grpc 1.66.0 → 1.67.0.pre1

data/third_party/boringssl-with-bazel/src/ssl/extensions.cc

@@ -207,6 +207,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) {
 static bool is_post_quantum_group(uint16_t id) {
   switch (id) {
     case SSL_GROUP_X25519_KYBER768_DRAFT00:
+    case SSL_GROUP_X25519_MLKEM768:
       return true;
     default:
       return false;
@@ -3794,6 +3795,7 @@ static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
       return true;
 
     default:
+      hs->should_ack_sni = ssl->s3->hostname != nullptr;
       return true;
   }
 }

data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc

@@ -244,23 +244,36 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
   // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
   // hardware support.
   if (hs->max_version >= TLS1_3_VERSION) {
+    static const uint16_t kCiphersNoAESHardware[] = {
+        TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
+        TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
+        TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
+    };
+    static const uint16_t kCiphersAESHardware[] = {
+        TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
+        TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
+        TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
+    };
+    static const uint16_t kCiphersCNSA[] = {
+        TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
+        TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
+        TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
+    };
+
     const bool has_aes_hw = ssl->config->aes_hw_override
                                 ? ssl->config->aes_hw_override_value
                                 : EVP_has_aes_hardware();
-
-    if ((!has_aes_hw &&  //
-         !ssl_add_tls13_cipher(&child,
-                               TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-                               ssl->config->tls13_cipher_policy)) ||
-        !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff,
-                              ssl->config->tls13_cipher_policy) ||
-        !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff,
-                              ssl->config->tls13_cipher_policy) ||
-        (has_aes_hw &&  //
-         !ssl_add_tls13_cipher(&child,
-                               TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
-                               ssl->config->tls13_cipher_policy))) {
-      return false;
+    const bssl::Span<const uint16_t> ciphers =
+        ssl->config->tls13_cipher_policy == ssl_compliance_policy_cnsa_202407
+            ? bssl::Span<const uint16_t>(kCiphersCNSA)
+            : (has_aes_hw ? bssl::Span<const uint16_t>(kCiphersAESHardware)
+                          : bssl::Span<const uint16_t>(kCiphersNoAESHardware));
+
+    for (auto cipher : ciphers) {
+      if (!ssl_add_tls13_cipher(&child, cipher,
+                                ssl->config->tls13_cipher_policy)) {
+        return false;
+      }
     }
   }
 
@@ -372,9 +385,13 @@ bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
 static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version,
                                  uint8_t *out_alert,
                                  const ParsedServerHello &server_hello) {
+  uint16_t legacy_version = TLS1_2_VERSION;
+  if (SSL_is_dtls(hs->ssl)) {
+    legacy_version = DTLS1_2_VERSION;
+  }
   // If the outer version is not TLS 1.2, use it.
   // TODO(davidben): This function doesn't quite match the RFC8446 formulation.
-  if (server_hello.legacy_version != TLS1_2_VERSION) {
+  if (server_hello.legacy_version != legacy_version) {
     *out_version = server_hello.legacy_version;
     return true;
   }
@@ -509,25 +526,28 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
-  // Never send a session ID in QUIC. QUIC uses TLS 1.3 at a minimum and
-  // disables TLS 1.3 middlebox compatibility mode.
-  if (ssl->quic_method == nullptr) {
-    const bool has_id_session = ssl->session != nullptr &&
-                                ssl->session->session_id_length > 0 &&
-                                ssl->session->ticket.empty();
-    const bool has_ticket_session =
-        ssl->session != nullptr && !ssl->session->ticket.empty();
-    if (has_id_session) {
-      hs->session_id_len = ssl->session->session_id_length;
-      OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
-                     hs->session_id_len);
-    } else if (has_ticket_session || hs->max_version >= TLS1_3_VERSION) {
-      // Send a random session ID. TLS 1.3 always sends one, and TLS 1.2 session
-      // tickets require a placeholder value to signal resumption.
-      hs->session_id_len = sizeof(hs->session_id);
-      if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
-        return ssl_hs_error;
-      }
+  const bool has_id_session = ssl->session != nullptr &&
+                              ssl->session->session_id_length > 0 &&
+                              ssl->session->ticket.empty();
+  const bool has_ticket_session =
+      ssl->session != nullptr && !ssl->session->ticket.empty();
+  // TLS 1.2 session tickets require a placeholder value to signal resumption.
+  const bool ticket_session_requires_random_id =
+      has_ticket_session &&
+      ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION;
+  // Compatibility mode sends a random session ID. Compatibility mode is
+  // enabled for TLS 1.3, but not when it's run over QUIC or DTLS.
+  const bool enable_compatibility_mode = hs->max_version >= TLS1_3_VERSION &&
+                                         ssl->quic_method == nullptr &&
+                                         !SSL_is_dtls(hs->ssl);
+  if (has_id_session) {
+    hs->session_id_len = ssl->session->session_id_length;
+    OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
+                   hs->session_id_len);
+  } else if (ticket_session_requires_random_id || enable_compatibility_mode) {
+    hs->session_id_len = sizeof(hs->session_id);
+    if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
+      return ssl_hs_error;
     }
   }
 
@@ -618,10 +638,6 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
 
   assert(SSL_is_dtls(ssl));
 
-  // When implementing DTLS 1.3, we need to handle the interactions between
-  // HelloVerifyRequest, DTLS 1.3's HelloVerifyRequest removal, and ECH.
-  assert(hs->max_version < TLS1_3_VERSION);
-
   SSLMessage msg;
   if (!ssl->method->get_message(ssl, &msg)) {
     return ssl_hs_read_message;
@@ -632,6 +648,12 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
     return ssl_hs_ok;
   }
 
+  // TODO(crbug.com/boringssl/715): At the point when we read an HVR, we don't
+  // know whether the connection is DTLS 1.2 (or earlier) or DTLS 1.3 - that's
+  // determined when we read the supported_versions in the ServerHello. If we
+  // receive HVR and then the ServerHello selects DTLS 1.3, that is an error and
+  // we should close the connection.
+
   CBS hello_verify_request = msg.body, cookie;
   uint16_t server_version;
   if (!CBS_get_u16(&hello_verify_request, &server_version) ||
@@ -716,6 +738,15 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
+  // TODO(crbug.com/boringssl/715): Check that if the server picked DTLS 1.3,
+  // that it didn't also previously send an HVR, as that is not allowed by RFC
+  // 9147. (DTLS 1.25 still uses HVR instead of HRR.) Also add a runner test to
+  // test that we handle that case properly.
+  //
+  // See
+  // https://boringssl-review.googlesource.com/c/boringssl/+/68027/3/ssl/handshake_client.cc
+  // for an example of what this check might look like.
+
   assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
   if (!ssl->s3->have_version) {
     ssl->version = server_version;

data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc

@@ -613,6 +613,9 @@ static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
   if (!ssl_client_hello_get_extension(client_hello, &sni,
                                       TLSEXT_TYPE_server_name)) {
     // No SNI extension to parse.
+    //
+    // Clear state in case we previously extracted SNI from ClientHelloOuter.
+    ssl->s3->hostname.reset();
     return true;
   }
 
@@ -649,8 +652,6 @@ static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
     return false;
   }
   ssl->s3->hostname.reset(raw);
-
-  hs->should_ack_sni = true;
   return true;
 }
 
@@ -686,7 +687,10 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
   }
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
-  if (!decrypt_ech(hs, &alert, &client_hello)) {
+  // We check for rejection status in case we've rewound the state machine after
+  // determining `ClientHelloInner` is invalid.
+  if (ssl->s3->ech_status != ssl_ech_rejected &&
+      !decrypt_ech(hs, &alert, &client_hello)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return ssl_hs_error;
   }
@@ -722,6 +726,13 @@ static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) {
       case ssl_select_cert_retry:
         return ssl_hs_certificate_selection_pending;
 
+      case ssl_select_cert_disable_ech:
+        hs->ech_client_hello_buf.Reset();
+        hs->ech_keys = nullptr;
+        hs->state = state12_read_client_hello;
+        ssl->s3->ech_status = ssl_ech_rejected;
+        return ssl_hs_ok;
+
       case ssl_select_cert_error:
         // Connection rejected.
         OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);

data/third_party/boringssl-with-bazel/src/ssl/internal.h

@@ -155,6 +155,7 @@
 #include <utility>
 
 #include <openssl/aead.h>
+#include <openssl/aes.h>
 #include <openssl/curve25519.h>
 #include <openssl/err.h>
 #include <openssl/hpke.h>
@@ -811,6 +812,16 @@ bool tls1_prf(const EVP_MD *digest, Span<uint8_t> out,
 
 // Encryption layer.
 
+class RecordNumberEncrypter {
+ public:
+  virtual ~RecordNumberEncrypter() = default;
+  static constexpr bool kAllowUniquePtr = true;
+
+  virtual size_t KeySize() = 0;
+  virtual bool SetKey(Span<const uint8_t> key) = 0;
+  virtual bool GenerateMask(Span<uint8_t> out, Span<const uint8_t> sample) = 0;
+};
+
 // SSLAEADContext contains information about an AEAD that is being used to
 // encrypt an SSL connection.
 class SSLAEADContext {
@@ -916,6 +927,17 @@ class SSLAEADContext {
 
   bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const;
 
+  RecordNumberEncrypter *GetRecordNumberEncrypter() {
+    return rn_encrypter_.get();
+  }
+
+  // GenerateRecordNumberMask computes the mask used for DTLS 1.3 record number
+  // encryption (RFC 9147 section 4.2.3), writing it to |out|. The |out| buffer
+  // must be sized to AES_BLOCK_SIZE. The |sample| buffer must be at least 16
+  // bytes, as required by the AES and ChaCha20 cipher suites in RFC 9147. Extra
+  // bytes in |sample| will be ignored.
+  bool GenerateRecordNumberMask(Span<uint8_t> out, Span<const uint8_t> sample);
+
  private:
   // GetAdditionalData returns the additional data, writing into |storage| if
   // necessary.
@@ -924,6 +946,8 @@ class SSLAEADContext {
                                         uint64_t seqnum, size_t plaintext_len,
                                         Span<const uint8_t> header);
 
+  void CreateRecordNumberEncrypter();
+
   const SSL_CIPHER *cipher_;
   ScopedEVP_AEAD_CTX ctx_;
   // fixed_nonce_ contains any bytes of the nonce that are fixed for all
@@ -932,6 +956,7 @@ class SSLAEADContext {
   uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0;
   // version_ is the wire version that should be used with this AEAD.
   uint16_t version_;
+  UniquePtr<RecordNumberEncrypter> rn_encrypter_;
   // is_dtls_ is whether DTLS is being used with this AEAD.
   bool is_dtls_;
   // variable_nonce_included_in_record_ is true if the variable nonce
@@ -951,6 +976,45 @@ class SSLAEADContext {
   bool ad_is_header_ : 1;
 };
 
+class AESRecordNumberEncrypter : public RecordNumberEncrypter {
+ public:
+  bool SetKey(Span<const uint8_t> key) override;
+  bool GenerateMask(Span<uint8_t> out, Span<const uint8_t> sample) override;
+
+ private:
+  AES_KEY key_;
+};
+
+class AES128RecordNumberEncrypter : public AESRecordNumberEncrypter {
+ public:
+  size_t KeySize() override;
+};
+
+class AES256RecordNumberEncrypter : public AESRecordNumberEncrypter {
+ public:
+  size_t KeySize() override;
+};
+
+class ChaChaRecordNumberEncrypter : public RecordNumberEncrypter {
+ public:
+  size_t KeySize() override;
+  bool SetKey(Span<const uint8_t> key) override;
+  bool GenerateMask(Span<uint8_t> out, Span<const uint8_t> sample) override;
+
+ private:
+  static const size_t kKeySize = 32;
+  uint8_t key_[kKeySize];
+};
+
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+class NullRecordNumberEncrypter : public RecordNumberEncrypter {
+ public:
+  size_t KeySize() override;
+  bool SetKey(Span<const uint8_t> key) override;
+  bool GenerateMask(Span<uint8_t> out, Span<const uint8_t> sample) override;
+};
+#endif  // BORINGSSL_UNSAFE_FUZZER_MODE
+
 
 // DTLS replay bitmap.
 
@@ -965,6 +1029,17 @@ struct DTLS1_BITMAP {
   uint64_t max_seq_num = 0;
 };
 
+// reconstruct_seqnum takes the low order bits of a record sequence number from
+// the wire and reconstructs the full sequence number. It does so using the
+// algorithm described in section 4.2.2 of RFC 9147, where |wire_seq| is the
+// low bits of the sequence number as seen on the wire, |seq_mask| is a bitmask
+// of 8 or 16 1 bits corresponding to the length of the sequence number on the
+// wire, and |max_valid_seqnum| is the largest sequence number of a record
+// successfully deprotected in this epoch. This function returns the sequence
+// number that is numerically closest to one plus |max_valid_seqnum| that when
+// bitwise and-ed with |seq_mask| equals |wire_seq|.
+OPENSSL_EXPORT uint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask,
+                                           uint64_t max_valid_seqnum);
 
 // Record layer.
 
@@ -1018,17 +1093,9 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type,
                                         size_t *out_consumed,
                                         uint8_t *out_alert, Span<uint8_t> in);
 
-// ssl_seal_align_prefix_len returns the length of the prefix before the start
-// of the bulk of the ciphertext when sealing a record with |ssl|. Callers may
-// use this to align buffers.
-//
-// Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte
-// record and is the offset into second record's ciphertext. Thus sealing a
-// small record may result in a smaller output than this value.
-//
-// TODO(davidben): Is this alignment valuable? Record-splitting makes this a
-// mess.
-size_t ssl_seal_align_prefix_len(const SSL *ssl);
+// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
+// state needs record-splitting and zero otherwise.
+bool ssl_needs_record_splitting(const SSL *ssl);
 
 // tls_seal_record seals a new record of type |type| and body |in| and writes it
 // to |out|. At most |max_out| bytes will be written. It returns true on success
@@ -1036,7 +1103,7 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl);
 // 1/n-1 record splitting and may write two records concatenated.
 //
 // For a large record, the bulk of the ciphertext will begin
-// |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
+// |tls_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
 // improve performance. It writes at most |in_len| + |SSL_max_seal_overhead|
 // bytes to |out|.
 //
@@ -1044,6 +1111,10 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl);
 bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
                      uint8_t type, const uint8_t *in, size_t in_len);
 
+// dtls_record_header_write_len returns the length of the record header that
+// will be written at |epoch|.
+size_t dtls_record_header_write_len(const SSL *ssl, uint16_t epoch);
+
 // dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
 // record.
 size_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch);
@@ -1444,7 +1515,8 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
 // tls13_derive_session_psk calculates the PSK for this session based on the
 // resumption master secret and |nonce|. It returns true on success, and false
 // on failure.
-bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce);
+bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce,
+                              bool is_dtls);
 
 // tls13_write_psk_binder calculates the PSK binder value over |transcript| and
 // |msg|, and replaces the last bytes of |msg| with the resulting value. It
@@ -2939,7 +3011,23 @@ struct SSL3_STATE {
 };
 
 // lengths of messages
-#define DTLS1_RT_HEADER_LENGTH 13
+#define DTLS1_RT_MAX_HEADER_LENGTH 13
+
+// DTLS_PLAINTEXT_RECORD_HEADER_LENGTH is the length of the DTLS record header
+// for plaintext records (in DTLS 1.3) or DTLS versions <= 1.2.
+#define DTLS_PLAINTEXT_RECORD_HEADER_LENGTH 13
+
+// DTLS1_3_RECORD_HEADER_LENGTH is the length of the DTLS 1.3 record header
+// sent by BoringSSL for encrypted records. Note that received encrypted DTLS
+// 1.3 records might have a different length header.
+#define DTLS1_3_RECORD_HEADER_WRITE_LENGTH 5
+
+static_assert(DTLS1_RT_MAX_HEADER_LENGTH >= DTLS_PLAINTEXT_RECORD_HEADER_LENGTH,
+              "DTLS1_RT_MAX_HEADER_LENGTH must not be smaller than defined "
+              "record header lengths");
+static_assert(DTLS1_RT_MAX_HEADER_LENGTH >= DTLS1_3_RECORD_HEADER_WRITE_LENGTH,
+              "DTLS1_RT_MAX_HEADER_LENGTH must not be smaller than defined "
+              "record header lengths");
 
 #define DTLS1_HM_HEADER_LENGTH 12
 
@@ -3019,6 +3107,11 @@ struct DTLS1_STATE {
   uint64_t last_write_sequence = 0;
   UniquePtr<SSLAEADContext> last_aead_write_ctx;
 
+
+  // In DTLS 1.3, this contains the write AEAD for the initial encryption level.
+  // TODO(crbug.com/boringssl/715): Drop this when it is no longer needed.
+  UniquePtr<SSLAEADContext> initial_aead_write_ctx;
+
   // incoming_messages is a ring buffer of incoming handshake messages that have
   // yet to be processed. The front of the ring buffer is message number
   // |handshake_read_seq|, at position |handshake_read_seq| %

data/third_party/boringssl-with-bazel/src/ssl/s3_both.cc

@@ -659,36 +659,60 @@ void tls_next_message(SSL *ssl) {
   }
 }
 
-// CipherScorer produces a "score" for each possible cipher suite offered by
-// the client.
+namespace {
+
 class CipherScorer {
  public:
-  CipherScorer(bool has_aes_hw) : aes_is_fine_(has_aes_hw) {}
+  using Score = int;
+  static constexpr Score kMinScore = 0;
 
-  typedef std::tuple<bool, bool> Score;
+  virtual ~CipherScorer() = default;
 
-  // MinScore returns a |Score| that will compare less than the score of all
-  // cipher suites.
-  Score MinScore() const {
-    return Score(false, false);
-  }
+  virtual Score Evaluate(const SSL_CIPHER *cipher) const = 0;
+};
+
+// AesHwCipherScorer scores cipher suites based on whether AES is supported in
+// hardware.
+class AesHwCipherScorer : public CipherScorer {
+ public:
+  explicit AesHwCipherScorer(bool has_aes_hw) : aes_is_fine_(has_aes_hw) {}
+
+  virtual ~AesHwCipherScorer() override = default;
 
-  Score Evaluate(const SSL_CIPHER *a) const {
-    return Score(
+  Score Evaluate(const SSL_CIPHER *a) const override {
+    return
         // Something is always preferable to nothing.
-        true,
+        1 +
         // Either AES is fine, or else ChaCha20 is preferred.
-        aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305);
+        ((aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305) ? 1 : 0);
   }
 
  private:
   const bool aes_is_fine_;
 };
 
+// CNsaCipherScorer prefers AES-256-GCM over AES-128-GCM over anything else.
+class CNsaCipherScorer : public CipherScorer {
+ public:
+  virtual ~CNsaCipherScorer() override = default;
+
+  Score Evaluate(const SSL_CIPHER *a) const override {
+    if (a->id == TLS1_3_CK_AES_256_GCM_SHA384) {
+      return 3;
+    } else if (a->id == TLS1_3_CK_AES_128_GCM_SHA256) {
+      return 2;
+    }
+    return 1;
+  }
+};
+
+}
+
 bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,
                                    enum ssl_compliance_policy_t policy) {
   switch (policy) {
     case ssl_compliance_policy_none:
+    case ssl_compliance_policy_cnsa_202407:
       return true;
 
     case ssl_compliance_policy_fips_202205:
@@ -728,8 +752,12 @@ const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
   }
 
   const SSL_CIPHER *best = nullptr;
-  CipherScorer scorer(has_aes_hw);
-  CipherScorer::Score best_score = scorer.MinScore();
+  AesHwCipherScorer aes_hw_scorer(has_aes_hw);
+  CNsaCipherScorer cnsa_scorer;
+  CipherScorer *const scorer = (policy == ssl_compliance_policy_cnsa_202407)
+                                   ? static_cast<CipherScorer*>(&cnsa_scorer)
+                                   : static_cast<CipherScorer*>(&aes_hw_scorer);
+  CipherScorer::Score best_score = CipherScorer::kMinScore;
 
   while (CBS_len(&cipher_suites) > 0) {
     uint16_t cipher_suite;
@@ -750,7 +778,7 @@ const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw,
       continue;
     }
 
-    const CipherScorer::Score candidate_score = scorer.Evaluate(candidate);
+    const CipherScorer::Score candidate_score = scorer->Evaluate(candidate);
     // |candidate_score| must be larger to displace the current choice. That way
     // the client's order controls between ciphers with an equal score.
     if (candidate_score > best_score) {

data/third_party/boringssl-with-bazel/src/ssl/s3_pkt.cc

@@ -198,6 +198,26 @@ int tls_write_app_data(SSL *ssl, bool *out_needs_handshake,
   }
 }
 
+// tls_seal_align_prefix_len returns the length of the prefix before the start
+// of the bulk of the ciphertext when sealing a record with |ssl|. Callers may
+// use this to align buffers.
+//
+// Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte
+// record and is the offset into second record's ciphertext. Thus sealing a
+// small record may result in a smaller output than this value.
+//
+// TODO(davidben): Is this alignment valuable? Record-splitting makes this a
+// mess.
+static size_t tls_seal_align_prefix_len(const SSL *ssl) {
+  size_t ret =
+      SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen();
+  if (ssl_needs_record_splitting(ssl)) {
+    ret += SSL3_RT_HEADER_LENGTH;
+    ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
+  }
+  return ret;
+}
+
 // do_tls_write writes an SSL record of the given type. On success, it sets
 // |*out_bytes_written| to number of bytes successfully written and returns one.
 // On error, it returns a value <= 0 from the underlying |BIO|.
@@ -265,7 +285,7 @@ static int do_tls_write(SSL *ssl, size_t *out_bytes_written, uint8_t type,
     return 1;
   }
 
-  if (!buf->EnsureCap(pending_flight.size() + ssl_seal_align_prefix_len(ssl),
+  if (!buf->EnsureCap(pending_flight.size() + tls_seal_align_prefix_len(ssl),
                       max_out)) {
     return -1;
   }

data/third_party/boringssl-with-bazel/src/ssl/ssl_aead_ctx.cc

@@ -18,6 +18,7 @@
 #include <string.h>
 
 #include <openssl/aead.h>
+#include <openssl/chacha.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
@@ -44,6 +45,7 @@ SSLAEADContext::SSLAEADContext(uint16_t version_arg, bool is_dtls_arg,
       omit_length_in_ad_(false),
       ad_is_header_(false) {
   OPENSSL_memset(fixed_nonce_, 0, sizeof(fixed_nonce_));
+  CreateRecordNumberEncrypter();
 }
 
 SSLAEADContext::~SSLAEADContext() {}
@@ -145,6 +147,23 @@ UniquePtr<SSLAEADContext> SSLAEADContext::Create(
   return aead_ctx;
 }
 
+void SSLAEADContext::CreateRecordNumberEncrypter() {
+  if (!cipher_) {
+    return;
+  }
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+  rn_encrypter_ = MakeUnique<NullRecordNumberEncrypter>();
+#else
+  if (cipher_->algorithm_enc == SSL_AES128GCM) {
+    rn_encrypter_ = MakeUnique<AES128RecordNumberEncrypter>();
+  } else if (cipher_->algorithm_enc == SSL_AES256GCM) {
+    rn_encrypter_ = MakeUnique<AES256RecordNumberEncrypter>();
+  } else if (cipher_->algorithm_enc == SSL_CHACHA20POLY1305) {
+    rn_encrypter_ = MakeUnique<ChaChaRecordNumberEncrypter>();
+  }
+#endif  // BORINGSSL_UNSAFE_FUZZER_MODE
+}
+
 UniquePtr<SSLAEADContext> SSLAEADContext::CreatePlaceholderForQUIC(
     uint16_t version, const SSL_CIPHER *cipher) {
   return MakeUnique<SSLAEADContext>(version, false, cipher);
@@ -175,7 +194,7 @@ uint16_t SSLAEADContext::RecordVersion() const {
     return version_;
   }
 
-  return TLS1_2_VERSION;
+  return is_dtls_ ? DTLS1_2_VERSION : TLS1_2_VERSION;
 }
 
 size_t SSLAEADContext::ExplicitNonceLen() const {
@@ -427,4 +446,70 @@ bool SSLAEADContext::GetIV(const uint8_t **out_iv, size_t *out_iv_len) const {
          EVP_AEAD_CTX_get_iv(ctx_.get(), out_iv, out_iv_len);
 }
 
+bool SSLAEADContext::GenerateRecordNumberMask(Span<uint8_t> out,
+                                              Span<const uint8_t> sample) {
+  if (!rn_encrypter_) {
+    return false;
+  }
+  return rn_encrypter_->GenerateMask(out, sample);
+}
+
+size_t AES128RecordNumberEncrypter::KeySize() { return 16; }
+
+size_t AES256RecordNumberEncrypter::KeySize() { return 32; }
+
+bool AESRecordNumberEncrypter::SetKey(Span<const uint8_t> key) {
+  return AES_set_encrypt_key(key.data(), key.size() * 8, &key_) == 0;
+}
+
+bool AESRecordNumberEncrypter::GenerateMask(Span<uint8_t> out,
+                                            Span<const uint8_t> sample) {
+  if (sample.size() < AES_BLOCK_SIZE || out.size() != AES_BLOCK_SIZE) {
+    return false;
+  }
+  AES_encrypt(sample.data(), out.data(), &key_);
+  return true;
+}
+
+size_t ChaChaRecordNumberEncrypter::KeySize() { return kKeySize; }
+
+bool ChaChaRecordNumberEncrypter::SetKey(Span<const uint8_t> key) {
+  if (key.size() != kKeySize) {
+    return false;
+  }
+  OPENSSL_memcpy(key_, key.data(), key.size());
+  return true;
+}
+
+bool ChaChaRecordNumberEncrypter::GenerateMask(Span<uint8_t> out,
+                                               Span<const uint8_t> sample) {
+  Array<uint8_t> zeroes;
+  if (!zeroes.Init(out.size())) {
+    return false;
+  }
+  OPENSSL_memset(zeroes.data(), 0, zeroes.size());
+  // RFC 9147 section 4.2.3 uses the first 4 bytes of the sample as the counter
+  // and the next 12 bytes as the nonce. If we have less than 4+12=16 bytes in
+  // the sample, then we'll read past the end of the |sample| buffer.
+  if (sample.size() < 16) {
+    return false;
+  }
+  uint32_t counter = CRYPTO_load_u32_be(sample.data());
+  Span<const uint8_t> nonce = sample.subspan(4);
+  CRYPTO_chacha_20(out.data(), zeroes.data(), zeroes.size(), key_, nonce.data(),
+                   counter);
+  return true;
+}
+
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+size_t NullRecordNumberEncrypter::KeySize() { return 0; }
+bool NullRecordNumberEncrypter::SetKey(Span<const uint8_t> key) { return true; }
+
+bool NullRecordNumberEncrypter::GenerateMask(Span<uint8_t> out,
+                                             Span<const uint8_t> sample) {
+  OPENSSL_memset(out.data(), 0, out.size());
+  return true;
+}
+#endif  // BORINGSSL_UNSAFE_FUZZER_MODE
+
 BSSL_NAMESPACE_END