author | Michael Eastwood <mweastwood@google.com> | 2021-09-30 20:13:43 +0000 |
---|---|---|
committer | Michael Eastwood <mweastwood@google.com> | 2021-09-30 20:13:43 +0000 |
commit | 220a654b699665d1048bc909780e4dc976e02197 (patch) | |
tree | 156af58101b7e540cd5c6761e8a821ae5da4ea07 /src/ssl/internal.h | |
parent | 8bb65ff676b006f67cccd75a8f4cd6f8a296409e (diff) | |
download | boringssl-220a654b699665d1048bc909780e4dc976e02197.tar.gz |
Revert "external/boringssl: Sync to 66e61c577d39e757bf491468f651..."
Revert submission 1835013-bssl_update_sep2021
Reason for revert: DroidMonitor: Potential culprit for Bug 201683809 - verifying through Forrest before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Reverted Changes:
I27d7b79e3:Fix wpa_supplicant build with newer BoringSSL
I4f2228ef8:external/boringssl: Sync to 66e61c577d39e757bf4914...
Change-Id: If2184c4aa55b7dc89e037362e4d5cbbea1107ae2
Diffstat (limited to 'src/ssl/internal.h')
-rw-r--r-- | src/ssl/internal.h | 106 |
1 files changed, 43 insertions, 63 deletions
diff --git a/src/ssl/internal.h b/src/ssl/internal.h index ab23d29b..3b7326ae 100644 --- a/src/ssl/internal.h +++ b/src/ssl/internal.h @@ -146,7 +146,6 @@ #include <stdlib.h> -#include <initializer_list> #include <limits> #include <new> #include <type_traits> @@ -694,8 +693,7 @@ class SSLTranscript { // InitHash initializes the handshake hash based on the PRF and contents of // the handshake transcript. Subsequent calls to |Update| will update the // rolling hash. It returns one on success and zero on failure. It is an error - // to call this function after the handshake buffer is released. This may be - // called multiple times to change the hash function. + // to call this function after the handshake buffer is released. bool InitHash(uint16_t version, const SSL_CIPHER *cipher); // UpdateForHelloRetryRequest resets the rolling hash with the @@ -1451,7 +1449,7 @@ struct ECHConfig { Span<const uint8_t> public_name; Span<const uint8_t> cipher_suites; uint16_t kem_id = 0; - uint8_t maximum_name_length = 0; + uint16_t maximum_name_length = 0; uint8_t config_id = 0; }; @@ -1488,10 +1486,6 @@ enum ssl_client_hello_type_t { ssl_client_hello_outer, }; -// ECH_CLIENT_* are types for the ClientHello encrypted_client_hello extension. -#define ECH_CLIENT_OUTER 0 -#define ECH_CLIENT_INNER 1 - // ssl_decode_client_hello_inner recovers the full ClientHelloInner from the // EncodedClientHelloInner |encoded_client_hello_inner| by replacing its // outer_extensions extension with the referenced extensions from the 
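Review bot: In the `ECHConfig` hunk (`@@ -1451`), `maximum_name_length` goes back to `uint16_t`, so the type no longer caps the value at 255 and it can be as large as 65535. The code that parses and consumes the field is outside this header, so this is a question rather than a finding: if the value is used as a length, for example for padding, it should be bounded before use. A field comment would make the expectation visible, e.g. `// maximum_name_length is taken from the ECHConfig as received; bound it before using it as a size.` The struct starts outside the hunk.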
@@ -1503,13 +1497,18 @@ OPENSSL_EXPORT bool ssl_decode_client_hello_inner( Span<const uint8_t> encoded_client_hello_inner, const SSL_CLIENT_HELLO *client_hello_outer); -// ssl_client_hello_decrypt attempts to decrypt the |payload| and writes the -// result to |*out|. |payload| must point into |client_hello_outer|. It returns -// true on success and false on error. On error, it sets |*out_is_decrypt_error| -// to whether the failure was due to a bad ciphertext. -bool ssl_client_hello_decrypt(EVP_HPKE_CTX *hpke_ctx, Array<uint8_t> *out, +// ssl_client_hello_decrypt attempts to decrypt the given |payload| into +// |out_encoded_client_hello_inner|. The decrypted value should be an +// EncodedClientHelloInner. It returns false if any fatal errors occur and true +// otherwise, regardless of whether the decrypt was successful. It sets +// |out_encoded_client_hello_inner| to true if the decryption fails, and false +// otherwise. +bool ssl_client_hello_decrypt(EVP_HPKE_CTX *hpke_ctx, + Array<uint8_t> *out_encoded_client_hello_inner, bool *out_is_decrypt_error, const SSL_CLIENT_HELLO *client_hello_outer, + uint16_t kdf_id, uint16_t aead_id, + uint8_t config_id, Span<const uint8_t> enc, Span<const uint8_t> payload); #define ECH_CONFIRMATION_SIGNAL_LEN 8 
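Review bot: The restored comment on `ssl_client_hello_decrypt` names the wrong out-parameter. It says the function "sets |out_encoded_client_hello_inner| to true if the decryption fails", but that parameter is an `Array<uint8_t> *`; the boolean is `out_is_decrypt_error`. Since the comment also says the function returns true whether or not the decrypt succeeded, that flag is the only signal a caller has that the output is not a usable EncodedClientHelloInner, so the sentence should read `// It sets |*out_is_decrypt_error| to true if the decryption fails, and false otherwise.` It would also help to state what `out_encoded_client_hello_inner` holds when the flag is set.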
@@ -1519,14 +1518,13 @@ bool ssl_client_hello_decrypt(EVP_HPKE_CTX *hpke_ctx, Array<uint8_t> *out, size_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl); // ssl_ech_accept_confirmation computes the server's ECH acceptance signal, -// writing it to |out|. The transcript portion is the concatenation of -// |transcript| with |msg|. The |ECH_CONFIRMATION_SIGNAL_LEN| bytes from -// |offset| in |msg| are replaced with zeros before hashing. This function -// returns true on success, and false on failure. +// writing it to |out|. The signal is computed by concatenating |transcript| +// with |server_hello|. This function handles the fact that eight bytes of +// |server_hello| need to be replaced with zeros before hashing. It returns true +// on success, and false on failure. bool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span<uint8_t> out, - Span<const uint8_t> client_random, - const SSLTranscript &transcript, bool is_hrr, - Span<const uint8_t> msg, size_t offset); + const SSLTranscript &transcript, + Span<const uint8_t> server_hello); // ssl_is_valid_ech_public_name returns true if |public_name| is a valid ECH // public name and false otherwise. It is exported for testing. @@ -1832,9 +1830,8 @@ struct SSL_HANDSHAKE { // cookie is the value of the cookie received from the server, if any. Array<uint8_t> cookie; - // ech_client_outer contains the outer ECH extension to send in the - // ClientHello, excluding the header and type byte. - Array<uint8_t> ech_client_outer; + // ech_client_bytes contains the ECH extension to send in the ClientHello. + Array<uint8_t> ech_client_bytes; // ech_retry_configs, on the client, contains the retry configs from the // server as a serialized ECHConfigList. 
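Review bot: The new comment on `ssl_ech_accept_confirmation` says "eight bytes of |server_hello|" are zeroed before hashing, but it gives neither their position nor the size `out` must have. The literal also duplicates `ECH_CONFIRMATION_SIGNAL_LEN`, which is defined directly above this declaration. I would refer to the constant and add `// |out| must be |ECH_CONFIRMATION_SIGNAL_LEN| bytes long.`, plus a sentence on what is returned when `server_hello` is shorter than the region to be zeroed. The implementation is not in this diff, so whether that length is checked cannot be confirmed from here.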
@@ -1942,9 +1939,13 @@ struct SSL_HANDSHAKE { // influence the handshake on match. UniquePtr<SSL_HANDSHAKE_HINTS> hints; - // ech_is_inner, on the server, indicates whether the ClientHello contained an - // inner ECH extension. - bool ech_is_inner : 1; + // ech_present, on the server, indicates whether the ClientHello contained an + // encrypted_client_hello extension. + bool ech_present : 1; + + // ech_is_inner_present, on the server, indicates whether the ClientHello + // contained an ech_is_inner extension. + bool ech_is_inner_present : 1; // ech_authenticated_reject, on the client, indicates whether an ECH rejection // handshake has been authenticated. @@ -2162,22 +2163,6 @@ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs, // flight. It returns true on success and false on error. bool ssl_add_client_hello(SSL_HANDSHAKE *hs); -struct ParsedServerHello { - CBS raw; - uint16_t legacy_version = 0; - CBS random; - CBS session_id; - uint16_t cipher_suite = 0; - uint8_t compression_method = 0; - CBS extensions; -}; - -// ssl_parse_server_hello parses |msg| as a ServerHello. On success, it writes -// the result to |*out| and returns true. Otherwise, it returns false and sets -// |*out_alert| to an alert to send to the peer. -bool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert, - const SSLMessage &msg); - enum ssl_cert_verify_context_t { ssl_cert_verify_server, ssl_cert_verify_client, 
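Review bot: `ech_present` and `ech_is_inner_present` are added as bit-fields in `SSL_HANDSHAKE` (`@@ -1942`) with no initializer in view. Bit-fields cannot carry a default member initializer before C++20, so both have to be cleared in the constructor, which is outside this header diff. Worth confirming that the reverted constructor lists both names, because an indeterminate bit here would feed the server's decision on whether the ClientHello carried ECH. The struct body starts and ends outside the hunk.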
@@ -2219,25 +2204,19 @@ bool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs, bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello); -struct SSLExtension { - SSLExtension(uint16_t type_arg, bool allowed_arg = true) - : type(type_arg), allowed(allowed_arg), present(false) { - CBS_init(&data, nullptr, 0); - } - +struct SSL_EXTENSION_TYPE { uint16_t type; - bool allowed; - bool present; - CBS data; + bool *out_present; + CBS *out_data; }; // ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances -// it. It writes the parsed extensions to pointers in |extensions|. On success, -// it fills in the |present| and |data| fields and returns true. Otherwise, it -// sets |*out_alert| to an alert to send and returns false. Unknown extensions -// are rejected unless |ignore_unknown| is true. +// it. It writes the parsed extensions to pointers denoted by |ext_types|. On +// success, it fills in the |out_present| and |out_data| fields and returns +// true. Otherwise, it sets |*out_alert| to an alert to send and returns false. +// Unknown extensions are rejected unless |ignore_unknown| is true. bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, - std::initializer_list<SSLExtension *> extensions, + Span<const SSL_EXTENSION_TYPE> ext_types, bool ignore_unknown); // ssl_verify_peer_cert verifies the peer certificate for |hs|. @@ -2276,9 +2255,6 @@ bool ssl_log_secret(const SSL *ssl, const char *label, OPENSSL_EXPORT bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out, Span<const uint8_t> body); -bool ssl_parse_client_hello_with_trailing_data(const SSL *ssl, CBS *cbs, - SSL_CLIENT_HELLO *out); - bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello, CBS *out, uint16_t extension_type); 
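Review bot: `SSL_EXTENSION_TYPE` hands the parser raw `bool *out_present` and `CBS *out_data` pointers, and the comment on `ssl_parse_extensions` only says they are filled in "on success". The struct it replaces set `present` to false and emptied `data` in its constructor; with caller-owned outputs that guarantee has to come from the parser, and its body is not visible here. I would state the contract in the comment, e.g. `// For every entry in |ext_types|, |*out_present| is written before any extension is parsed; |*out_data| is only meaningful when |*out_present| is true.` It should also say whether the outputs may be partially written when the function returns false.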
@@ -2339,7 +2315,7 @@ bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert, #define TLSEXT_CHANNEL_ID_SIZE 128 -// From RFC 4492, used in encoding the curve type in ECParameters +// From RFC4492, used in encoding the curve type in ECParameters #define NAMED_CURVE_TYPE 3 struct CERT { @@ -3316,15 +3292,19 @@ bool tls1_set_curves_list(Array<uint16_t> *out_group_ids, const char *curves); // ClientHello extension was the pre_shared_key extension and needs a PSK binder // filled in. The caller should then update |out| and, if applicable, // |out_encoded| with the binder after completing the whole message. +// +// If |omit_ech_len| is non-zero, the ECH extension is omitted, but padding is +// computed as if there were an extension of length |omit_ech_len|. This is used +// to compute ClientHelloOuterAAD. bool ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, CBB *out_encoded, bool *out_needs_psk_binder, - ssl_client_hello_type_t type, - size_t header_len); + ssl_client_hello_type_t type, size_t header_len, + size_t omit_ech_len); bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out); bool ssl_parse_clienthello_tlsext(SSL_HANDSHAKE *hs, const SSL_CLIENT_HELLO *client_hello); -bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, const CBS *extensions); +bool ssl_parse_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs); #define tlsext_tick_md EVP_sha256 |
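Review bot: In the last hunk (`@@ -3316`), `ssl_parse_serverhello_tlsext` now takes a mutable `CBS *cbs` in place of `const CBS *extensions`, and the declaration has no comment. A non-const `CBS` suggests the function consumes the input, but a caller cannot tell from the header whether `cbs` is advanced or whether trailing bytes after the extensions block are rejected. A short contract comment would settle it, for example `// ssl_parse_serverhello_tlsext parses the ServerHello extensions from |cbs|, advancing it, and returns true on success.`, adjusted to what the implementation does.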