 1.3. | |||
if (ssl->s3->have_version && | |||
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) { | |||
*out_alert = SSL_AD_DECODE_ERROR; | |||
@@ -677,7 +677,7 @@ size_t SSL_max_seal_overhead(const SSL *ssl) { | |||
size_t ret = SSL3_RT_HEADER_LENGTH; | |||
ret += ssl->s3->aead_write_ctx->MaxOverhead(); | |||
/* TLS 1.3 needs an extra byte for the encrypted record type. */ | |||
// TLS 1.3 needs an extra byte for the encrypted record type. | |||
if (!ssl->s3->aead_write_ctx->is_null_cipher() && | |||
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) { | |||
ret += 1; | |||