grpc 1.53.1 → 1.54.0

data/third_party/boringssl-with-bazel/src/ssl/ssl_session.cc

@@ -214,9 +214,9 @@ UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) {
     }
   }
   if (session->certs != nullptr) {
-    auto buf_up_ref = [](CRYPTO_BUFFER *buf) {
-      CRYPTO_BUFFER_up_ref(buf);
-      return buf;
+    auto buf_up_ref = [](const CRYPTO_BUFFER *buf) {
+      CRYPTO_BUFFER_up_ref(const_cast<CRYPTO_BUFFER *>(buf));
+      return const_cast<CRYPTO_BUFFER*>(buf);
     };
     new_session->certs.reset(sk_CRYPTO_BUFFER_deep_copy(
         session->certs.get(), buf_up_ref, CRYPTO_BUFFER_free));
@@ -1169,20 +1169,31 @@ SSL_SESSION *SSL_magic_pending_session_ptr(void) {
 }
 
 SSL_SESSION *SSL_get_session(const SSL *ssl) {
-  // Once the handshake completes we return the established session. Otherwise
-  // we return the intermediate session, either |session| (for resumption) or
-  // |new_session| if doing a full handshake.
-  if (!SSL_in_init(ssl)) {
+  // Once the initially handshake completes, we return the most recently
+  // established session. In particular, if there is a pending renegotiation, we
+  // do not return information about it until it completes.
+  //
+  // Code in the handshake must either use |hs->new_session| (if updating a
+  // partial session) or |ssl_handshake_session| (if trying to query properties
+  // consistently across TLS 1.2 resumption and other handshakes).
+  if (ssl->s3->established_session != nullptr) {
     return ssl->s3->established_session.get();
   }
+
+  // Otherwise, we must be in the initial handshake.
   SSL_HANDSHAKE *hs = ssl->s3->hs.get();
+  assert(hs != nullptr);
+  assert(!ssl->s3->initial_handshake_complete);
+
+  // Return the 0-RTT session, if in the 0-RTT state. While the handshake has
+  // not actually completed, the public accessors all report properties as if
+  // it has.
   if (hs->early_session) {
     return hs->early_session.get();
   }
-  if (hs->new_session) {
-    return hs->new_session.get();
-  }
-  return ssl->session.get();
+
+  // Otherwise, return the partial session.
+  return (SSL_SESSION *)ssl_handshake_session(hs);
 }
 
 SSL_SESSION *SSL_get1_session(SSL *ssl) {

data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc

@@ -284,7 +284,6 @@ static bool ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
   if (sk_CRYPTO_BUFFER_num(sess->certs.get()) > 0) {
     chain.reset(sk_X509_new_null());
     if (!chain) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return false;
     }
     if (sess->is_server) {
@@ -292,7 +291,6 @@ static bool ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
       // |SSL_get_peer_cert_chain|.
       chain_without_leaf.reset(sk_X509_new_null());
       if (!chain_without_leaf) {
-        OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
         return false;
       }
     }
@@ -309,11 +307,9 @@ static bool ssl_crypto_x509_session_cache_objects(SSL_SESSION *sess) {
       leaf = UpRef(x509);
     } else if (chain_without_leaf &&
                !PushToStack(chain_without_leaf.get(), UpRef(x509))) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return false;
     }
     if (!PushToStack(chain.get(), std::move(x509))) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return false;
     }
   }
@@ -1041,7 +1037,11 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const uint8_t **pp, long length) {
 }
 
 STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *list) {
-  return sk_X509_NAME_deep_copy(list, X509_NAME_dup, X509_NAME_free);
+  // TODO(https://crbug.com/boringssl/407): |X509_NAME_dup| should be const.
+  auto name_dup = [](const X509_NAME *name) {
+    return X509_NAME_dup(const_cast<X509_NAME *>(name));
+  };
+  return sk_X509_NAME_deep_copy(list, name_dup, X509_NAME_free);
 }
 
 static void set_client_CA_list(UniquePtr<STACK_OF(CRYPTO_BUFFER)> *ca_list,
@@ -1100,7 +1100,6 @@ static STACK_OF(X509_NAME) *
 
   UniquePtr<STACK_OF(X509_NAME)> new_cache(sk_X509_NAME_new_null());
   if (!new_cache) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return NULL;
   }
 
@@ -1304,6 +1303,23 @@ int SSL_set1_verify_cert_store(SSL *ssl, X509_STORE *store) {
   return set_cert_store(&ssl->config->cert->verify_store, store, 1);
 }
 
+int SSL_set1_host(SSL *ssl, const char *hostname) {
+  check_ssl_x509_method(ssl);
+  if (!ssl->config) {
+    return 0;
+  }
+  return X509_VERIFY_PARAM_set1_host(ssl->config->param, hostname,
+                                     strlen(hostname));
+}
+
+void SSL_set_hostflags(SSL *ssl, unsigned flags) {
+  check_ssl_x509_method(ssl);
+  if (!ssl->config) {
+    return;
+  }
+  X509_VERIFY_PARAM_set_hostflags(ssl->config->param, flags);
+}
+
 int SSL_alert_from_verify_result(long result) {
   switch (result) {
     case X509_V_ERR_CERT_CHAIN_TOO_LONG:

data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc

@@ -302,7 +302,7 @@ using namespace bssl;
 
 size_t SSL_get_key_block_len(const SSL *ssl) {
   // See |SSL_generate_key_block|.
-  if (SSL_in_init(ssl)) {
+  if (SSL_in_init(ssl) || ssl_protocol_version(ssl) > TLS1_2_VERSION) {
     return 0;
   }
 
@@ -321,7 +321,7 @@ int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {
   // there are points where read and write states are from different epochs.
   // During a handshake, before ChangeCipherSpec, the encryption states may not
   // match |ssl->s3->client_random| and |ssl->s3->server_random|.
-  if (SSL_in_init(ssl)) {
+  if (SSL_in_init(ssl) || ssl_protocol_version(ssl) > TLS1_2_VERSION) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
     return 0;
   }
@@ -333,16 +333,12 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
                                const char *label, size_t label_len,
                                const uint8_t *context, size_t context_len,
                                int use_context) {
-  // Exporters may be used in False Start and server 0-RTT, where the handshake
-  // has progressed enough. Otherwise, they may not be used during a handshake.
-  if (SSL_in_init(ssl) &&
-      !SSL_in_false_start(ssl) &&
-      !(SSL_is_server(ssl) && SSL_in_early_data(ssl))) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
-    return 0;
-  }
-
-  if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  // In TLS 1.3, the exporter may be used whenever the secret has been derived.
+  if (ssl->s3->have_version && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+    if (ssl->s3->exporter_secret_len == 0) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
+      return 0;
+    }
     if (!use_context) {
       context = nullptr;
       context_len = 0;
@@ -353,6 +349,13 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
         MakeConstSpan(label, label_len), MakeConstSpan(context, context_len));
   }
 
+  // Exporters may be used in False Start, where the handshake has progressed
+  // enough. Otherwise, they may not be used during a handshake.
+  if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
+    OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
+    return 0;
+  }
+
   size_t seed_len = 2 * SSL3_RANDOM_SIZE;
   if (use_context) {
     if (context_len >= 1u << 16) {
@@ -363,7 +366,6 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
   }
   Array<uint8_t> seed;
   if (!seed.Init(seed_len)) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return 0;
   }
 

data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc

@@ -58,13 +58,11 @@ bool tls13_get_cert_verify_signature_input(
     enum ssl_cert_verify_context_t cert_verify_context) {
   ScopedCBB cbb;
   if (!CBB_init(cbb.get(), 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return false;
   }
 
   for (size_t i = 0; i < 64; i++) {
     if (!CBB_add_u8(cbb.get(), 0x20)) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return false;
     }
   }
@@ -80,7 +78,6 @@ bool tls13_get_cert_verify_signature_input(
     static const char kContext[] = "TLS 1.3, Channel ID";
     context = kContext;
   } else {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return false;
   }
 
@@ -88,7 +85,6 @@ bool tls13_get_cert_verify_signature_input(
   if (!CBB_add_bytes(cbb.get(),
                      reinterpret_cast<const uint8_t *>(context.data()),
                      context.size())) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return false;
   }
 
@@ -97,7 +93,6 @@ bool tls13_get_cert_verify_signature_input(
   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
       !CBB_add_bytes(cbb.get(), context_hash, context_hash_len) ||
       !CBBFinishArray(cbb.get(), out)) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return false;
   }
 
@@ -186,7 +181,6 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
   UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs(sk_CRYPTO_BUFFER_new_null());
   if (!certs) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-    OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
     return false;
   }
 
@@ -230,7 +224,6 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
     if (!buf ||
         !PushToStack(certs.get(), std::move(buf))) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       return false;
     }
 
@@ -475,7 +468,7 @@ bool tls13_add_certificate(SSL_HANDSHAKE *hs) {
                        CRYPTO_BUFFER_len(raw)) ||
         !CBB_flush(&extensions)) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-      return 0;
+      return false;
     }
     ssl->s3->delegated_credential_used = true;
   }
@@ -576,7 +569,6 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
     return ssl_private_key_failure;
   }
 
-  // Sign the digest.
   CBB child;
   const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
   uint8_t *sig;
@@ -595,40 +587,10 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
     return ssl_private_key_failure;
   }
 
-  SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
-  Array<uint8_t> spki;
-  if (hints) {
-    ScopedCBB spki_cbb;
-    if (!CBB_init(spki_cbb.get(), 64) ||
-        !EVP_marshal_public_key(spki_cbb.get(), hs->local_pubkey.get()) ||
-        !CBBFinishArray(spki_cbb.get(), &spki)) {
-      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-      return ssl_private_key_failure;
-    }
-  }
-
-  if (hints && !hs->hints_requested &&
-      signature_algorithm == hints->signature_algorithm &&
-      MakeConstSpan(msg) == hints->signature_input &&
-      MakeConstSpan(spki) == hints->signature_spki &&
-      !hints->signature.empty() && hints->signature.size() <= max_sig_len) {
-    // Signature algorithm and input both match. Reuse the signature from hints.
-    sig_len = hints->signature.size();
-    OPENSSL_memcpy(sig, hints->signature.data(), sig_len);
-  } else {
-    enum ssl_private_key_result_t sign_result = ssl_private_key_sign(
-        hs, sig, &sig_len, max_sig_len, signature_algorithm, msg);
-    if (sign_result != ssl_private_key_success) {
-      return sign_result;
-    }
-    if (hints && hs->hints_requested) {
-      hints->signature_algorithm = signature_algorithm;
-      hints->signature_input = std::move(msg);
-      hints->signature_spki = std::move(spki);
-      if (!hints->signature.CopyFrom(MakeSpan(sig, sig_len))) {
-        return ssl_private_key_failure;
-      }
-    }
+  enum ssl_private_key_result_t sign_result = ssl_private_key_sign(
+      hs, sig, &sig_len, max_sig_len, signature_algorithm, msg);
+  if (sign_result != ssl_private_key_success) {
+    return sign_result;
   }
 
   if (!CBB_did_write(&child, sig_len) ||

data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc

@@ -192,11 +192,15 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
   }
 
   // The cipher suite must be one we offered. We currently offer all supported
-  // TLS 1.3 ciphers, so check the version.
+  // TLS 1.3 ciphers unless policy controls limited it. So we check the version
+  // and that it's ok per policy.
   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
   if (cipher == nullptr ||
       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
-      SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
+      SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
+      !ssl_tls13_cipher_meets_policy(
+          SSL_CIPHER_get_value(cipher),
+          ssl->config->only_fips_cipher_suites_in_tls13)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
     return ssl_hs_error;
@@ -372,7 +376,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
   }
 
   // Check the cipher suite, in case this is after HelloRetryRequest.
-  if (SSL_CIPHER_get_value(hs->new_cipher) != server_hello.cipher_suite) {
+  if (SSL_CIPHER_get_protocol_id(hs->new_cipher) != server_hello.cipher_suite) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
     return ssl_hs_error;
@@ -667,7 +671,6 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
   } else {
     hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());
     if (!hs->ca_names) {
-      OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
       return ssl_hs_error;
     }

data/third_party/boringssl-with-bazel/src/ssl/tls13_enc.cc

@@ -364,9 +364,9 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
       !tls13_verify_data(out, out_len, hs->transcript.Digest(),
                          hs->ssl->version, traffic_secret,
                          MakeConstSpan(context_hash, context_hash_len))) {
-    return 0;
+    return false;
   }
-  return 1;
+  return true;
 }
 
 static const char kTLS13LabelResumptionPSK[] = "resumption";

data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc

@@ -66,25 +66,25 @@ static bool resolve_ecdhe_secret(SSL_HANDSHAKE *hs,
   SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
   if (hints && !hs->hints_requested && hints->key_share_group_id == group_id &&
       !hints->key_share_secret.empty()) {
-    // Copy DH secret from hints.
-    if (!hs->ecdh_public_key.CopyFrom(hints->key_share_public_key) ||
+    // Copy the key_share secret from hints.
+    if (!hs->key_share_ciphertext.CopyFrom(hints->key_share_ciphertext) ||
         !secret.CopyFrom(hints->key_share_secret)) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
       return false;
     }
   } else {
-    ScopedCBB public_key;
+    ScopedCBB ciphertext;
     UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
     if (!key_share ||  //
-        !CBB_init(public_key.get(), 32) ||
-        !key_share->Accept(public_key.get(), &secret, &alert, peer_key) ||
-        !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
+        !CBB_init(ciphertext.get(), 32) ||
+        !key_share->Encap(ciphertext.get(), &secret, &alert, peer_key) ||
+        !CBBFinishArray(ciphertext.get(), &hs->key_share_ciphertext)) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
       return false;
     }
     if (hints && hs->hints_requested) {
       hints->key_share_group_id = group_id;
-      if (!hints->key_share_public_key.CopyFrom(hs->ecdh_public_key) ||
+      if (!hints->key_share_ciphertext.CopyFrom(hs->key_share_ciphertext) ||
           !hints->key_share_secret.CopyFrom(secret)) {
         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
         return false;
@@ -116,7 +116,8 @@ static const SSL_CIPHER *choose_tls13_cipher(
 
   const uint16_t version = ssl_protocol_version(ssl);
 
-  return ssl_choose_tls13_cipher(cipher_suites, version, group_id);
+  return ssl_choose_tls13_cipher(cipher_suites, version, group_id,
+                                 ssl->config->only_fips_cipher_suites_in_tls13);
 }
 
 static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
@@ -131,15 +132,12 @@ static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
     return true;
   }
 
-  // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
-  // the client makes several connections before getting a renewal.
-  static const int kNumTickets = 2;
-
   // Rebase the session timestamp so that it is measured from ticket
   // issuance.
   ssl_session_rebase_time(ssl, hs->new_session.get());
 
-  for (int i = 0; i < kNumTickets; i++) {
+  assert(ssl->session_ctx->num_tickets <= kMaxTickets);
+  for (size_t i = 0; i < ssl->session_ctx->num_tickets; i++) {
     UniquePtr<SSL_SESSION> session(
         SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
     if (!session) {
@@ -160,7 +158,8 @@ static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
           ssl->quic_method != nullptr ? 0xffffffff : kMaxEarlyDataAccepted;
     }
 
-    static_assert(kNumTickets < 256, "Too many tickets");
+    static_assert(kMaxTickets < 256, "Too many tickets");
+    assert(i < 256);
     uint8_t nonce[] = {static_cast<uint8_t>(i)};
 
     ScopedCBB cbb;
@@ -658,28 +657,16 @@ static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
     }
 
     // Decrypt the payload with the HPKE context from the first ClientHello.
-    Array<uint8_t> encoded_client_hello_inner;
+    uint8_t alert = SSL_AD_DECODE_ERROR;
     bool unused;
-    if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
-                                  &encoded_client_hello_inner, &unused,
-                                  &client_hello, payload)) {
+    if (!ssl_client_hello_decrypt(hs, &alert, &unused,
+                                  &hs->ech_client_hello_buf, &client_hello,
+                                  payload)) {
       // Decryption failure is fatal in the second ClientHello.
       OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
-      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
-      return ssl_hs_error;
-    }
-
-    // Recover the ClientHelloInner from the EncodedClientHelloInner.
-    uint8_t alert = SSL_AD_DECODE_ERROR;
-    bssl::Array<uint8_t> client_hello_inner;
-    if (!ssl_decode_client_hello_inner(ssl, &alert, &client_hello_inner,
-                                       encoded_client_hello_inner,
-                                       &client_hello)) {
-      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
       return ssl_hs_error;
     }
-    hs->ech_client_hello_buf = std::move(client_hello_inner);
 
     // Reparse |client_hello| from the buffer owned by |hs|.
     if (!hs->GetClientHello(&msg, &client_hello)) {
@@ -751,12 +738,13 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
 
   SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
   if (hints && !hs->hints_requested &&
-      hints->server_random.size() == random.size()) {
-    OPENSSL_memcpy(random.data(), hints->server_random.data(), random.size());
+      hints->server_random_tls13.size() == random.size()) {
+    OPENSSL_memcpy(random.data(), hints->server_random_tls13.data(),
+                   random.size());
   } else {
     RAND_bytes(random.data(), random.size());
     if (hints && hs->hints_requested &&
-        !hints->server_random.CopyFrom(random)) {
+        !hints->server_random_tls13.CopyFrom(random)) {
       return ssl_hs_error;
     }
   }
@@ -802,7 +790,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
-  hs->ecdh_public_key.Reset();  // No longer needed.
+  hs->key_share_ciphertext.Reset();  // No longer needed.
   if (!ssl->s3->used_hello_retry_request &&
       !ssl->method->add_change_cipher_spec(ssl)) {
     return ssl_hs_error;

data/third_party/boringssl-with-bazel/src/ssl/tls_method.cc

@@ -108,7 +108,7 @@ static bool tls_set_read_state(SSL *ssl, ssl_encryption_level_t level,
     }
   }
 
-  OPENSSL_memset(ssl->s3->read_sequence, 0, sizeof(ssl->s3->read_sequence));
+  ssl->s3->read_sequence = 0;
   ssl->s3->aead_read_ctx = std::move(aead_ctx);
   ssl->s3->read_level = level;
   return true;
@@ -137,7 +137,7 @@ static bool tls_set_write_state(SSL *ssl, ssl_encryption_level_t level,
     }
   }
 
-  OPENSSL_memset(ssl->s3->write_sequence, 0, sizeof(ssl->s3->write_sequence));
+  ssl->s3->write_sequence = 0;
   ssl->s3->aead_write_ctx = std::move(aead_ctx);
   ssl->s3->write_level = level;
   return true;

data/third_party/boringssl-with-bazel/src/ssl/tls_record.cc

@@ -151,17 +151,6 @@ static bool ssl_needs_record_splitting(const SSL *ssl) {
 #endif
 }
 
-bool ssl_record_sequence_update(uint8_t *seq, size_t seq_len) {
-  for (size_t i = seq_len - 1; i < seq_len; i--) {
-    ++seq[i];
-    if (seq[i] != 0) {
-      return true;
-    }
-  }
-  OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
-  return false;
-}
-
 size_t ssl_record_prefix_len(const SSL *ssl) {
   size_t header_len;
   if (SSL_is_dtls(ssl)) {
@@ -286,6 +275,13 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type,
     return skip_early_data(ssl, out_alert, *out_consumed);
   }
 
+  // Ensure the sequence number update does not overflow.
+  if (ssl->s3->read_sequence + 1 == 0) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
+    *out_alert = SSL_AD_INTERNAL_ERROR;
+    return ssl_open_record_error;
+  }
+
   // Decrypt the body in-place.
   if (!ssl->s3->aead_read_ctx->Open(
           out, type, version, ssl->s3->read_sequence, header,
@@ -301,11 +297,7 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type,
   }
 
   ssl->s3->skip_early_data = false;
-
-  if (!ssl_record_sequence_update(ssl->s3->read_sequence, 8)) {
-    *out_alert = SSL_AD_INTERNAL_ERROR;
-    return ssl_open_record_error;
-  }
+  ssl->s3->read_sequence++;
 
   // TLS 1.3 hides the record type inside the encrypted data.
   bool has_padding =
@@ -411,13 +403,19 @@ static bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
   out_prefix[4] = ciphertext_len & 0xff;
   Span<const uint8_t> header = MakeSpan(out_prefix, SSL3_RT_HEADER_LENGTH);
 
+  // Ensure the sequence number update does not overflow.
+  if (ssl->s3->write_sequence + 1 == 0) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
+    return false;
+  }
+
   if (!aead->SealScatter(out_prefix + SSL3_RT_HEADER_LENGTH, out, out_suffix,
                          out_prefix[0], record_version, ssl->s3->write_sequence,
-                         header, in, in_len, extra_in, extra_in_len) ||
-      !ssl_record_sequence_update(ssl->s3->write_sequence, 8)) {
+                         header, in, in_len, extra_in, extra_in_len)) {
     return false;
   }
 
+  ssl->s3->write_sequence++;
   ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);
   return true;
 }
@@ -602,86 +600,6 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
   return ssl_open_record_error;
 }
 
-OpenRecordResult OpenRecord(SSL *ssl, Span<uint8_t> *out,
-                            size_t *out_record_len, uint8_t *out_alert,
-                            const Span<uint8_t> in) {
-  // This API is a work in progress and currently only works for TLS 1.2 servers
-  // and below.
-  if (SSL_in_init(ssl) ||
-      SSL_is_dtls(ssl) ||
-      ssl_protocol_version(ssl) > TLS1_2_VERSION) {
-    assert(false);
-    *out_alert = SSL_AD_INTERNAL_ERROR;
-    return OpenRecordResult::kError;
-  }
-
-  Span<uint8_t> plaintext;
-  uint8_t type = 0;
-  const ssl_open_record_t result = tls_open_record(
-      ssl, &type, &plaintext, out_record_len, out_alert, in);
-
-  switch (result) {
-    case ssl_open_record_success:
-      if (type != SSL3_RT_APPLICATION_DATA && type != SSL3_RT_ALERT) {
-        *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
-        return OpenRecordResult::kError;
-      }
-      *out = plaintext;
-      return OpenRecordResult::kOK;
-    case ssl_open_record_discard:
-      return OpenRecordResult::kDiscard;
-    case ssl_open_record_partial:
-      return OpenRecordResult::kIncompleteRecord;
-    case ssl_open_record_close_notify:
-      return OpenRecordResult::kAlertCloseNotify;
-    case ssl_open_record_error:
-      return OpenRecordResult::kError;
-  }
-  assert(false);
-  return OpenRecordResult::kError;
-}
-
-size_t SealRecordPrefixLen(const SSL *ssl, const size_t record_len) {
-  return tls_seal_scatter_prefix_len(ssl, SSL3_RT_APPLICATION_DATA, record_len);
-}
-
-size_t SealRecordSuffixLen(const SSL *ssl, const size_t plaintext_len) {
-  assert(plaintext_len <= SSL3_RT_MAX_PLAIN_LENGTH);
-  size_t suffix_len;
-  if (!tls_seal_scatter_suffix_len(ssl, &suffix_len, SSL3_RT_APPLICATION_DATA,
-                                   plaintext_len)) {
-    assert(false);
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return 0;
-  }
-  assert(suffix_len <= SSL3_RT_MAX_ENCRYPTED_OVERHEAD);
-  return suffix_len;
-}
-
-bool SealRecord(SSL *ssl, const Span<uint8_t> out_prefix,
-                const Span<uint8_t> out, Span<uint8_t> out_suffix,
-                const Span<const uint8_t> in) {
-  // This API is a work in progress and currently only works for TLS 1.2 servers
-  // and below.
-  if (SSL_in_init(ssl) ||
-      SSL_is_dtls(ssl) ||
-      ssl_protocol_version(ssl) > TLS1_2_VERSION) {
-    assert(false);
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return false;
-  }
-
-  if (out_prefix.size() != SealRecordPrefixLen(ssl, in.size()) ||
-      out.size() != in.size() ||
-      out_suffix.size() != SealRecordSuffixLen(ssl, in.size())) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
-    return false;
-  }
-  return tls_seal_scatter_record(ssl, out_prefix.data(), out.data(),
-                                 out_suffix.data(), SSL3_RT_APPLICATION_DATA,
-                                 in.data(), in.size());
-}
-
 BSSL_NAMESPACE_END
 
 using namespace bssl;