kris
/
boringssl
1
0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Bläddra i källkod

Convert comments in ssl. 

That's the last of it!

Change-Id: I93d1f5ab7e95b2ad105c34b24297a0bf77625263
Reviewed-on: https://boringssl-review.googlesource.com/19784
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
David Benjamin 7 år sedan
committed by CQ bot account: commit-bot@chromium.org
förälder
66d49b4952
incheckning
c11ea942b7
37 ändrade filer med 2778 tillägg och 2784 borttagningar
Delad Vy
Diff Options
Show Stats Download Patch File Download Diff File
  1. +11
    -11
      ssl/custom_extensions.cc
  2. +83
    -83
      ssl/d1_both.cc
  3. +24
    -24
      ssl/d1_lib.cc
  4. +27
    -27
      ssl/d1_pkt.cc
  5. +2
    -2
      ssl/d1_srtp.cc
  6. +6
    -6
      ssl/dtls_method.cc
  7. +25
    -25
      ssl/dtls_record.cc
  8. +47
    -47
      ssl/handshake.cc
  9. +120
    -121
      ssl/handshake_client.cc
  10. +129
    -131
      ssl/handshake_server.cc
  11. +989
    -989
      ssl/internal.h
  12. +42
    -42
      ssl/s3_both.cc
  13. +5
    -5
      ssl/s3_lib.cc
  14. +50
    -51
      ssl/s3_pkt.cc
  15. +26
    -26
      ssl/ssl_aead_ctx.cc
  16. +76
    -77
      ssl/ssl_asn1.cc
  17. +29
    -29
      ssl/ssl_buffer.cc
  18. +40
    -40
      ssl/ssl_cert.cc
  19. +142
    -142
      ssl/ssl_cipher.cc
  20. +16
    -16
      ssl/ssl_file.cc
  21. +6
    -6
      ssl/ssl_key_share.cc
  22. +154
    -154
      ssl/ssl_lib.cc
  23. +19
    -19
      ssl/ssl_privkey.cc
  24. +80
    -81
      ssl/ssl_session.cc
  25. +14
    -14
      ssl/ssl_test.cc
  26. +9
    -9
      ssl/ssl_transcript.cc
  27. +32
    -32
      ssl/ssl_versions.cc
  28. +40
    -40
      ssl/ssl_x509.cc
  29. +22
    -22
      ssl/t1_enc.cc
  30. +298
    -298
      ssl/t1_lib.cc
  31. +3
    -3
      ssl/test/bssl_shim.cc
  32. +22
    -22
      ssl/tls13_both.cc
  33. +35
    -35
      ssl/tls13_client.cc
  34. +15
    -15
      ssl/tls13_enc.cc
  35. +75
    -75
      ssl/tls13_server.cc
  36. +10
    -10
      ssl/tls_method.cc
  37. +55
    -55
      ssl/tls_record.cc

+ 11
- 11
ssl/custom_extensions.cc Visa fil

@@ -47,9 +47,9 @@ static const SSL_CUSTOM_EXTENSION *custom_ext_find(
return NULL;
}

/* default_add_callback is used as the |add_callback| when the user doesn't
* provide one. For servers, it does nothing while, for clients, it causes an
* empty extension to be included. */
// default_add_callback is used as the |add_callback| when the user doesn't
// provide one. For servers, it does nothing while, for clients, it causes an
// empty extension to be included.
static int default_add_callback(SSL *ssl, unsigned extension_value,
const uint8_t **out, size_t *out_len,
int *out_alert_value, void *add_arg) {
@@ -76,7 +76,7 @@ static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) {

if (ssl->server &&
!(hs->custom_extensions.received & (1u << i))) {
/* Servers cannot echo extensions that the client didn't send. */
// Servers cannot echo extensions that the client didn't send.
continue;
}

@@ -135,9 +135,9 @@ int custom_ext_parse_serverhello(SSL_HANDSHAKE *hs, int *out_alert,
const SSL_CUSTOM_EXTENSION *ext =
custom_ext_find(ssl->ctx->client_custom_extensions, &index, value);

if (/* Unknown extensions are not allowed in a ServerHello. */
if (// Unknown extensions are not allowed in a ServerHello.
ext == NULL ||
/* Also, if we didn't send the extension, that's also unacceptable. */
// Also, if we didn't send the extension, that's also unacceptable.
!(hs->custom_extensions.sent & (1u << index))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ERR_add_error_dataf("extension %u", (unsigned)value);
@@ -185,9 +185,9 @@ int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions) {
return custom_ext_add_hello(hs, extensions);
}

/* MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that
* can be set on an |SSL_CTX|. It's determined by the size of the bitset used
* to track when an extension has been sent. */
// MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that
// can be set on an |SSL_CTX|. It's determined by the size of the bitset used
// to track when an extension has been sent.
#define MAX_NUM_CUSTOM_EXTENSIONS \
(sizeof(((SSL_HANDSHAKE *)NULL)->custom_extensions.sent) * 8)

@@ -200,8 +200,8 @@ static int custom_ext_append(STACK_OF(SSL_CUSTOM_EXTENSION) **stack,
if (add_cb == NULL ||
0xffff < extension_value ||
SSL_extension_supported(extension_value) ||
/* Specifying a free callback without an add callback is nonsensical
* and an error. */
// Specifying a free callback without an add callback is nonsensical
// and an error.
(*stack != NULL &&
(MAX_NUM_CUSTOM_EXTENSIONS <= sk_SSL_CUSTOM_EXTENSION_num(*stack) ||
custom_ext_find(*stack, NULL, extension_value) != NULL))) {


+ 83
- 83
ssl/d1_both.cc Visa fil

@@ -129,20 +129,20 @@

namespace bssl {

/* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
* for these values? Notably, why is kMinMTU a function of the transport
* protocol's overhead rather than, say, what's needed to hold a minimally-sized
* handshake fragment plus protocol overhead. */
// TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
// for these values? Notably, why is kMinMTU a function of the transport
// protocol's overhead rather than, say, what's needed to hold a minimally-sized
// handshake fragment plus protocol overhead.

/* kMinMTU is the minimum acceptable MTU value. */
// kMinMTU is the minimum acceptable MTU value.
static const unsigned int kMinMTU = 256 - 28;

/* kDefaultMTU is the default MTU value to use if neither the user nor
* the underlying BIO supplies one. */
// kDefaultMTU is the default MTU value to use if neither the user nor
// the underlying BIO supplies one.
static const unsigned int kDefaultMTU = 1500 - 28;


/* Receiving handshake messages. */
// Receiving handshake messages.

static void dtls1_hm_fragment_free(hm_fragment *frag) {
if (frag == NULL) {
@@ -165,7 +165,7 @@ static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) {
frag->seq = msg_hdr->seq;
frag->msg_len = msg_hdr->msg_len;

/* Allocate space for the reassembled message and fill in the header. */
// Allocate space for the reassembled message and fill in the header.
frag->data =
(uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len);
if (frag->data == NULL) {
@@ -184,9 +184,9 @@ static hm_fragment *dtls1_hm_fragment_new(const struct hm_header_st *msg_hdr) {
goto err;
}

/* If the handshake message is empty, |frag->reassembly| is NULL. */
// If the handshake message is empty, |frag->reassembly| is NULL.
if (msg_hdr->msg_len > 0) {
/* Initialize reassembly bitmask. */
// Initialize reassembly bitmask.
if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
goto err;
@@ -207,16 +207,16 @@ err:
return NULL;
}

/* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
* exclusive, set. */
// bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
// exclusive, set.
static uint8_t bit_range(size_t start, size_t end) {
return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));
}

/* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
* as received in |frag|. If |frag| becomes complete, it clears
* |frag->reassembly|. The range must be within the bounds of |frag|'s message
* and |frag->reassembly| must not be NULL. */
// dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
// as received in |frag|. If |frag| becomes complete, it clears
// |frag->reassembly|. The range must be within the bounds of |frag|'s message
// and |frag->reassembly| must not be NULL.
static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
size_t end) {
size_t msg_len = frag->msg_len;
@@ -225,7 +225,7 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
assert(0);
return;
}
/* A zero-length message will never have a pending reassembly. */
// A zero-length message will never have a pending reassembly.
assert(msg_len > 0);

if ((start >> 3) == (end >> 3)) {
@@ -240,7 +240,7 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
}
}

/* Check if the fragment is complete. */
// Check if the fragment is complete.
for (size_t i = 0; i < (msg_len >> 3); i++) {
if (frag->reassembly[i] != 0xff) {
return;
@@ -255,18 +255,18 @@ static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
frag->reassembly = NULL;
}

/* dtls1_is_current_message_complete returns one if the current handshake
* message is complete and zero otherwise. */
// dtls1_is_current_message_complete returns one if the current handshake
// message is complete and zero otherwise.
static int dtls1_is_current_message_complete(const SSL *ssl) {
hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %
SSL_MAX_HANDSHAKE_FLIGHT];
return frag != NULL && frag->reassembly == NULL;
}

/* dtls1_get_incoming_message returns the incoming message corresponding to
* |msg_hdr|. If none exists, it creates a new one and inserts it in the
* queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
* returns NULL on failure. The caller does not take ownership of the result. */
// dtls1_get_incoming_message returns the incoming message corresponding to
// |msg_hdr|. If none exists, it creates a new one and inserts it in the
// queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
// returns NULL on failure. The caller does not take ownership of the result.
static hm_fragment *dtls1_get_incoming_message(
SSL *ssl, const struct hm_header_st *msg_hdr) {
if (msg_hdr->seq < ssl->d1->handshake_read_seq ||
@@ -278,8 +278,8 @@ static hm_fragment *dtls1_get_incoming_message(
hm_fragment *frag = ssl->d1->incoming_messages[idx];
if (frag != NULL) {
assert(frag->seq == msg_hdr->seq);
/* The new fragment must be compatible with the previous fragments from this
* message. */
// The new fragment must be compatible with the previous fragments from this
// message.
if (frag->type != msg_hdr->type ||
frag->msg_len != msg_hdr->msg_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
@@ -289,7 +289,7 @@ static hm_fragment *dtls1_get_incoming_message(
return frag;
}

/* This is the first fragment from this message. */
// This is the first fragment from this message.
frag = dtls1_hm_fragment_new(msg_hdr);
if (frag == NULL) {
return NULL;
@@ -309,22 +309,22 @@ int dtls1_read_message(SSL *ssl) {

switch (rr->type) {
case SSL3_RT_APPLICATION_DATA:
/* Unencrypted application data records are always illegal. */
// Unencrypted application data records are always illegal.
if (ssl->s3->aead_read_ctx->is_null_cipher()) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
return -1;
}

/* Out-of-order application data may be received between ChangeCipherSpec
* and finished. Discard it. */
// Out-of-order application data may be received between ChangeCipherSpec
// and finished. Discard it.
rr->length = 0;
ssl_read_buffer_discard(ssl);
return 1;

case SSL3_RT_CHANGE_CIPHER_SPEC:
/* We do not support renegotiation, so encrypted ChangeCipherSpec records
* are illegal. */
// We do not support renegotiation, so encrypted ChangeCipherSpec records
// are illegal.
if (!ssl->s3->aead_read_ctx->is_null_cipher()) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
@@ -337,7 +337,7 @@ int dtls1_read_message(SSL *ssl) {
return -1;
}

/* Flag the ChangeCipherSpec for later. */
// Flag the ChangeCipherSpec for later.
ssl->d1->has_change_cipher_spec = true;
ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC,
rr->data, rr->length);
@@ -347,7 +347,7 @@ int dtls1_read_message(SSL *ssl) {
return 1;

case SSL3_RT_HANDSHAKE:
/* Break out to main processing. */
// Break out to main processing.
break;

default:
@@ -360,7 +360,7 @@ int dtls1_read_message(SSL *ssl) {
CBS_init(&cbs, rr->data, rr->length);

while (CBS_len(&cbs) > 0) {
/* Read a handshake fragment. */
// Read a handshake fragment.
struct hm_header_st msg_hdr;
CBS body;
if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {
@@ -380,7 +380,7 @@ int dtls1_read_message(SSL *ssl) {
return -1;
}

/* The encrypted epoch in DTLS has only one handshake message. */
// The encrypted epoch in DTLS has only one handshake message.
if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -390,7 +390,7 @@ int dtls1_read_message(SSL *ssl) {
if (msg_hdr.seq < ssl->d1->handshake_read_seq ||
msg_hdr.seq >
(unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) {
/* Ignore fragments from the past, or ones too far in the future. */
// Ignore fragments from the past, or ones too far in the future.
continue;
}

@@ -401,12 +401,12 @@ int dtls1_read_message(SSL *ssl) {
assert(frag->msg_len == msg_len);

if (frag->reassembly == NULL) {
/* The message is already assembled. */
// The message is already assembled.
continue;
}
assert(msg_len > 0);

/* Copy the body into the fragment. */
// Copy the body into the fragment.
OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off,
CBS_data(&body), CBS_len(&body));
dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);
@@ -444,8 +444,8 @@ void dtls1_next_message(SSL *ssl) {
ssl->d1->incoming_messages[index] = NULL;
ssl->d1->handshake_read_seq++;
ssl->s3->has_message = 0;
/* If we previously sent a flight, mark it as having a reply, so
* |on_handshake_complete| can manage post-handshake retransmission. */
// If we previously sent a flight, mark it as having a reply, so
// |on_handshake_complete| can manage post-handshake retransmission.
if (ssl->d1->outgoing_messages_complete) {
ssl->d1->flight_has_reply = true;
}
@@ -461,7 +461,7 @@ void dtls_clear_incoming_messages(SSL *ssl) {
int dtls_has_incoming_messages(const SSL *ssl) {
size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {
/* Skip the current message. */
// Skip the current message.
if (ssl->s3->has_message && i == current) {
assert(dtls1_is_current_message_complete(ssl));
continue;
@@ -490,7 +490,7 @@ int dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr,
}

int dtls1_read_change_cipher_spec(SSL *ssl) {
/* Process handshake records until there is a ChangeCipherSpec. */
// Process handshake records until there is a ChangeCipherSpec.
while (!ssl->d1->has_change_cipher_spec) {
int ret = dtls1_read_message(ssl);
if (ret <= 0) {
@@ -503,7 +503,7 @@ int dtls1_read_change_cipher_spec(SSL *ssl) {
}


/* Sending handshake messages. */
// Sending handshake messages.

void dtls_clear_outgoing_messages(SSL *ssl) {
for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) {
@@ -518,7 +518,7 @@ void dtls_clear_outgoing_messages(SSL *ssl) {
}

int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
/* Pick a modest size hint to save most of the |realloc| calls. */
// Pick a modest size hint to save most of the |realloc| calls.
if (!CBB_init(cbb, 64) ||
!CBB_add_u8(cbb, type) ||
!CBB_add_u24(cbb, 0 /* length (filled in later) */) ||
@@ -541,20 +541,20 @@ int dtls1_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,
return 0;
}

/* Fix up the header. Copy the fragment length into the total message
* length. */
// Fix up the header. Copy the fragment length into the total message
// length.
OPENSSL_memcpy(*out_msg + 1, *out_msg + DTLS1_HM_HEADER_LENGTH - 3, 3);
return 1;
}

/* add_outgoing adds a new handshake message or ChangeCipherSpec to the current
* outgoing flight. It returns one on success and zero on error. In both cases,
* it takes ownership of |data| and releases it with |OPENSSL_free| when
* done. */
// add_outgoing adds a new handshake message or ChangeCipherSpec to the current
// outgoing flight. It returns one on success and zero on error. In both cases,
// it takes ownership of |data| and releases it with |OPENSSL_free| when
// done.
static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) {
if (ssl->d1->outgoing_messages_complete) {
/* If we've begun writing a new flight, we received the peer flight. Discard
* the timer and the our flight. */
// If we've begun writing a new flight, we received the peer flight. Discard
// the timer and the our flight.
dtls1_stop_timer(ssl);
dtls_clear_outgoing_messages(ssl);
}
@@ -570,8 +570,8 @@ static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) {
}

if (!is_ccs) {
/* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
* on hs. */
// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
// on hs.
if (ssl->s3->hs != NULL &&
!ssl->s3->hs->transcript.Update(data, len)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -601,20 +601,20 @@ int dtls1_add_change_cipher_spec(SSL *ssl) {
}

int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {
/* The |add_alert| path is only used for warning alerts for now, which DTLS
* never sends. This will be implemented later once closure alerts are
* converted. */
// The |add_alert| path is only used for warning alerts for now, which DTLS
// never sends. This will be implemented later once closure alerts are
// converted.
assert(0);
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}

/* dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
* the minimum. */
// dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
// the minimum.
static void dtls1_update_mtu(SSL *ssl) {
/* TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the
* only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use
* |SSL_set_mtu|. Does this need to be so complex? */
// TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the
// only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use
// |SSL_set_mtu|. Does this need to be so complex?
if (ssl->d1->mtu < dtls1_min_mtu() &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
@@ -626,7 +626,7 @@ static void dtls1_update_mtu(SSL *ssl) {
}
}

/* The MTU should be above the minimum now. */
// The MTU should be above the minimum now.
assert(ssl->d1->mtu >= dtls1_min_mtu());
}

@@ -637,9 +637,9 @@ enum seal_result_t {
seal_success,
};

/* seal_next_message seals |msg|, which must be the next message, to |out|. If
* progress was made, it returns |seal_partial| or |seal_success| and sets
* |*out_len| to the number of bytes written. */
// seal_next_message seals |msg|, which must be the next message, to |out|. If
// progress was made, it returns |seal_partial| or |seal_success| and sets
// |*out_len| to the number of bytes written.
static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out,
const DTLS_OUTGOING_MESSAGE *msg) {
@@ -658,7 +658,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);

if (msg->is_ccs) {
/* Check there is room for the ChangeCipherSpec. */
// Check there is room for the ChangeCipherSpec.
static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
if (max_out < sizeof(kChangeCipherSpec) + overhead) {
return seal_no_progress;
@@ -675,7 +675,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
return seal_success;
}

/* DTLS messages are serialized as a single fragment in |msg|. */
// DTLS messages are serialized as a single fragment in |msg|.
CBS cbs, body;
struct hm_header_st hdr;
CBS_init(&cbs, msg->data, msg->len);
@@ -689,7 +689,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
return seal_error;
}

/* Determine how much progress can be made. */
// Determine how much progress can be made.
if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) {
return seal_no_progress;
}
@@ -698,7 +698,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead;
}

/* Assemble a fragment, to be sealed in-place. */
// Assemble a fragment, to be sealed in-place.
ScopedCBB cbb;
uint8_t *frag = out + prefix;
size_t max_frag = max_out - prefix, frag_len;
@@ -722,7 +722,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
}

if (todo == CBS_len(&body)) {
/* The next message is complete. */
// The next message is complete.
ssl->d1->outgoing_offset = 0;
return seal_success;
}
@@ -731,9 +731,9 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
return seal_partial;
}

/* seal_next_packet writes as much of the next flight as possible to |out| and
* advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as
* appropriate. */
// seal_next_packet writes as much of the next flight as possible to |out| and
// advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as
// appropriate.
static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out) {
int made_progress = 0;
@@ -767,7 +767,7 @@ static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,
}

packet_full:
/* The MTU was too small to make any progress. */
// The MTU was too small to make any progress.
if (!made_progress) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);
return 0;
@@ -798,7 +798,7 @@ static int send_flight(SSL *ssl) {

int bio_ret = BIO_write(ssl->wbio, packet, packet_len);
if (bio_ret <= 0) {
/* Retry this packet the next time around. */
// Retry this packet the next time around.
ssl->d1->outgoing_written = old_written;
ssl->d1->outgoing_offset = old_offset;
ssl->rwstate = SSL_WRITING;
@@ -821,16 +821,16 @@ err:

int dtls1_flush_flight(SSL *ssl) {
ssl->d1->outgoing_messages_complete = true;
/* Start the retransmission timer for the next flight (if any). */
// Start the retransmission timer for the next flight (if any).
dtls1_start_timer(ssl);
return send_flight(ssl);
}

int dtls1_retransmit_outgoing_messages(SSL *ssl) {
/* Rewind to the start of the flight and write it again.
*
* TODO(davidben): This does not allow retransmits to be resumed on
* non-blocking write. */
// Rewind to the start of the flight and write it again.
//
// TODO(davidben): This does not allow retransmits to be resumed on
// non-blocking write.
ssl->d1->outgoing_written = 0;
ssl->d1->outgoing_offset = 0;



+ 24
- 24
ssl/d1_lib.cc Visa fil

@@ -70,12 +70,12 @@

namespace bssl {

/* DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
* before starting to decrease the MTU. */
// DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
// before starting to decrease the MTU.
#define DTLS1_MTU_TIMEOUTS 2

/* DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
* before failing the DTLS handshake. */
// DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
// before failing the DTLS handshake.
#define DTLS1_MAX_TIMEOUTS 12

int dtls1_new(SSL *ssl) {
@@ -91,11 +91,11 @@ int dtls1_new(SSL *ssl) {

ssl->d1 = d1;

/* Set the version to the highest supported version.
*
* TODO(davidben): Move this field into |s3|, have it store the normalized
* protocol version, and implement this pre-negotiation quirk in |SSL_version|
* at the API boundary rather than in internal state. */
// Set the version to the highest supported version.
//
// TODO(davidben): Move this field into |s3|, have it store the normalized
// protocol version, and implement this pre-negotiation quirk in |SSL_version|
// at the API boundary rather than in internal state.
ssl->version = DTLS1_2_VERSION;
return 1;
}
@@ -116,15 +116,15 @@ void dtls1_free(SSL *ssl) {
}

void dtls1_start_timer(SSL *ssl) {
/* If timer is not set, initialize duration (by default, 1 second) */
// If timer is not set, initialize duration (by default, 1 second)
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
ssl->d1->timeout_duration_ms = ssl->initial_timeout_duration_ms;
}

/* Set timeout to current time */
// Set timeout to current time
ssl_get_current_time(ssl, &ssl->d1->next_timeout);

/* Add duration to current time */
// Add duration to current time
ssl->d1->next_timeout.tv_sec += ssl->d1->timeout_duration_ms / 1000;
ssl->d1->next_timeout.tv_usec += (ssl->d1->timeout_duration_ms % 1000) * 1000;
if (ssl->d1->next_timeout.tv_usec >= 1000000) {
@@ -136,17 +136,17 @@ void dtls1_start_timer(SSL *ssl) {
int dtls1_is_timer_expired(SSL *ssl) {
struct timeval timeleft;

/* Get time left until timeout, return false if no timer running */
// Get time left until timeout, return false if no timer running
if (!DTLSv1_get_timeout(ssl, &timeleft)) {
return 0;
}

/* Return false if timer is not expired yet */
// Return false if timer is not expired yet
if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
return 0;
}

/* Timer expired, so return true */
// Timer expired, so return true
return 1;
}

@@ -166,7 +166,7 @@ void dtls1_stop_timer(SSL *ssl) {
int dtls1_check_timeout_num(SSL *ssl) {
ssl->d1->num_timeouts++;

/* Reduce MTU after 2 unsuccessful retransmissions */
// Reduce MTU after 2 unsuccessful retransmissions
if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
@@ -176,7 +176,7 @@ int dtls1_check_timeout_num(SSL *ssl) {
}

if (ssl->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) {
/* fail the connection, enough alerts have been sent */
// fail the connection, enough alerts have been sent
OPENSSL_PUT_ERROR(SSL, SSL_R_READ_TIMEOUT_EXPIRED);
return 0;
}
@@ -197,7 +197,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) {
return 0;
}

/* If no timeout is set, just return 0. */
// If no timeout is set, just return 0.
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
return 0;
}
@@ -205,7 +205,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) {
struct OPENSSL_timeval timenow;
ssl_get_current_time(ssl, &timenow);

/* If timer already expired, set remaining time to 0. */
// If timer already expired, set remaining time to 0.
if (ssl->d1->next_timeout.tv_sec < timenow.tv_sec ||
(ssl->d1->next_timeout.tv_sec == timenow.tv_sec &&
ssl->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
@@ -213,7 +213,7 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) {
return 1;
}

/* Calculate time left until timer expires. */
// Calculate time left until timer expires.
struct OPENSSL_timeval ret;
OPENSSL_memcpy(&ret, &ssl->d1->next_timeout, sizeof(ret));
ret.tv_sec -= timenow.tv_sec;
@@ -224,13 +224,13 @@ int DTLSv1_get_timeout(const SSL *ssl, struct timeval *out) {
ret.tv_sec--;
}

/* If remaining time is less than 15 ms, set it to 0 to prevent issues
* because of small divergences with socket timeouts. */
// If remaining time is less than 15 ms, set it to 0 to prevent issues
// because of small divergences with socket timeouts.
if (ret.tv_sec == 0 && ret.tv_usec < 15000) {
OPENSSL_memset(&ret, 0, sizeof(ret));
}

/* Clamp the result in case of overflow. */
// Clamp the result in case of overflow.
if (ret.tv_sec > INT_MAX) {
assert(0);
out->tv_sec = INT_MAX;
@@ -250,7 +250,7 @@ int DTLSv1_handle_timeout(SSL *ssl) {
return -1;
}

/* If no timer is expired, don't do anything. */
// If no timer is expired, don't do anything.
if (!dtls1_is_timer_expired(ssl)) {
return 0;
}


+ 27
- 27
ssl/d1_pkt.cc Visa fil

@@ -140,15 +140,15 @@ again:
return 0;
}

/* Read a new packet if there is no unconsumed one. */
// Read a new packet if there is no unconsumed one.
if (ssl_read_buffer_len(ssl) == 0) {
int read_ret = ssl_read_buffer_extend_to(ssl, 0 /* unused */);
if (read_ret < 0 && dtls1_is_timer_expired(ssl)) {
/* Historically, timeouts were handled implicitly if the caller did not
* handle them.
*
* TODO(davidben): This was to support blocking sockets but affected
* non-blocking sockets. Can it be removed? */
// Historically, timeouts were handled implicitly if the caller did not
// handle them.
//
// TODO(davidben): This was to support blocking sockets but affected
// non-blocking sockets. Can it be removed?
int timeout_ret = DTLSv1_handle_timeout(ssl);
if (timeout_ret <= 0) {
return timeout_ret;
@@ -170,7 +170,7 @@ again:
ssl_read_buffer_consume(ssl, consumed);
switch (open_ret) {
case ssl_open_record_partial:
/* Impossible in DTLS. */
// Impossible in DTLS.
break;

case ssl_open_record_success: {
@@ -221,9 +221,9 @@ again:
}

if (rr->type == SSL3_RT_HANDSHAKE) {
/* Parse the first fragment header to determine if this is a pre-CCS or
* post-CCS handshake record. DTLS resets handshake message numbers on each
* handshake, so renegotiations and retransmissions are ambiguous. */
// Parse the first fragment header to determine if this is a pre-CCS or
// post-CCS handshake record. DTLS resets handshake message numbers on each
// handshake, so renegotiations and retransmissions are ambiguous.
CBS cbs, body;
struct hm_header_st msg_hdr;
CBS_init(&cbs, rr->data, rr->length);
@@ -236,9 +236,9 @@ again:
if (msg_hdr.type == SSL3_MT_FINISHED &&
msg_hdr.seq == ssl->d1->handshake_read_seq - 1) {
if (msg_hdr.frag_off == 0) {
/* Retransmit our last flight of messages. If the peer sends the second
* Finished, they may not have received ours. Only do this for the
* first fragment, in case the Finished was fragmented. */
// Retransmit our last flight of messages. If the peer sends the second
// Finished, they may not have received ours. Only do this for the
// first fragment, in case the Finished was fragmented.
if (!dtls1_check_timeout_num(ssl)) {
return -1;
}
@@ -250,8 +250,8 @@ again:
goto again;
}

/* Otherwise, this is a pre-CCS handshake message from an unsupported
* renegotiation attempt. Fall through to the error path. */
// Otherwise, this is a pre-CCS handshake message from an unsupported
// renegotiation attempt. Fall through to the error path.
}

if (rr->type != SSL3_RT_APPLICATION_DATA) {
@@ -260,7 +260,7 @@ again:
return -1;
}

/* Discard empty records. */
// Discard empty records.
if (rr->length == 0) {
goto again;
}
@@ -275,12 +275,12 @@ again:

OPENSSL_memcpy(buf, rr->data, len);
if (!peek) {
/* TODO(davidben): Should the record be truncated instead? This is a
* datagram transport. See https://crbug.com/boringssl/65. */
// TODO(davidben): Should the record be truncated instead? This is a
// datagram transport. See https://crbug.com/boringssl/65.
rr->length -= len;
rr->data += len;
if (rr->length == 0) {
/* The record has been consumed, so we may now clear the buffer. */
// The record has been consumed, so we may now clear the buffer.
ssl_read_buffer_discard(ssl);
}
}
@@ -289,10 +289,10 @@ again:
}

void dtls1_read_close_notify(SSL *ssl) {
/* Bidirectional shutdown doesn't make sense for an unordered transport. DTLS
* alerts also aren't delivered reliably, so we may even time out because the
* peer never received our close_notify. Report to the caller that the channel
* has fully shut down. */
// Bidirectional shutdown doesn't make sense for an unordered transport. DTLS
// alerts also aren't delivered reliably, so we may even time out because the
// peer never received our close_notify. Report to the caller that the channel
// has fully shut down.
if (ssl->s3->recv_shutdown == ssl_shutdown_none) {
ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
}
@@ -328,9 +328,9 @@ int dtls1_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len,
enum dtls1_use_epoch_t use_epoch) {
assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
/* There should never be a pending write buffer in DTLS. One can't write half
* a datagram, so the write buffer is always dropped in
* |ssl_write_buffer_flush|. */
// There should never be a pending write buffer in DTLS. One can't write half
// a datagram, so the write buffer is always dropped in
// |ssl_write_buffer_flush|.
assert(!ssl_write_buffer_is_pending(ssl));

if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
@@ -364,7 +364,7 @@ int dtls1_dispatch_alert(SSL *ssl) {
}
ssl->s3->alert_dispatch = 0;

/* If the alert is fatal, flush the BIO now. */
// If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
}


+ 2
- 2
ssl/d1_srtp.cc Visa fil

@@ -226,11 +226,11 @@ const SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *ssl) {
}

int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) {
/* This API inverts its return value. */
// This API inverts its return value.
return !SSL_CTX_set_srtp_profiles(ctx, profiles);
}

int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles) {
/* This API inverts its return value. */
// This API inverts its return value.
return !SSL_set_srtp_profiles(ssl, profiles);
}

+ 6
- 6
ssl/dtls_method.cc Visa fil

@@ -73,17 +73,17 @@ static int dtls1_supports_cipher(const SSL_CIPHER *cipher) {
}

static void dtls1_on_handshake_complete(SSL *ssl) {
/* Stop the reply timer left by the last flight we sent. */
// Stop the reply timer left by the last flight we sent.
dtls1_stop_timer(ssl);
/* If the final flight had a reply, we know the peer has received it. If not,
* we must leave the flight around for post-handshake retransmission. */
// If the final flight had a reply, we know the peer has received it. If not,
// we must leave the flight around for post-handshake retransmission.
if (ssl->d1->flight_has_reply) {
dtls_clear_outgoing_messages(ssl);
}
}

static int dtls1_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
/* Cipher changes are illegal when there are buffered incoming messages. */
// Cipher changes are illegal when there are buffered incoming messages.
if (dtls_has_incoming_messages(ssl) || ssl->d1->has_change_cipher_spec) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -153,7 +153,7 @@ const SSL_METHOD *DTLS_with_buffers_method(void) {
return &kMethod;
}

/* Legacy version-locked methods. */
// Legacy version-locked methods.

const SSL_METHOD *DTLSv1_2_method(void) {
static const SSL_METHOD kMethod = {
@@ -173,7 +173,7 @@ const SSL_METHOD *DTLSv1_method(void) {
return &kMethod;
}

/* Legacy side-specific methods. */
// Legacy side-specific methods.

const SSL_METHOD *DTLSv1_2_server_method(void) {
return DTLSv1_2_method();


+ 25
- 25
ssl/dtls_record.cc Visa fil

@@ -123,8 +123,8 @@

namespace bssl {

/* to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
* a |uint64_t|. */
// to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
// a |uint64_t|.
static uint64_t to_u64_be(const uint8_t in[8]) {
uint64_t ret = 0;
unsigned i;
@@ -135,8 +135,8 @@ static uint64_t to_u64_be(const uint8_t in[8]) {
return ret;
}

/* dtls1_bitmap_should_discard returns one if |seq_num| has been seen in |bitmap|
* or is stale. Otherwise it returns zero. */
// dtls1_bitmap_should_discard returns one if |seq_num| has been seen in
// |bitmap| or is stale. Otherwise it returns zero.
static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
const uint8_t seq_num[8]) {
const unsigned kWindowSize = sizeof(bitmap->map) * 8;
@@ -149,15 +149,15 @@ static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx));
}

/* dtls1_bitmap_record updates |bitmap| to record receipt of sequence number
* |seq_num|. It slides the window forward if needed. It is an error to call
* this function on a stale sequence number. */
// dtls1_bitmap_record updates |bitmap| to record receipt of sequence number
// |seq_num|. It slides the window forward if needed. It is an error to call
// this function on a stale sequence number.
static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap,
const uint8_t seq_num[8]) {
const unsigned kWindowSize = sizeof(bitmap->map) * 8;

uint64_t seq_num_u = to_u64_be(seq_num);
/* Shift the window if necessary. */
// Shift the window if necessary.
if (seq_num_u > bitmap->max_seq_num) {
uint64_t shift = seq_num_u - bitmap->max_seq_num;
if (shift >= kWindowSize) {
@@ -183,7 +183,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
CBS cbs;
CBS_init(&cbs, in, in_len);

/* Decode the record. */
// Decode the record.
uint8_t type;
uint16_t version;
uint8_t sequence[8];
@@ -195,7 +195,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
(ssl->s3->have_version && version != ssl->version) ||
(version >> 8) != DTLS1_VERSION_MAJOR ||
CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
/* The record header was incomplete or malformed. Drop the entire packet. */
// The record header was incomplete or malformed. Drop the entire packet.
*out_consumed = in_len;
return ssl_open_record_discard;
}
@@ -206,31 +206,31 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
uint16_t epoch = (((uint16_t)sequence[0]) << 8) | sequence[1];
if (epoch != ssl->d1->r_epoch ||
dtls1_bitmap_should_discard(&ssl->d1->bitmap, sequence)) {
/* Drop this record. It's from the wrong epoch or is a replay. Note that if
* |epoch| is the next epoch, the record could be buffered for later. For
* simplicity, drop it and expect retransmit to handle it later; DTLS must
* handle packet loss anyway. */
// Drop this record. It's from the wrong epoch or is a replay. Note that if
// |epoch| is the next epoch, the record could be buffered for later. For
// simplicity, drop it and expect retransmit to handle it later; DTLS must
// handle packet loss anyway.
*out_consumed = in_len - CBS_len(&cbs);
return ssl_open_record_discard;
}

/* Decrypt the body in-place. */
// Decrypt the body in-place.
if (!ssl->s3->aead_read_ctx->Open(out, type, version, sequence,
(uint8_t *)CBS_data(&body),
CBS_len(&body))) {
/* Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
* Clear the error queue of any errors decryption may have added. Drop the
* entire packet as it must not have come from the peer.
*
* TODO(davidben): This doesn't distinguish malloc failures from encryption
* failures. */
// Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
// Clear the error queue of any errors decryption may have added. Drop the
// entire packet as it must not have come from the peer.
//
// TODO(davidben): This doesn't distinguish malloc failures from encryption
// failures.
ERR_clear_error();
*out_consumed = in_len - CBS_len(&cbs);
return ssl_open_record_discard;
}
*out_consumed = in_len - CBS_len(&cbs);

/* Check the plaintext length. */
// Check the plaintext length.
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
@@ -239,8 +239,8 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,

dtls1_bitmap_record(&ssl->d1->bitmap, sequence);

/* TODO(davidben): Limit the number of empty records as in TLS? This is only
* useful if we also limit discarded packets. */
// TODO(davidben): Limit the number of empty records as in TLS? This is only
// useful if we also limit discarded packets.

if (type == SSL3_RT_ALERT) {
return ssl_process_alert(ssl, out_alert, CBS_data(out), CBS_len(out));
@@ -282,7 +282,7 @@ int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
return 0;
}

/* Determine the parameters for the current epoch. */
// Determine the parameters for the current epoch.
uint16_t epoch = ssl->d1->w_epoch;
SSLAEADContext *aead = ssl->s3->aead_write_ctx;
uint8_t *seq = ssl->s3->write_sequence;


+ 47
- 47
ssl/handshake.cc Visa fil

@@ -199,8 +199,8 @@ int ssl_add_message_cbb(SSL *ssl, CBB *cbb) {
}

size_t ssl_max_handshake_message_len(const SSL *ssl) {
/* kMaxMessageLen is the default maximum message size for handshakes which do
* not accept peer certificate chains. */
// kMaxMessageLen is the default maximum message size for handshakes which do
// not accept peer certificate chains.
static const size_t kMaxMessageLen = 16384;

if (SSL_in_init(ssl)) {
@@ -212,24 +212,24 @@ size_t ssl_max_handshake_message_len(const SSL *ssl) {
}

if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
/* In TLS 1.2 and below, the largest acceptable post-handshake message is
* a HelloRequest. */
// In TLS 1.2 and below, the largest acceptable post-handshake message is
// a HelloRequest.
return 0;
}

if (ssl->server) {
/* The largest acceptable post-handshake message for a server is a
* KeyUpdate. We will never initiate post-handshake auth. */
// The largest acceptable post-handshake message for a server is a
// KeyUpdate. We will never initiate post-handshake auth.
return 1;
}

/* Clients must accept NewSessionTicket and CertificateRequest, so allow the
* default size. */
// Clients must accept NewSessionTicket and CertificateRequest, so allow the
// default size.
return kMaxMessageLen;
}

bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
/* V2ClientHello messages are pre-hashed. */
// V2ClientHello messages are pre-hashed.
if (msg.is_v2_hello) {
return true;
}
@@ -240,7 +240,7 @@ bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
const SSL_EXTENSION_TYPE *ext_types,
size_t num_ext_types, int ignore_unknown) {
/* Reset everything. */
// Reset everything.
for (size_t i = 0; i < num_ext_types; i++) {
*ext_types[i].out_present = 0;
CBS_init(ext_types[i].out_data, NULL, 0);
@@ -274,7 +274,7 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
return 0;
}

/* Duplicate ext_types are forbidden. */
// Duplicate ext_types are forbidden.
if (*ext_type->out_present) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
@@ -289,8 +289,8 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
}

static void set_crypto_buffer(CRYPTO_BUFFER **dest, CRYPTO_BUFFER *src) {
/* TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr|
* and |UniquePtr| has up_ref helpers. */
// TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr|
// and |UniquePtr| has up_ref helpers.
CRYPTO_BUFFER_free(*dest);
*dest = src;
if (src != nullptr) {
@@ -302,10 +302,10 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
const SSL_SESSION *prev_session = ssl->s3->established_session;
if (prev_session != NULL) {
/* If renegotiating, the server must not change the server certificate. See
* https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
* so this check is sufficient to ensure the reported peer certificate never
* changes on renegotiation. */
// If renegotiating, the server must not change the server certificate. See
// https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
// so this check is sufficient to ensure the reported peer certificate never
// changes on renegotiation.
assert(!ssl->server);
if (sk_CRYPTO_BUFFER_num(prev_session->certs) !=
sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
@@ -329,10 +329,10 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
}
}

/* The certificate is identical, so we may skip re-verifying the
* certificate. Since we only authenticated the previous one, copy other
* authentication from the established session and ignore what was newly
* received. */
// The certificate is identical, so we may skip re-verifying the
// certificate. Since we only authenticated the previous one, copy other
// authentication from the established session and ignore what was newly
// received.
set_crypto_buffer(&hs->new_session->ocsp_response,
prev_session->ocsp_response);
set_crypto_buffer(&hs->new_session->signed_cert_timestamp_list,
@@ -371,17 +371,17 @@ enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
}

uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) {
/* Use the client_random or server_random for entropy. This both avoids
* calling |RAND_bytes| on a single byte repeatedly and ensures the values are
* deterministic. This allows the same ClientHello be sent twice for a
* HelloRetryRequest or the same group be advertised in both supported_groups
* and key_shares. */
// Use the client_random or server_random for entropy. This both avoids
// calling |RAND_bytes| on a single byte repeatedly and ensures the values are
// deterministic. This allows the same ClientHello be sent twice for a
// HelloRetryRequest or the same group be advertised in both supported_groups
// and key_shares.
uint16_t ret = ssl->server ? ssl->s3->server_random[index]
: ssl->s3->client_random[index];
/* The first four bytes of server_random are a timestamp prior to TLS 1.3, but
* servers have no fields to GREASE until TLS 1.3. */
// The first four bytes of server_random are a timestamp prior to TLS 1.3, but
// servers have no fields to GREASE until TLS 1.3.
assert(!ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION);
/* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */
// This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16.
ret = (ret & 0xf0) | 0x0a;
ret |= ret << 8;
return ret;
@@ -398,7 +398,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Snapshot the finished hash before incorporating the new message. */
// Snapshot the finished hash before incorporating the new message.
uint8_t finished[EVP_MAX_MD_SIZE];
size_t finished_len;
if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
@@ -418,7 +418,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Copy the Finished so we can use it for renegotiation checks. */
// Copy the Finished so we can use it for renegotiation checks.
if (ssl->version != SSL3_VERSION) {
if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
finished_len > sizeof(ssl->s3->previous_server_finished)) {
@@ -442,7 +442,7 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {
SSL *const ssl = hs->ssl;
for (;;) {
/* Resolve the operation the handshake was waiting on. */
// Resolve the operation the handshake was waiting on.
switch (hs->wait) {
case ssl_hs_error:
OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
@@ -464,13 +464,13 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {
if (hs->wait == ssl_hs_read_server_hello &&
ERR_GET_LIB(err) == ERR_LIB_SSL &&
ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {
/* Add a dedicated error code to the queue for a handshake_failure
* alert in response to ClientHello. This matches NSS's client
* behavior and gives a better error on a (probable) failure to
* negotiate initial parameters. Note: this error code comes after
* the original one.
*
* See https://crbug.com/446505. */
// Add a dedicated error code to the queue for a handshake_failure
// alert in response to ClientHello. This matches NSS's client
// behavior and gives a better error on a (probable) failure to
// negotiate initial parameters. Note: this error code comes after
// the original one.
//
// See https://crbug.com/446505.
OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);
}
return ret;
@@ -488,7 +488,7 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {

case ssl_hs_read_end_of_early_data: {
if (ssl->s3->hs->can_early_read) {
/* While we are processing early data, the handshake returns early. */
// While we are processing early data, the handshake returns early.
*out_early_return = 1;
return 1;
}
@@ -533,7 +533,7 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {

case ssl_hs_early_data_rejected:
ssl->rwstate = SSL_EARLY_DATA_REJECTED;
/* Cause |SSL_write| to start failing immediately. */
// Cause |SSL_write| to start failing immediately.
hs->can_early_write = 0;
return -1;

@@ -546,20 +546,20 @@ int ssl_run_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {
break;
}

/* Run the state machine again. */
// Run the state machine again.
hs->wait = ssl->do_handshake(hs);
if (hs->wait == ssl_hs_error) {
/* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
* first time around. */
// Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
// first time around.
return -1;
}
if (hs->wait == ssl_hs_ok) {
/* The handshake has completed. */
// The handshake has completed.
return 1;
}

/* Otherwise, loop to the beginning and resolve what was blocking the
* handshake. */
// Otherwise, loop to the beginning and resolve what was blocking the
// handshake.
}
}



+ 120
- 121
ssl/handshake_client.cc Visa fil

@@ -199,14 +199,14 @@ enum ssl_client_hs_state_t {
state_done,
};

/* ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
* disabled algorithms. */
// ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
// disabled algorithms.
static void ssl_get_client_disabled(SSL *ssl, uint32_t *out_mask_a,
uint32_t *out_mask_k) {
*out_mask_a = 0;
*out_mask_k = 0;

/* PSK requires a client callback. */
// PSK requires a client callback.
if (ssl->psk_client_callback == NULL) {
*out_mask_a |= SSL_aPSK;
*out_mask_k |= SSL_kPSK;
@@ -223,14 +223,14 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
return 0;
}

/* Add a fake cipher suite. See draft-davidben-tls-grease-01. */
// Add a fake cipher suite. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
!CBB_add_u16(&child, ssl_get_grease_value(ssl, ssl_grease_cipher))) {
return 0;
}

/* Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
* hardware support. */
// Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
// hardware support.
if (hs->max_version >= TLS1_3_VERSION) {
if (!EVP_has_aes_hardware() &&
!CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
@@ -249,7 +249,7 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
if (hs->min_version < TLS1_3_VERSION) {
int any_enabled = 0;
for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) {
/* Skip disabled ciphers */
// Skip disabled ciphers
if ((cipher->algorithm_mkey & mask_k) ||
(cipher->algorithm_auth & mask_a)) {
continue;
@@ -264,15 +264,15 @@ static int ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
}
}

/* If all ciphers were disabled, return the error to the caller. */
// If all ciphers were disabled, return the error to the caller.
if (!any_enabled && hs->max_version < TLS1_3_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
return 0;
}
}

/* For SSLv3, the SCSV is added. Otherwise the renegotiation extension is
* added. */
// For SSLv3, the SCSV is added. Otherwise the renegotiation extension is
// added.
if (hs->max_version == SSL3_VERSION &&
!ssl->s3->initial_handshake_complete) {
if (!CBB_add_u16(&child, SSL3_CK_SCSV & 0xffff)) {
@@ -297,7 +297,7 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) {
return 0;
}

/* Renegotiations do not participate in session resumption. */
// Renegotiations do not participate in session resumption.
int has_session_id = ssl->session != NULL &&
!ssl->s3->initial_handshake_complete &&
ssl->session->session_id_length > 0;
@@ -315,8 +315,8 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) {
return 0;
}
} else {
/* In TLS 1.3 experimental encodings, send a fake placeholder session ID
* when we do not otherwise have one to send. */
// In TLS 1.3 experimental encodings, send a fake placeholder session ID
// when we do not otherwise have one to send.
if (hs->max_version >= TLS1_3_VERSION &&
ssl->tls13_variant == tls13_experiment &&
!CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) {
@@ -346,8 +346,8 @@ int ssl_write_client_hello(SSL_HANDSHAKE *hs) {
return 0;
}

/* Now that the length prefixes have been computed, fill in the placeholder
* PSK binder. */
// Now that the length prefixes have been computed, fill in the placeholder
// PSK binder.
if (hs->needs_psk_binder &&
!tls13_write_psk_binder(hs, msg, len)) {
OPENSSL_free(msg);
@@ -374,8 +374,8 @@ static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out,
return 0;
}

/* The server version may also be in the supported_versions extension if
* applicable. */
// The server version may also be in the supported_versions extension if
// applicable.
if (msg.type != SSL3_MT_SERVER_HELLO || *out != TLS1_2_VERSION) {
return 1;
}
@@ -390,7 +390,7 @@ static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out,
return 0;
}

/* The extensions block may not be present. */
// The extensions block may not be present.
if (CBS_len(&server_hello) == 0) {
return 1;
}
@@ -433,14 +433,14 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {

ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);

/* Freeze the version range. */
// Freeze the version range.
if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
return ssl_hs_error;
}

/* Always advertise the ClientHello version from the original maximum version,
* even on renegotiation. The static RSA key exchange uses this field, and
* some servers fail when it changes across handshakes. */
// Always advertise the ClientHello version from the original maximum version,
// even on renegotiation. The static RSA key exchange uses this field, and
// some servers fail when it changes across handshakes.
if (SSL_is_dtls(hs->ssl)) {
hs->client_version =
hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;
@@ -449,8 +449,8 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
}

/* If the configured session has expired or was created at a disabled
* version, drop it. */
// If the configured session has expired or was created at a disabled
// version, drop it.
if (ssl->session != NULL) {
if (ssl->session->is_server ||
!ssl_supports_version(hs, ssl->session->ssl_version) ||
@@ -466,8 +466,8 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Initialize a random session ID for the experimental TLS 1.3 variant
* requiring a session id. */
// Initialize a random session ID for the experimental TLS 1.3 variant
// requiring a session id.
if (ssl->tls13_variant == tls13_experiment) {
hs->session_id_len = sizeof(hs->session_id);
if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
@@ -505,8 +505,8 @@ static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Stash the early data session, so connection properties may be queried out
* of it. */
// Stash the early data session, so connection properties may be queried out
// of it.
hs->in_early_data = 1;
SSL_SESSION_up_ref(ssl->session);
hs->early_session.reset(ssl->session);
@@ -547,7 +547,7 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {

ssl->method->next_message(ssl);

/* DTLS resets the handshake buffer after HelloVerifyRequest. */
// DTLS resets the handshake buffer after HelloVerifyRequest.
if (!hs->transcript.Init()) {
return ssl_hs_error;
}
@@ -581,8 +581,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
if (!ssl->s3->have_version) {
ssl->version = server_version;
/* At this point, the connection's version is known and ssl->version is
* fixed. Begin enforcing the record-layer version. */
// At this point, the connection's version is known and ssl->version is
// fixed. Begin enforcing the record-layer version.
ssl->s3->have_version = 1;
} else if (server_version != ssl->version) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
@@ -621,12 +621,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Copy over the server random. */
// Copy over the server random.
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
SSL3_RANDOM_SIZE);

/* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
* 1.3 is finalized and we are not implementing a draft version. */
// TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
// 1.3 is finalized and we are not implementing a draft version.

if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
ssl->session->session_id_length != 0 &&
@@ -634,14 +634,14 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
ssl->session->session_id_length)) {
ssl->s3->session_reused = 1;
} else {
/* The session wasn't resumed. Create a fresh SSL_SESSION to
* fill out. */
// The session wasn't resumed. Create a fresh SSL_SESSION to
// fill out.
ssl_set_session(ssl, NULL);
if (!ssl_get_new_session(hs, 0 /* client */)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
/* Note: session_id could be empty. */
// Note: session_id could be empty.
hs->new_session->session_id_length = CBS_len(&session_id);
OPENSSL_memcpy(hs->new_session->session_id, CBS_data(&session_id),
CBS_len(&session_id));
@@ -649,13 +649,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {

const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
if (cipher == NULL) {
/* unknown cipher */
// unknown cipher
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}

/* The cipher must be allowed in the selected version and enabled. */
// The cipher must be allowed in the selected version and enabled.
uint32_t mask_a, mask_k;
ssl_get_client_disabled(ssl, &mask_a, &mask_k);
if ((cipher->algorithm_mkey & mask_k) || (cipher->algorithm_auth & mask_a) ||
@@ -679,7 +679,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}
if (!ssl_session_is_context_valid(ssl, ssl->session)) {
/* This is actually a client application bug. */
// This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -690,38 +690,38 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
}
hs->new_cipher = cipher;

/* Now that the cipher is known, initialize the handshake hash and hash the
* ServerHello. */
// Now that the cipher is known, initialize the handshake hash and hash the
// ServerHello.
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) ||
!ssl_hash_message(hs, msg)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}

/* If doing a full handshake, the server may request a client certificate
* which requires hashing the handshake transcript. Otherwise, the handshake
* buffer may be released. */
// If doing a full handshake, the server may request a client certificate
// which requires hashing the handshake transcript. Otherwise, the handshake
// buffer may be released.
if (ssl->session != NULL ||
!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
hs->transcript.FreeBuffer();
}

/* Only the NULL compression algorithm is supported. */
// Only the NULL compression algorithm is supported.
if (compression_method != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}

/* TLS extensions */
// TLS extensions
if (!ssl_parse_serverhello_tlsext(hs, &server_hello)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
return ssl_hs_error;
}

/* There should be nothing left over in the record. */
// There should be nothing left over in the record.
if (CBS_len(&server_hello) != 0) {
/* wrong packet length */
// wrong packet length
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return ssl_hs_error;
@@ -823,8 +823,8 @@ static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) {
}

if (msg.type != SSL3_MT_CERTIFICATE_STATUS) {
/* A server may send status_request in ServerHello and then change
* its mind about sending CertificateStatus. */
// A server may send status_request in ServerHello and then change its mind
// about sending CertificateStatus.
hs->state = state_verify_server_certificate;
return ssl_hs_ok;
}
@@ -887,7 +887,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
}

if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) {
/* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */
// Some ciphers (pure PSK) have an optional ServerKeyExchange message.
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -908,7 +908,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
if (alg_a & SSL_aPSK) {
CBS psk_identity_hint;

/* Each of the PSK key exchanges begins with a psk_identity_hint. */
// Each of the PSK key exchanges begins with a psk_identity_hint.
if (!CBS_get_u16_length_prefixed(&server_key_exchange,
&psk_identity_hint)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -916,13 +916,13 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Store PSK identity hint for later use, hint is used in
* ssl3_send_client_key_exchange. Assume that the maximum length of a PSK
* identity hint can be as long as the maximum length of a PSK identity.
* Also do not allow NULL characters; identities are saved as C strings.
*
* TODO(davidben): Should invalid hints be ignored? It's a hint rather than
* a specific identity. */
// Store PSK identity hint for later use, hint is used in
// ssl3_send_client_key_exchange. Assume that the maximum length of a PSK
// identity hint can be as long as the maximum length of a PSK identity.
// Also do not allow NULL characters; identities are saved as C strings.
//
// TODO(davidben): Should invalid hints be ignored? It's a hint rather than
// a specific identity.
if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
CBS_contains_zero_byte(&psk_identity_hint)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
@@ -930,11 +930,11 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Save non-empty identity hints as a C string. Empty identity hints we
* treat as missing. Plain PSK makes it possible to send either no hint
* (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
* empty hint. Having different capabilities is odd, so we interpret empty
* and missing as identical. */
// Save non-empty identity hints as a C string. Empty identity hints we
// treat as missing. Plain PSK makes it possible to send either no hint
// (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
// empty hint. Having different capabilities is odd, so we interpret empty
// and missing as identical.
char *raw = nullptr;
if (CBS_len(&psk_identity_hint) != 0 &&
!CBS_strdup(&psk_identity_hint, &raw)) {
@@ -946,7 +946,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
}

if (alg_k & SSL_kECDHE) {
/* Parse the server parameters. */
// Parse the server parameters.
uint8_t group_type;
uint16_t group_id;
CBS point;
@@ -960,14 +960,14 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
}
hs->new_session->group_id = group_id;

/* Ensure the group is consistent with preferences. */
// Ensure the group is consistent with preferences.
if (!tls1_check_group_id(ssl, group_id)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}

/* Initialize ECDH and save the peer public key for later. */
// Initialize ECDH and save the peer public key for later.
hs->key_share = SSLKeyShare::Create(group_id);
if (!hs->key_share ||
!CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) {
@@ -979,14 +979,14 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* At this point, |server_key_exchange| contains the signature, if any, while
* |msg.body| contains the entire message. From that, derive a CBS containing
* just the parameter. */
// At this point, |server_key_exchange| contains the signature, if any, while
// |msg.body| contains the entire message. From that, derive a CBS containing
// just the parameter.
CBS parameter;
CBS_init(&parameter, CBS_data(&msg.body),
CBS_len(&msg.body) - CBS_len(&server_key_exchange));

/* ServerKeyExchange should be signed by the server's public key. */
// ServerKeyExchange should be signed by the server's public key.
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
uint16_t signature_algorithm = 0;
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
@@ -1008,7 +1008,7 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* The last field in |server_key_exchange| is the signature. */
// The last field in |server_key_exchange| is the signature.
CBS signature;
if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||
CBS_len(&server_key_exchange) != 0) {
@@ -1044,13 +1044,13 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
ERR_clear_error();
#endif
if (!sig_ok) {
/* bad signature */
// bad signature
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
return ssl_hs_error;
}
} else {
/* PSK ciphers are the only supported certificate-less ciphers. */
// PSK ciphers are the only supported certificate-less ciphers.
assert(alg_a == SSL_aPSK);

if (CBS_len(&server_key_exchange) > 0) {
@@ -1079,8 +1079,8 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
}

if (msg.type == SSL3_MT_SERVER_HELLO_DONE) {
/* If we get here we don't need the handshake buffer as we won't be doing
* client auth. */
// If we get here we don't need the handshake buffer as we won't be doing
// client auth.
hs->transcript.FreeBuffer();
hs->state = state_read_server_hello_done;
return ssl_hs_ok;
@@ -1091,7 +1091,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Get the certificate types. */
// Get the certificate types.
CBS body = msg.body, certificate_types;
if (!CBS_get_u8_length_prefixed(&body, &certificate_types)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -1150,7 +1150,7 @@ static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* ServerHelloDone is empty. */
// ServerHelloDone is empty.
if (CBS_len(&msg.body) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -1165,13 +1165,13 @@ static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) {
static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;

/* The peer didn't request a certificate. */
// The peer didn't request a certificate.
if (!hs->cert_request) {
hs->state = state_send_client_key_exchange;
return ssl_hs_ok;
}

/* Call cert_cb to update the certificate. */
// Call cert_cb to update the certificate.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
@@ -1186,10 +1186,10 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
}

if (!ssl_has_certificate(ssl)) {
/* Without a client certificate, the handshake buffer may be released. */
// Without a client certificate, the handshake buffer may be released.
hs->transcript.FreeBuffer();

/* In SSL 3.0, the Certificate message is replaced with a warning alert. */
// In SSL 3.0, the Certificate message is replaced with a warning alert.
if (ssl->version == SSL3_VERSION) {
if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,
SSL_AD_NO_CERTIFICATE)) {
@@ -1227,7 +1227,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;

/* If using a PSK key exchange, prepare the pre-shared key. */
// If using a PSK key exchange, prepare the pre-shared key.
unsigned psk_len = 0;
uint8_t psk[PSK_MAX_PSK_LEN];
if (alg_a & SSL_aPSK) {
@@ -1255,7 +1255,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* Write out psk_identity. */
// Write out psk_identity.
CBB child;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
!CBB_add_bytes(&child, (const uint8_t *)identity,
@@ -1265,7 +1265,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
}
}

/* Depending on the key exchange method, compute |pms| and |pms_len|. */
// Depending on the key exchange method, compute |pms| and |pms_len|.
if (alg_k & SSL_kRSA) {
pms_len = SSL_MAX_MASTER_KEY_LENGTH;
pms = (uint8_t *)OPENSSL_malloc(pms_len);
@@ -1288,7 +1288,7 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {

CBB child, *enc_pms = &body;
size_t enc_pms_len;
/* In TLS, there is a length prefix. */
// In TLS, there is a length prefix.
if (ssl->version > SSL3_VERSION) {
if (!CBB_add_u16_length_prefixed(&body, &child)) {
goto err;
@@ -1305,13 +1305,13 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}
} else if (alg_k & SSL_kECDHE) {
/* Generate a keypair and serialize the public half. */
// Generate a keypair and serialize the public half.
CBB child;
if (!CBB_add_u8_length_prefixed(&body, &child)) {
goto err;
}

/* Compute the premaster. */
// Compute the premaster.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!hs->key_share->Accept(&child, &pms, &pms_len, &alert, hs->peer_key,
hs->peer_key_len)) {
@@ -1322,14 +1322,14 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* The key exchange state may now be discarded. */
// The key exchange state may now be discarded.
hs->key_share.reset();
OPENSSL_free(hs->peer_key);
hs->peer_key = NULL;
hs->peer_key_len = 0;
} else if (alg_k & SSL_kPSK) {
/* For plain PSK, other_secret is a block of 0s with the same length as
* the pre-shared key. */
// For plain PSK, other_secret is a block of 0s with the same length as
// the pre-shared key.
pms_len = psk_len;
pms = (uint8_t *)OPENSSL_malloc(pms_len);
if (pms == NULL) {
@@ -1343,8 +1343,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* For a PSK cipher suite, other_secret is combined with the pre-shared
* key. */
// For a PSK cipher suite, other_secret is combined with the pre-shared
// key.
if (alg_a & SSL_aPSK) {
ScopedCBB pms_cbb;
CBB child;
@@ -1366,8 +1366,8 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
pms_len = new_pms_len;
}

/* The message must be added to the finished hash before calculating the
* master secret. */
// The message must be added to the finished hash before calculating the
// master secret.
if (!ssl_add_message_cbb(ssl, cbb.get())) {
goto err;
}
@@ -1414,14 +1414,14 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
/* Write out the digest type in TLS 1.2. */
// Write out the digest type in TLS 1.2.
if (!CBB_add_u16(&body, signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_hs_error;
}
}

/* Set aside space for the signature. */
// Set aside space for the signature.
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *ptr;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
@@ -1430,8 +1430,8 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
}

size_t sig_len = max_sig_len;
/* The SSL3 construction for CertificateVerify does not decompose into a
* single final digest and signature, and must be special-cased. */
// The SSL3 construction for CertificateVerify does not decompose into a
// single final digest and signature, and must be special-cased.
if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
if (ssl->cert->key_method != NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
@@ -1470,7 +1470,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* The handshake buffer is no longer necessary. */
// The handshake buffer is no longer necessary.
hs->transcript.FreeBuffer();

hs->state = state_send_second_client_flight;
@@ -1553,9 +1553,9 @@ static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) {
return ssl_hs_ok;
}

/* This is a full handshake. If it involves ChannelID, then record the
* handshake hashes at this point in the session so that any resumption of
* this session with ChannelID can sign those hashes. */
// This is a full handshake. If it involves ChannelID, then record the
// handshake hashes at this point in the session so that any resumption of
// this session with ChannelID can sign those hashes.
if (!tls1_record_handshake_hashes_for_channel_id(hs)) {
return ssl_hs_error;
}
@@ -1564,8 +1564,7 @@ static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) {

if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) &&
ssl3_can_false_start(ssl) &&
/* No False Start on renegotiation (would complicate the state
* machine). */
// No False Start on renegotiation (would complicate the state machine).
!ssl->s3->initial_handshake_complete) {
hs->in_false_start = 1;
hs->can_early_write = 1;
@@ -1604,9 +1603,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
}

if (CBS_len(&ticket) == 0) {
/* RFC 5077 allows a server to change its mind and send no ticket after
* negotiating the extension. The value of |ticket_expected| is checked in
* |ssl_update_cache| so is cleared here to avoid an unnecessary update. */
// RFC 5077 allows a server to change its mind and send no ticket after
// negotiating the extension. The value of |ticket_expected| is checked in
// |ssl_update_cache| so is cleared here to avoid an unnecessary update.
hs->ticket_expected = 0;
ssl->method->next_message(ssl);
hs->state = state_process_change_cipher_spec;
@@ -1616,20 +1615,20 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
SSL_SESSION *session = hs->new_session.get();
UniquePtr<SSL_SESSION> renewed_session;
if (ssl->session != NULL) {
/* The server is sending a new ticket for an existing session. Sessions are
* immutable once established, so duplicate all but the ticket of the
* existing session. */
// The server is sending a new ticket for an existing session. Sessions are
// immutable once established, so duplicate all but the ticket of the
// existing session.
renewed_session =
SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
if (!renewed_session) {
/* This should never happen. */
// This should never happen.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_hs_error;
}
session = renewed_session.get();
}

/* |tlsext_tick_lifetime_hint| is measured from when the ticket was issued. */
// |tlsext_tick_lifetime_hint| is measured from when the ticket was issued.
ssl_session_rebase_time(ssl, session);

if (!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen)) {
@@ -1638,9 +1637,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
}
session->tlsext_tick_lifetime_hint = tlsext_tick_lifetime_hint;

/* Generate a session ID for this session based on the session ticket. We use
* the session ID mechanism for detecting ticket resumption. This also fits in
* with assumptions elsewhere in OpenSSL.*/
// Generate a session ID for this session based on the session ticket. We use
// the session ID mechanism for detecting ticket resumption. This also fits in
// with assumptions elsewhere in OpenSSL.
if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
session->session_id, &session->session_id_length,
EVP_sha256(), NULL)) {
@@ -1693,16 +1692,16 @@ static enum ssl_hs_wait_t do_finish_client_handshake(SSL_HANDSHAKE *hs) {
SSL_SESSION_up_ref(ssl->session);
ssl->s3->established_session = ssl->session;
} else {
/* We make a copy of the session in order to maintain the immutability
* of the new established_session due to False Start. The caller may
* have taken a reference to the temporary session. */
// We make a copy of the session in order to maintain the immutability
// of the new established_session due to False Start. The caller may
// have taken a reference to the temporary session.
ssl->s3->established_session =
SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL)
.release();
if (ssl->s3->established_session == NULL) {
return ssl_hs_error;
}
/* Renegotiations do not participate in session resumption. */
// Renegotiations do not participate in session resumption.
if (!ssl->s3->initial_handshake_complete) {
ssl->s3->established_session->not_resumable = 0;
}


+ 129
- 131
ssl/handshake_server.cc Visa fil

@@ -231,18 +231,18 @@ static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
return 0;
}
} else {
/* Convert the ClientHello version to an equivalent supported_versions
* extension. */
// Convert the ClientHello version to an equivalent supported_versions
// extension.
static const uint8_t kTLSVersions[] = {
0x03, 0x03, /* TLS 1.2 */
0x03, 0x02, /* TLS 1.1 */
0x03, 0x01, /* TLS 1 */
0x03, 0x00, /* SSL 3 */
0x03, 0x03, // TLS 1.2
0x03, 0x02, // TLS 1.1
0x03, 0x01, // TLS 1
0x03, 0x00, // SSL 3
};

static const uint8_t kDTLSVersions[] = {
0xfe, 0xfd, /* DTLS 1.2 */
0xfe, 0xff, /* DTLS 1.0 */
0xfe, 0xfd, // DTLS 1.2
0xfe, 0xff, // DTLS 1.0
};

size_t versions_len = 0;
@@ -273,11 +273,11 @@ static int negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
return 0;
}

/* At this point, the connection's version is known and |ssl->version| is
* fixed. Begin enforcing the record-layer version. */
// At this point, the connection's version is known and |ssl->version| is
// fixed. Begin enforcing the record-layer version.
ssl->s3->have_version = 1;

/* Handle FALLBACK_SCSV. */
// Handle FALLBACK_SCSV.
if (ssl_client_cipher_list_contains_cipher(client_hello,
SSL3_CK_FALLBACK_SCSV & 0xffff) &&
ssl3_protocol_version(ssl) < hs->max_version) {
@@ -319,10 +319,10 @@ static UniquePtr<STACK_OF(SSL_CIPHER)> ssl_parse_client_cipher_list(
return sk;
}

/* ssl_get_compatible_server_ciphers determines the key exchange and
* authentication cipher suite masks compatible with the server configuration
* and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
* exchange mask and |*out_mask_a| to the authentication mask. */
// ssl_get_compatible_server_ciphers determines the key exchange and
// authentication cipher suite masks compatible with the server configuration
// and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
// exchange mask and |*out_mask_a| to the authentication mask.
static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs,
uint32_t *out_mask_k,
uint32_t *out_mask_a) {
@@ -337,13 +337,13 @@ static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs,
}
}

/* Check for a shared group to consider ECDHE ciphers. */
// Check for a shared group to consider ECDHE ciphers.
uint16_t unused;
if (tls1_get_shared_group(hs, &unused)) {
mask_k |= SSL_kECDHE;
}

/* PSK requires a server callback. */
// PSK requires a server callback.
if (ssl->psk_server_callback != NULL) {
mask_k |= SSL_kPSK;
mask_a |= SSL_aPSK;
@@ -358,13 +358,13 @@ static const SSL_CIPHER *ssl3_choose_cipher(
const struct ssl_cipher_preference_list_st *server_pref) {
SSL *const ssl = hs->ssl;
STACK_OF(SSL_CIPHER) *prio, *allow;
/* in_group_flags will either be NULL, or will point to an array of bytes
* which indicate equal-preference groups in the |prio| stack. See the
* comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
* struct. */
// in_group_flags will either be NULL, or will point to an array of bytes
// which indicate equal-preference groups in the |prio| stack. See the
// comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
// struct.
const uint8_t *in_group_flags;
/* group_min contains the minimal index so far found in a group, or -1 if no
* such value exists yet. */
// group_min contains the minimal index so far found in a group, or -1 if no
// such value exists yet.
int group_min = -1;

UniquePtr<STACK_OF(SSL_CIPHER)> client_pref =
@@ -390,17 +390,17 @@ static const SSL_CIPHER *ssl3_choose_cipher(
const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);

size_t cipher_index;
if (/* Check if the cipher is supported for the current version. */
if (// Check if the cipher is supported for the current version.
SSL_CIPHER_get_min_version(c) <= ssl3_protocol_version(ssl) &&
ssl3_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) &&
/* Check the cipher is supported for the server configuration. */
// Check the cipher is supported for the server configuration.
(c->algorithm_mkey & mask_k) &&
(c->algorithm_auth & mask_a) &&
/* Check the cipher is in the |allow| list. */
// Check the cipher is in the |allow| list.
sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
if (in_group_flags != NULL && in_group_flags[i] == 1) {
/* This element of |prio| is in a group. Update the minimum index found
* so far and continue looking. */
// This element of |prio| is in a group. Update the minimum index found
// so far and continue looking.
if (group_min == -1 || (size_t)group_min > cipher_index) {
group_min = cipher_index;
}
@@ -413,8 +413,8 @@ static const SSL_CIPHER *ssl3_choose_cipher(
}

if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) {
/* We are about to leave a group, but we found a match in it, so that's
* our answer. */
// We are about to leave a group, but we found a match in it, so that's
// our answer.
return sk_SSL_CIPHER_value(allow, group_min);
}
}
@@ -447,14 +447,14 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Run the early callback. */
// Run the early callback.
if (ssl->ctx->select_certificate_cb != NULL) {
switch (ssl->ctx->select_certificate_cb(&client_hello)) {
case ssl_select_cert_retry:
return ssl_hs_certificate_selection_pending;

case ssl_select_cert_error:
/* Connection rejected. */
// Connection rejected.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
@@ -464,7 +464,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
}
}

/* Freeze the version range after the early callback. */
// Freeze the version range after the early callback.
if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
return ssl_hs_error;
}
@@ -483,8 +483,8 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
client_hello.random_len);

/* Only null compression is supported. TLS 1.3 further requires the peer
* advertise no other compression. */
// Only null compression is supported. TLS 1.3 further requires the peer
// advertise no other compression.
if (OPENSSL_memchr(client_hello.compression_methods, 0,
client_hello.compression_methods_len) == NULL ||
(ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
@@ -494,7 +494,7 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* TLS extensions. */
// TLS extensions.
if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
return ssl_hs_error;
@@ -512,7 +512,7 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
return ssl_hs_read_message;
}

/* Call |cert_cb| to update server certificates if required. */
// Call |cert_cb| to update server certificates if required.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
@@ -530,7 +530,7 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
}

if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
/* Jump to the TLS 1.3 state machine. */
// Jump to the TLS 1.3 state machine.
hs->state = state_tls13;
return ssl_hs_ok;
}
@@ -540,8 +540,8 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Negotiate the cipher suite. This must be done after |cert_cb| so the
* certificate is finalized. */
// Negotiate the cipher suite. This must be done after |cert_cb| so the
// certificate is finalized.
hs->new_cipher =
ssl3_choose_cipher(hs, &client_hello, ssl_get_cipher_preferences(ssl));
if (hs->new_cipher == NULL) {
@@ -577,7 +577,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Determine whether we are doing session resumption. */
// Determine whether we are doing session resumption.
UniquePtr<SSL_SESSION> session;
int tickets_supported = 0, renew_ticket = 0;
enum ssl_hs_wait_t wait = ssl_get_prev_session(
@@ -588,23 +588,23 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {

if (session) {
if (session->extended_master_secret && !hs->extended_master_secret) {
/* A ClientHello without EMS that attempts to resume a session with EMS
* is fatal to the connection. */
// A ClientHello without EMS that attempts to resume a session with EMS
// is fatal to the connection.
OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}

if (!ssl_session_is_resumable(hs, session.get()) ||
/* If the client offers the EMS extension, but the previous session
* didn't use it, then negotiate a new session. */
// If the client offers the EMS extension, but the previous session
// didn't use it, then negotiate a new session.
hs->extended_master_secret != session->extended_master_secret) {
session.reset();
}
}

if (session) {
/* Use the old session. */
// Use the old session.
hs->ticket_expected = renew_ticket;
ssl->session = session.release();
ssl->s3->session_reused = 1;
@@ -615,7 +615,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Clear the session ID if we want the session to be single-use. */
// Clear the session ID if we want the session to be single-use.
if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
hs->new_session->session_id_length = 0;
}
@@ -623,7 +623,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {

if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
/* Connection rejected for DOS reasons. */
// Connection rejected for DOS reasons.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
@@ -632,7 +632,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
if (ssl->session == NULL) {
hs->new_session->cipher = hs->new_cipher;

/* On new sessions, stash the SNI value in the session. */
// On new sessions, stash the SNI value in the session.
if (hs->hostname != NULL) {
OPENSSL_free(hs->new_session->tlsext_hostname);
hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname.get());
@@ -642,42 +642,42 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
}
}

/* Determine whether to request a client certificate. */
// Determine whether to request a client certificate.
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
/* Only request a certificate if Channel ID isn't negotiated. */
// Only request a certificate if Channel ID isn't negotiated.
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
ssl->s3->tlsext_channel_id_valid) {
hs->cert_request = 0;
}
/* CertificateRequest may only be sent in certificate-based ciphers. */
// CertificateRequest may only be sent in certificate-based ciphers.
if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
hs->cert_request = 0;
}

if (!hs->cert_request) {
/* OpenSSL returns X509_V_OK when no certificates are requested. This is
* classed by them as a bug, but it's assumed by at least NGINX. */
// OpenSSL returns X509_V_OK when no certificates are requested. This is
// classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
}
}

/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
* deferred. Complete it now. */
// HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
// deferred. Complete it now.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}

/* Now that all parameters are known, initialize the handshake hash and hash
* the ClientHello. */
// Now that all parameters are known, initialize the handshake hash and hash
// the ClientHello.
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) ||
!ssl_hash_message(hs, msg)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}

/* Release the handshake buffer if client authentication isn't required. */
// Release the handshake buffer if client authentication isn't required.
if (!hs->cert_request) {
hs->transcript.FreeBuffer();
}
@@ -691,16 +691,16 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;

/* We only accept ChannelIDs on connections with ECDHE in order to avoid a
* known attack while we fix ChannelID itself. */
// We only accept ChannelIDs on connections with ECDHE in order to avoid a
// known attack while we fix ChannelID itself.
if (ssl->s3->tlsext_channel_id_valid &&
(hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
ssl->s3->tlsext_channel_id_valid = 0;
}

/* If this is a resumption and the original handshake didn't support
* ChannelID then we didn't record the original handshake hashes in the
* session and so cannot resume with ChannelIDs. */
// If this is a resumption and the original handshake didn't support
// ChannelID then we didn't record the original handshake hashes in the
// session and so cannot resume with ChannelIDs.
if (ssl->session != NULL &&
ssl->session->original_handshake_hash_len == 0) {
ssl->s3->tlsext_channel_id_valid = 0;
@@ -716,8 +716,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
* 1.3 is finalized and we are not implementing a draft version. */
// TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
// 1.3 is finalized and we are not implementing a draft version.

const SSL_SESSION *session = hs->new_session.get();
if (ssl->session != NULL) {
@@ -778,14 +778,14 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
}
}

/* Assemble ServerKeyExchange parameters if needed. */
// Assemble ServerKeyExchange parameters if needed.
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) ||
((alg_a & SSL_aPSK) && ssl->psk_identity_hint)) {

/* Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
* the client and server randoms for the signing transcript. */
// Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
// the client and server randoms for the signing transcript.
CBB child;
if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) ||
!CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
@@ -793,7 +793,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* PSK ciphers begin with an identity hint. */
// PSK ciphers begin with an identity hint.
if (alg_a & SSL_aPSK) {
size_t len =
(ssl->psk_identity_hint == NULL) ? 0 : strlen(ssl->psk_identity_hint);
@@ -805,7 +805,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
}

if (alg_k & SSL_kECDHE) {
/* Determine the group to use. */
// Determine the group to use.
uint16_t group_id;
if (!tls1_get_shared_group(hs, &group_id)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -814,7 +814,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
}
hs->new_session->group_id = group_id;

/* Set up ECDH, generate a key, and emit the public half. */
// Set up ECDH, generate a key, and emit the public half.
hs->key_share = SSLKeyShare::Create(group_id);
if (!hs->key_share ||
!CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
@@ -848,21 +848,21 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) {
CBB body, child;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_SERVER_KEY_EXCHANGE) ||
/* |hs->server_params| contains a prefix for signing. */
// |hs->server_params| contains a prefix for signing.
hs->server_params_len < 2 * SSL3_RANDOM_SIZE ||
!CBB_add_bytes(&body, hs->server_params + 2 * SSL3_RANDOM_SIZE,
hs->server_params_len - 2 * SSL3_RANDOM_SIZE)) {
return ssl_hs_error;
}

/* Add a signature. */
// Add a signature.
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
if (!ssl_has_private_key(ssl)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}

/* Determine the signature algorithm. */
// Determine the signature algorithm.
uint16_t signature_algorithm;
if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
return ssl_hs_error;
@@ -875,7 +875,7 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) {
}
}

/* Add space for the signature. */
// Add space for the signature.
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *ptr;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
@@ -962,16 +962,16 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
if (msg.type != SSL3_MT_CERTIFICATE) {
if (ssl->version == SSL3_VERSION &&
msg.type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
/* In SSL 3.0, the Certificate message is omitted to signal no
* certificate. */
// In SSL 3.0, the Certificate message is omitted to signal no
// certificate.
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}

/* OpenSSL returns X509_V_OK when no certificates are received. This is
* classed by them as a bug, but it's assumed by at least NGINX. */
// OpenSSL returns X509_V_OK when no certificates are received. This is
// classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
hs->state = state_verify_client_certificate;
return ssl_hs_ok;
@@ -1008,11 +1008,11 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
}

if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
/* No client certificate so the handshake buffer may be discarded. */
// No client certificate so the handshake buffer may be discarded.
hs->transcript.FreeBuffer();

/* In SSL 3.0, sending no certificate is signaled by omitting the
* Certificate message. */
// In SSL 3.0, sending no certificate is signaled by omitting the
// Certificate message.
if (ssl->version == SSL3_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
@@ -1020,17 +1020,17 @@ static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
}

if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
/* Fail for TLS only if we required a certificate */
// Fail for TLS only if we required a certificate
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return ssl_hs_error;
}

/* OpenSSL returns X509_V_OK when no certificates are received. This is
* classed by them as a bug, but it's assumed by at least NGINX. */
// OpenSSL returns X509_V_OK when no certificates are received. This is
// classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
} else if (ssl->retain_only_sha256_of_client_certs) {
/* The hash will have been filled in. */
// The hash will have been filled in.
hs->new_session->peer_sha256_valid = 1;
}

@@ -1076,12 +1076,12 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;

/* If using a PSK key exchange, parse the PSK identity. */
// If using a PSK key exchange, parse the PSK identity.
if (alg_a & SSL_aPSK) {
CBS psk_identity;

/* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
* then this is the only field in the message. */
// If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
// then this is the only field in the message.
if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -1103,8 +1103,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
}
}

/* Depending on the key exchange method, compute |premaster_secret| and
* |premaster_secret_len|. */
// Depending on the key exchange method, compute |premaster_secret| and
// |premaster_secret_len|.
if (alg_k & SSL_kRSA) {
CBS encrypted_premaster_secret;
if (ssl->version > SSL3_VERSION) {
@@ -1119,7 +1119,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
encrypted_premaster_secret = client_key_exchange;
}

/* Allocate a buffer large enough for an RSA decryption. */
// Allocate a buffer large enough for an RSA decryption.
const size_t rsa_size = EVP_PKEY_size(hs->local_pubkey.get());
decrypt_buf = (uint8_t *)OPENSSL_malloc(rsa_size);
if (decrypt_buf == NULL) {
@@ -1127,8 +1127,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* Decrypt with no padding. PKCS#1 padding will be removed as part of the
* timing-sensitive code below. */
// Decrypt with no padding. PKCS#1 padding will be removed as part of the
// timing-sensitive code below.
size_t decrypt_len;
switch (ssl_private_key_decrypt(hs, decrypt_buf, &decrypt_len, rsa_size,
CBS_data(&encrypted_premaster_secret),
@@ -1148,8 +1148,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* Prepare a random premaster, to be used on invalid padding. See RFC 5246,
* section 7.4.7.1. */
// Prepare a random premaster, to be used on invalid padding. See RFC 5246,
// section 7.4.7.1.
premaster_secret_len = SSL_MAX_MASTER_KEY_LENGTH;
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len);
if (premaster_secret == NULL) {
@@ -1160,15 +1160,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* The smallest padded premaster is 11 bytes of overhead. Small keys are
* publicly invalid. */
// The smallest padded premaster is 11 bytes of overhead. Small keys are
// publicly invalid.
if (decrypt_len < 11 + premaster_secret_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
goto err;
}

/* Check the padding. See RFC 3447, section 7.2.2. */
// Check the padding. See RFC 3447, section 7.2.2.
size_t padding_len = decrypt_len - premaster_secret_len;
uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
constant_time_eq_int_8(decrypt_buf[1], 2);
@@ -1177,15 +1177,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
}
good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);

/* The premaster secret must begin with |client_version|. This too must be
* checked in constant time (http://eprint.iacr.org/2003/052/). */
// The premaster secret must begin with |client_version|. This too must be
// checked in constant time (http://eprint.iacr.org/2003/052/).
good &= constant_time_eq_8(decrypt_buf[padding_len],
(unsigned)(hs->client_version >> 8));
good &= constant_time_eq_8(decrypt_buf[padding_len + 1],
(unsigned)(hs->client_version & 0xff));

/* Select, in constant time, either the decrypted premaster or the random
* premaster based on |good|. */
// Select, in constant time, either the decrypted premaster or the random
// premaster based on |good|.
for (size_t i = 0; i < premaster_secret_len; i++) {
premaster_secret[i] = constant_time_select_8(
good, decrypt_buf[padding_len + i], premaster_secret[i]);
@@ -1194,7 +1194,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
OPENSSL_free(decrypt_buf);
decrypt_buf = NULL;
} else if (alg_k & SSL_kECDHE) {
/* Parse the ClientKeyExchange. */
// Parse the ClientKeyExchange.
CBS peer_key;
if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) ||
CBS_len(&client_key_exchange) != 0) {
@@ -1203,7 +1203,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* Compute the premaster. */
// Compute the premaster.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!hs->key_share->Finish(&premaster_secret, &premaster_secret_len, &alert,
CBS_data(&peer_key), CBS_len(&peer_key))) {
@@ -1211,7 +1211,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* The key exchange state may now be discarded. */
// The key exchange state may now be discarded.
hs->key_share.reset();
} else if (!(alg_k & SSL_kPSK)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1219,8 +1219,8 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* For a PSK cipher suite, the actual pre-master secret is combined with the
* pre-shared key. */
// For a PSK cipher suite, the actual pre-master secret is combined with the
// pre-shared key.
if (alg_a & SSL_aPSK) {
if (ssl->psk_server_callback == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1228,7 +1228,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* Look up the key for the identity. */
// Look up the key for the identity.
uint8_t psk[PSK_MAX_PSK_LEN];
unsigned psk_len = ssl->psk_server_callback(
ssl, hs->new_session->psk_identity, psk, sizeof(psk));
@@ -1237,15 +1237,15 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
} else if (psk_len == 0) {
/* PSK related to the given identity not found */
// PSK related to the given identity not found.
OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY);
goto err;
}

if (alg_k & SSL_kPSK) {
/* In plain PSK, other_secret is a block of 0s with the same length as the
* pre-shared key. */
// In plain PSK, other_secret is a block of 0s with the same length as the
// pre-shared key.
premaster_secret_len = psk_len;
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len);
if (premaster_secret == NULL) {
@@ -1280,7 +1280,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
goto err;
}

/* Compute the master secret */
// Compute the master secret.
hs->new_session->master_key_length = tls1_generate_master_secret(
hs, hs->new_session->master_key, premaster_secret, premaster_secret_len);
if (hs->new_session->master_key_length == 0) {
@@ -1306,9 +1306,8 @@ err:
static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;

/* Only RSA and ECDSA client certificates are supported, so a
* CertificateVerify is required if and only if there's a client certificate.
* */
// Only RSA and ECDSA client certificates are supported, so a
// CertificateVerify is required if and only if there's a client certificate.
if (!hs->peer_pubkey) {
hs->transcript.FreeBuffer();
hs->state = state_read_change_cipher_spec;
@@ -1326,7 +1325,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {

CBS certificate_verify = msg.body, signature;

/* Determine the signature algorithm. */
// Determine the signature algorithm.
uint16_t signature_algorithm = 0;
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
@@ -1347,7 +1346,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Parse and verify the signature. */
// Parse and verify the signature.
if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
CBS_len(&certificate_verify) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -1356,8 +1355,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
}

int sig_ok;
/* The SSL3 construction for CertificateVerify does not decompose into a
* single final digest and signature, and must be special-cased. */
// The SSL3 construction for CertificateVerify does not decompose into a
// single final digest and signature, and must be special-cased.
if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
uint8_t digest[EVP_MAX_MD_SIZE];
size_t digest_len;
@@ -1389,8 +1388,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* The handshake buffer is no longer necessary, and we may hash the current
* message.*/
// The handshake buffer is no longer necessary, and we may hash the current
// message.
hs->transcript.FreeBuffer();
if (!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
@@ -1489,9 +1488,9 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
hs->state = state_send_server_finished;
}

/* If this is a full handshake with ChannelID then record the handshake
* hashes in |hs->new_session| in case we need them to verify a
* ChannelID signature on a resumption of this session in the future. */
// If this is a full handshake with ChannelID then record the handshake
// hashes in |hs->new_session| in case we need them to verify a
// ChannelID signature on a resumption of this session in the future.
if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid &&
!tls1_record_handshake_hashes_for_channel_id(hs)) {
return ssl_hs_error;
@@ -1507,12 +1506,12 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
const SSL_SESSION *session;
UniquePtr<SSL_SESSION> session_copy;
if (ssl->session == NULL) {
/* Fix the timeout to measure from the ticket issuance time. */
// Fix the timeout to measure from the ticket issuance time.
ssl_session_rebase_time(ssl, hs->new_session.get());
session = hs->new_session.get();
} else {
/* We are renewing an existing session. Duplicate the session to adjust
* the timeout. */
// We are renewing an existing session. Duplicate the session to adjust
// the timeout.
session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
if (!session_copy) {
return ssl_hs_error;
@@ -1553,8 +1552,7 @@ static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) {

ssl->method->on_handshake_complete(ssl);

/* If we aren't retaining peer certificates then we can discard it
* now. */
// If we aren't retaining peer certificates then we can discard it now.
if (hs->new_session != NULL && ssl->retain_only_sha256_of_client_certs) {
sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
hs->new_session->certs = NULL;


+ 989
- 989
ssl/internal.h
Filskillnaden har hållits tillbaka eftersom den är för stor
Visa fil


+ 42
- 42
ssl/s3_both.cc Visa fil

@@ -134,7 +134,7 @@ namespace bssl {

static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,
size_t in_len) {
/* We'll never add a flight while in the process of writing it out. */
// We'll never add a flight while in the process of writing it out.
assert(ssl->s3->pending_flight_offset == 0);

if (ssl->s3->pending_flight == NULL) {
@@ -164,7 +164,7 @@ static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,
}

int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
/* Pick a modest size hint to save most of the |realloc| calls. */
// Pick a modest size hint to save most of the |realloc| calls.
if (!CBB_init(cbb, 64) ||
!CBB_add_u8(cbb, type) ||
!CBB_add_u24_length_prefixed(cbb, body)) {
@@ -187,8 +187,8 @@ int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg,
}

int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {
/* Add the message to the current flight, splitting into several records if
* needed. */
// Add the message to the current flight, splitting into several records if
// needed.
int ret = 0;
size_t added = 0;
do {
@@ -212,8 +212,8 @@ int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {
} while (added < len);

ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len);
/* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
* hs. */
// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
// hs.
if (ssl->s3->hs != NULL &&
!ssl->s3->hs->transcript.Update(msg, len)) {
goto err;
@@ -260,8 +260,8 @@ int ssl3_flush_flight(SSL *ssl) {
return -1;
}

/* If there is pending data in the write buffer, it must be flushed out before
* any new data in pending_flight. */
// If there is pending data in the write buffer, it must be flushed out before
// any new data in pending_flight.
if (ssl_write_buffer_is_pending(ssl)) {
int ret = ssl_write_buffer_flush(ssl);
if (ret <= 0) {
@@ -270,7 +270,7 @@ int ssl3_flush_flight(SSL *ssl) {
}
}

/* Write the pending flight. */
// Write the pending flight.
while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {
int ret = BIO_write(
ssl->wbio,
@@ -306,14 +306,14 @@ int ssl3_send_finished(SSL_HANDSHAKE *hs) {
return 0;
}

/* Log the master secret, if logging is enabled. */
// Log the master secret, if logging is enabled.
if (!ssl_log_secret(ssl, "CLIENT_RANDOM",
session->master_key,
session->master_key_length)) {
return 0;
}

/* Copy the Finished so we can use it for renegotiation checks. */
// Copy the Finished so we can use it for renegotiation checks.
if (ssl->version != SSL3_VERSION) {
if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
finished_len > sizeof(ssl->s3->previous_server_finished)) {
@@ -372,18 +372,18 @@ static int extend_handshake_buffer(SSL *ssl, size_t length) {
}

static int read_v2_client_hello(SSL *ssl) {
/* Read the first 5 bytes, the size of the TLS record header. This is
* sufficient to detect a V2ClientHello and ensures that we never read beyond
* the first record. */
// Read the first 5 bytes, the size of the TLS record header. This is
// sufficient to detect a V2ClientHello and ensures that we never read beyond
// the first record.
int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);
if (ret <= 0) {
return ret;
}
const uint8_t *p = ssl_read_buffer(ssl);

/* Some dedicated error codes for protocol mixups should the application wish
* to interpret them differently. (These do not overlap with ClientHello or
* V2ClientHello.) */
// Some dedicated error codes for protocol mixups should the application wish
// to interpret them differently. (These do not overlap with ClientHello or
// V2ClientHello.)
if (strncmp("GET ", (const char *)p, 4) == 0 ||
strncmp("POST ", (const char *)p, 5) == 0 ||
strncmp("HEAD ", (const char *)p, 5) == 0 ||
@@ -398,25 +398,25 @@ static int read_v2_client_hello(SSL *ssl) {

if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||
p[3] != SSL3_VERSION_MAJOR) {
/* Not a V2ClientHello. */
// Not a V2ClientHello.
return 1;
}

/* Determine the length of the V2ClientHello. */
// Determine the length of the V2ClientHello.
size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];
if (msg_length > (1024 * 4)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
return -1;
}
if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
/* Reject lengths that are too short early. We have already read
* |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
* (invalid) V2ClientHello which would be shorter than that. */
// Reject lengths that are too short early. We have already read
// |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
// (invalid) V2ClientHello which would be shorter than that.
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
return -1;
}

/* Read the remainder of the V2ClientHello. */
// Read the remainder of the V2ClientHello.
ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);
if (ret <= 0) {
return ret;
@@ -425,9 +425,9 @@ static int read_v2_client_hello(SSL *ssl) {
CBS v2_client_hello;
CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);

/* The V2ClientHello without the length is incorporated into the handshake
* hash. This is only ever called at the start of the handshake, so hs is
* guaranteed to be non-NULL. */
// The V2ClientHello without the length is incorporated into the handshake
// hash. This is only ever called at the start of the handshake, so hs is
// guaranteed to be non-NULL.
if (!ssl->s3->hs->transcript.Update(CBS_data(&v2_client_hello),
CBS_len(&v2_client_hello))) {
return -1;
@@ -452,11 +452,11 @@ static int read_v2_client_hello(SSL *ssl) {
return -1;
}

/* msg_type has already been checked. */
// msg_type has already been checked.
assert(msg_type == SSL2_MT_CLIENT_HELLO);

/* The client_random is the V2ClientHello challenge. Truncate or
* left-pad with zeros as needed. */
// The client_random is the V2ClientHello challenge. Truncate or left-pad with
// zeros as needed.
size_t rand_len = CBS_len(&challenge);
if (rand_len > SSL3_RANDOM_SIZE) {
rand_len = SSL3_RANDOM_SIZE;
@@ -466,7 +466,7 @@ static int read_v2_client_hello(SSL *ssl) {
OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
rand_len);

/* Write out an equivalent SSLv3 ClientHello. */
// Write out an equivalent SSLv3 ClientHello.
size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +
SSL3_RANDOM_SIZE + 1 /* session ID length */ +
2 /* cipher list length */ +
@@ -481,14 +481,14 @@ static int read_v2_client_hello(SSL *ssl) {
!CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||
!CBB_add_u16(&hello_body, version) ||
!CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
/* No session id. */
// No session id.
!CBB_add_u8(&hello_body, 0) ||
!CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return -1;
}

/* Copy the cipher suites. */
// Copy the cipher suites.
while (CBS_len(&cipher_specs) > 0) {
uint32_t cipher_spec;
if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
@@ -496,7 +496,7 @@ static int read_v2_client_hello(SSL *ssl) {
return -1;
}

/* Skip SSLv2 ciphers. */
// Skip SSLv2 ciphers.
if ((cipher_spec & 0xff0000) != 0) {
continue;
}
@@ -506,7 +506,7 @@ static int read_v2_client_hello(SSL *ssl) {
}
}

/* Add the null compression scheme and finish. */
// Add the null compression scheme and finish.
if (!CBB_add_u8(&hello_body, 1) ||
!CBB_add_u8(&hello_body, 0) ||
!CBB_finish(client_hello.get(), NULL, &ssl->init_buf->length)) {
@@ -514,7 +514,7 @@ static int read_v2_client_hello(SSL *ssl) {
return -1;
}

/* Consume and discard the V2ClientHello. */
// Consume and discard the V2ClientHello.
ssl_read_buffer_consume(ssl, 2 + msg_length);
ssl_read_buffer_discard(ssl);

@@ -522,8 +522,8 @@ static int read_v2_client_hello(SSL *ssl) {
return 1;
}

/* TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message|
* when the entire record is copied into |init_buf|. */
// TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message|
// when the entire record is copied into |init_buf|.
static bool parse_message(SSL *ssl, SSLMessage *out, size_t *out_bytes_needed) {
if (ssl->init_buf == NULL) {
*out_bytes_needed = 4;
@@ -571,14 +571,14 @@ int ssl3_read_message(SSL *ssl) {
return -1;
}

/* Enforce the limit so the peer cannot force us to buffer 16MB. */
// Enforce the limit so the peer cannot force us to buffer 16MB.
if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
return -1;
}

/* Re-create the handshake buffer if needed. */
// Re-create the handshake buffer if needed.
if (ssl->init_buf == NULL) {
ssl->init_buf = BUF_MEM_new();
if (ssl->init_buf == NULL) {
@@ -586,7 +586,7 @@ int ssl3_read_message(SSL *ssl) {
}
}

/* Bypass the record layer for the first message to handle V2ClientHello. */
// Bypass the record layer for the first message to handle V2ClientHello.
if (ssl->server && !ssl->s3->v2_hello_done) {
int ret = read_v2_client_hello(ssl);
if (ret > 0) {
@@ -613,8 +613,8 @@ void ssl3_next_message(SSL *ssl) {
ssl->s3->is_v2_hello = 0;
ssl->s3->has_message = 0;

/* Post-handshake messages are rare, so release the buffer after every
* message. During the handshake, |on_handshake_complete| will release it. */
// Post-handshake messages are rare, so release the buffer after every
// message. During the handshake, |on_handshake_complete| will release it.
if (!SSL_in_init(ssl) && ssl->init_buf->length == 0) {
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;


+ 5
- 5
ssl/s3_lib.cc Visa fil

@@ -187,11 +187,11 @@ int ssl3_new(SSL *ssl) {
s3->aead_write_ctx = aead_write_ctx.release();
ssl->s3 = s3;

/* Set the version to the highest supported version.
*
* TODO(davidben): Move this field into |s3|, have it store the normalized
* protocol version, and implement this pre-negotiation quirk in |SSL_version|
* at the API boundary rather than in internal state. */
// Set the version to the highest supported version.
//
// TODO(davidben): Move this field into |s3|, have it store the normalized
// protocol version, and implement this pre-negotiation quirk in |SSL_version|
// at the API boundary rather than in internal state.
ssl->version = TLS1_2_VERSION;
return 1;
}


+ 50
- 51
ssl/s3_pkt.cc Visa fil

@@ -126,9 +126,9 @@ namespace bssl {

static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len);

/* ssl3_get_record reads a new input record. On success, it places it in
* |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
* more data is needed. */
// ssl3_get_record reads a new input record. On success, it places it in
// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
// more data is needed.
static int ssl3_get_record(SSL *ssl) {
again:
switch (ssl->s3->recv_shutdown) {
@@ -204,13 +204,13 @@ int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
tot = ssl->s3->wnum;
ssl->s3->wnum = 0;

/* Ensure that if we end up with a smaller value of data to write out than
* the the original len from a write which didn't complete for non-blocking
* I/O and also somehow ended up avoiding the check for this in
* ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
* end up with (len-tot) as a large number that will then promptly send
* beyond the end of the users buffer ... so we trap and report the error in
* a way the user will notice. */
// Ensure that if we end up with a smaller value of data to write out than
// the the original len from a write which didn't complete for non-blocking
// I/O and also somehow ended up avoiding the check for this in
// ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
// end up with (len-tot) as a large number that will then promptly send
// beyond the end of the users buffer ... so we trap and report the error in
// a way the user will notice.
if (len < 0 || (size_t)len < tot) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
return -1;
@@ -221,8 +221,7 @@ int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,

n = len - tot;
for (;;) {
/* max contains the maximum number of bytes that we can put into a
* record. */
// max contains the maximum number of bytes that we can put into a record.
unsigned max = ssl->max_send_fragment;
if (is_early_data_write && max > ssl->session->ticket_max_early_data -
ssl->s3->hs->early_data_written) {
@@ -278,9 +277,9 @@ static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf,
return ssl->s3->wpend_ret;
}

/* do_ssl3_write writes an SSL record of the given type. */
// do_ssl3_write writes an SSL record of the given type.
static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
/* If there is still data from the previous record, flush it. */
// If there is still data from the previous record, flush it.
if (ssl->s3->wpend_pending) {
return ssl3_write_pending(ssl, type, buf, len);
}
@@ -313,10 +312,10 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
return -1;
}

/* Add any unflushed handshake data as a prefix. This may be a KeyUpdate
* acknowledgment or 0-RTT key change messages. |pending_flight| must be clear
* when data is added to |write_buffer| or it will be written in the wrong
* order. */
// Add any unflushed handshake data as a prefix. This may be a KeyUpdate
// acknowledgment or 0-RTT key change messages. |pending_flight| must be clear
// when data is added to |write_buffer| or it will be written in the wrong
// order.
if (ssl->s3->pending_flight != NULL) {
OPENSSL_memcpy(
out, ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
@@ -332,19 +331,19 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
}
ssl_write_buffer_set_len(ssl, flight_len + ciphertext_len);

/* Now that we've made progress on the connection, uncork KeyUpdate
* acknowledgments. */
// Now that we've made progress on the connection, uncork KeyUpdate
// acknowledgments.
ssl->s3->key_update_pending = 0;

/* memorize arguments so that ssl3_write_pending can detect bad write retries
* later */
// Memorize arguments so that ssl3_write_pending can detect bad write retries
// later.
ssl->s3->wpend_tot = len;
ssl->s3->wpend_buf = buf;
ssl->s3->wpend_type = type;
ssl->s3->wpend_ret = len;
ssl->s3->wpend_pending = 1;

/* we now just need to write the buffer */
// We now just need to write the buffer.
return ssl3_write_pending(ssl, type, buf, len);
}

@@ -364,7 +363,7 @@ static int consume_record(SSL *ssl, uint8_t *out, int len, int peek) {
rr->length -= len;
rr->data += len;
if (rr->length == 0) {
/* The record has been consumed, so we may now clear the buffer. */
// The record has been consumed, so we may now clear the buffer.
ssl_read_buffer_discard(ssl);
}
}
@@ -380,11 +379,11 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
SSL3_RECORD *rr = &ssl->s3->rrec;

for (;;) {
/* A previous iteration may have read a partial handshake message. Do not
* allow more app data in that case. */
// A previous iteration may have read a partial handshake message. Do not
// allow more app data in that case.
int has_hs_data = ssl->init_buf != NULL && ssl->init_buf->length > 0;

/* Get new packet if necessary. */
// Get new packet if necessary.
if (rr->length == 0 && !has_hs_data) {
int ret = ssl3_get_record(ssl);
if (ret <= 0) {
@@ -393,24 +392,24 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
}

if (has_hs_data || rr->type == SSL3_RT_HANDSHAKE) {
/* If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
* by an alert. */
// If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
// by an alert.
if (SSL_in_init(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
return -1;
}

/* Post-handshake data prior to TLS 1.3 is always renegotiation, which we
* never accept as a server. Otherwise |ssl3_get_message| will send
* |SSL_R_EXCESSIVE_MESSAGE_SIZE|. */
// Post-handshake data prior to TLS 1.3 is always renegotiation, which we
// never accept as a server. Otherwise |ssl3_get_message| will send
// |SSL_R_EXCESSIVE_MESSAGE_SIZE|.
if (ssl->server && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
return -1;
}

/* Parse post-handshake handshake messages. */
// Parse post-handshake handshake messages.
int ret = ssl3_read_message(ssl);
if (ret <= 0) {
return ret;
@@ -424,16 +423,16 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
ssl->s3->hs->can_early_read &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION;

/* Handle the end_of_early_data alert. */
// Handle the end_of_early_data alert.
if (rr->type == SSL3_RT_ALERT &&
rr->length == 2 &&
rr->data[0] == SSL3_AL_WARNING &&
rr->data[1] == TLS1_AD_END_OF_EARLY_DATA &&
is_early_data_read) {
/* Consume the record. */
// Consume the record.
rr->length = 0;
ssl_read_buffer_discard(ssl);
/* Stop accepting early data. */
// Stop accepting early data.
ssl->s3->hs->can_early_read = 0;
*out_got_handshake = 1;
return -1;
@@ -459,7 +458,7 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
return consume_record(ssl, buf, len, peek);
}

/* Discard empty records and loop again. */
// Discard empty records and loop again.
}
}

@@ -494,7 +493,7 @@ int ssl3_read_change_cipher_spec(SSL *ssl) {
}

void ssl3_read_close_notify(SSL *ssl) {
/* Read records until an error or close_notify. */
// Read records until an error or close_notify.
while (ssl3_get_record(ssl) > 0) {
;
}
@@ -504,7 +503,7 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
SSL3_RECORD *rr = &ssl->s3->rrec;

for (;;) {
/* Get new packet if necessary. */
// Get new packet if necessary.
if (rr->length == 0) {
int ret = ssl3_get_record(ssl);
if (ret <= 0) {
@@ -512,10 +511,10 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
}
}

/* WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
* ServerHello and send the remaining encrypted application data records
* as-is. This manifests as an application data record when we expect
* handshake. Report a dedicated error code for this case. */
// WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
// ServerHello and send the remaining encrypted application data records
// as-is. This manifests as an application data record when we expect
// handshake. Report a dedicated error code for this case.
if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA &&
ssl->s3->aead_read_ctx->is_null_cipher()) {
OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
@@ -523,8 +522,8 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
return -1;
}

/* Accept server_plaintext_handshake records when the content type TLS 1.3
* variant is enabled. */
// Accept server_plaintext_handshake records when the content type TLS 1.3
// variant is enabled.
if (rr->type != SSL3_RT_HANDSHAKE &&
!(!ssl->server &&
ssl->tls13_variant == tls13_record_type_experiment &&
@@ -539,12 +538,12 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
return consume_record(ssl, buf, len, 0 /* consume data */);
}

/* Discard empty records and loop again. */
// Discard empty records and loop again.
}
}

int ssl3_send_alert(SSL *ssl, int level, int desc) {
/* It is illegal to send an alert when we've already sent a closing one. */
// It is illegal to send an alert when we've already sent a closing one.
if (ssl->s3->send_shutdown != ssl_shutdown_none) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
@@ -561,12 +560,12 @@ int ssl3_send_alert(SSL *ssl, int level, int desc) {
ssl->s3->send_alert[0] = level;
ssl->s3->send_alert[1] = desc;
if (!ssl_write_buffer_is_pending(ssl)) {
/* Nothing is being written out, so the alert may be dispatched
* immediately. */
// Nothing is being written out, so the alert may be dispatched
// immediately.
return ssl->method->dispatch_alert(ssl);
}

/* The alert will be dispatched later. */
// The alert will be dispatched later.
return -1;
}

@@ -577,7 +576,7 @@ int ssl3_dispatch_alert(SSL *ssl) {
}
ssl->s3->alert_dispatch = 0;

/* If the alert is fatal, flush the BIO now. */
// If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
}


+ 26
- 26
ssl/ssl_aead_ctx.cc Visa fil

@@ -62,7 +62,7 @@ UniquePtr<SSLAEADContext> SSLAEADContext::Create(
if (!ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len,
&expected_fixed_iv_len, cipher, version,
is_dtls) ||
/* Ensure the caller returned correct key sizes. */
// Ensure the caller returned correct key sizes.
expected_fixed_iv_len != fixed_iv_len ||
expected_mac_key_len != mac_key_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -71,8 +71,8 @@ UniquePtr<SSLAEADContext> SSLAEADContext::Create(

uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH];
if (mac_key_len > 0) {
/* This is a "stateful" AEAD (for compatibility with pre-AEAD cipher
* suites). */
// This is a "stateful" AEAD (for compatibility with pre-AEAD cipher
// suites).
if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return nullptr;
@@ -109,22 +109,22 @@ UniquePtr<SSLAEADContext> SSLAEADContext::Create(
aead_ctx->fixed_nonce_len_ = fixed_iv_len;

if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) {
/* The fixed nonce into the actual nonce (the sequence number). */
// The fixed nonce into the actual nonce (the sequence number).
aead_ctx->xor_fixed_nonce_ = true;
aead_ctx->variable_nonce_len_ = 8;
} else {
/* The fixed IV is prepended to the nonce. */
// The fixed IV is prepended to the nonce.
assert(fixed_iv_len <= aead_ctx->variable_nonce_len_);
aead_ctx->variable_nonce_len_ -= fixed_iv_len;
}

/* AES-GCM uses an explicit nonce. */
// AES-GCM uses an explicit nonce.
if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) {
aead_ctx->variable_nonce_included_in_record_ = true;
}

/* The TLS 1.3 construction XORs the fixed nonce into the sequence number
* and omits the additional data. */
// The TLS 1.3 construction XORs the fixed nonce into the sequence number
// and omits the additional data.
if (version >= TLS1_3_VERSION) {
aead_ctx->xor_fixed_nonce_ = true;
aead_ctx->variable_nonce_len_ = 8;
@@ -192,18 +192,18 @@ size_t SSLAEADContext::GetAdditionalData(uint8_t out[13], uint8_t type,
bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8], uint8_t *in, size_t in_len) {
if (is_null_cipher() || FUZZER_MODE) {
/* Handle the initial NULL cipher. */
// Handle the initial NULL cipher.
CBS_init(out, in, in_len);
return true;
}

/* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
* overhead. Otherwise the parameter is unused. */
// TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
// overhead. Otherwise the parameter is unused.
size_t plaintext_len = 0;
if (!omit_length_in_ad_) {
size_t overhead = MaxOverhead();
if (in_len < overhead) {
/* Publicly invalid. */
// Publicly invalid.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
return false;
}
@@ -213,11 +213,11 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
size_t ad_len =
GetAdditionalData(ad, type, wire_version, seqnum, plaintext_len);

/* Assemble the nonce. */
// Assemble the nonce.
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;

/* Prepend the fixed nonce, or left-pad with zeros if XORing. */
// Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
@@ -226,10 +226,10 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
nonce_len += fixed_nonce_len_;
}

/* Add the variable nonce. */
// Add the variable nonce.
if (variable_nonce_included_in_record_) {
if (in_len < variable_nonce_len_) {
/* Publicly invalid. */
// Publicly invalid.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
return false;
}
@@ -242,7 +242,7 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
}
nonce_len += variable_nonce_len_;

/* XOR the fixed nonce, if necessary. */
// XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
assert(nonce_len == fixed_nonce_len_);
for (size_t i = 0; i < fixed_nonce_len_; i++) {
@@ -250,7 +250,7 @@ bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
}
}

/* Decrypt in-place. */
// Decrypt in-place.
size_t len;
if (!EVP_AEAD_CTX_open(ctx_.get(), in, &len, in_len, nonce, nonce_len, in,
in_len, ad, ad_len)) {
@@ -279,7 +279,7 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
}

if (is_null_cipher() || FUZZER_MODE) {
/* Handle the initial NULL cipher. */
// Handle the initial NULL cipher.
OPENSSL_memmove(out, in, in_len);
OPENSSL_memmove(out_suffix, extra_in, extra_in_len);
return true;
@@ -288,11 +288,11 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
uint8_t ad[13];
size_t ad_len = GetAdditionalData(ad, type, wire_version, seqnum, in_len);

/* Assemble the nonce. */
// Assemble the nonce.
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;

/* Prepend the fixed nonce, or left-pad with zeros if XORing. */
// Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
@@ -301,21 +301,21 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
nonce_len += fixed_nonce_len_;
}

/* Select the variable nonce. */
// Select the variable nonce.
if (random_variable_nonce_) {
assert(variable_nonce_included_in_record_);
if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) {
return false;
}
} else {
/* When sending we use the sequence number as the variable part of the
* nonce. */
// When sending we use the sequence number as the variable part of the
// nonce.
assert(variable_nonce_len_ == 8);
OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_);
}
nonce_len += variable_nonce_len_;

/* Emit the variable nonce if included in the record. */
// Emit the variable nonce if included in the record.
if (variable_nonce_included_in_record_) {
assert(!xor_fixed_nonce_);
if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) {
@@ -326,7 +326,7 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out,
variable_nonce_len_);
}

/* XOR the fixed nonce, if necessary. */
// XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
assert(nonce_len == fixed_nonce_len_);
for (size_t i = 0; i < fixed_nonce_len_; i++) {


+ 76
- 77
ssl/ssl_asn1.cc Visa fil

@@ -80,9 +80,9 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */

/* Per C99, various stdint.h macros are unavailable in C++ unless some macros
* are defined. C++11 overruled this decision, but older Android NDKs still
* require it. */
// Per C99, various stdint.h macros are unavailable in C++ unless some macros
// are defined. C++11 overruled this decision, but older Android NDKs still
// require it.
#if !defined(__STDC_LIMIT_MACROS)
#define __STDC_LIMIT_MACROS
#endif
@@ -106,50 +106,49 @@

namespace bssl {

/* An SSL_SESSION is serialized as the following ASN.1 structure:
*
* SSLSession ::= SEQUENCE {
* version INTEGER (1), -- session structure version
* sslVersion INTEGER, -- protocol version number
* cipher OCTET STRING, -- two bytes long
* sessionID OCTET STRING,
* masterKey OCTET STRING,
* time [1] INTEGER, -- seconds since UNIX epoch
* timeout [2] INTEGER, -- in seconds
* peer [3] Certificate OPTIONAL,
* sessionIDContext [4] OCTET STRING OPTIONAL,
* verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
* hostName [6] OCTET STRING OPTIONAL,
* -- from server_name extension
* pskIdentity [8] OCTET STRING OPTIONAL,
* ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
* ticket [10] OCTET STRING OPTIONAL, -- client-only
* peerSHA256 [13] OCTET STRING OPTIONAL,
* originalHandshakeHash [14] OCTET STRING OPTIONAL,
* signedCertTimestampList [15] OCTET STRING OPTIONAL,
* -- contents of SCT extension
* ocspResponse [16] OCTET STRING OPTIONAL,
* -- stapled OCSP response from the server
* extendedMasterSecret [17] BOOLEAN OPTIONAL,
* groupID [18] INTEGER OPTIONAL,
* certChain [19] SEQUENCE OF Certificate OPTIONAL,
* ticketAgeAdd [21] OCTET STRING OPTIONAL,
* isServer [22] BOOLEAN DEFAULT TRUE,
* peerSignatureAlgorithm [23] INTEGER OPTIONAL,
* ticketMaxEarlyData [24] INTEGER OPTIONAL,
* authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
* earlyALPN [26] OCTET STRING OPTIONAL,
* }
*
* Note: historically this serialization has included other optional
* fields. Their presence is currently treated as a parse error:
*
* keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
* pskIdentityHint [7] OCTET STRING OPTIONAL,
* compressionMethod [11] OCTET STRING OPTIONAL,
* srpUsername [12] OCTET STRING OPTIONAL,
* ticketFlags [20] INTEGER OPTIONAL,
*/
// An SSL_SESSION is serialized as the following ASN.1 structure:
//
// SSLSession ::= SEQUENCE {
// version INTEGER (1), -- session structure version
// sslVersion INTEGER, -- protocol version number
// cipher OCTET STRING, -- two bytes long
// sessionID OCTET STRING,
// masterKey OCTET STRING,
// time [1] INTEGER, -- seconds since UNIX epoch
// timeout [2] INTEGER, -- in seconds
// peer [3] Certificate OPTIONAL,
// sessionIDContext [4] OCTET STRING OPTIONAL,
// verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
// hostName [6] OCTET STRING OPTIONAL,
// -- from server_name extension
// pskIdentity [8] OCTET STRING OPTIONAL,
// ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
// ticket [10] OCTET STRING OPTIONAL, -- client-only
// peerSHA256 [13] OCTET STRING OPTIONAL,
// originalHandshakeHash [14] OCTET STRING OPTIONAL,
// signedCertTimestampList [15] OCTET STRING OPTIONAL,
// -- contents of SCT extension
// ocspResponse [16] OCTET STRING OPTIONAL,
// -- stapled OCSP response from the server
// extendedMasterSecret [17] BOOLEAN OPTIONAL,
// groupID [18] INTEGER OPTIONAL,
// certChain [19] SEQUENCE OF Certificate OPTIONAL,
// ticketAgeAdd [21] OCTET STRING OPTIONAL,
// isServer [22] BOOLEAN DEFAULT TRUE,
// peerSignatureAlgorithm [23] INTEGER OPTIONAL,
// ticketMaxEarlyData [24] INTEGER OPTIONAL,
// authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
// earlyALPN [26] OCTET STRING OPTIONAL,
// }
//
// Note: historically this serialization has included other optional
// fields. Their presence is currently treated as a parse error:
//
// keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
// pskIdentityHint [7] OCTET STRING OPTIONAL,
// compressionMethod [11] OCTET STRING OPTIONAL,
// srpUsername [12] OCTET STRING OPTIONAL,
// ticketFlags [20] INTEGER OPTIONAL,

static const unsigned kVersion = 1;

@@ -213,7 +212,7 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data,
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
!CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
/* The session ID is irrelevant for a session ticket. */
// The session ID is irrelevant for a session ticket.
!CBB_add_bytes(&child, in->session_id,
for_ticket ? 0 : in->session_id_length) ||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
@@ -226,8 +225,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data,
return 0;
}

/* The peer certificate is only serialized if the SHA-256 isn't
* serialized instead. */
// The peer certificate is only serialized if the SHA-256 isn't
// serialized instead.
if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) {
const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0);
if (!CBB_add_asn1(&session, &child, kPeerTag) ||
@@ -238,8 +237,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data,
}
}

/* Although it is OPTIONAL and usually empty, OpenSSL has
* historically always encoded the sid_ctx. */
// Although it is OPTIONAL and usually empty, OpenSSL has
// historically always encoded the sid_ctx.
if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) {
@@ -348,8 +347,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data,
return 0;
}

/* The certificate chain is only serialized if the leaf's SHA-256 isn't
* serialized instead. */
// The certificate chain is only serialized if the leaf's SHA-256 isn't
// serialized instead.
if (in->certs != NULL &&
!in->peer_sha256_valid &&
sk_CRYPTO_BUFFER_num(in->certs) >= 2) {
@@ -423,12 +422,12 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, uint8_t **out_data,
return 1;
}

/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
* explicitly tagged with |tag| from |cbs| and saves it in |*out|. On
* entry, if |*out| is not NULL, it frees the existing contents. If
* the element was not found, it sets |*out| to NULL. It returns one
* on success, whether or not the element was found, and zero on
* decode error. */
// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
// explicitly tagged with |tag| from |cbs| and saves it in |*out|. On
// entry, if |*out| is not NULL, it frees the existing contents. If
// the element was not found, it sets |*out| to NULL. It returns one
// on success, whether or not the element was found, and zero on
// decode error.
static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) {
CBS value;
int present;
@@ -452,12 +451,12 @@ static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) {
return 1;
}

/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
* explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr|
* and |*out_len|. If |*out_ptr| is not NULL, it frees the existing
* contents. On entry, if the element was not found, it sets
* |*out_ptr| to NULL. It returns one on success, whether or not the
* element was found, and zero on decode error. */
// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
// explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr|
// and |*out_len|. If |*out_ptr| is not NULL, it frees the existing
// contents. On entry, if the element was not found, it sets
// |*out_ptr| to NULL. It returns one on success, whether or not the
// element was found, and zero on decode error.
static int SSL_SESSION_parse_octet_string(CBS *cbs, uint8_t **out_ptr,
size_t *out_len, unsigned tag) {
CBS value;
@@ -495,8 +494,8 @@ static int SSL_SESSION_parse_crypto_buffer(CBS *cbs, CRYPTO_BUFFER **out,
return 1;
}

/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
* explicitly tagged with |tag| of size at most |max_out|. */
// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
// explicitly tagged with |tag| of size at most |max_out|.
static int SSL_SESSION_parse_bounded_octet_string(
CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {
CBS value;
@@ -564,10 +563,10 @@ UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
!CBS_get_asn1_uint64(&session, &version) ||
version != kVersion ||
!CBS_get_asn1_uint64(&session, &ssl_version) ||
/* Require sessions have versions valid in either TLS or DTLS. The session
* will not be used by the handshake if not applicable, but, for
* simplicity, never parse a session that does not pass
* |ssl_protocol_version_from_wire|. */
// Require sessions have versions valid in either TLS or DTLS. The session
// will not be used by the handshake if not applicable, but, for
// simplicity, never parse a session that does not pass
// |ssl_protocol_version_from_wire|.
ssl_version > UINT16_MAX ||
!ssl_protocol_version_from_wire(&unused, ssl_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
@@ -622,7 +621,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
return nullptr;
}
/* |peer| is processed with the certificate chain. */
// |peer| is processed with the certificate chain.

if (!SSL_SESSION_parse_bounded_octet_string(
&session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
@@ -779,10 +778,10 @@ using namespace bssl;
int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,
size_t *out_len) {
if (in->not_resumable) {
/* If the caller has an unresumable session, e.g. if |SSL_get_session| were
* called on a TLS 1.3 or False Started connection, serialize with a
* placeholder value so it is not accidentally deserialized into a resumable
* one. */
// If the caller has an unresumable session, e.g. if |SSL_get_session| were
// called on a TLS 1.3 or False Started connection, serialize with a
// placeholder value so it is not accidentally deserialized into a resumable
// one.
static const char kNotResumableSession[] = "NOT RESUMABLE";

*out_len = strlen(kNotResumableSession);


+ 29
- 29
ssl/ssl_buffer.cc Visa fil

@@ -29,16 +29,16 @@

namespace bssl {

/* BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
* not overflow. */
// BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
// not overflow.
static_assert(0xffff <= INT_MAX, "uint16_t does not fit in int");

static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0,
"SSL3_ALIGN_PAYLOAD must be a power of 2");

/* ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that
* data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte
* boundary. It returns one on success and zero on error. */
// ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that
// data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte
// boundary. It returns one on success and zero on error.
static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) {
if (cap > 0xffff) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -49,14 +49,14 @@ static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) {
return 1;
}

/* Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment. */
// Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.
uint8_t *new_buf = (uint8_t *)OPENSSL_malloc(cap + SSL3_ALIGN_PAYLOAD - 1);
if (new_buf == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}

/* Offset the buffer such that the record body is aligned. */
// Offset the buffer such that the record body is aligned.
size_t new_offset =
(0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);

@@ -97,19 +97,19 @@ static int dtls_read_buffer_next_packet(SSL *ssl) {
SSL3_BUFFER *buf = &ssl->s3->read_buffer;

if (buf->len > 0) {
/* It is an error to call |dtls_read_buffer_extend| when the read buffer is
* not empty. */
// It is an error to call |dtls_read_buffer_extend| when the read buffer is
// not empty.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}

/* Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int. */
// Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int.
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset, (int)buf->cap);
if (ret <= 0) {
ssl->rwstate = SSL_READING;
return ret;
}
/* |BIO_read| was bound by |buf->cap|, so this cannot overflow. */
// |BIO_read| was bound by |buf->cap|, so this cannot overflow.
buf->len = (uint16_t)ret;
return 1;
}
@@ -122,18 +122,18 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) {
return -1;
}

/* Read until the target length is reached. */
// Read until the target length is reached.
while (buf->len < len) {
/* The amount of data to read is bounded by |buf->cap|, which must fit in an
* int. */
// The amount of data to read is bounded by |buf->cap|, which must fit in an
// int.
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset + buf->len,
(int)(len - buf->len));
if (ret <= 0) {
ssl->rwstate = SSL_READING;
return ret;
}
/* |BIO_read| was bound by |buf->cap - buf->len|, so this cannot
* overflow. */
// |BIO_read| was bound by |buf->cap - buf->len|, so this cannot
// overflow.
buf->len += (uint16_t)ret;
}

@@ -141,7 +141,7 @@ static int tls_read_buffer_extend_to(SSL *ssl, size_t len) {
}

int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
/* |ssl_read_buffer_extend_to| implicitly discards any consumed data. */
// |ssl_read_buffer_extend_to| implicitly discards any consumed data.
ssl_read_buffer_discard(ssl);

if (SSL_is_dtls(ssl)) {
@@ -149,7 +149,7 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff,
"DTLS read buffer is too large");

/* The |len| parameter is ignored in DTLS. */
// The |len| parameter is ignored in DTLS.
len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
}

@@ -164,15 +164,15 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {

int ret;
if (SSL_is_dtls(ssl)) {
/* |len| is ignored for a datagram transport. */
// |len| is ignored for a datagram transport.
ret = dtls_read_buffer_next_packet(ssl);
} else {
ret = tls_read_buffer_extend_to(ssl, len);
}

if (ret <= 0) {
/* If the buffer was empty originally and remained empty after attempting to
* extend it, release the buffer until the next attempt. */
// If the buffer was empty originally and remained empty after attempting to
// extend it, release the buffer until the next attempt.
ssl_read_buffer_discard(ssl);
}
return ret;
@@ -183,11 +183,11 @@ void ssl_read_buffer_consume(SSL *ssl, size_t len) {

consume_buffer(buf, len);

/* The TLS stack never reads beyond the current record, so there will never be
* unconsumed data. If read-ahead is ever reimplemented,
* |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back
* to the front of the buffer, to ensure there is enough space for the next
* record. */
// The TLS stack never reads beyond the current record, so there will never be
// unconsumed data. If read-ahead is ever reimplemented,
// |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back
// to the front of the buffer, to ensure there is enough space for the next
// record.
assert(SSL_is_dtls(ssl) || len == 0 || buf->len == 0);
}

@@ -265,9 +265,9 @@ static int dtls_write_buffer_flush(SSL *ssl) {
int ret = BIO_write(ssl->wbio, buf->buf + buf->offset, buf->len);
if (ret <= 0) {
ssl->rwstate = SSL_WRITING;
/* If the write failed, drop the write buffer anyway. Datagram transports
* can't write half a packet, so the caller is expected to retry from the
* top. */
// If the write failed, drop the write buffer anyway. Datagram transports
// can't write half a packet, so the caller is expected to retry from the
// top.
ssl_write_buffer_clear(ssl);
return ret;
}


+ 40
- 40
ssl/ssl_cert.cc Visa fil

@@ -207,7 +207,7 @@ err:
return NULL;
}

/* Free up and clear all certificates and chains */
// Free up and clear all certificates and chains
void ssl_cert_clear_certs(CERT *cert) {
if (cert == NULL) {
return;
@@ -248,12 +248,12 @@ enum leaf_cert_and_privkey_result_t {
leaf_cert_and_privkey_mismatch,
};

/* check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
* and the private key in |privkey| are suitable and coherent. It returns
* |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
* found. If the certificate and private key are valid, but incoherent, it
* returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
* |leaf_cert_and_privkey_ok|. */
// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
// and the private key in |privkey| are suitable and coherent. It returns
// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
// found. If the certificate and private key are valid, but incoherent, it
// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
// |leaf_cert_and_privkey_ok|.
static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) {
CBS cert_cbs;
@@ -269,8 +269,8 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
return leaf_cert_and_privkey_error;
}

/* An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
* certificates, so sanity-check the key usage extension. */
// An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
// certificates, so sanity-check the key usage extension.
if (pubkey->type == EVP_PKEY_EC &&
!ssl_cert_check_digital_signature_key_usage(&cert_cbs)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
@@ -278,7 +278,7 @@ static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
}

if (privkey != NULL &&
/* Sanity-check that the private key and the certificate match. */
// Sanity-check that the private key and the certificate match.
!ssl_compare_public_and_private_key(pubkey.get(), privkey)) {
ERR_clear_error();
return leaf_cert_and_privkey_mismatch;
@@ -342,9 +342,9 @@ int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
case leaf_cert_and_privkey_error:
return 0;
case leaf_cert_and_privkey_mismatch:
/* don't fail for a cert/key mismatch, just free current private key
* (when switching to a different cert & key, first this function should
* be used, then |ssl_set_pkey|. */
// don't fail for a cert/key mismatch, just free current private key
// (when switching to a different cert & key, first this function should
// be used, then |ssl_set_pkey|.
EVP_PKEY_free(cert->privatekey);
cert->privatekey = NULL;
break;
@@ -423,7 +423,7 @@ bool ssl_parse_cert_chain(uint8_t *out_alert,
return false;
}

/* Retain the hash of the leaf certificate if requested. */
// Retain the hash of the leaf certificate if requested.
if (out_leaf_sha256 != NULL) {
SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);
}
@@ -471,9 +471,9 @@ int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {
return CBB_flush(cbb);
}

/* ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
* positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
* subjectPublicKeyInfo. */
// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
// subjectPublicKeyInfo.
static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
/* From RFC 5280, section 4.1
* Certificate ::= SEQUENCE {
@@ -496,19 +496,19 @@ static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||
CBS_len(&buf) != 0 ||
!CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||
/* version */
// version
!CBS_get_optional_asn1(
out_tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
/* serialNumber */
// serialNumber
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||
/* signature algorithm */
// signature algorithm
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
/* issuer */
// issuer
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
/* validity */
// validity
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
/* subject */
// subject
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {
return 0;
}
@@ -529,8 +529,8 @@ UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) {
int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
const EVP_PKEY *privkey) {
if (EVP_PKEY_is_opaque(privkey)) {
/* We cannot check an opaque private key and have to trust that it
* matches. */
// We cannot check an opaque private key and have to trust that it
// matches.
return 1;
}

@@ -586,13 +586,13 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
CBS tbs_cert, outer_extensions;
int has_extensions;
if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||
/* subjectPublicKeyInfo */
// subjectPublicKeyInfo
!CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
/* issuerUniqueID */
// issuerUniqueID
!CBS_get_optional_asn1(
&tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
/* subjectUniqueID */
// subjectUniqueID
!CBS_get_optional_asn1(
&tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
@@ -635,8 +635,8 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
goto parse_err;
}

/* This is the KeyUsage extension. See
* https://tools.ietf.org/html/rfc5280#section-4.2.1.3 */
// This is the KeyUsage extension. See
// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
if (!CBS_is_valid_asn1_bitstring(&bit_string)) {
goto parse_err;
}
@@ -649,7 +649,7 @@ int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
return 1;
}

/* No KeyUsage extension found. */
// No KeyUsage extension found.
return 1;

parse_err:
@@ -733,18 +733,18 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
SSL *const ssl = hs->ssl;
assert(ssl3_protocol_version(ssl) < TLS1_3_VERSION);

/* Check the certificate's type matches the cipher. */
// Check the certificate's type matches the cipher.
if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
return 0;
}

/* Check key usages for all key types but RSA. This is needed to distinguish
* ECDH certificates, which we do not support, from ECDSA certificates. In
* principle, we should check RSA key usages based on cipher, but this breaks
* buggy antivirus deployments. Other key types are always used for signing.
*
* TODO(davidben): Get more recent data on RSA key usages. */
// Check key usages for all key types but RSA. This is needed to distinguish
// ECDH certificates, which we do not support, from ECDSA certificates. In
// principle, we should check RSA key usages based on cipher, but this breaks
// buggy antivirus deployments. Other key types are always used for signing.
//
// TODO(davidben): Get more recent data on RSA key usages.
if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
CBS leaf_cbs;
CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
@@ -754,7 +754,7 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
}

if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
/* Check the key's group and point format are acceptable. */
// Check the key's group and point format are acceptable.
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
uint16_t group_id;
if (!ssl_nid_to_group_id(
@@ -772,7 +772,7 @@ int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!ssl_has_certificate(ssl)) {
/* Nothing to do. */
// Nothing to do.
return 1;
}



+ 142
- 142
ssl/ssl_cipher.cc Visa fil

@@ -156,10 +156,10 @@

namespace bssl {

/* kCiphers is an array of all supported ciphers, sorted by id. */
// kCiphers is an array of all supported ciphers, sorted by id.
static const SSL_CIPHER kCiphers[] = {
/* The RSA ciphers */
/* Cipher 02 */
// The RSA ciphers
// Cipher 02
{
SSL3_TXT_RSA_NULL_SHA,
"TLS_RSA_WITH_NULL_SHA",
@@ -171,7 +171,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* Cipher 0A */
// Cipher 0A
{
SSL3_TXT_RSA_DES_192_CBC3_SHA,
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
@@ -184,9 +184,9 @@ static const SSL_CIPHER kCiphers[] = {
},


/* New AES ciphersuites */
// New AES ciphersuites

/* Cipher 2F */
// Cipher 2F
{
TLS1_TXT_RSA_WITH_AES_128_SHA,
"TLS_RSA_WITH_AES_128_CBC_SHA",
@@ -198,7 +198,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* Cipher 35 */
// Cipher 35
{
TLS1_TXT_RSA_WITH_AES_256_SHA,
"TLS_RSA_WITH_AES_256_CBC_SHA",
@@ -211,9 +211,9 @@ static const SSL_CIPHER kCiphers[] = {
},


/* TLS v1.2 ciphersuites */
// TLS v1.2 ciphersuites

/* Cipher 3C */
// Cipher 3C
{
TLS1_TXT_RSA_WITH_AES_128_SHA256,
"TLS_RSA_WITH_AES_128_CBC_SHA256",
@@ -225,7 +225,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher 3D */
// Cipher 3D
{
TLS1_TXT_RSA_WITH_AES_256_SHA256,
"TLS_RSA_WITH_AES_256_CBC_SHA256",
@@ -237,9 +237,9 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* PSK cipher suites. */
// PSK cipher suites.

/* Cipher 8C */
// Cipher 8C
{
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
"TLS_PSK_WITH_AES_128_CBC_SHA",
@@ -251,7 +251,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* Cipher 8D */
// Cipher 8D
{
TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
"TLS_PSK_WITH_AES_256_CBC_SHA",
@@ -263,9 +263,9 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* GCM ciphersuites from RFC5288 */
// GCM ciphersuites from RFC5288

/* Cipher 9C */
// Cipher 9C
{
TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
"TLS_RSA_WITH_AES_128_GCM_SHA256",
@@ -277,7 +277,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher 9D */
// Cipher 9D
{
TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
"TLS_RSA_WITH_AES_256_GCM_SHA384",
@@ -289,9 +289,9 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA384,
},

/* TLS 1.3 suites. */
// TLS 1.3 suites.

/* Cipher 1301 */
// Cipher 1301
{
TLS1_TXT_AES_128_GCM_SHA256,
"TLS_AES_128_GCM_SHA256",
@@ -303,7 +303,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher 1302 */
// Cipher 1302
{
TLS1_TXT_AES_256_GCM_SHA384,
"TLS_AES_256_GCM_SHA384",
@@ -315,7 +315,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA384,
},

/* Cipher 1303 */
// Cipher 1303
{
TLS1_TXT_CHACHA20_POLY1305_SHA256,
"TLS_CHACHA20_POLY1305_SHA256",
@@ -327,7 +327,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher C009 */
// Cipher C009
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
@@ -339,7 +339,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* Cipher C00A */
// Cipher C00A
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
@@ -351,7 +351,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* Cipher C013 */
// Cipher C013
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
@@ -363,7 +363,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* Cipher C014 */
// Cipher C014
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
@@ -376,9 +376,9 @@ static const SSL_CIPHER kCiphers[] = {
},


/* HMAC based TLS v1.2 ciphersuites from RFC5289 */
// HMAC based TLS v1.2 ciphersuites from RFC5289

/* Cipher C023 */
// Cipher C023
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
@@ -390,7 +390,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher C024 */
// Cipher C024
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
@@ -402,7 +402,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA384,
},

/* Cipher C027 */
// Cipher C027
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
@@ -414,7 +414,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher C028 */
// Cipher C028
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
@@ -427,9 +427,9 @@ static const SSL_CIPHER kCiphers[] = {
},


/* GCM based TLS v1.2 ciphersuites from RFC5289 */
// GCM based TLS v1.2 ciphersuites from RFC5289

/* Cipher C02B */
// Cipher C02B
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
@@ -441,7 +441,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher C02C */
// Cipher C02C
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
@@ -453,7 +453,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA384,
},

/* Cipher C02F */
// Cipher C02F
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@@ -465,7 +465,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher C030 */
// Cipher C030
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
@@ -477,9 +477,9 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA384,
},

/* ECDHE-PSK cipher suites. */
// ECDHE-PSK cipher suites.

/* Cipher C035 */
// Cipher C035
{
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
@@ -491,7 +491,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* Cipher C036 */
// Cipher C036
{
TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
@@ -503,9 +503,9 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_DEFAULT,
},

/* ChaCha20-Poly1305 cipher suites. */
// ChaCha20-Poly1305 cipher suites.

/* Cipher CCA8 */
// Cipher CCA8
{
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -517,7 +517,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher CCA9 */
// Cipher CCA9
{
TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -529,7 +529,7 @@ static const SSL_CIPHER kCiphers[] = {
SSL_HANDSHAKE_MAC_SHA256,
},

/* Cipher CCAB */
// Cipher CCAB
{
TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
@@ -559,32 +559,32 @@ typedef struct cipher_order_st {
} CIPHER_ORDER;

typedef struct cipher_alias_st {
/* name is the name of the cipher alias. */
// name is the name of the cipher alias.
const char *name;

/* The following fields are bitmasks for the corresponding fields on
* |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
* bit corresponding to the cipher's value is set to 1. If any bitmask is
* all zeroes, the alias matches nothing. Use |~0u| for the default value. */
// The following fields are bitmasks for the corresponding fields on
// |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
// bit corresponding to the cipher's value is set to 1. If any bitmask is
// all zeroes, the alias matches nothing. Use |~0u| for the default value.
uint32_t algorithm_mkey;
uint32_t algorithm_auth;
uint32_t algorithm_enc;
uint32_t algorithm_mac;

/* min_version, if non-zero, matches all ciphers which were added in that
* particular protocol version. */
// min_version, if non-zero, matches all ciphers which were added in that
// particular protocol version.
uint16_t min_version;
} CIPHER_ALIAS;

static const CIPHER_ALIAS kCipherAliases[] = {
/* "ALL" doesn't include eNULL. It must be explicitly enabled. */
// "ALL" doesn't include eNULL. It must be explicitly enabled.
{"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},

/* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
// The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.

/* key exchange aliases
* (some of those using only a single bit here combine
* multiple key exchange algs according to the RFCs. */
// key exchange aliases
// (some of those using only a single bit here combine
// multiple key exchange algs according to the RFCs.
{"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},

{"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
@@ -593,19 +593,19 @@ static const CIPHER_ALIAS kCipherAliases[] = {

{"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},

/* server authentication aliases */
// server authentication aliases
{"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
{"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},

/* aliases combining key exchange and server authentication */
// aliases combining key exchange and server authentication
{"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
{"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},

/* symmetric encryption aliases */
// symmetric encryption aliases
{"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
{"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
{"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
@@ -613,19 +613,19 @@ static const CIPHER_ALIAS kCipherAliases[] = {
{"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
{"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},

/* MAC aliases */
// MAC aliases
{"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
{"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
{"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
{"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},

/* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
* same as "SSLv3". */
// Legacy protocol minimum version aliases. "TLSv1" is intentionally the
// same as "SSLv3".
{"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
{"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
{"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},

/* Legacy strength classes. */
// Legacy strength classes.
{"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
{"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
};
@@ -671,8 +671,8 @@ int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
return 0;
}

/* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
* above computes the TLS 1.2 construction. */
// In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
// above computes the TLS 1.2 construction.
if (version >= TLS1_3_VERSION) {
*out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
}
@@ -764,10 +764,10 @@ static bool is_cipher_list_separator(char c, int is_strict) {
return !is_strict && (c == ' ' || c == ';' || c == ',');
}

/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
* |buf_len| bytes at |buf|. */
// rule_equals returns one iff the NUL-terminated string |rule| is equal to the
// |buf_len| bytes at |buf|.
static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
/* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
// |strncmp| alone only checks that |buf| is a prefix of |rule|.
return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
}

@@ -815,13 +815,13 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p) {
/* The set of ciphers is static, but some subset may be unsupported by
* |ssl_method|, so the list may be smaller. */
// The set of ciphers is static, but some subset may be unsupported by
// |ssl_method|, so the list may be smaller.
size_t co_list_num = 0;
for (size_t i = 0; i < kCiphersLen; i++) {
const SSL_CIPHER *cipher = &kCiphers[i];
if (ssl_method->supports_cipher(cipher) &&
/* TLS 1.3 ciphers do not participate in this mechanism. */
// TLS 1.3 ciphers do not participate in this mechanism.
cipher->algorithm_mkey != SSL_kGENERIC) {
co_list[co_list_num].cipher = cipher;
co_list[co_list_num].next = NULL;
@@ -832,7 +832,7 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
}
}

/* Prepare linked list from list entries. */
// Prepare linked list from list entries.
if (co_list_num > 0) {
co_list[0].prev = NULL;

@@ -854,15 +854,15 @@ static void ssl_cipher_collect_ciphers(const SSL_PROTOCOL_METHOD *ssl_method,
}
}

/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
* parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
* head and tail of the list to |*head_p| and |*tail_p|, respectively.
*
* - If |cipher_id| is non-zero, only that cipher is selected.
* - Otherwise, if |strength_bits| is non-negative, it selects ciphers
* of that strength.
* - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
* |min_version|. */
// ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
// parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
// head and tail of the list to |*head_p| and |*tail_p|, respectively.
//
// - If |cipher_id| is non-zero, only that cipher is selected.
// - Otherwise, if |strength_bits| is non-negative, it selects ciphers
// of that strength.
// - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
// |min_version|.
static void ssl_cipher_apply_rule(
uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
@@ -874,12 +874,12 @@ static void ssl_cipher_apply_rule(

if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
(alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
/* The rule matches nothing, so bail early. */
// The rule matches nothing, so bail early.
return;
}

if (rule == CIPHER_DEL) {
/* needed to maintain sorting between currently deleted ciphers */
// needed to maintain sorting between currently deleted ciphers
reverse = 1;
}

@@ -908,8 +908,8 @@ static void ssl_cipher_apply_rule(
next = reverse ? curr->prev : curr->next;
cp = curr->cipher;

/* Selection criteria is either a specific cipher, the value of
* |strength_bits|, or the algorithms used. */
// Selection criteria is either a specific cipher, the value of
// |strength_bits|, or the algorithms used.
if (cipher_id != 0) {
if (cipher_id != cp->id) {
continue;
@@ -928,9 +928,9 @@ static void ssl_cipher_apply_rule(
}
}

/* add the cipher if it has not been added yet. */
// add the cipher if it has not been added yet.
if (rule == CIPHER_ADD) {
/* reverse == 0 */
// reverse == 0
if (!curr->active) {
ll_append_tail(&head, curr, &tail);
curr->active = 1;
@@ -938,25 +938,25 @@ static void ssl_cipher_apply_rule(
}
}

/* Move the added cipher to this location */
// Move the added cipher to this location
else if (rule == CIPHER_ORD) {
/* reverse == 0 */
// reverse == 0
if (curr->active) {
ll_append_tail(&head, curr, &tail);
curr->in_group = 0;
}
} else if (rule == CIPHER_DEL) {
/* reverse == 1 */
// reverse == 1
if (curr->active) {
/* most recently deleted ciphersuites get best positions
* for any future CIPHER_ADD (note that the CIPHER_DEL loop
* works in reverse to maintain the order) */
// most recently deleted ciphersuites get best positions
// for any future CIPHER_ADD (note that the CIPHER_DEL loop
// works in reverse to maintain the order)
ll_append_head(&head, curr, &tail);
curr->active = 0;
curr->in_group = 0;
}
} else if (rule == CIPHER_KILL) {
/* reverse == 0 */
// reverse == 0
if (head == curr) {
head = curr->next;
} else {
@@ -987,9 +987,9 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
int max_strength_bits, i, *number_uses;
CIPHER_ORDER *curr;

/* This routine sorts the ciphers with descending strength. The sorting must
* keep the pre-sorted sequence, so we apply the normal sorting routine as
* '+' movement to the end of the list. */
// This routine sorts the ciphers with descending strength. The sorting must
// keep the pre-sorted sequence, so we apply the normal sorting routine as
// '+' movement to the end of the list.
max_strength_bits = 0;
curr = *head_p;
while (curr != NULL) {
@@ -1007,7 +1007,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
}
OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));

/* Now find the strength_bits values actually used. */
// Now find the strength_bits values actually used.
curr = *head_p;
while (curr != NULL) {
if (curr->active) {
@@ -1016,7 +1016,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p,
curr = curr->next;
}

/* Go through the list of used strength_bits values in descending order. */
// Go through the list of used strength_bits values in descending order.
for (i = max_strength_bits; i >= 0; i--) {
if (number_uses[i] > 0) {
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
@@ -1044,7 +1044,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
ch = *l;

if (ch == '\0') {
break; /* done */
break; // done
}

if (in_group) {
@@ -1090,8 +1090,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
rule = CIPHER_ADD;
}

/* If preference groups are enabled, the only legal operator is +.
* Otherwise the in_group bits will get mixed up. */
// If preference groups are enabled, the only legal operator is +.
// Otherwise the in_group bits will get mixed up.
if (has_group && rule != CIPHER_ADD) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
return 0;
@@ -1122,8 +1122,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
}

if (buf_len == 0) {
/* We hit something we cannot deal with, it is no command or separator
* nor alphanumeric, so we call this an error. */
// We hit something we cannot deal with, it is no command or separator
// nor alphanumeric, so we call this an error.
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
return 0;
}
@@ -1132,8 +1132,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
break;
}

/* Look for a matching exact cipher. These aren't allowed in multipart
* rules. */
// Look for a matching exact cipher. These aren't allowed in multipart
// rules.
if (!multi && ch != '+') {
for (j = 0; j < kCiphersLen; j++) {
const SSL_CIPHER *cipher = &kCiphers[j];
@@ -1145,7 +1145,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
}
}
if (cipher_id == 0) {
/* If not an exact cipher, look for a matching cipher alias. */
// If not an exact cipher, look for a matching cipher alias.
for (j = 0; j < kCipherAliasesLen; j++) {
if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
alg_mkey &= kCipherAliases[j].algorithm_mkey;
@@ -1171,7 +1171,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
}
}

/* Check for a multipart rule. */
// Check for a multipart rule.
if (ch != '+') {
break;
}
@@ -1179,7 +1179,7 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
multi = 1;
}

/* Ok, we have the rule, now apply it. */
// Ok, we have the rule, now apply it.
if (rule == CIPHER_SPECIAL) {
if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
@@ -1189,8 +1189,8 @@ static int ssl_cipher_process_rulestr(const SSL_PROTOCOL_METHOD *ssl_method,
return 0;
}

/* We do not support any "multi" options together with "@", so throw away
* the rest of the command, if any left, until end or ':' is found. */
// We do not support any "multi" options together with "@", so throw away
// the rest of the command, if any left, until end or ':' is found.
while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
l++;
}
@@ -1218,14 +1218,14 @@ int ssl_create_cipher_list(
unsigned int num_in_group_flags = 0;
struct ssl_cipher_preference_list_st *pref_list = NULL;

/* Return with error if nothing to do. */
// Return with error if nothing to do.
if (rule_str == NULL || out_cipher_list == NULL) {
return 0;
}

/* Now we have to collect the available ciphers from the compiled in ciphers.
* We cannot get more than the number compiled in, so it is used for
* allocation. */
// Now we have to collect the available ciphers from the compiled in ciphers.
// We cannot get more than the number compiled in, so it is used for
// allocation.
co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
if (co_list == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
@@ -1234,11 +1234,11 @@ int ssl_create_cipher_list(

ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);

/* Now arrange all ciphers by preference:
* TODO(davidben): Compute this order once and copy it. */
// Now arrange all ciphers by preference:
// TODO(davidben): Compute this order once and copy it.

/* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
* key exchange mechanisms */
// Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
// key exchange mechanisms
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
0, &head, &tail);
ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1246,10 +1246,10 @@ int ssl_create_cipher_list(
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
&tail);

/* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
* CHACHA20 unless there is hardware support for fast and constant-time
* AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
* old one. */
// Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
// CHACHA20 unless there is hardware support for fast and constant-time
// AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
// old one.
if (EVP_has_aes_hardware()) {
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
@@ -1266,8 +1266,8 @@ int ssl_create_cipher_list(
&head, &tail);
}

/* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
* 3DES_EDE_CBC_SHA. */
// Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
// 3DES_EDE_CBC_SHA.
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1275,20 +1275,20 @@ int ssl_create_cipher_list(
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
&tail);

/* Temporarily enable everything else for sorting */
// Temporarily enable everything else for sorting
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
&tail);

/* Move ciphers without forward secrecy to the end. */
// Move ciphers without forward secrecy to the end.
ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
CIPHER_ORD, -1, 0, &head, &tail);

/* Now disable everything (maintaining the ordering!) */
// Now disable everything (maintaining the ordering!)
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
&tail);

/* If the rule_string begins with DEFAULT, apply the default rule before
* using the (possibly available) additional rules. */
// If the rule_string begins with DEFAULT, apply the default rule before
// using the (possibly available) additional rules.
const char *rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
@@ -1306,8 +1306,8 @@ int ssl_create_cipher_list(
goto err;
}

/* Allocate new "cipherstack" for the result, return with error
* if we cannot get one. */
// Allocate new "cipherstack" for the result, return with error
// if we cannot get one.
cipherstack = sk_SSL_CIPHER_new_null();
if (cipherstack == NULL) {
goto err;
@@ -1318,8 +1318,8 @@ int ssl_create_cipher_list(
goto err;
}

/* The cipher selection for the list is done. The ciphers are added
* to the resulting precedence to the STACK_OF(SSL_CIPHER). */
// The cipher selection for the list is done. The ciphers are added
// to the resulting precedence to the STACK_OF(SSL_CIPHER).
for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) {
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
@@ -1328,7 +1328,7 @@ int ssl_create_cipher_list(
in_group_flags[num_in_group_flags++] = curr->in_group;
}
}
OPENSSL_free(co_list); /* Not needed any longer */
OPENSSL_free(co_list); // Not needed any longer
co_list = NULL;

pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc(
@@ -1350,8 +1350,8 @@ int ssl_create_cipher_list(
*out_cipher_list = pref_list;
pref_list = NULL;

/* Configuring an empty cipher list is an error but still updates the
* output. */
// Configuring an empty cipher list is an error but still updates the
// output.
if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
return 0;
@@ -1372,7 +1372,7 @@ err:

uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
uint32_t id = cipher->id;
/* All ciphers are SSLv3. */
// All ciphers are SSLv3.
assert((id & 0xff000000) == 0x03000000);
return id & 0xffff;
}
@@ -1383,7 +1383,7 @@ uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
return SSL_aRSA;
case EVP_PKEY_EC:
case EVP_PKEY_ED25519:
/* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */
// Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.
return SSL_aECDSA;
default:
return 0;
@@ -1395,12 +1395,12 @@ int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher) {
}

int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
/* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
// Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange.
if (cipher->algorithm_mkey & SSL_kECDHE) {
return 1;
}

/* It is optional in all others. */
// It is optional in all others.
return 0;
}

@@ -1418,7 +1418,7 @@ size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher) {
return 0;
}

/* All supported TLS 1.0 ciphers use SHA-1. */
// All supported TLS 1.0 ciphers use SHA-1.
assert(cipher->algorithm_mac == SSL_SHA1);
size_t ret = 1 + SHA_DIGEST_LENGTH;
ret += block_size - (ret % block_size);
@@ -1521,8 +1521,8 @@ uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
}

if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
/* Cipher suites before TLS 1.2 use the default PRF, while all those added
* afterwards specify a particular hash. */
// Cipher suites before TLS 1.2 use the default PRF, while all those added
// afterwards specify a particular hash.
return TLS1_2_VERSION;
}
return SSL3_VERSION;
@@ -1536,7 +1536,7 @@ uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
return TLS1_2_VERSION;
}

/* return the actual cipher being used */
// return the actual cipher being used
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
if (cipher != NULL) {
return cipher->name;


+ 16
- 16
ssl/ssl_file.cc Visa fil

@@ -128,8 +128,8 @@ static int xname_cmp(const X509_NAME **a, const X509_NAME **b) {
return X509_NAME_cmp(*a, *b);
}

/* TODO(davidben): Is there any reason this doesn't call
* |SSL_add_file_cert_subjects_to_stack|? */
// TODO(davidben): Is there any reason this doesn't call
// |SSL_add_file_cert_subjects_to_stack|?
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
BIO *in;
X509 *x = NULL;
@@ -164,7 +164,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
goto err;
}

/* Check for duplicates. */
// Check for duplicates.
if (sk_X509_NAME_find(sk, NULL, xn)) {
continue;
}
@@ -222,7 +222,7 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
goto err;
}

/* Check for duplicates. */
// Check for duplicates.
if (sk_X509_NAME_find(stack, NULL, xn)) {
continue;
}
@@ -493,15 +493,15 @@ end:
return ret;
}

/* Read a file that contains our certificate in "PEM" format, possibly followed
* by a sequence of CA certificates that should be sent to the peer in the
* Certificate message. */
// Read a file that contains our certificate in "PEM" format, possibly followed
// by a sequence of CA certificates that should be sent to the peer in the
// Certificate message.
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
BIO *in;
int ret = 0;
X509 *x = NULL;

ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
ERR_clear_error(); // clear error stack for SSL_CTX_use_certificate()

in = BIO_new(BIO_s_file());
if (in == NULL) {
@@ -524,12 +524,12 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
ret = SSL_CTX_use_certificate(ctx, x);

if (ERR_peek_error() != 0) {
ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
ret = 0; // Key/certificate mismatch doesn't imply ret==0 ...
}

if (ret) {
/* If we could set up our certificate, now proceed to the CA
* certificates. */
// If we could set up our certificate, now proceed to the CA
// certificates.
X509 *ca;
int r;
uint32_t err;
@@ -545,18 +545,18 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
ret = 0;
goto end;
}
/* Note that we must not free r if it was successfully added to the chain
* (while we must free the main certificate, since its reference count is
* increased by SSL_CTX_use_certificate). */
// Note that we must not free r if it was successfully added to the chain
// (while we must free the main certificate, since its reference count is
// increased by SSL_CTX_use_certificate).
}

/* When the while loop ends, it's usually just EOF. */
// When the while loop ends, it's usually just EOF.
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
ERR_clear_error();
} else {
ret = 0; /* some real error */
ret = 0; // some real error
}
}



+ 6
- 6
ssl/ssl_key_share.cc Visa fil

@@ -42,14 +42,14 @@ class ECKeyShare : public SSLKeyShare {

bool Offer(CBB *out) override {
assert(!private_key_);
/* Set up a shared |BN_CTX| for all operations. */
// Set up a shared |BN_CTX| for all operations.
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
if (!bn_ctx) {
return false;
}
BN_CTXScope scope(bn_ctx.get());

/* Generate a private key. */
// Generate a private key.
UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_));
private_key_.reset(BN_new());
if (!group || !private_key_ ||
@@ -58,7 +58,7 @@ class ECKeyShare : public SSLKeyShare {
return false;
}

/* Compute the corresponding public key and serialize it. */
// Compute the corresponding public key and serialize it.
UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get()));
if (!public_key ||
!EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL,
@@ -76,7 +76,7 @@ class ECKeyShare : public SSLKeyShare {
assert(private_key_);
*out_alert = SSL_AD_INTERNAL_ERROR;

/* Set up a shared |BN_CTX| for all operations. */
// Set up a shared |BN_CTX| for all operations.
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
if (!bn_ctx) {
return false;
@@ -101,7 +101,7 @@ class ECKeyShare : public SSLKeyShare {
return false;
}

/* Compute the x-coordinate of |peer_key| * |private_key_|. */
// Compute the x-coordinate of |peer_key| * |private_key_|.
if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(),
private_key_.get(), bn_ctx.get()) ||
!EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL,
@@ -109,7 +109,7 @@ class ECKeyShare : public SSLKeyShare {
return false;
}

/* Encode the x-coordinate left-padded with zeros. */
// Encode the x-coordinate left-padded with zeros.
size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8;
UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(secret_len));
if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) {


+ 154
- 154
ssl/ssl_lib.cc Visa fil

@@ -164,22 +164,22 @@

namespace bssl {

/* |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
* to avoid downstream churn. */
// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
// to avoid downstream churn.
OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)

/* The following errors are no longer emitted, but are used in nginx without
* #ifdefs. */
// The following errors are no longer emitted, but are used in nginx without
// #ifdefs.
OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)
OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)

/* Some error codes are special. Ensure the make_errors.go script never
* regresses this. */
// Some error codes are special. Ensure the make_errors.go script never
// regresses this.
static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
"alert reason code mismatch");

/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */
// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message.
static const size_t kMaxHandshakeSize = (1u << 24) - 1;

static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =
@@ -188,8 +188,8 @@ static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl_ctx =
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;

void ssl_reset_error_state(SSL *ssl) {
/* Functions which use |SSL_get_error| must reset I/O and error state on
* entry. */
// Functions which use |SSL_get_error| must reset I/O and error state on
// entry.
ssl->rwstate = SSL_NOTHING;
ERR_clear_error();
ERR_clear_system_error();
@@ -216,20 +216,20 @@ void ssl_cipher_preference_list_free(
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
SSL *const ssl = hs->ssl;
SSL_CTX *ctx = ssl->session_ctx;
/* Never cache sessions with empty session IDs. */
// Never cache sessions with empty session IDs.
if (ssl->s3->established_session->session_id_length == 0 ||
ssl->s3->established_session->not_resumable ||
(ctx->session_cache_mode & mode) != mode) {
return;
}

/* Clients never use the internal session cache. */
// Clients never use the internal session cache.
int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE);

/* A client may see new sessions on abbreviated handshakes if the server
* decides to renew the ticket. Once the handshake is completed, it should be
* inserted into the cache. */
// A client may see new sessions on abbreviated handshakes if the server
// decides to renew the ticket. Once the handshake is completed, it should be
// inserted into the cache.
if (ssl->s3->established_session != ssl->session ||
(!ssl->server && hs->ticket_expected)) {
if (use_internal_cache) {
@@ -238,7 +238,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
if (ctx->new_session_cb != NULL) {
SSL_SESSION_up_ref(ssl->s3->established_session);
if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) {
/* |new_session_cb|'s return value signals whether it took ownership. */
// |new_session_cb|'s return value signals whether it took ownership.
SSL_SESSION_free(ssl->s3->established_session);
}
}
@@ -246,7 +246,7 @@ void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {

if (use_internal_cache &&
!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {
/* Automatically flush the internal session cache every 255 connections. */
// Automatically flush the internal session cache every 255 connections.
int flush_cache = 0;
CRYPTO_MUTEX_lock_write(&ctx->lock);
ctx->handshakes_since_cache_flush++;
@@ -309,7 +309,7 @@ int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
int ssl3_can_false_start(const SSL *ssl) {
const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);

/* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
// False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN.
return !SSL_is_dtls(ssl) &&
SSL_version(ssl) == TLS1_2_VERSION &&
(ssl->s3->alpn_selected != NULL ||
@@ -338,12 +338,12 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
return;
}

/* |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
* a V2ClientHello. */
// |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
// a V2ClientHello.
int version;
switch (content_type) {
case 0:
/* V2ClientHello */
// V2ClientHello
version = SSL2_VERSION;
break;
case SSL3_RT_HEADER:
@@ -358,16 +358,16 @@ void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
}

void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
/* TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
* |ssl| arg from |current_time_cb| if possible. */
// TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
// |ssl| arg from |current_time_cb| if possible.
ssl_ctx_get_current_time(ssl->ctx, out_clock);
}

void ssl_ctx_get_current_time(const SSL_CTX *ctx,
struct OPENSSL_timeval *out_clock) {
if (ctx->current_time_cb != NULL) {
/* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
* https://crbug.com/boringssl/155. */
// TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
// https://crbug.com/boringssl/155.
struct timeval clock;
ctx->current_time_cb(nullptr /* ssl */, &clock);
if (clock.tv_sec < 0) {
@@ -437,11 +437,11 @@ static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
return hash;
}

/* NB: If this function (or indeed the hash function which uses a sort of
* coarser function than this one) is changed, ensure
* SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
* able to construct an SSL_SESSION that will collide with any existing session
* with a matching session ID. */
// NB: If this function (or indeed the hash function which uses a sort of
// coarser function than this one) is changed, ensure
// SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
// able to construct an SSL_SESSION that will collide with any existing session
// with a matching session ID.
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
if (a->ssl_version != b->ssl_version) {
return 1;
@@ -511,16 +511,16 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {

ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;

/* Disable the auto-chaining feature by default. Once this has stuck without
* problems, the feature will be removed entirely. */
// Disable the auto-chaining feature by default. Once this has stuck without
// problems, the feature will be removed entirely.
ret->mode = SSL_MODE_NO_AUTO_CHAIN;

/* Lock the SSL_CTX to the specified version, for compatibility with legacy
* uses of SSL_METHOD, but we do not set the minimum version for
* |SSLv3_method|. */
// Lock the SSL_CTX to the specified version, for compatibility with legacy
// uses of SSL_METHOD, but we do not set the minimum version for
// |SSLv3_method|.
if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
!SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
? 0 /* default */
? 0 // default
: method->version)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err2;
@@ -546,12 +546,12 @@ void SSL_CTX_free(SSL_CTX *ctx) {
return;
}

/* Free internal session cache. However: the remove_cb() may reference the
* ex_data of SSL_CTX, thus the ex_data store can only be removed after the
* sessions were flushed. As the ex_data handling routines might also touch
* the session cache, the most secure solution seems to be: empty (flush) the
* cache, then free ex_data, then finally free the cache. (See ticket
* [openssl.org #212].) */
// Free internal session cache. However: the remove_cb() may reference the
// ex_data of SSL_CTX, thus the ex_data store can only be removed after the
// sessions were flushed. As the ex_data handling routines might also touch
// the session cache, the most secure solution seems to be: empty (flush) the
// cache, then free ex_data, then finally free the cache. (See ticket
// [openssl.org #212].)
SSL_CTX_flush_sessions(ctx, 0);

CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data);
@@ -598,8 +598,8 @@ SSL *SSL_new(SSL_CTX *ctx) {
ssl->conf_max_version = ctx->conf_max_version;
ssl->tls13_variant = ctx->tls13_variant;

/* RFC 6347 states that implementations SHOULD use an initial timer value of
* 1 second. */
// RFC 6347 states that implementations SHOULD use an initial timer value of
// 1 second.
ssl->initial_timeout_duration_ms = 1000;

ssl->options = ctx->options;
@@ -703,7 +703,7 @@ void SSL_free(SSL *ssl) {

BUF_MEM_free(ssl->init_buf);

/* add extra stuff */
// add extra stuff
ssl_cipher_preference_list_free(ssl->cipher_list);

SSL_SESSION_free(ssl->session);
@@ -748,35 +748,35 @@ void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
}

void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
/* For historical reasons, this function has many different cases in ownership
* handling. */
// For historical reasons, this function has many different cases in ownership
// handling.

/* If nothing has changed, do nothing */
// If nothing has changed, do nothing
if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {
return;
}

/* If the two arguments are equal, one fewer reference is granted than
* taken. */
// If the two arguments are equal, one fewer reference is granted than
// taken.
if (rbio != NULL && rbio == wbio) {
BIO_up_ref(rbio);
}

/* If only the wbio is changed, adopt only one reference. */
// If only the wbio is changed, adopt only one reference.
if (rbio == SSL_get_rbio(ssl)) {
SSL_set0_wbio(ssl, wbio);
return;
}

/* There is an asymmetry here for historical reasons. If only the rbio is
* changed AND the rbio and wbio were originally different, then we only adopt
* one reference. */
// There is an asymmetry here for historical reasons. If only the rbio is
// changed AND the rbio and wbio were originally different, then we only adopt
// one reference.
if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {
SSL_set0_rbio(ssl, rbio);
return;
}

/* Otherwise, adopt both references. */
// Otherwise, adopt both references.
SSL_set0_rbio(ssl, rbio);
SSL_set0_wbio(ssl, wbio);
}
@@ -797,7 +797,7 @@ int SSL_do_handshake(SSL *ssl) {
return 1;
}

/* Run the handshake. */
// Run the handshake.
SSL_HANDSHAKE *hs = ssl->s3->hs;

int early_return = 0;
@@ -808,7 +808,7 @@ int SSL_do_handshake(SSL *ssl) {
return ret;
}

/* Destroy the handshake object if the handshake has completely finished. */
// Destroy the handshake object if the handshake has completely finished.
if (!early_return) {
ssl_handshake_free(ssl->s3->hs);
ssl->s3->hs = NULL;
@@ -819,7 +819,7 @@ int SSL_do_handshake(SSL *ssl) {

int SSL_connect(SSL *ssl) {
if (ssl->do_handshake == NULL) {
/* Not properly initialized yet */
// Not properly initialized yet
SSL_set_connect_state(ssl);
}

@@ -828,7 +828,7 @@ int SSL_connect(SSL *ssl) {

int SSL_accept(SSL *ssl) {
if (ssl->do_handshake == NULL) {
/* Not properly initialized yet */
// Not properly initialized yet
SSL_set_accept_state(ssl);
}

@@ -840,9 +840,9 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {
return tls13_post_handshake(ssl, msg);
}

/* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
* removed entirely in the future and requires retaining more data for
* renegotiation_info. */
// We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
// removed entirely in the future and requires retaining more data for
// renegotiation_info.
if (ssl->server || ssl->version == SSL3_VERSION) {
goto no_renegotiation;
}
@@ -855,7 +855,7 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {

switch (ssl->renegotiate_mode) {
case ssl_renegotiate_ignore:
/* Ignore the HelloRequest. */
// Ignore the HelloRequest.
return 1;

case ssl_renegotiate_once:
@@ -871,15 +871,15 @@ static int ssl_do_post_handshake(SSL *ssl, const SSLMessage &msg) {
break;
}

/* Renegotiation is only supported at quiescent points in the application
* protocol, namely in HTTPS, just before reading the HTTP response. Require
* the record-layer be idle and avoid complexities of sending a handshake
* record while an application_data record is being written. */
// Renegotiation is only supported at quiescent points in the application
// protocol, namely in HTTPS, just before reading the HTTP response. Require
// the record-layer be idle and avoid complexities of sending a handshake
// record while an application_data record is being written.
if (ssl_write_buffer_is_pending(ssl)) {
goto no_renegotiation;
}

/* Begin a new handshake. */
// Begin a new handshake.
if (ssl->s3->hs != NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
@@ -907,9 +907,9 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
}

for (;;) {
/* Complete the current handshake, if any. False Start will cause
* |SSL_do_handshake| to return mid-handshake, so this may require multiple
* iterations. */
// Complete the current handshake, if any. False Start will cause
// |SSL_do_handshake| to return mid-handshake, so this may require multiple
// iterations.
while (!ssl_can_read(ssl)) {
int ret = SSL_do_handshake(ssl);
if (ret < 0) {
@@ -929,15 +929,15 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
return ret;
}

/* If we received an interrupt in early read (the end_of_early_data alert),
* loop again for the handshake to process it. */
// If we received an interrupt in early read (the end_of_early_data alert),
// loop again for the handshake to process it.
if (SSL_in_init(ssl)) {
continue;
}

SSLMessage msg;
while (ssl->method->get_message(ssl, &msg)) {
/* Handle the post-handshake message and try again. */
// Handle the post-handshake message and try again.
if (!ssl_do_post_handshake(ssl, msg)) {
return -1;
}
@@ -969,7 +969,7 @@ int SSL_write(SSL *ssl, const void *buf, int num) {

int ret = 0, needs_handshake = 0;
do {
/* If necessary, complete the handshake implicitly. */
// If necessary, complete the handshake implicitly.
if (!ssl_can_write(ssl)) {
ret = SSL_do_handshake(ssl);
if (ret < 0) {
@@ -995,43 +995,43 @@ int SSL_shutdown(SSL *ssl) {
return -1;
}

/* If we are in the middle of a handshake, silently succeed. Consumers often
* call this function before |SSL_free|, whether the handshake succeeded or
* not. We assume the caller has already handled failed handshakes. */
// If we are in the middle of a handshake, silently succeed. Consumers often
// call this function before |SSL_free|, whether the handshake succeeded or
// not. We assume the caller has already handled failed handshakes.
if (SSL_in_init(ssl)) {
return 1;
}

if (ssl->quiet_shutdown) {
/* Do nothing if configured not to send a close_notify. */
// Do nothing if configured not to send a close_notify.
ssl->s3->send_shutdown = ssl_shutdown_close_notify;
ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
return 1;
}

/* This function completes in two stages. It sends a close_notify and then it
* waits for a close_notify to come in. Perform exactly one action and return
* whether or not it succeeds. */
// This function completes in two stages. It sends a close_notify and then it
// waits for a close_notify to come in. Perform exactly one action and return
// whether or not it succeeds.

if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) {
/* Send a close_notify. */
// Send a close_notify.
if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
return -1;
}
} else if (ssl->s3->alert_dispatch) {
/* Finish sending the close_notify. */
// Finish sending the close_notify.
if (ssl->method->dispatch_alert(ssl) <= 0) {
return -1;
}
} else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
/* Wait for the peer's close_notify. */
// Wait for the peer's close_notify.
ssl->method->read_close_notify(ssl);
if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
return -1;
}
}

/* Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. */
// Return 0 for unidirectional shutdown and 1 for bidirectional shutdown.
return ssl->s3->recv_shutdown == ssl_shutdown_close_notify;
}

@@ -1039,7 +1039,7 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
if (ssl->s3->alert_dispatch) {
if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||
ssl->s3->send_alert[1] != alert) {
/* We are already attempting to write a different alert. */
// We are already attempting to write a different alert.
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
}
@@ -1087,9 +1087,9 @@ void SSL_reset_early_data_reject(SSL *ssl) {
hs->in_early_data = 0;
hs->early_session.reset();

/* Discard any unfinished writes from the perspective of |SSL_write|'s
* retry. The handshake will transparently flush out the pending record
* (discarded by the server) to keep the framing correct. */
// Discard any unfinished writes from the perspective of |SSL_write|'s
// retry. The handshake will transparently flush out the pending record
// (discarded by the server) to keep the framing correct.
ssl->s3->wpend_pending = 0;
}

@@ -1109,8 +1109,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
return SSL_ERROR_NONE;
}

/* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
* where we do encode the error */
// Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
// where we do encode the error
uint32_t err = ERR_peek_error();
if (err != 0) {
if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
@@ -1123,9 +1123,9 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) {
return SSL_ERROR_ZERO_RETURN;
}
/* An EOF was observed which violates the protocol, and the underlying
* transport does not participate in the error queue. Bubble up to the
* caller. */
// An EOF was observed which violates the protocol, and the underlying
// transport does not participate in the error queue. Bubble up to the
// caller.
return SSL_ERROR_SYSCALL;
}

@@ -1143,8 +1143,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
}

if (BIO_should_write(bio)) {
/* TODO(davidben): OpenSSL historically checked for writes on the read
* BIO. Can this be removed? */
// TODO(davidben): OpenSSL historically checked for writes on the read
// BIO. Can this be removed?
return SSL_ERROR_WANT_WRITE;
}

@@ -1162,8 +1162,8 @@ int SSL_get_error(const SSL *ssl, int ret_code) {
}

if (BIO_should_read(bio)) {
/* TODO(davidben): OpenSSL historically checked for reads on the write
* BIO. Can this be removed? */
// TODO(davidben): OpenSSL historically checked for reads on the write
// BIO. Can this be removed?
return SSL_ERROR_WANT_READ;
}

@@ -1253,20 +1253,20 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
*out_len = 0;
OPENSSL_memset(out, 0, max_out);

/* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
// tls-unique is not defined for SSL 3.0 or TLS 1.3.
if (!ssl->s3->initial_handshake_complete ||
ssl3_protocol_version(ssl) < TLS1_VERSION ||
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return 0;
}

/* The tls-unique value is the first Finished message in the handshake, which
* is the client's in a full handshake and the server's for a resumption. See
* https://tools.ietf.org/html/rfc5929#section-3.1. */
// The tls-unique value is the first Finished message in the handshake, which
// is the client's in a full handshake and the server's for a resumption. See
// https://tools.ietf.org/html/rfc5929#section-3.1.
const uint8_t *finished = ssl->s3->previous_client_finished;
size_t finished_len = ssl->s3->previous_client_finished_len;
if (ssl->session != NULL) {
/* tls-unique is broken for resumed sessions unless EMS is used. */
// tls-unique is broken for resumed sessions unless EMS is used.
if (!ssl->session->extended_master_secret) {
return 0;
}
@@ -1356,7 +1356,7 @@ int SSL_set_wfd(SSL *ssl, int fd) {
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_wbio(ssl, bio);
} else {
/* Copy the rbio over to the wbio. */
// Copy the rbio over to the wbio.
BIO_up_ref(rbio);
SSL_set0_wbio(ssl, rbio);
}
@@ -1376,7 +1376,7 @@ int SSL_set_rfd(SSL *ssl, int fd) {
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_rbio(ssl, bio);
} else {
/* Copy the wbio over to the rbio. */
// Copy the wbio over to the rbio.
BIO_up_ref(wbio);
SSL_set0_rbio(ssl, wbio);
}
@@ -1427,8 +1427,8 @@ size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }

int SSL_get_extms_support(const SSL *ssl) {
/* TLS 1.3 does not require extended master secret and always reports as
* supporting it. */
// TLS 1.3 does not require extended master secret and always reports as
// supporting it.
if (!ssl->s3->have_version) {
return 0;
}
@@ -1436,12 +1436,12 @@ int SSL_get_extms_support(const SSL *ssl) {
return 1;
}

/* If the initial handshake completed, query the established session. */
// If the initial handshake completed, query the established session.
if (ssl->s3->established_session != NULL) {
return ssl->s3->established_session->extended_master_secret;
}

/* Otherwise, query the in-progress handshake. */
// Otherwise, query the in-progress handshake.
if (ssl->s3->hs != NULL) {
return ssl->s3->hs->extended_master_secret;
}
@@ -1464,12 +1464,12 @@ int SSL_pending(const SSL *ssl) {
return ssl->s3->rrec.length;
}

/* Fix this so it checks all the valid key/cert options */
// Fix this so it checks all the valid key/cert options
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey);
}

/* Fix this function so that it takes an optional type parameter */
// Fix this function so that it takes an optional type parameter
int SSL_check_private_key(const SSL *ssl) {
return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey);
}
@@ -1479,7 +1479,7 @@ long SSL_get_default_timeout(const SSL *ssl) {
}

int SSL_renegotiate(SSL *ssl) {
/* Caller-initiated renegotiation is not supported. */
// Caller-initiated renegotiation is not supported.
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
@@ -1590,8 +1590,8 @@ int SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, void *out, size_t len) {
return 0;
}

/* The default ticket keys are initialized lazily. Trigger a key
* rotation to initialize them. */
// The default ticket keys are initialized lazily. Trigger a key
// rotation to initialize them.
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
return 0;
}
@@ -1626,7 +1626,7 @@ int SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, const void *in, size_t len) {
OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16);
OPENSSL_free(ctx->tlsext_ticket_key_prev);
ctx->tlsext_ticket_key_prev = nullptr;
/* Disable automatic key rotation. */
// Disable automatic key rotation.
ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0;
return 1;
}
@@ -1662,8 +1662,8 @@ int SSL_set1_curves_list(SSL *ssl, const char *curves) {
}

uint16_t SSL_get_curve_id(const SSL *ssl) {
/* TODO(davidben): This checks the wrong session if there is a renegotiation in
* progress. */
// TODO(davidben): This checks the wrong session if there is a renegotiation
// in progress.
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return 0;
@@ -1748,21 +1748,21 @@ const char *SSL_get_servername(const SSL *ssl, const int type) {
return NULL;
}

/* Historically, |SSL_get_servername| was also the configuration getter
* corresponding to |SSL_set_tlsext_host_name|. */
// Historically, |SSL_get_servername| was also the configuration getter
// corresponding to |SSL_set_tlsext_host_name|.
if (ssl->tlsext_hostname != NULL) {
return ssl->tlsext_hostname;
}

/* During the handshake, report the handshake value. */
// During the handshake, report the handshake value.
if (ssl->s3->hs != NULL) {
return ssl->s3->hs->hostname.get();
}

/* SSL_get_servername may also be called after the handshake to look up the
* SNI value.
*
* TODO(davidben): This is almost unused. Can we remove it? */
// SSL_get_servername may also be called after the handshake to look up the
// SNI value.
//
// TODO(davidben): This is almost unused. Can we remove it?
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return NULL;
@@ -1872,12 +1872,12 @@ int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
const uint8_t *result;
int status;

/* For each protocol in peer preference order, see if we support it. */
// For each protocol in peer preference order, see if we support it.
for (unsigned i = 0; i < peer_len;) {
for (unsigned j = 0; j < supported_len;) {
if (peer[i] == supported[j] &&
OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) {
/* We found a match */
// We found a match
result = &peer[i];
status = OPENSSL_NPN_NEGOTIATED;
goto found;
@@ -1889,7 +1889,7 @@ int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
i++;
}

/* There's no overlap between our protocols and the peer's list. */
// There's no overlap between our protocols and the peer's list.
result = supported;
status = OPENSSL_NPN_NO_OVERLAP;

@@ -2084,8 +2084,8 @@ void SSL_set_quiet_shutdown(SSL *ssl, int mode) {
int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }

void SSL_set_shutdown(SSL *ssl, int mode) {
/* It is an error to clear any bits that have already been set. (We can't try
* to get a second close_notify or send two.) */
// It is an error to clear any bits that have already been set. (We can't try
// to get a second close_notify or send two.)
assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));

if (mode & SSL_RECEIVED_SHUTDOWN &&
@@ -2102,12 +2102,12 @@ void SSL_set_shutdown(SSL *ssl, int mode) {
int SSL_get_shutdown(const SSL *ssl) {
int ret = 0;
if (ssl->s3->recv_shutdown != ssl_shutdown_none) {
/* Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
* and fatal alert. */
// Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
// and fatal alert.
ret |= SSL_RECEIVED_SHUTDOWN;
}
if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) {
/* Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. */
// Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify.
ret |= SSL_SENT_SHUTDOWN;
}
return ret;
@@ -2120,7 +2120,7 @@ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) {
return ssl->ctx;
}

/* One cannot change the X.509 callbacks during a connection. */
// One cannot change the X.509 callbacks during a connection.
if (ssl->ctx->x509_method != ctx->x509_method) {
assert(0);
return NULL;
@@ -2223,14 +2223,14 @@ static int use_psk_identity_hint(char **out, const char *identity_hint) {
return 0;
}

/* Clear currently configured hint, if any. */
// Clear currently configured hint, if any.
OPENSSL_free(*out);
*out = NULL;

/* Treat the empty hint as not supplying one. Plain PSK makes it possible to
* send either no hint (omit ServerKeyExchange) or an empty hint, while
* ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
* so we interpret empty and missing as identical. */
// Treat the empty hint as not supplying one. Plain PSK makes it possible to
// send either no hint (omit ServerKeyExchange) or an empty hint, while
// ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
// so we interpret empty and missing as identical.
if (identity_hint != NULL && identity_hint[0] != '\0') {
*out = BUF_strdup(identity_hint);
if (*out == NULL) {
@@ -2396,9 +2396,9 @@ static uint64_t be_to_u64(const uint8_t in[8]) {
}

uint64_t SSL_get_read_sequence(const SSL *ssl) {
/* TODO(davidben): Internally represent sequence numbers as uint64_t. */
// TODO(davidben): Internally represent sequence numbers as uint64_t.
if (SSL_is_dtls(ssl)) {
/* max_seq_num already includes the epoch. */
// max_seq_num already includes the epoch.
assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
return ssl->d1->bitmap.max_seq_num;
}
@@ -2415,8 +2415,8 @@ uint64_t SSL_get_write_sequence(const SSL *ssl) {
}

uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
/* TODO(davidben): This checks the wrong session if there is a renegotiation
* in progress. */
// TODO(davidben): This checks the wrong session if there is a renegotiation
// in progress.
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return 0;
@@ -2472,30 +2472,30 @@ int32_t SSL_get_ticket_age_skew(const SSL *ssl) {
}

int SSL_clear(SSL *ssl) {
/* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
* established session to be offered the next time around. wpa_supplicant
* depends on this behavior, so emulate it. */
// In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
// established session to be offered the next time around. wpa_supplicant
// depends on this behavior, so emulate it.
SSL_SESSION *session = NULL;
if (!ssl->server && ssl->s3->established_session != NULL) {
session = ssl->s3->established_session;
SSL_SESSION_up_ref(session);
}

/* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
* |SSL_clear| because it is per-connection state rather than configuration
* state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
* naturally reset at the right points between |SSL_new|, |SSL_clear|, and
* |ssl3_new|. */
// TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
// |SSL_clear| because it is per-connection state rather than configuration
// state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
// naturally reset at the right points between |SSL_new|, |SSL_clear|, and
// |ssl3_new|.

ssl->rwstate = SSL_NOTHING;

BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;

/* The ssl->d1->mtu is simultaneously configuration (preserved across
* clear) and connection-specific state (gets reset).
*
* TODO(davidben): Avoid this. */
// The ssl->d1->mtu is simultaneously configuration (preserved across
// clear) and connection-specific state (gets reset).
//
// TODO(davidben): Avoid this.
unsigned mtu = 0;
if (ssl->d1 != NULL) {
mtu = ssl->d1->mtu;


+ 19
- 19
ssl/ssl_privkey.cc Visa fil

@@ -84,7 +84,7 @@ static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {

if (cert->chain != NULL &&
sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL &&
/* Sanity-check that the private key and the certificate match. */
// Sanity-check that the private key and the certificate match.
!ssl_cert_check_private_key(cert, pkey)) {
return 0;
}
@@ -148,12 +148,12 @@ static int pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
}

if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
/* RSA keys may only be used with RSA-PSS. */
// RSA keys may only be used with RSA-PSS.
if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
return 0;
}

/* EC keys have a curve requirement. */
// EC keys have a curve requirement.
if (alg->pkey_type == EVP_PKEY_EC &&
(alg->curve == NID_undef ||
EC_GROUP_get_curve_name(
@@ -201,8 +201,8 @@ static int legacy_sign_digest_supported(const SSL_SIGNATURE_ALGORITHM *alg) {
static enum ssl_private_key_result_t legacy_sign(
SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg,
const uint8_t *in, size_t in_len) {
/* TODO(davidben): Remove support for |sign_digest|-only
* |SSL_PRIVATE_KEY_METHOD|s. */
// TODO(davidben): Remove support for |sign_digest|-only
// |SSL_PRIVATE_KEY_METHOD|s.
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg == NULL || !legacy_sign_digest_supported(alg)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
@@ -272,13 +272,13 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(

RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey);
if (rsa == NULL) {
/* Decrypt operations are only supported for RSA keys. */
// Decrypt operations are only supported for RSA keys.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_private_key_failure;
}

/* Decrypt with no padding. PKCS#1 padding will be removed as part
* of the timing-sensitive code by the caller. */
// Decrypt with no padding. PKCS#1 padding will be removed as part of the
// timing-sensitive code by the caller.
if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {
return ssl_private_key_failure;
}
@@ -292,20 +292,20 @@ int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
return 0;
}

/* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
* emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
* hash in TLS. Reasonable RSA key sizes are large enough for the largest
* defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
* SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
* size so that we can fall back to another algorithm in that case. */
// Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
// emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
// hash in TLS. Reasonable RSA key sizes are large enough for the largest
// defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
// SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
// size so that we can fall back to another algorithm in that case.
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) <
2 * EVP_MD_size(alg->digest_func()) + 2) {
return 0;
}

/* Newer algorithms require message-based private keys.
* TODO(davidben): Remove this check when sign_digest is gone. */
// Newer algorithms require message-based private keys.
// TODO(davidben): Remove this check when sign_digest is gone.
if (ssl->cert->key_method != NULL &&
ssl->cert->key_method->sign == NULL &&
!legacy_sign_digest_supported(alg)) {
@@ -483,9 +483,9 @@ int SSL_set_private_key_digest_prefs(SSL *ssl, const int *digest_nids,
return 0;
}

/* Convert the digest list to a signature algorithms list.
*
* TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */
// Convert the digest list to a signature algorithms list.
//
// TODO(davidben): Replace this API with one that can express RSA-PSS, etc.
for (size_t i = 0; i < num_digests; i++) {
switch (digest_nids[i]) {
case NID_sha1:


+ 80
- 81
ssl/ssl_session.cc Visa fil

@@ -152,9 +152,9 @@

namespace bssl {

/* The address of this is a magic value, a pointer to which is returned by
* SSL_magic_pending_session_ptr(). It allows a session callback to indicate
* that it needs to asynchronously fetch session information. */
// The address of this is a magic value, a pointer to which is returned by
// SSL_magic_pending_session_ptr(). It allows a session callback to indicate
// that it needs to asynchronously fetch session information.
static const char g_pending_session_magic = 0;

static CRYPTO_EX_DATA_CLASS g_ex_data_class =
@@ -194,13 +194,13 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
new_session->sid_ctx_length = session->sid_ctx_length;
OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);

/* Copy the key material. */
// Copy the key material.
new_session->master_key_length = session->master_key_length;
OPENSSL_memcpy(new_session->master_key, session->master_key,
session->master_key_length);
new_session->cipher = session->cipher;

/* Copy authentication state. */
// Copy authentication state.
if (session->psk_identity != NULL) {
new_session->psk_identity = BUF_strdup(session->psk_identity);
if (new_session->psk_identity == NULL) {
@@ -255,7 +255,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
new_session->auth_timeout = session->auth_timeout;
new_session->time = session->time;

/* Copy non-authentication connection properties. */
// Copy non-authentication connection properties.
if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) {
new_session->session_id_length = session->session_id_length;
OPENSSL_memcpy(new_session->session_id, session->session_id,
@@ -283,7 +283,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
new_session->early_alpn_len = session->early_alpn_len;
}

/* Copy the ticket. */
// Copy the ticket.
if (dup_flags & SSL_SESSION_INCLUDE_TICKET) {
if (session->tlsext_tick != NULL) {
new_session->tlsext_tick =
@@ -295,7 +295,7 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
new_session->tlsext_ticklen = session->tlsext_ticklen;
}

/* The new_session does not get a copy of the ex_data. */
// The new_session does not get a copy of the ex_data.

new_session->not_resumable = 1;
return new_session;
@@ -305,8 +305,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) {
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);

/* To avoid overflows and underflows, if we've gone back in time, update the
* time, but mark the session expired. */
// To avoid overflows and underflows, if we've gone back in time, update the
// time, but mark the session expired.
if (session->time > now.tv_sec) {
session->time = now.tv_sec;
session->timeout = 0;
@@ -314,8 +314,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) {
return;
}

/* Adjust the session time and timeouts. If the session has already expired,
* clamp the timeouts at zero. */
// Adjust the session time and timeouts. If the session has already expired,
// clamp the timeouts at zero.
uint64_t delta = now.tv_sec - session->time;
session->time = now.tv_sec;
if (session->timeout < delta) {
@@ -332,8 +332,8 @@ void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session) {

void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,
uint32_t timeout) {
/* Rebase the timestamp relative to the current time so |timeout| is measured
* correctly. */
// Rebase the timestamp relative to the current time so |timeout| is measured
// correctly.
ssl_session_rebase_time(ssl, session);

if (session->timeout > timeout) {
@@ -349,8 +349,8 @@ void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,
uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session) {
uint16_t ret;
if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) {
/* An |SSL_SESSION| will never have an invalid version. This is enforced by
* the parser. */
// An |SSL_SESSION| will never have an invalid version. This is enforced by
// the parser.
assert(0);
return 0;
}
@@ -378,28 +378,28 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
session->is_server = is_server;
session->ssl_version = ssl->version;

/* Fill in the time from the |SSL_CTX|'s clock. */
// Fill in the time from the |SSL_CTX|'s clock.
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
session->time = now.tv_sec;

uint16_t version = ssl3_protocol_version(ssl);
if (version >= TLS1_3_VERSION) {
/* TLS 1.3 uses tickets as authenticators, so we are willing to use them for
* longer. */
// TLS 1.3 uses tickets as authenticators, so we are willing to use them for
// longer.
session->timeout = ssl->session_ctx->session_psk_dhe_timeout;
session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
} else {
/* TLS 1.2 resumption does not incorporate new key material, so we use a
* much shorter timeout. */
// TLS 1.2 resumption does not incorporate new key material, so we use a
// much shorter timeout.
session->timeout = ssl->session_ctx->session_timeout;
session->auth_timeout = ssl->session_ctx->session_timeout;
}

if (is_server) {
if (hs->ticket_expected || version >= TLS1_3_VERSION) {
/* Don't set session IDs for sessions resumed with tickets. This will keep
* them out of the session cache. */
// Don't set session IDs for sessions resumed with tickets. This will keep
// them out of the session cache.
session->session_id_length = 0;
} else {
session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
@@ -419,7 +419,7 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) {
ssl->cert->sid_ctx_length);
session->sid_ctx_length = ssl->cert->sid_ctx_length;

/* The session is marked not resumable until it is completely filled in. */
// The session is marked not resumable until it is completely filled in.
session->not_resumable = 1;
session->verify_result = X509_V_ERR_INVALID_CALL;

@@ -432,8 +432,8 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) {
OPENSSL_timeval now;
ssl_ctx_get_current_time(ctx, &now);
{
/* Avoid acquiring a write lock in the common case (i.e. a non-default key
* is used or the default keys have not expired yet). */
// Avoid acquiring a write lock in the common case (i.e. a non-default key
// is used or the default keys have not expired yet).
MutexReadLock lock(&ctx->lock);
if (ctx->tlsext_ticket_key_current &&
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec == 0 ||
@@ -448,16 +448,16 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) {
if (!ctx->tlsext_ticket_key_current ||
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec != 0 &&
ctx->tlsext_ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) {
/* The current key has not been initialized or it is expired. */
// The current key has not been initialized or it is expired.
auto new_key = bssl::MakeUnique<struct tlsext_ticket_key>();
if (!new_key) {
return 0;
}
OPENSSL_memset(new_key.get(), 0, sizeof(struct tlsext_ticket_key));
if (ctx->tlsext_ticket_key_current) {
/* The current key expired. Rotate it to prev and bump up its rotation
* timestamp. Note that even with the new rotation time it may still be
* expired and get droppped below. */
// The current key expired. Rotate it to prev and bump up its rotation
// timestamp. Note that even with the new rotation time it may still be
// expired and get droppped below.
ctx->tlsext_ticket_key_current->next_rotation_tv_sec +=
SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
OPENSSL_free(ctx->tlsext_ticket_key_prev);
@@ -471,7 +471,7 @@ int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx) {
now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
}

/* Drop an expired prev key. */
// Drop an expired prev key.
if (ctx->tlsext_ticket_key_prev &&
ctx->tlsext_ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) {
OPENSSL_free(ctx->tlsext_ticket_key_prev);
@@ -487,8 +487,8 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out,
ScopedEVP_CIPHER_CTX ctx;
ScopedHMAC_CTX hctx;

/* If the session is too long, emit a dummy value rather than abort the
* connection. */
// If the session is too long, emit a dummy value rather than abort the
// connection.
static const size_t kMaxTicketOverhead =
16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;
if (session_len > 0xffff - kMaxTicketOverhead) {
@@ -497,8 +497,8 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out,
strlen(kTicketPlaceholder));
}

/* Initialize HMAC and cipher contexts. If callback present it does all the
* work otherwise use generated values from parent ctx. */
// Initialize HMAC and cipher contexts. If callback present it does all the
// work otherwise use generated values from parent ctx.
SSL_CTX *tctx = ssl->session_ctx;
uint8_t iv[EVP_MAX_IV_LENGTH];
uint8_t key_name[16];
@@ -508,7 +508,7 @@ static int ssl_encrypt_ticket_with_cipher_ctx(SSL *ssl, CBB *out,
return 0;
}
} else {
/* Rotate ticket key if necessary. */
// Rotate ticket key if necessary.
if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) {
return 0;
}
@@ -590,7 +590,7 @@ static int ssl_encrypt_ticket_with_method(SSL *ssl, CBB *out,
}

int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) {
/* Serialize the SSL_SESSION to be encoded into the ticket. */
// Serialize the SSL_SESSION to be encoded into the ticket.
uint8_t *session_buf = NULL;
size_t session_len;
if (!SSL_SESSION_to_bytes_for_ticket(session, &session_buf, &session_len)) {
@@ -627,7 +627,7 @@ int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session) {
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);

/* Reject tickets from the future to avoid underflow. */
// Reject tickets from the future to avoid underflow.
if (now.tv_sec < session->time) {
return 0;
}
@@ -639,27 +639,27 @@ int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
const SSL_SESSION *session) {
const SSL *const ssl = hs->ssl;
return ssl_session_is_context_valid(ssl, session) &&
/* The session must have been created by the same type of end point as
* we're now using it with. */
// The session must have been created by the same type of end point as
// we're now using it with.
ssl->server == session->is_server &&
/* The session must not be expired. */
// The session must not be expired.
ssl_session_is_time_valid(ssl, session) &&
/* Only resume if the session's version matches the negotiated
* version. */
ssl->version == session->ssl_version &&
/* Only resume if the session's cipher matches the negotiated one. */
// Only resume if the session's cipher matches the negotiated one.
hs->new_cipher == session->cipher &&
/* If the session contains a client certificate (either the full
* certificate or just the hash) then require that the form of the
* certificate matches the current configuration. */
// If the session contains a client certificate (either the full
// certificate or just the hash) then require that the form of the
// certificate matches the current configuration.
((sk_CRYPTO_BUFFER_num(session->certs) == 0 &&
!session->peer_sha256_valid) ||
session->peer_sha256_valid ==
ssl->retain_only_sha256_of_client_certs);
}

/* ssl_lookup_session looks up |session_id| in the session cache and sets
* |*out_session| to an |SSL_SESSION| object if found. */
// ssl_lookup_session looks up |session_id| in the session cache and sets
// |*out_session| to an |SSL_SESSION| object if found.
static enum ssl_hs_wait_t ssl_lookup_session(
SSL *ssl, UniquePtr<SSL_SESSION> *out_session, const uint8_t *session_id,
size_t session_id_len) {
@@ -670,7 +670,7 @@ static enum ssl_hs_wait_t ssl_lookup_session(
}

UniquePtr<SSL_SESSION> session;
/* Try the internal cache, if it exists. */
// Try the internal cache, if it exists.
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data;
@@ -681,14 +681,14 @@ static enum ssl_hs_wait_t ssl_lookup_session(
CRYPTO_MUTEX_lock_read(&ssl->session_ctx->lock);
session.reset(lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data));
if (session) {
/* |lh_SSL_SESSION_retrieve| returns a non-owning pointer. */
// |lh_SSL_SESSION_retrieve| returns a non-owning pointer.
SSL_SESSION_up_ref(session.get());
}
/* TODO(davidben): This should probably move it to the front of the list. */
// TODO(davidben): This should probably move it to the front of the list.
CRYPTO_MUTEX_unlock_read(&ssl->session_ctx->lock);
}

/* Fall back to the external cache, if it exists. */
// Fall back to the external cache, if it exists.
if (!session && ssl->session_ctx->get_session_cb != NULL) {
int copy = 1;
session.reset(ssl->session_ctx->get_session_cb(ssl, (uint8_t *)session_id,
@@ -703,15 +703,15 @@ static enum ssl_hs_wait_t ssl_lookup_session(
return ssl_hs_pending_session;
}

/* Increment reference count now if the session callback asks us to do so
* (note that if the session structures returned by the callback are shared
* between threads, it must handle the reference count itself [i.e. copy ==
* 0], or things won't be thread-safe). */
// Increment reference count now if the session callback asks us to do so
// (note that if the session structures returned by the callback are shared
// between threads, it must handle the reference count itself [i.e. copy ==
// 0], or things won't be thread-safe).
if (copy) {
SSL_SESSION_up_ref(session.get());
}

/* Add the externally cached session to the internal cache if necessary. */
// Add the externally cached session to the internal cache if necessary.
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
SSL_CTX_add_session(ssl->session_ctx, session.get());
@@ -719,7 +719,7 @@ static enum ssl_hs_wait_t ssl_lookup_session(
}

if (session && !ssl_session_is_time_valid(ssl, session.get())) {
/* The session was from the cache, so remove it. */
// The session was from the cache, so remove it.
SSL_CTX_remove_session(ssl->session_ctx, session.get());
session.reset();
}
@@ -733,12 +733,12 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl,
int *out_tickets_supported,
int *out_renew_ticket,
const SSL_CLIENT_HELLO *client_hello) {
/* This is used only by servers. */
// This is used only by servers.
assert(ssl->server);
UniquePtr<SSL_SESSION> session;
int renew_ticket = 0;

/* If tickets are disabled, always behave as if no tickets are present. */
// If tickets are disabled, always behave as if no tickets are present.
const uint8_t *ticket = NULL;
size_t ticket_len = 0;
const int tickets_supported =
@@ -761,7 +761,7 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl,
return ssl_hs_pending_ticket;
}
} else {
/* The client didn't send a ticket, so the session ID is a real ID. */
// The client didn't send a ticket, so the session ID is a real ID.
enum ssl_hs_wait_t lookup_ret = ssl_lookup_session(
ssl, &session, client_hello->session_id, client_hello->session_id_len);
if (lookup_ret != ssl_hs_ok) {
@@ -817,16 +817,16 @@ void ssl_set_session(SSL *ssl, SSL_SESSION *session) {
}
}

/* locked by SSL_CTX in the calling function */
// locked by SSL_CTX in the calling function
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) {
if (session->next == NULL || session->prev == NULL) {
return;
}

if (session->next == (SSL_SESSION *)&ctx->session_cache_tail) {
/* last element in list */
// last element in list
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {
/* only one element in list */
// only one element in list
ctx->session_cache_head = NULL;
ctx->session_cache_tail = NULL;
} else {
@@ -835,10 +835,10 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) {
}
} else {
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {
/* first element in list */
// first element in list
ctx->session_cache_head = session->next;
session->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);
} else { /* middle of list */
} else { // middle of list
session->next->prev = session->prev;
session->prev->next = session->next;
}
@@ -913,7 +913,7 @@ uint32_t SSL_SESSION_get_timeout(const SSL_SESSION *session) {

uint64_t SSL_SESSION_get_time(const SSL_SESSION *session) {
if (session == NULL) {
/* NULL should crash, but silently accept it here for compatibility. */
// NULL should crash, but silently accept it here for compatibility.
return 0;
}
return session->time;
@@ -925,7 +925,7 @@ X509 *SSL_SESSION_get0_peer(const SSL_SESSION *session) {

size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
size_t max_out) {
/* TODO(davidben): Fix master_key_length's type and remove these casts. */
// TODO(davidben): Fix master_key_length's type and remove these casts.
if (max_out == 0) {
return (size_t)session->master_key_length;
}
@@ -974,9 +974,9 @@ SSL_SESSION *SSL_magic_pending_session_ptr(void) {
}

SSL_SESSION *SSL_get_session(const SSL *ssl) {
/* Once the handshake completes we return the established session. Otherwise
* we return the intermediate session, either |session| (for resumption) or
* |new_session| if doing a full handshake. */
// Once the handshake completes we return the established session. Otherwise
// we return the intermediate session, either |session| (for resumption) or
// |new_session| if doing a full handshake.
if (!SSL_in_init(ssl)) {
return ssl->s3->established_session;
}
@@ -1019,8 +1019,8 @@ void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx) {
}

int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) {
/* Although |session| is inserted into two structures (a doubly-linked list
* and the hash table), |ctx| only takes one reference. */
// Although |session| is inserted into two structures (a doubly-linked list
// and the hash table), |ctx| only takes one reference.
SSL_SESSION_up_ref(session);

SSL_SESSION *old_session;
@@ -1033,21 +1033,21 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) {

if (old_session != NULL) {
if (old_session == session) {
/* |session| was already in the cache. */
// |session| was already in the cache.
CRYPTO_MUTEX_unlock_write(&ctx->lock);
SSL_SESSION_free(old_session);
return 0;
}

/* There was a session ID collision. |old_session| must be removed from
* the linked list and released. */
// There was a session ID collision. |old_session| must be removed from
// the linked list and released.
SSL_SESSION_list_remove(ctx, old_session);
SSL_SESSION_free(old_session);
}

SSL_SESSION_list_add(ctx, session);

/* Enforce any cache size limits. */
// Enforce any cache size limits.
if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) {
if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) {
@@ -1065,7 +1065,7 @@ int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session) {
}

int SSL_set_session(SSL *ssl, SSL_SESSION *session) {
/* SSL_set_session may only be called before the handshake has started. */
// SSL_set_session may only be called before the handshake has started.
if (ssl->s3->initial_handshake_complete ||
ssl->s3->hs == NULL ||
ssl->s3->hs->state != 0) {
@@ -1081,7 +1081,7 @@ uint32_t SSL_CTX_set_timeout(SSL_CTX *ctx, uint32_t timeout) {
return 0;
}

/* Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|. */
// Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|.
if (timeout == 0) {
timeout = SSL_DEFAULT_SESSION_TIMEOUT;
}
@@ -1115,9 +1115,8 @@ static void timeout_doall_arg(SSL_SESSION *session, void *void_param) {
if (param->time == 0 ||
session->time + session->timeout < session->time ||
param->time > (session->time + session->timeout)) {
/* timeout */
/* The reason we don't call SSL_CTX_remove_session() is to
* save on locking overhead */
// The reason we don't call SSL_CTX_remove_session() is to
// save on locking overhead
(void) lh_SSL_SESSION_delete(param->cache, session);
SSL_SESSION_list_remove(param->ctx, session);
if (param->ctx->remove_session_cb != NULL) {


+ 14
- 14
ssl/ssl_test.cc Visa fil

@@ -40,7 +40,7 @@
#include "../crypto/test/test_util.h"

#if defined(OPENSSL_WINDOWS)
/* Windows defines struct timeval in winsock2.h. */
// Windows defines struct timeval in winsock2.h.
OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
OPENSSL_MSVC_PRAGMA(warning(pop))
@@ -1538,9 +1538,9 @@ static bool ConnectClientAndServer(bssl::UniquePtr<SSL> *out_client,
return true;
}

/* SSLVersionTest executes its test cases under all available protocol versions.
* Test cases call |Connect| to create a connection using context objects with
* the protocol version fixed to the current version under test. */
// SSLVersionTest executes its test cases under all available protocol versions.
// Test cases call |Connect| to create a connection using context objects with
// the protocol version fixed to the current version under test.
class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
protected:
SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
@@ -2192,7 +2192,7 @@ static bssl::UniquePtr<SSL_SESSION> ExpectSessionRenewed(SSL_CTX *client_ctx,
static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
bool changed) {
uint8_t new_key[kTicketKeyLen];
/* May return 0, 1 or 48. */
// May return 0, 1 or 48.
ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
if (changed) {
ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
@@ -2493,8 +2493,8 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
g_current_time.tv_sec = kStartTime;
uint8_t ticket_key[kTicketKeyLen];

/* We use session reuse as a proxy for ticket decryption success, hence
* disable session timeouts. */
// We use session reuse as a proxy for ticket decryption success, hence
// disable session timeouts.
SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
std::numeric_limits<uint32_t>::max());
@@ -2505,11 +2505,11 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);

/* Initialize ticket_key with the current key. */
// Initialize ticket_key with the current key.
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));

/* Verify ticket resumption actually works. */
// Verify ticket resumption actually works.
bssl::UniquePtr<SSL> client, server;
bssl::UniquePtr<SSL_SESSION> session =
CreateClientSession(client_ctx_.get(), server_ctx_.get());
@@ -2517,21 +2517,21 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));

/* Advance time to just before key rotation. */
// Advance time to just before key rotation.
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
false /* NOT changed */));

/* Force key rotation. */
// Force key rotation.
g_current_time.tv_sec += 1;
bssl::UniquePtr<SSL_SESSION> new_session =
CreateClientSession(client_ctx_.get(), server_ctx_.get());
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));

/* Resumption with both old and new ticket should work. */
// Resumption with both old and new ticket should work.
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
@@ -2539,14 +2539,14 @@ TEST_P(SSLVersionTest, DefaultTicketKeyRotation) {
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
false /* NOT changed */));

/* Force key rotation again. Resumption with the old ticket now fails. */
// Force key rotation again. Resumption with the old ticket now fails.
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), false /* NOT reused */));
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));

/* But resumption with the newer session still works. */
// But resumption with the newer session still works.
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
new_session.get(), true /* reused */));
}


+ 9
- 9
ssl/ssl_transcript.cc Visa fil

@@ -167,8 +167,8 @@ bool SSLTranscript::Init() {
return true;
}

/* InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then
* writes the data in |buf| to it. */
// InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then
// writes the data in |buf| to it.
static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md,
const BUF_MEM *buf) {
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
@@ -181,9 +181,9 @@ static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md,
bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {
const EVP_MD *md = ssl_get_handshake_digest(version, cipher);

/* To support SSL 3.0's Finished and CertificateVerify constructions,
* EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
* we can simplify this. */
// To support SSL 3.0's Finished and CertificateVerify constructions,
// EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
// we can simplify this.
if (md == EVP_md5_sha1()) {
if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) {
return false;
@@ -210,8 +210,8 @@ const EVP_MD *SSLTranscript::Digest() const {
}

bool SSLTranscript::Update(const uint8_t *in, size_t in_len) {
/* Depending on the state of the handshake, either the handshake buffer may be
* active, the rolling hash, or both. */
// Depending on the state of the handshake, either the handshake buffer may be
// active, the rolling hash, or both.
if (buffer_) {
size_t new_len = buffer_->length + in_len;
if (new_len < in_len) {
@@ -351,8 +351,8 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
return true;
}

/* At this point, the handshake should have released the handshake buffer on
* its own. */
// At this point, the handshake should have released the handshake buffer on
// its own.
assert(!buffer_);

const char *label = TLS_MD_CLIENT_FINISH_CONST;


+ 32
- 32
ssl/ssl_versions.cc Visa fil

@@ -41,7 +41,7 @@ int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
return 1;

case DTLS1_VERSION:
/* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */
// DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
*out = TLS1_1_VERSION;
return 1;

@@ -54,8 +54,8 @@ int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
}
}

/* The follow arrays are the supported versions for TLS and DTLS, in order of
* decreasing preference. */
// The follow arrays are the supported versions for TLS and DTLS, in order of
// decreasing preference.

static const uint16_t kTLSVersions[] = {
TLS1_3_EXPERIMENT_VERSION,
@@ -98,9 +98,9 @@ static int method_supports_version(const SSL_PROTOCOL_METHOD *method,

static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
/* The public API uses wire versions, except we use |TLS1_3_VERSION|
* everywhere to refer to any draft TLS 1.3 versions. In this direction, we
* map it to some representative TLS 1.3 draft version. */
// The public API uses wire versions, except we use |TLS1_3_VERSION|
// everywhere to refer to any draft TLS 1.3 versions. In this direction, we
// map it to some representative TLS 1.3 draft version.
if (version == TLS1_3_DRAFT_VERSION ||
version == TLS1_3_EXPERIMENT_VERSION ||
version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
@@ -122,9 +122,9 @@ static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,

static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
/* Zero is interpreted as the default minimum version. */
// Zero is interpreted as the default minimum version.
if (version == 0) {
/* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */
// SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS.
*out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
return 1;
}
@@ -134,7 +134,7 @@ static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,

static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
/* Zero is interpreted as the default maximum version. */
// Zero is interpreted as the default maximum version.
if (version == 0) {
*out = TLS1_2_VERSION;
return 1;
@@ -156,8 +156,8 @@ const struct {

int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
uint16_t *out_max_version) {
/* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
* DTLS 1.0 should be mapped to TLS 1.1. */
// For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
// DTLS 1.0 should be mapped to TLS 1.1.
uint32_t options = ssl->options;
if (SSL_is_dtls(ssl)) {
options &= ~SSL_OP_NO_TLSv1_1;
@@ -169,19 +169,19 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
uint16_t min_version = ssl->conf_min_version;
uint16_t max_version = ssl->conf_max_version;

/* OpenSSL's API for controlling versions entails blacklisting individual
* protocols. This has two problems. First, on the client, the protocol can
* only express a contiguous range of versions. Second, a library consumer
* trying to set a maximum version cannot disable protocol versions that get
* added in a future version of the library.
*
* To account for both of these, OpenSSL interprets the client-side bitmask
* as a min/max range by picking the lowest contiguous non-empty range of
* enabled protocols. Note that this means it is impossible to set a maximum
* version of the higest supported TLS version in a future-proof way. */
// OpenSSL's API for controlling versions entails blacklisting individual
// protocols. This has two problems. First, on the client, the protocol can
// only express a contiguous range of versions. Second, a library consumer
// trying to set a maximum version cannot disable protocol versions that get
// added in a future version of the library.
//
// To account for both of these, OpenSSL interprets the client-side bitmask
// as a min/max range by picking the lowest contiguous non-empty range of
// enabled protocols. Note that this means it is impossible to set a maximum
// version of the higest supported TLS version in a future-proof way.
int any_enabled = 0;
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
/* Only look at the versions already enabled. */
// Only look at the versions already enabled.
if (min_version > kProtocolVersions[i].version) {
continue;
}
@@ -190,7 +190,7 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
}

if (!(options & kProtocolVersions[i].flag)) {
/* The minimum version is the first enabled version. */
// The minimum version is the first enabled version.
if (!any_enabled) {
any_enabled = 1;
min_version = kProtocolVersions[i].version;
@@ -198,8 +198,8 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
continue;
}

/* If there is a disabled version after the first enabled one, all versions
* after it are implicitly disabled. */
// If there is a disabled version after the first enabled one, all versions
// after it are implicitly disabled.
if (any_enabled) {
max_version = kProtocolVersions[i-1].version;
break;
@@ -217,7 +217,7 @@ int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
}

static uint16_t ssl_version(const SSL *ssl) {
/* In early data, we report the predicted version. */
// In early data, we report the predicted version.
if (SSL_in_early_data(ssl) && !ssl->server) {
return ssl->s3->hs->early_session->ssl_version;
}
@@ -226,7 +226,7 @@ static uint16_t ssl_version(const SSL *ssl) {

static const char *ssl_version_to_string(uint16_t version) {
switch (version) {
/* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
// Report TLS 1.3 draft version as TLS 1.3 in the public API.
case TLS1_3_DRAFT_VERSION:
case TLS1_3_EXPERIMENT_VERSION:
case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION:
@@ -259,7 +259,7 @@ uint16_t ssl3_protocol_version(const SSL *ssl) {
assert(ssl->s3->have_version);
uint16_t version;
if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
/* |ssl->version| will always be set to a valid version. */
// |ssl->version| will always be set to a valid version.
assert(0);
return 0;
}
@@ -269,9 +269,9 @@ uint16_t ssl3_protocol_version(const SSL *ssl) {

int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
SSL *const ssl = hs->ssl;
/* As a client, only allow the configured TLS 1.3 variant. As a server,
* support all TLS 1.3 variants as long as tls13_variant is set to a
* non-default value. */
// As a client, only allow the configured TLS 1.3 variant. As a server,
// support all TLS 1.3 variants as long as tls13_variant is set to a
// non-default value.
if (ssl->server) {
if (ssl->tls13_variant == tls13_default &&
(version == TLS1_3_EXPERIMENT_VERSION ||
@@ -363,7 +363,7 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version) {

int SSL_version(const SSL *ssl) {
uint16_t ret = ssl_version(ssl);
/* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
// Report TLS 1.3 draft version as TLS 1.3 in the public API.
if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION ||
ret == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
return TLS1_3_VERSION;


+ 40
- 40
ssl/ssl_x509.cc Visa fil

@@ -157,21 +157,21 @@

namespace bssl {

/* check_ssl_x509_method asserts that |ssl| has the X509-based method
* installed. Calling an X509-based method on an |ssl| with a different method
* will likely misbehave and possibly crash or leak memory. */
// check_ssl_x509_method asserts that |ssl| has the X509-based method
// installed. Calling an X509-based method on an |ssl| with a different method
// will likely misbehave and possibly crash or leak memory.
static void check_ssl_x509_method(const SSL *ssl) {
assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method);
}

/* check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
* |SSL_CTX|. */
// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
// |SSL_CTX|.
static void check_ssl_ctx_x509_method(const SSL_CTX *ctx) {
assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method);
}

/* x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
* contents of |x509|. */
// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
// contents of |x509|.
static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) {
uint8_t *buf = NULL;
int cert_len = i2d_X509(x509, &buf);
@@ -185,7 +185,7 @@ static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) {
return buffer;
}

/* new_leafless_chain returns a fresh stack of buffers set to {NULL}. */
// new_leafless_chain returns a fresh stack of buffers set to {NULL}.
static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
if (chain == NULL) {
@@ -200,10 +200,10 @@ static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
return chain;
}

/* ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
* forms of elements of |chain|. It returns one on success or zero on error, in
* which case no change to |cert->chain| is made. It preverses the existing
* leaf from |cert->chain|, if any. */
// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
// forms of elements of |chain|. It returns one on success or zero on error, in
// which case no change to |cert->chain| is made. It preverses the existing
// leaf from |cert->chain|, if any.
static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain;

@@ -217,7 +217,7 @@ static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
if (!sk_CRYPTO_BUFFER_push(new_chain.get(), leaf)) {
return 0;
}
/* |leaf| might be NULL if it's a “leafless” chain. */
// |leaf| might be NULL if it's a “leafless” chain.
if (leaf != NULL) {
CRYPTO_BUFFER_up_ref(leaf);
}
@@ -439,13 +439,13 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
return 0;
}

/* We need to inherit the verify parameters. These can be determined by the
* context: if its a server it will verify SSL client certificates or vice
* versa. */
// We need to inherit the verify parameters. These can be determined by the
// context: if its a server it will verify SSL client certificates or vice
// versa.
X509_STORE_CTX_set_default(ctx.get(),
ssl->server ? "ssl_client" : "ssl_server");

/* Anything non-default in "param" should overwrite anything in the ctx. */
// Anything non-default in "param" should overwrite anything in the ctx.
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param);

if (ssl->verify_callback) {
@@ -462,7 +462,7 @@ static int ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,

session->verify_result = ctx->error;

/* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
// If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
*out_alert = ssl_verify_alarm_type(ctx->error);
return 0;
@@ -497,8 +497,8 @@ static void ssl_crypto_x509_ssl_free(SSL *ssl) {
}

static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) {
/* Only build a chain if there are no intermediates configured and the feature
* isn't disabled. */
// Only build a chain if there are no intermediates configured and the feature
// isn't disabled.
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
!ssl_has_certificate(ssl) ||
ssl->cert->chain == NULL ||
@@ -519,11 +519,11 @@ static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) {
return 0;
}

/* Attempt to build a chain, ignoring the result. */
// Attempt to build a chain, ignoring the result.
X509_verify_cert(ctx.get());
ERR_clear_error();

/* Remove the leaf from the generated chain. */
// Remove the leaf from the generated chain.
X509_free(sk_X509_shift(ctx->chain));

if (!ssl_cert_set_chain(ssl->cert, ctx->chain)) {
@@ -605,8 +605,8 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl) {
return session->x509_chain;
}

/* OpenSSL historically didn't include the leaf certificate in the returned
* certificate chain, but only for servers. */
// OpenSSL historically didn't include the leaf certificate in the returned
// certificate chain, but only for servers.
if (session->x509_chain_without_leaf == NULL) {
session->x509_chain_without_leaf = sk_X509_new_null();
if (session->x509_chain_without_leaf == NULL) {
@@ -800,8 +800,8 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {
return ssl_use_certificate(ctx->cert, x);
}

/* ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
* first element of |cert->chain|. */
// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
// first element of |cert->chain|.
static int ssl_cert_cache_leaf_cert(CERT *cert) {
assert(cert->x509_method);

@@ -963,8 +963,8 @@ int SSL_clear_chain_certs(SSL *ssl) {
return SSL_set0_chain(ssl, NULL);
}

/* ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
* |cert->chain|. */
// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
// |cert->chain|.
static int ssl_cert_cache_chain_certs(CERT *cert) {
assert(cert->x509_method);

@@ -1140,11 +1140,11 @@ static STACK_OF(X509_NAME) *

STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
check_ssl_x509_method(ssl);
/* For historical reasons, this function is used both to query configuration
* state on a server as well as handshake state on a client. However, whether
* |ssl| is a client or server is not known until explicitly configured with
* |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an
* indeterminate mode and |ssl->server| is unset. */
// For historical reasons, this function is used both to query configuration
// state on a server as well as handshake state on a client. However, whether
// |ssl| is a client or server is not known until explicitly configured with
// |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an
// indeterminate mode and |ssl->server| is unset.
if (ssl->do_handshake != NULL && !ssl->server) {
if (ssl->s3->hs != NULL) {
return buffer_names_to_x509(ssl->s3->hs->ca_names.get(),
@@ -1163,8 +1163,8 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {

STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
check_ssl_ctx_x509_method(ctx);
/* This is a logically const operation that may be called on multiple threads,
* so it needs to lock around updating |cached_x509_client_CA|. */
// This is a logically const operation that may be called on multiple threads,
// so it needs to lock around updating |cached_x509_client_CA|.
CRYPTO_MUTEX_lock_write((CRYPTO_MUTEX *) &ctx->lock);
STACK_OF(X509_NAME) *ret = buffer_names_to_x509(
ctx->client_CA, (STACK_OF(X509_NAME) **)&ctx->cached_x509_client_CA);
@@ -1259,7 +1259,7 @@ void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl,
X509 **out_x509,
EVP_PKEY **out_pkey)) {
check_ssl_ctx_x509_method(ctx);
/* Emulate the old client certificate callback with the new one. */
// Emulate the old client certificate callback with the new one.
SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);
ctx->client_cert_cb = cb;
}
@@ -1277,10 +1277,10 @@ static int set_cert_store(X509_STORE **store_ptr, X509_STORE *new_store,
}

int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
/* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
* reserved app_data slot. Before ex_data was introduced, app_data was used.
* Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
* works. */
// The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
// reserved app_data slot. Before ex_data was introduced, app_data was used.
// Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
// works.
return 0;
}



+ 22
- 22
ssl/t1_enc.cc Visa fil

@@ -154,10 +154,10 @@

namespace bssl {

/* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
* section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
* |secret| as the secret. |seed1| through |seed3| are concatenated to form the
* seed parameter. It returns one on success and zero on failure. */
// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
// |secret| as the secret. |seed1| through |seed3| are concatenated to form the
// seed parameter. It returns one on success and zero on failure.
static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,
const uint8_t *secret, size_t secret_len,
const uint8_t *seed1, size_t seed1_len,
@@ -184,7 +184,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,
uint8_t hmac[EVP_MAX_MD_SIZE];
if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
!HMAC_Update(ctx.get(), A1, A1_len) ||
/* Save a copy of |ctx| to compute the next A1 value below. */
// Save a copy of |ctx| to compute the next A1 value below.
(out_len > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) ||
!HMAC_Update(ctx.get(), seed1, seed1_len) ||
!HMAC_Update(ctx.get(), seed2, seed2_len) ||
@@ -194,7 +194,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,
}
assert(len == chunk);

/* XOR the result into |out|. */
// XOR the result into |out|.
if (len > out_len) {
len = out_len;
}
@@ -209,7 +209,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,
break;
}

/* Calculate the next A1 value. */
// Calculate the next A1 value.
if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) {
goto err;
}
@@ -233,8 +233,8 @@ int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len,
OPENSSL_memset(out, 0, out_len);

if (digest == EVP_md5_sha1()) {
/* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and
* MD5, MD5 first. */
// If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and
// MD5, MD5 first.
size_t secret_half = secret_len - (secret_len / 2);
if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half,
(const uint8_t *)label, label_len, seed1, seed1_len, seed2,
@@ -242,7 +242,7 @@ int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len,
return 0;
}

/* Note that, if |secret_len| is odd, the two halves share a byte. */
// Note that, if |secret_len| is odd, the two halves share a byte.
secret = secret + (secret_len - secret_half);
secret_len = secret_half;

@@ -272,7 +272,7 @@ static int ssl3_prf(uint8_t *out, size_t out_len, const uint8_t *secret,
for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
k++;
if (k > sizeof(buf)) {
/* bug: 'buf' is too small for this ciphersuite */
// bug: 'buf' is too small for this ciphersuite
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -287,7 +287,7 @@ static int ssl3_prf(uint8_t *out, size_t out_len, const uint8_t *secret,
}
EVP_DigestUpdate(sha1.get(), buf, k);
EVP_DigestUpdate(sha1.get(), secret, secret_len);
/* |label| is ignored for SSLv3. */
// |label| is ignored for SSLv3.
if (seed1_len) {
EVP_DigestUpdate(sha1.get(), seed1, seed1_len);
}
@@ -338,9 +338,9 @@ static int tls1_setup_key_block(SSL_HANDSHAKE *hs) {
}
size_t key_len = EVP_AEAD_key_length(aead);
if (mac_secret_len > 0) {
/* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the
* key length reported by |EVP_AEAD_key_length| will include the MAC key
* bytes and initial implicit IV. */
// For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the
// key length reported by |EVP_AEAD_key_length| will include the MAC key
// bytes and initial implicit IV.
if (key_len < mac_secret_len + fixed_iv_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
@@ -377,17 +377,17 @@ static int tls1_setup_key_block(SSL_HANDSHAKE *hs) {

int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which) {
SSL *const ssl = hs->ssl;
/* Ensure the key block is set up. */
// Ensure the key block is set up.
if (!tls1_setup_key_block(hs)) {
return 0;
}

/* is_read is true if we have just read a ChangeCipherSpec message - i.e. we
* need to update the read cipherspec. Otherwise we have just written one. */
// is_read is true if we have just read a ChangeCipherSpec message - i.e. we
// need to update the read cipherspec. Otherwise we have just written one.
const char is_read = (which & SSL3_CC_READ) != 0;
/* use_client_keys is true if we wish to use the keys for the "client write"
* direction. This is the case if we're a client sending a ChangeCipherSpec,
* or a server reading a client's ChangeCipherSpec. */
// use_client_keys is true if we wish to use the keys for the "client write"
// direction. This is the case if we're a client sending a ChangeCipherSpec,
// or a server reading a client's ChangeCipherSpec.
const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||
which == SSL3_CHANGE_CIPHER_SERVER_READ;

@@ -506,7 +506,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
return 0;
}

/* Exporters may not be used in the middle of a renegotiation. */
// Exporters may not be used in the middle of a renegotiation.
if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
return 0;
}


+ 298
- 298
ssl/t1_lib.cc
Filskillnaden har hållits tillbaka eftersom den är för stor
Visa fil


+ 3
- 3
ssl/test/bssl_shim.cc Visa fil

@@ -1040,8 +1040,8 @@ static void MessageCallback(int is_write, int version, int content_type,
uint8_t type;
uint32_t msg_len;
if (!CBS_get_u8(&cbs, &type) ||
/* TODO(davidben): Reporting on entire messages would be more
* consistent than fragments. */
// TODO(davidben): Reporting on entire messages would be more
// consistent than fragments.
(config->is_dtls &&
!CBS_skip(&cbs, 3 /* total */ + 2 /* seq */ + 3 /* frag_off */)) ||
!CBS_get_u24(&cbs, &msg_len) ||
@@ -2421,7 +2421,7 @@ int main(int argc, char **argv) {
StderrDelimiter delimiter;

#if defined(OPENSSL_WINDOWS)
/* Initialize Winsock. */
// Initialize Winsock.
WORD wsa_version = MAKEWORD(2, 2);
WSADATA wsa_data;
int wsa_err = WSAStartup(wsa_version, &wsa_data);


+ 22
- 22
ssl/tls13_both.cc Visa fil

@@ -32,9 +32,9 @@

namespace bssl {

/* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
* processed. Without this limit an attacker could force unbounded processing
* without being able to return application data. */
// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
// processed. Without this limit an attacker could force unbounded processing
// without being able to return application data.
static const uint8_t kMaxKeyUpdates = 32;

int tls13_get_cert_verify_signature_input(
@@ -56,7 +56,7 @@ int tls13_get_cert_verify_signature_input(
const uint8_t *context;
size_t context_len;
if (cert_verify_context == ssl_cert_verify_server) {
/* Include the NUL byte. */
// Include the NUL byte.
static const char kContext[] = "TLS 1.3, server CertificateVerify";
context = (const uint8_t *)kContext;
context_len = sizeof(kContext);
@@ -130,15 +130,15 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return 0;
}
/* TLS 1.3 always uses certificate keys for signing thus the correct
* keyUsage is enforced. */
// TLS 1.3 always uses certificate keys for signing thus the correct
// keyUsage is enforced.
if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return 0;
}

if (retain_sha256) {
/* Retain the hash of the leaf certificate if requested. */
// Retain the hash of the leaf certificate if requested.
SHA256(CBS_data(&certificate), CBS_len(&certificate),
hs->new_session->peer_sha256);
}
@@ -153,7 +153,7 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
return 0;
}

/* Parse out the extensions. */
// Parse out the extensions.
int have_status_request = 0, have_sct = 0;
CBS status_request, sct;
const SSL_EXTENSION_TYPE ext_types[] = {
@@ -169,8 +169,8 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
return 0;
}

/* All Certificate extensions are parsed, but only the leaf extensions are
* stored. */
// All Certificate extensions are parsed, but only the leaf extensions are
// stored.
if (have_status_request) {
if (ssl->server || !ssl->ocsp_stapling_enabled) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
@@ -225,8 +225,8 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
}
}

/* Store a null certificate list rather than an empty one if the peer didn't
* send certificates. */
// Store a null certificate list rather than an empty one if the peer didn't
// send certificates.
if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
certs.reset();
}
@@ -249,11 +249,11 @@ int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
return 0;
}

/* OpenSSL returns X509_V_OK when no certificates are requested. This is
* classed by them as a bug, but it's assumed by at least NGINX. */
// OpenSSL returns X509_V_OK when no certificates are requested. This is
// classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;

/* No certificate, so nothing more to do. */
// No certificate, so nothing more to do.
return 1;
}

@@ -347,7 +347,7 @@ int tls13_add_certificate(SSL_HANDSHAKE *hs) {
ScopedCBB cbb;
CBB body, certificate_list;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||
/* The request context is always empty in the handshake. */
// The request context is always empty in the handshake.
!CBB_add_u8(&body, 0) ||
!CBB_add_u24_length_prefixed(&body, &certificate_list)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -430,7 +430,7 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
return ssl_private_key_failure;
}

/* Sign the digest. */
// Sign the digest.
CBB child;
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *sig;
@@ -503,7 +503,7 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
return 0;
}

/* Acknowledge the KeyUpdate */
// Acknowledge the KeyUpdate
if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&
!ssl->s3->key_update_pending) {
ScopedCBB cbb;
@@ -516,10 +516,10 @@ static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
return 0;
}

/* Suppress KeyUpdate acknowledgments until this change is written to the
* wire. This prevents us from accumulating write obligations when read and
* write progress at different rates. See draft-ietf-tls-tls13-18, section
* 4.5.3. */
// Suppress KeyUpdate acknowledgments until this change is written to the
// wire. This prevents us from accumulating write obligations when read and
// write progress at different rates. See draft-ietf-tls-tls13-18, section
// 4.5.3.
ssl->s3->key_update_pending = 1;
}



+ 35
- 35
ssl/tls13_client.cc Visa fil

@@ -66,7 +66,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
uint16_t server_version;
if (!CBS_get_u16(&body, &server_version) ||
!CBS_get_u16_length_prefixed(&body, &extensions) ||
/* HelloRetryRequest may not be empty. */
// HelloRetryRequest may not be empty.
CBS_len(&extensions) == 0 ||
CBS_len(&body) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -112,7 +112,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* The group must be supported. */
// The group must be supported.
const uint16_t *groups;
size_t groups_len;
tls1_get_grouplist(ssl, &groups, &groups_len);
@@ -130,8 +130,8 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Check that the HelloRetryRequest does not request the key share that
* was provided in the initial ClientHello. */
// Check that the HelloRetryRequest does not request the key share that
// was provided in the initial ClientHello.
if (hs->key_share->GroupID() == group_id) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
@@ -149,7 +149,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
ssl->method->next_message(ssl);
hs->received_hello_retry_request = 1;
hs->tls13_state = state_send_second_client_hello;
/* 0-RTT is rejected if we receive a HelloRetryRequest. */
// 0-RTT is rejected if we receive a HelloRetryRequest.
if (hs->in_early_data) {
return ssl_hs_early_data_rejected;
}
@@ -158,7 +158,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {

static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* Restore the null cipher. We may have switched due to 0-RTT. */
// Restore the null cipher. We may have switched due to 0-RTT.
bssl::UniquePtr<SSLAEADContext> null_ctx = SSLAEADContext::CreateNullCipher();
if (!null_ctx ||
!ssl->method->set_write_state(ssl, std::move(null_ctx)) ||
@@ -217,7 +217,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Check if the cipher is a TLS 1.3 cipher. */
// Check if the cipher is a TLS 1.3 cipher.
if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
@@ -225,7 +225,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Parse out the extensions. */
// Parse out the extensions.
int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0;
CBS key_share, pre_shared_key, supported_versions;
const SSL_EXTENSION_TYPE ext_types[] = {
@@ -243,8 +243,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* supported_versions is parsed in handshake_client to select the experimental
* TLS 1.3 version. */
// supported_versions is parsed in handshake_client to select the experimental
// TLS 1.3 version.
if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
@@ -278,7 +278,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
}

if (!ssl_session_is_context_valid(ssl, ssl->session)) {
/* This is actually a client application bug. */
// This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -286,7 +286,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
}

ssl->s3->session_reused = 1;
/* Only authentication information carries over in TLS 1.3. */
// Only authentication information carries over in TLS 1.3.
hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
if (!hs->new_session) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
@@ -294,7 +294,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
}
ssl_set_session(ssl, NULL);

/* Resumption incorporates fresh key material, so refresh the timeout. */
// Resumption incorporates fresh key material, so refresh the timeout.
ssl_session_renew_timeout(ssl, hs->new_session.get(),
ssl->session_ctx->session_psk_dhe_timeout);
} else if (!ssl_get_new_session(hs, 0)) {
@@ -305,12 +305,12 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
hs->new_session->cipher = cipher;
hs->new_cipher = cipher;

/* The PRF hash is now known. Set up the key schedule. */
// The PRF hash is now known. Set up the key schedule.
if (!tls13_init_key_schedule(hs)) {
return ssl_hs_error;
}

/* Incorporate the PSK into the running secret. */
// Incorporate the PSK into the running secret.
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
hs->new_session->master_key_length)) {
@@ -321,13 +321,13 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
}

if (!have_key_share) {
/* We do not support psk_ke and thus always require a key share. */
// We do not support psk_ke and thus always require a key share.
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
return ssl_hs_error;
}

/* Resolve ECDHE and incorporate it into the secret. */
// Resolve ECDHE and incorporate it into the secret.
uint8_t *dhe_secret;
size_t dhe_secret_len;
alert = SSL_AD_DECODE_ERROR;
@@ -363,8 +363,8 @@ static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
}

if (!hs->early_data_offered) {
/* If not sending early data, set client traffic keys now so that alerts are
* encrypted. */
// If not sending early data, set client traffic keys now so that alerts are
// encrypted.
if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
!ssl3_add_change_cipher_spec(ssl)) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
@@ -398,7 +398,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Store the negotiated ALPN in the session. */
// Store the negotiated ALPN in the session.
if (ssl->s3->alpn_selected != NULL) {
hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
@@ -437,7 +437,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {

static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* CertificateRequest may only be sent in non-resumption handshakes. */
// CertificateRequest may only be sent in non-resumption handshakes.
if (ssl->s3->session_reused) {
hs->tls13_state = state_read_server_finished;
return ssl_hs_ok;
@@ -448,7 +448,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
return ssl_hs_read_message;
}

/* CertificateRequest is optional. */
// CertificateRequest is optional.
if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
hs->tls13_state = state_read_server_certificate;
return ssl_hs_ok;
@@ -456,7 +456,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {

CBS body = msg.body, context, supported_signature_algorithms;
if (!CBS_get_u8_length_prefixed(&body, &context) ||
/* The request context is always empty during the handshake. */
// The request context is always empty during the handshake.
CBS_len(&context) != 0 ||
!CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) ||
CBS_len(&supported_signature_algorithms) == 0 ||
@@ -474,7 +474,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Ignore extensions. */
// Ignore extensions.
CBS extensions;
if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
CBS_len(&body) != 0) {
@@ -550,7 +550,7 @@ static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
!tls13_process_finished(hs, msg, 0 /* don't use saved value */) ||
!ssl_hash_message(hs, msg) ||
/* Update the secret to the master secret and derive traffic keys. */
// Update the secret to the master secret and derive traffic keys.
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
!tls13_derive_application_secrets(hs)) {
return ssl_hs_error;
@@ -588,13 +588,13 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;

/* The peer didn't request a certificate. */
// The peer didn't request a certificate.
if (!hs->cert_request) {
hs->tls13_state = state_complete_second_flight;
return ssl_hs_ok;
}

/* Call cert_cb to update the certificate. */
// Call cert_cb to update the certificate.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
@@ -619,7 +619,7 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* Don't send CertificateVerify if there is no certificate. */
// Don't send CertificateVerify if there is no certificate.
if (!ssl_has_certificate(ssl)) {
hs->tls13_state = state_complete_second_flight;
return ssl_hs_ok;
@@ -645,7 +645,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;

/* Send a Channel ID assertion if necessary. */
// Send a Channel ID assertion if necessary.
if (ssl->s3->tlsext_channel_id_valid) {
if (!ssl_do_channel_id_callback(ssl)) {
hs->tls13_state = state_complete_second_flight;
@@ -665,12 +665,12 @@ static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
}
}

/* Send a Finished message. */
// Send a Finished message.
if (!tls13_add_finished(hs)) {
return ssl_hs_error;
}

/* Derive the final keys and enable them. */
// Derive the final keys and enable them.
if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
hs->hash_len) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
@@ -804,13 +804,13 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
return 0;
}

/* Cap the renewable lifetime by the server advertised value. This avoids
* wasting bandwidth on 0-RTT when we know the server will reject it. */
// Cap the renewable lifetime by the server advertised value. This avoids
// wasting bandwidth on 0-RTT when we know the server will reject it.
if (session->timeout > server_timeout) {
session->timeout = server_timeout;
}

/* Parse out the extensions. */
// Parse out the extensions.
int have_early_data_info = 0;
CBS early_data_info;
const SSL_EXTENSION_TYPE ext_types[] = {
@@ -840,7 +840,7 @@ int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {

if (ssl->ctx->new_session_cb != NULL &&
ssl->ctx->new_session_cb(ssl, session.get())) {
/* |new_session_cb|'s return value signals that it took ownership. */
// |new_session_cb|'s return value signals that it took ownership.
session.release();
}



+ 15
- 15
ssl/tls13_enc.cc Visa fil

@@ -40,7 +40,7 @@ static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,

hs->hash_len = hs->transcript.DigestLen();

/* Initialize the secret to the zero key. */
// Initialize the secret to the zero key.
OPENSSL_memset(hs->secret, 0, hs->hash_len);

return 1;
@@ -96,9 +96,9 @@ static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest,
return ret;
}

/* derive_secret derives a secret of length |len| and writes the result in |out|
* with the given label and the current base secret and most recently-saved
* handshake context. It returns one on success and zero on error. */
// derive_secret derives a secret of length |len| and writes the result in |out|
// with the given label and the current base secret and most recently-saved
// handshake context. It returns one on success and zero on error.
static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
const uint8_t *label, size_t label_len) {
uint8_t context_hash[EVP_MAX_MD_SIZE];
@@ -123,7 +123,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
return 0;
}

/* Look up cipher suite properties. */
// Look up cipher suite properties.
const EVP_AEAD *aead;
size_t discard;
if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,
@@ -133,7 +133,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,

const EVP_MD *digest = SSL_SESSION_get_digest(session);

/* Derive the key. */
// Derive the key.
size_t key_len = EVP_AEAD_key_length(aead);
uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,
@@ -141,7 +141,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
return 0;
}

/* Derive the IV. */
// Derive the IV.
size_t iv_len = EVP_AEAD_nonce_length(aead);
uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];
if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len,
@@ -166,7 +166,7 @@ int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
}
}

/* Save the traffic secret. */
// Save the traffic secret.
if (direction == evp_aead_open) {
OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,
traffic_secret_len);
@@ -279,8 +279,8 @@ int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {

static const char kTLS13LabelFinished[] = "finished";

/* tls13_verify_data sets |out| to be the HMAC of |context| using a derived
* Finished key for both Finished messages and the PSK binder. */
// tls13_verify_data sets |out| to be the HMAC of |context| using a derived
// Finished key for both Finished messages and the PSK binder.
static int tls13_verify_data(const EVP_MD *digest, uint8_t *out,
size_t *out_len, const uint8_t *secret,
size_t hash_len, uint8_t *context,
@@ -401,15 +401,15 @@ int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
const SSLMessage &msg, CBS *binders) {
size_t hash_len = hs->transcript.DigestLen();

/* The message must be large enough to exclude the binders. */
// The message must be large enough to exclude the binders.
if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}

/* Hash a ClientHello prefix up to the binders. This includes the header. For
* now, this assumes we only ever verify PSK binders on initial
* ClientHellos. */
// Hash a ClientHello prefix up to the binders. This includes the header. For
// now, this assumes we only ever verify PSK binders on initial
// ClientHellos.
uint8_t context[EVP_MAX_MD_SIZE];
unsigned context_len;
if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,
@@ -422,7 +422,7 @@ int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
if (!tls13_psk_binder(verify_data, hs->transcript.Digest(),
session->master_key, session->master_key_length,
context, context_len, hash_len) ||
/* We only consider the first PSK, so compare against the first binder. */
// We only consider the first PSK, so compare against the first binder.
!CBS_get_u8_length_prefixed(binders, &binder)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;


+ 75
- 75
ssl/tls13_server.cc Visa fil

@@ -12,9 +12,9 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

/* Per C99, various stdint.h macros are unavailable in C++ unless some macros
* are defined. C++11 overruled this decision, but older Android NDKs still
* require it. */
// Per C99, various stdint.h macros are unavailable in C++ unless some macros
// are defined. C++11 overruled this decision, but older Android NDKs still
// require it.
#if !defined(__STDC_LIMIT_MACROS)
#define __STDC_LIMIT_MACROS
#endif
@@ -64,7 +64,7 @@ static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, int *out_need_retry,
SSL *const ssl = hs->ssl;
*out_need_retry = 0;

/* We only support connections that include an ECDHE key exchange. */
// We only support connections that include an ECDHE key exchange.
CBS key_share;
if (!ssl_client_hello_get_extension(client_hello, &key_share,
TLSEXT_TYPE_key_share)) {
@@ -127,7 +127,7 @@ static const SSL_CIPHER *choose_tls13_cipher(
return NULL;
}

/* Limit to TLS 1.3 ciphers we know about. */
// Limit to TLS 1.3 ciphers we know about.
const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
if (candidate == NULL ||
SSL_CIPHER_get_min_version(candidate) > version ||
@@ -135,8 +135,8 @@ static const SSL_CIPHER *choose_tls13_cipher(
continue;
}

/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
* ChaCha20 if we do not have AES hardware. */
// TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
// ChaCha20 if we do not have AES hardware.
if (aes_is_fine) {
return candidate;
}
@@ -155,12 +155,12 @@ static const SSL_CIPHER *choose_tls13_cipher(

static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
* the client makes several connections before getting a renewal. */
// TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
// the client makes several connections before getting a renewal.
static const int kNumTickets = 2;

/* Rebase the session timestamp so that it is measured from ticket
* issuance. */
// Rebase the session timestamp so that it is measured from ticket
// issuance.
ssl_session_rebase_time(ssl, hs->new_session.get());

for (int i = 0; i < kNumTickets; i++) {
@@ -194,7 +194,7 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
}
}

/* Add a fake extension. See draft-davidben-tls-grease-01. */
// Add a fake extension. See draft-davidben-tls-grease-01.
if (!CBB_add_u16(&extensions,
ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
!CBB_add_u16(&extensions, 0 /* empty */)) {
@@ -210,8 +210,8 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
}

static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
/* At this point, most ClientHello extensions have already been processed by
* the common handshake logic. Resolve the remaining non-PSK parameters. */
// At this point, most ClientHello extensions have already been processed by
// the common handshake logic. Resolve the remaining non-PSK parameters.
SSL *const ssl = hs->ssl;
SSLMessage msg;
if (!ssl->method->get_message(ssl, &msg)) {
@@ -228,7 +228,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
client_hello.session_id_len);
hs->session_id_len = client_hello.session_id_len;

/* Negotiate the cipher suite. */
// Negotiate the cipher suite.
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
if (hs->new_cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
@@ -236,16 +236,16 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
* deferred. Complete it now. */
// HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
// deferred. Complete it now.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}

/* The PRF hash is now known. Set up the key schedule and hash the
* ClientHello. */
// The PRF hash is now known. Set up the key schedule and hash the
// ClientHello.
if (!tls13_init_key_schedule(hs) ||
!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
@@ -262,7 +262,7 @@ static enum ssl_ticket_aead_result_t select_session(
SSL *const ssl = hs->ssl;
*out_session = NULL;

/* Decode the ticket if we agreed on a PSK key exchange mode. */
// Decode the ticket if we agreed on a PSK key exchange mode.
CBS pre_shared_key;
if (!hs->accept_psk_mode ||
!ssl_client_hello_get_extension(client_hello, &pre_shared_key,
@@ -270,8 +270,8 @@ static enum ssl_ticket_aead_result_t select_session(
return ssl_ticket_aead_ignore_ticket;
}

/* Verify that the pre_shared_key extension is the last extension in
* ClientHello. */
// Verify that the pre_shared_key extension is the last extension in
// ClientHello.
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
client_hello->extensions + client_hello->extensions_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
@@ -287,8 +287,8 @@ static enum ssl_ticket_aead_result_t select_session(
return ssl_ticket_aead_error;
}

/* TLS 1.3 session tickets are renewed separately as part of the
* NewSessionTicket. */
// TLS 1.3 session tickets are renewed separately as part of the
// NewSessionTicket.
int unused_renew;
UniquePtr<SSL_SESSION> session;
enum ssl_ticket_aead_result_t ret =
@@ -305,34 +305,34 @@ static enum ssl_ticket_aead_result_t select_session(
}

if (!ssl_session_is_resumable(hs, session.get()) ||
/* Historically, some TLS 1.3 tickets were missing ticket_age_add. */
// Historically, some TLS 1.3 tickets were missing ticket_age_add.
!session->ticket_age_add_valid) {
return ssl_ticket_aead_ignore_ticket;
}

/* Recover the client ticket age and convert to seconds. */
// Recover the client ticket age and convert to seconds.
client_ticket_age -= session->ticket_age_add;
client_ticket_age /= 1000;

struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);

/* Compute the server ticket age in seconds. */
// Compute the server ticket age in seconds.
assert(now.tv_sec >= session->time);
uint64_t server_ticket_age = now.tv_sec - session->time;

/* To avoid overflowing |hs->ticket_age_skew|, we will not resume
* 68-year-old sessions. */
// To avoid overflowing |hs->ticket_age_skew|, we will not resume
// 68-year-old sessions.
if (server_ticket_age > INT32_MAX) {
return ssl_ticket_aead_ignore_ticket;
}

/* TODO(davidben,svaldez): Measure this value to decide on tolerance. For
* now, accept all values. https://crbug.com/boringssl/113. */
// TODO(davidben,svaldez): Measure this value to decide on tolerance. For
// now, accept all values. https://crbug.com/boringssl/113.
*out_ticket_age_skew =
(int32_t)client_ticket_age - (int32_t)server_ticket_age;

/* Check the PSK binder. */
// Check the PSK binder.
if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
*out_alert = SSL_AD_DECRYPT_ERROR;
return ssl_ticket_aead_error;
@@ -368,21 +368,21 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
break;

case ssl_ticket_aead_success:
/* Carry over authentication information from the previous handshake into
* a fresh session. */
// Carry over authentication information from the previous handshake into
// a fresh session.
hs->new_session =
SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);

if (/* Early data must be acceptable for this ticket. */
if (// Early data must be acceptable for this ticket.
ssl->cert->enable_early_data &&
session->ticket_max_early_data != 0 &&
/* The client must have offered early data. */
// The client must have offered early data.
hs->early_data_offered &&
/* Channel ID is incompatible with 0-RTT. */
// Channel ID is incompatible with 0-RTT.
!ssl->s3->tlsext_channel_id_valid &&
/* Custom extensions is incompatible with 0-RTT. */
// Custom extensions is incompatible with 0-RTT.
hs->custom_extensions.received == 0 &&
/* The negotiated ALPN must match the one in the ticket. */
// The negotiated ALPN must match the one in the ticket.
ssl->s3->alpn_selected_len == session->early_alpn_len &&
OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn,
ssl->s3->alpn_selected_len) == 0) {
@@ -396,7 +396,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {

ssl->s3->session_reused = 1;

/* Resumption incorporates fresh key material, so refresh the timeout. */
// Resumption incorporates fresh key material, so refresh the timeout.
ssl_session_renew_timeout(ssl, hs->new_session.get(),
ssl->session_ctx->session_psk_dhe_timeout);
break;
@@ -410,7 +410,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
return ssl_hs_pending_ticket;
}

/* Record connection properties in the new session. */
// Record connection properties in the new session.
hs->new_session->cipher = hs->new_cipher;

if (hs->hostname != NULL) {
@@ -422,7 +422,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
}
}

/* Store the initial negotiated ALPN in the session. */
// Store the initial negotiated ALPN in the session.
if (ssl->s3->alpn_selected != NULL) {
hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
@@ -435,13 +435,13 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {

if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
/* Connection rejected for DOS reasons. */
// Connection rejected for DOS reasons.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}

/* Incorporate the PSK into the running secret. */
// Incorporate the PSK into the running secret.
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
hs->new_session->master_key_length)) {
@@ -459,7 +459,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
ssl->s3->skip_early_data = 1;
}

/* Resolve ECDHE and incorporate it into the secret. */
// Resolve ECDHE and incorporate it into the secret.
int need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
@@ -517,7 +517,7 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
int need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
/* Only send one HelloRetryRequest. */
// Only send one HelloRetryRequest.
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
}
@@ -541,7 +541,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
version = TLS1_2_VERSION;
}

/* Send a ServerHello. */
// Send a ServerHello.
ScopedCBB cbb;
CBB body, extensions, session_id;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
@@ -567,14 +567,14 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Derive and enable the handshake traffic secrets. */
// Derive and enable the handshake traffic secrets.
if (!tls13_derive_handshake_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
hs->hash_len)) {
return ssl_hs_error;
}

/* Send EncryptedExtensions. */
// Send EncryptedExtensions.
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_ENCRYPTED_EXTENSIONS) ||
!ssl_add_serverhello_tlsext(hs, &body) ||
@@ -583,16 +583,16 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
}

if (!ssl->s3->session_reused) {
/* Determine whether to request a client certificate. */
// Determine whether to request a client certificate.
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
/* Only request a certificate if Channel ID isn't negotiated. */
// Only request a certificate if Channel ID isn't negotiated.
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
ssl->s3->tlsext_channel_id_valid) {
hs->cert_request = 0;
}
}

/* Send a CertificateRequest, if necessary. */
// Send a CertificateRequest, if necessary.
if (hs->cert_request) {
CBB sigalgs_cbb;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
@@ -607,7 +607,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
}
}

/* Send the server Certificate message, if necessary. */
// Send the server Certificate message, if necessary.
if (!ssl->s3->session_reused) {
if (!ssl_has_certificate(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
@@ -647,7 +647,7 @@ static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!tls13_add_finished(hs) ||
/* Update the secret to the master secret and derive traffic keys. */
// Update the secret to the master secret and derive traffic keys.
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
!tls13_derive_application_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
@@ -656,10 +656,10 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
}

if (ssl->early_data_accepted) {
/* If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
* the wire sooner and also avoids triggering a write on |SSL_read| when
* processing the client Finished. This requires computing the client
* Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. */
// If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
// the wire sooner and also avoids triggering a write on |SSL_read| when
// processing the client Finished. This requires computing the client
// Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
size_t finished_len;
if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,
0 /* client */)) {
@@ -671,10 +671,10 @@ static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* Feed the predicted Finished into the transcript. This allows us to derive
* the resumption secret early and send half-RTT tickets.
*
* TODO(davidben): This will need to be updated for DTLS 1.3. */
// Feed the predicted Finished into the transcript. This allows us to derive
// the resumption secret early and send half-RTT tickets.
//
// TODO(davidben): This will need to be updated for DTLS 1.3.
assert(!SSL_is_dtls(hs->ssl));
assert(hs->hash_len <= 0xff);
uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0,
@@ -710,8 +710,8 @@ static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {

static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
hs->tls13_state = state_process_change_cipher_spec;
/* If early data was accepted, the ChangeCipherSpec message will be in the
* discarded early data. */
// If early data was accepted, the ChangeCipherSpec message will be in the
// discarded early data.
if (hs->early_data_offered && !hs->ssl->early_data_accepted) {
return ssl_hs_ok;
}
@@ -734,11 +734,11 @@ static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!hs->cert_request) {
/* OpenSSL returns X509_V_OK when no certificates are requested. This is
* classed by them as a bug, but it's assumed by at least NGINX. */
// OpenSSL returns X509_V_OK when no certificates are requested. This is
// classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;

/* Skip this state. */
// Skip this state.
hs->tls13_state = state_read_channel_id;
return ssl_hs_ok;
}
@@ -764,7 +764,7 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(
SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
/* Skip this state. */
// Skip this state.
hs->tls13_state = state_read_channel_id;
return ssl_hs_ok;
}
@@ -824,10 +824,10 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
/* If early data was accepted, we've already computed the client Finished
* and derived the resumption secret. */
// If early data was accepted, we've already computed the client Finished
// and derived the resumption secret.
!tls13_process_finished(hs, msg, ssl->early_data_accepted) ||
/* evp_aead_seal keys have already been switched. */
// evp_aead_seal keys have already been switched.
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
hs->hash_len)) {
return ssl_hs_error;
@@ -839,10 +839,10 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

/* We send post-handshake tickets as part of the handshake in 1-RTT. */
// We send post-handshake tickets as part of the handshake in 1-RTT.
hs->tls13_state = state_send_new_session_ticket;
} else {
/* We already sent half-RTT tickets. */
// We already sent half-RTT tickets.
hs->tls13_state = state_done;
}

@@ -851,8 +851,8 @@ static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
}

static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
* session ticket. */
// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
// session ticket.
if (!hs->accept_psk_mode) {
hs->tls13_state = state_done;
return ssl_hs_ok;


+ 10
- 10
ssl/tls_method.cc Visa fil

@@ -70,15 +70,15 @@ namespace bssl {
static int ssl3_supports_cipher(const SSL_CIPHER *cipher) { return 1; }

static void ssl3_on_handshake_complete(SSL *ssl) {
/* The handshake should have released its final message. */
// The handshake should have released its final message.
assert(!ssl->s3->has_message);

/* During the handshake, |init_buf| is retained. Release if it there is no
* excess in it.
*
* TODO(davidben): The second check is always true but will not be once we
* switch to copying the entire handshake record. Replace this comment with an
* explanation when that happens and a TODO to reject it. */
// During the handshake, |init_buf| is retained. Release if it there is no
// excess in it.
//
// TODO(davidben): The second check is always true but will not be once we
// switch to copying the entire handshake record. Replace this comment with an
// explanation when that happens and a TODO to reject it.
if (ssl->init_buf != NULL && ssl->init_buf->length == 0) {
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
@@ -87,7 +87,7 @@ static void ssl3_on_handshake_complete(SSL *ssl) {

static int ssl3_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
if (ssl->s3->rrec.length != 0) {
/* There may not be unprocessed record data at a cipher change. */
// There may not be unprocessed record data at a cipher change.
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
return 0;
@@ -212,7 +212,7 @@ const SSL_METHOD *TLS_with_buffers_method(void) {
return &kMethod;
}

/* Legacy version-locked methods. */
// Legacy version-locked methods.

const SSL_METHOD *TLSv1_2_method(void) {
static const SSL_METHOD kMethod = {
@@ -250,7 +250,7 @@ const SSL_METHOD *SSLv3_method(void) {
return &kMethod;
}

/* Legacy side-specific methods. */
// Legacy side-specific methods.

const SSL_METHOD *TLSv1_2_server_method(void) {
return TLSv1_2_method();


+ 55
- 55
ssl/tls_record.cc Visa fil

@@ -121,25 +121,25 @@

namespace bssl {

/* kMaxEmptyRecords is the number of consecutive, empty records that will be
* processed. Without this limit an attacker could send empty records at a
* faster rate than we can process and cause record processing to loop
* forever. */
// kMaxEmptyRecords is the number of consecutive, empty records that will be
// processed. Without this limit an attacker could send empty records at a
// faster rate than we can process and cause record processing to loop
// forever.
static const uint8_t kMaxEmptyRecords = 32;

/* kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
* will be skipped. Without this limit an attacker could send records at a
* faster rate than we can process and cause trial decryption to loop forever.
* This value should be slightly above kMaxEarlyDataAccepted, which is measured
* in plaintext. */
// kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
// will be skipped. Without this limit an attacker could send records at a
// faster rate than we can process and cause trial decryption to loop forever.
// This value should be slightly above kMaxEarlyDataAccepted, which is measured
// in plaintext.
static const size_t kMaxEarlyDataSkipped = 16384;

/* kMaxWarningAlerts is the number of consecutive warning alerts that will be
* processed. */
// kMaxWarningAlerts is the number of consecutive warning alerts that will be
// processed.
static const uint8_t kMaxWarningAlerts = 4;

/* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
* state needs record-splitting and zero otherwise. */
// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
// state needs record-splitting and zero otherwise.
static int ssl_needs_record_splitting(const SSL *ssl) {
#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
return !ssl->s3->aead_write_ctx->is_null_cipher() &&
@@ -195,7 +195,7 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
CBS cbs;
CBS_init(&cbs, in, in_len);

/* Decode the record header. */
// Decode the record header.
uint8_t type;
uint16_t version, ciphertext_len;
if (!CBS_get_u8(&cbs, &type) ||
@@ -207,14 +207,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,

int version_ok;
if (ssl->s3->aead_read_ctx->is_null_cipher()) {
/* Only check the first byte. Enforcing beyond that can prevent decoding
* version negotiation failure alerts. */
// Only check the first byte. Enforcing beyond that can prevent decoding
// version negotiation failure alerts.
version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
} else if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
/* Earlier versions of TLS switch the record version. */
// Earlier versions of TLS switch the record version.
version_ok = version == ssl->version;
} else {
/* Starting TLS 1.3, the version field is frozen at {3, 1}. */
// Starting TLS 1.3, the version field is frozen at {3, 1}.
version_ok = version == TLS1_VERSION;
}

@@ -224,14 +224,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
return ssl_open_record_error;
}

/* Check the ciphertext length. */
// Check the ciphertext length.
if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
return ssl_open_record_error;
}

/* Extract the body. */
// Extract the body.
CBS body;
if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {
*out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;
@@ -243,15 +243,15 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,

*out_consumed = in_len - CBS_len(&cbs);

/* Skip early data received when expecting a second ClientHello if we rejected
* 0RTT. */
// Skip early data received when expecting a second ClientHello if we rejected
// 0RTT.
if (ssl->s3->skip_early_data &&
ssl->s3->aead_read_ctx->is_null_cipher() &&
type == SSL3_RT_APPLICATION_DATA) {
goto skipped_data;
}

/* Decrypt the body in-place. */
// Decrypt the body in-place.
if (!ssl->s3->aead_read_ctx->Open(out, type, version, ssl->s3->read_sequence,
(uint8_t *)CBS_data(&body),
CBS_len(&body))) {
@@ -272,10 +272,10 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
return ssl_open_record_error;
}

/* TLS 1.3 hides the record type inside the encrypted data. */
// TLS 1.3 hides the record type inside the encrypted data.
if (!ssl->s3->aead_read_ctx->is_null_cipher() &&
ssl->s3->aead_read_ctx->version() >= TLS1_3_VERSION) {
/* The outer record type is always application_data. */
// The outer record type is always application_data.
if (type != SSL3_RT_APPLICATION_DATA) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -291,14 +291,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
} while (type == 0);
}

/* Check the plaintext length. */
// Check the plaintext length.
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
return ssl_open_record_error;
}

/* Limit the number of consecutive empty records. */
// Limit the number of consecutive empty records.
if (CBS_len(out) == 0) {
ssl->s3->empty_record_count++;
if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
@@ -306,14 +306,14 @@ enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
return ssl_open_record_error;
}
/* Apart from the limit, empty records are returned up to the caller. This
* allows the caller to reject records of the wrong type. */
// Apart from the limit, empty records are returned up to the caller. This
// allows the caller to reject records of the wrong type.
} else {
ssl->s3->empty_record_count = 0;
}

if (type == SSL3_RT_ALERT) {
/* Return end_of_early_data alerts as-is for the caller to process. */
// Return end_of_early_data alerts as-is for the caller to process.
if (CBS_len(out) == 2 &&
CBS_data(out)[0] == SSL3_AL_WARNING &&
CBS_data(out)[1] == TLS1_AD_END_OF_EARLY_DATA) {
@@ -351,7 +351,7 @@ static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
size_t extra_in_len = 0;
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
/* TLS 1.3 hides the actual record type inside the encrypted data. */
// TLS 1.3 hides the actual record type inside the encrypted data.
extra_in = &type;
extra_in_len = 1;
}
@@ -379,10 +379,10 @@ static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
out_prefix[0] = type;
}

/* The TLS record-layer version number is meaningless and, starting in
* TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0
* ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
* to change after version negotiation. */
// The TLS record-layer version number is meaningless and, starting in
// TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0
// ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
// to change after version negotiation.
uint16_t wire_version = TLS1_VERSION;
if (ssl->s3->hs != NULL && ssl->s3->hs->max_version == SSL3_VERSION) {
wire_version = SSL3_VERSION;
@@ -413,10 +413,10 @@ static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type,
size_t ret = SSL3_RT_HEADER_LENGTH;
if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
/* In the case of record splitting, the 1-byte record (of the 1/n-1 split)
* will be placed in the prefix, as will four of the five bytes of the
* record header for the main record. The final byte will replace the first
* byte of the plaintext that was used in the small record. */
// In the case of record splitting, the 1-byte record (of the 1/n-1 split)
// will be placed in the prefix, as will four of the five bytes of the
// record header for the main record. The final byte will replace the first
// byte of the plaintext that was used in the small record.
ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
ret += SSL3_RT_HEADER_LENGTH - 1;
} else {
@@ -430,26 +430,26 @@ static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len,
size_t extra_in_len = 0;
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
/* TLS 1.3 adds an extra byte for encrypted record type. */
// TLS 1.3 adds an extra byte for encrypted record type.
extra_in_len = 1;
}
if (type == SSL3_RT_APPLICATION_DATA && // clang-format off
in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
/* With record splitting enabled, the first byte gets sealed into a separate
* record which is written into the prefix. */
// With record splitting enabled, the first byte gets sealed into a separate
// record which is written into the prefix.
in_len -= 1;
}
return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len);
}

/* tls_seal_scatter_record seals a new record of type |type| and body |in| and
* splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
* |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
* bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
* returns one on success and zero on error. If enabled,
* |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
* may write two records concatenated. */
// tls_seal_scatter_record seals a new record of type |type| and body |in| and
// splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
// |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
// bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
// returns one on success and zero on error. If enabled,
// |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
// may write two records concatenated.
static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
uint8_t *out_suffix, uint8_t type,
const uint8_t *in, size_t in_len) {
@@ -458,7 +458,7 @@ static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);
const size_t prefix_len = SSL3_RT_HEADER_LENGTH;

/* Write the 1-byte fragment into |out_prefix|. */
// Write the 1-byte fragment into |out_prefix|.
uint8_t *split_body = out_prefix + prefix_len;
uint8_t *split_suffix = split_body + 1;

@@ -477,8 +477,8 @@ static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
ssl->s3->aead_write_ctx->cipher()) ==
split_record_len);

/* Write the n-1-byte fragment. The header gets split between |out_prefix|
* (header[:-1]) and |out| (header[-1:]). */
// Write the n-1-byte fragment. The header gets split between |out_prefix|
// (header[:-1]) and |out| (header[-1:]).
uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];
if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1,
in_len - 1)) {
@@ -530,7 +530,7 @@ int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,

enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
const uint8_t *in, size_t in_len) {
/* Alerts records may not contain fragmented or multiple alerts. */
// Alerts records may not contain fragmented or multiple alerts.
if (in_len != 2) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
@@ -551,7 +551,7 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
return ssl_open_record_close_notify;
}

/* Warning alerts do not exist in TLS 1.3. */
// Warning alerts do not exist in TLS 1.3.
if (ssl->s3->have_version &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
*out_alert = SSL_AD_DECODE_ERROR;
@@ -677,7 +677,7 @@ size_t SSL_max_seal_overhead(const SSL *ssl) {

size_t ret = SSL3_RT_HEADER_LENGTH;
ret += ssl->s3->aead_write_ctx->MaxOverhead();
/* TLS 1.3 needs an extra byte for the encrypted record type. */
// TLS 1.3 needs an extra byte for the encrypted record type.
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
ret += 1;


Skriv Förhandsgranska
Laddar…
Avbryt
Spara