grpc 1.69.0 → 1.70.1

data/third_party/boringssl-with-bazel/src/ssl/ssl_transcript.cc

@@ -144,7 +144,7 @@
 
 BSSL_NAMESPACE_BEGIN
 
-SSLTranscript::SSLTranscript() {}
+SSLTranscript::SSLTranscript(bool is_dtls) : is_dtls_(is_dtls) {}
 
 SSLTranscript::~SSLTranscript() {}
 
@@ -159,25 +159,81 @@ bool SSLTranscript::Init() {
 }
 
 bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {
+  version_ = version;
   const EVP_MD *md = ssl_get_handshake_digest(version, cipher);
   if (Digest() == md) {
     // No need to re-hash the buffer.
     return true;
   }
-  return EVP_DigestInit_ex(hash_.get(), md, nullptr) &&
-         EVP_DigestUpdate(hash_.get(), buffer_->data, buffer_->length);
+  if (!HashBuffer(hash_.get(), md)) {
+    return false;
+  }
+  if (is_dtls_ && version_ >= TLS1_3_VERSION) {
+    // In DTLS 1.3, prior to the call to InitHash, the message (if present) in
+    // the buffer has the DTLS 1.2 header. After the call to InitHash, the TLS
+    // 1.3 header is written by SSLTranscript::Update. If the buffer isn't freed
+    // here, it would have a mix of different header formats and using it would
+    // yield wrong results. However, there's no need for the buffer once the
+    // version and the digest for the cipher suite are known, so the buffer is
+    // freed here to avoid potential misuse of the SSLTranscript object.
+    FreeBuffer();
+  }
+  return true;
 }
 
-void SSLTranscript::FreeBuffer() {
-  buffer_.reset();
-}
+bool SSLTranscript::HashBuffer(EVP_MD_CTX *ctx, const EVP_MD *digest) const {
+  if (!EVP_DigestInit_ex(ctx, digest, nullptr)) {
+    return false;
+  }
+  if (!is_dtls_ || version_ < TLS1_3_VERSION) {
+    return EVP_DigestUpdate(ctx, buffer_->data, buffer_->length);
+  }
+
+  // If the version is DTLS 1.3 and we still have a buffer, then there should be
+  // at most a single DTLSHandshake message in the buffer, for the ClientHello.
+  // On the server side, the version (DTLS 1.3) and cipher suite are chosen in
+  // response to the first ClientHello, and InitHash is called before that
+  // ClientHello is added to the SSLTranscript, so the buffer is empty if this
+  // SSLTranscript is on the server.
+  if (buffer_->length == 0) {
+    return true;
+  }
 
-size_t SSLTranscript::DigestLen() const {
-  return EVP_MD_size(Digest());
+  // On the client side, we can receive either a ServerHello or
+  // HelloRetryRequest in response to the ClientHello. Regardless of which
+  // message we receive, the client code calls InitHash before updating the
+  // transcript with that message, so the ClientHello is the only message in the
+  // buffer. In DTLS 1.3, we need to skip the message_seq, fragment_offset, and
+  // fragment_length fields from the DTLSHandshake message in the buffer. The
+  // structure of a DTLSHandshake message is as follows (RFC 9147, section 5.2):
+  //
+  //   struct {
+  //       HandshakeType msg_type;    /* handshake type */
+  //       uint24 length;             /* bytes in message */
+  //       uint16 message_seq;        /* DTLS-required field */
+  //       uint24 fragment_offset;    /* DTLS-required field */
+  //       uint24 fragment_length;    /* DTLS-required field */
+  //       select (msg_type) {
+  //         /* omitted for brevity */
+  //       } body;
+  //   } DTLSHandshake;
+  CBS buf, header;
+  CBS_init(&buf, reinterpret_cast<uint8_t *>(buffer_->data), buffer_->length);
+  if (!CBS_get_bytes(&buf, &header, 4) ||                             //
+      !CBS_skip(&buf, 8) ||                                           //
+      !EVP_DigestUpdate(ctx, CBS_data(&header), CBS_len(&header)) ||  //
+      !EVP_DigestUpdate(ctx, CBS_data(&buf), CBS_len(&buf))) {
+    return false;
+  }
+  return true;
 }
 
+void SSLTranscript::FreeBuffer() { buffer_.reset(); }
+
+size_t SSLTranscript::DigestLen() const { return EVP_MD_size(Digest()); }
+
 const EVP_MD *SSLTranscript::Digest() const {
-  return EVP_MD_CTX_md(hash_.get());
+  return EVP_MD_CTX_get0_md(hash_.get());
 }
 
 bool SSLTranscript::UpdateForHelloRetryRequest() {
@@ -193,8 +249,8 @@ bool SSLTranscript::UpdateForHelloRetryRequest() {
   const uint8_t header[4] = {SSL3_MT_MESSAGE_HASH, 0, 0,
                              static_cast<uint8_t>(hash_len)};
   if (!EVP_DigestInit_ex(hash_.get(), Digest(), nullptr) ||
-      !Update(header) ||
-      !Update(MakeConstSpan(old_hash, hash_len))) {
+      !AddToBufferOrHash(header) ||
+      !AddToBufferOrHash(MakeConstSpan(old_hash, hash_len))) {
     return false;
   }
   return true;
@@ -209,8 +265,7 @@ bool SSLTranscript::CopyToHashContext(EVP_MD_CTX *ctx,
   }
 
   if (buffer_) {
-    return EVP_DigestInit_ex(ctx, digest, nullptr) &&
-           EVP_DigestUpdate(ctx, buffer_->data, buffer_->length);
+    return HashBuffer(ctx, digest);
   }
 
   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -218,9 +273,30 @@ bool SSLTranscript::CopyToHashContext(EVP_MD_CTX *ctx,
 }
 
 bool SSLTranscript::Update(Span<const uint8_t> in) {
+  if (!is_dtls_ || version_ < TLS1_3_VERSION) {
+    return AddToBufferOrHash(in);
+  }
+  if (in.size() < DTLS1_HM_HEADER_LENGTH) {
+    return false;
+  }
+  // The message passed into Update is the whole Handshake or DTLSHandshake
+  // message, including the msg_type and length. In DTLS, the DTLSHandshake
+  // message also has message_seq, fragment_offset, and fragment_length
+  // fields. In DTLS 1.3, those fields are omitted so that the same
+  // transcript format as TLS 1.3 is used. This means we write the 1-byte
+  // msg_type, 3-byte length, then skip 2+3+3 bytes for the DTLS-specific
+  // fields that get omitted.
+  if (!AddToBufferOrHash(in.subspan(0, 4)) ||
+      !AddToBufferOrHash(in.subspan(12))) {
+    return false;
+  }
+  return true;
+}
+
+bool SSLTranscript::AddToBufferOrHash(Span<const uint8_t> in) {
   // Depending on the state of the handshake, either the handshake buffer may be
   // active, the rolling hash, or both.
-  if (buffer_ &&
+  if (buffer_ &&  //
       !BUF_MEM_append(buffer_.get(), in.data(), in.size())) {
     return false;
   }
@@ -259,8 +335,7 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
   }
 
   static const size_t kFinishedLen = 12;
-  if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen),
-                MakeConstSpan(session->secret, session->secret_length), label,
+  if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen), session->secret, label,
                 MakeConstSpan(digest, digest_len), {})) {
     return false;
   }

data/third_party/boringssl-with-bazel/src/ssl/ssl_versions.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2017, Google Inc.
+/* Copyright 2017 The BoringSSL Authors
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -22,8 +22,8 @@
 #include <openssl/err.h>
 #include <openssl/span.h>
 
-#include "internal.h"
 #include "../crypto/internal.h"
+#include "internal.h"
 
 
 BSSL_NAMESPACE_BEGIN
@@ -46,7 +46,7 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) {
       *out = TLS1_2_VERSION;
       return true;
 
-    case DTLS1_3_EXPERIMENTAL_VERSION:
+    case DTLS1_3_VERSION:
       *out = TLS1_3_VERSION;
       return true;
 
@@ -66,7 +66,7 @@ static const uint16_t kTLSVersions[] = {
 };
 
 static const uint16_t kDTLSVersions[] = {
-    DTLS1_3_EXPERIMENTAL_VERSION,
+    DTLS1_3_VERSION,
     DTLS1_2_VERSION,
     DTLS1_VERSION,
 };
@@ -90,7 +90,7 @@ bool ssl_method_supports_version(const SSL_PROTOCOL_METHOD *method,
 // The following functions map between API versions and wire versions. The
 // public API works on wire versions.
 
-static const char* kUnknownVersion = "unknown";
+static const char *kUnknownVersion = "unknown";
 
 struct VersionInfo {
   uint16_t version;
@@ -104,7 +104,7 @@ static const VersionInfo kVersionNames[] = {
     {TLS1_VERSION, "TLSv1"},
     {DTLS1_VERSION, "DTLSv1"},
     {DTLS1_2_VERSION, "DTLSv1.2"},
-    {DTLS1_3_EXPERIMENTAL_VERSION, "DTLSv1.3"},
+    {DTLS1_3_VERSION, "DTLSv1.3"},
 };
 
 static const char *ssl_version_to_string(uint16_t version) {
@@ -116,9 +116,7 @@ static const char *ssl_version_to_string(uint16_t version) {
   return kUnknownVersion;
 }
 
-static uint16_t wire_version_to_api(uint16_t version) {
-  return version;
-}
+static uint16_t wire_version_to_api(uint16_t version) { return version; }
 
 // api_version_to_wire maps |version| to some representative wire version.
 static bool api_version_to_wire(uint16_t *out, uint16_t version) {
@@ -158,6 +156,8 @@ static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
 static bool set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
                             uint16_t version) {
   // Zero is interpreted as the default maximum version.
+  // TODO(crbug.com/42290594): Enable DTLS 1.3 by default, after it's
+  // successfully shipped in WebRTC.
   if (version == 0) {
     *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_3_VERSION;
     return true;
@@ -198,7 +198,7 @@ bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
   }
 
   // QUIC requires TLS 1.3.
-  if (hs->ssl->quic_method && min_version < TLS1_3_VERSION) {
+  if (SSL_is_quic(hs->ssl) && min_version < TLS1_3_VERSION) {
     min_version = TLS1_3_VERSION;
   }
 
@@ -234,7 +234,7 @@ bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
     // If there is a disabled version after the first enabled one, all versions
     // after it are implicitly disabled.
     if (any_enabled) {
-      max_version = kProtocolVersions[i-1].version;
+      max_version = kProtocolVersions[i - 1].version;
       break;
     }
   }
@@ -250,18 +250,32 @@ bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version,
 }
 
 static uint16_t ssl_version(const SSL *ssl) {
-  // In early data, we report the predicted version.
+  // In early data, we report the predicted version. Note it is possible that we
+  // have a predicted version and a *different* true version. This means 0-RTT
+  // has been rejected, but until the reject has reported to the application and
+  // applied with |SSL_reset_early_data_reject|, we continue reporting a
+  // self-consistent connection.
   if (SSL_in_early_data(ssl) && !ssl->server) {
     return ssl->s3->hs->early_session->ssl_version;
   }
-  return ssl->version;
+  if (ssl->s3->version != 0) {
+    return ssl->s3->version;
+  }
+  // The TLS versions has not yet been negotiated. Historically, we would return
+  // (D)TLS 1.2, so preserve that behavior.
+  return SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION;
+}
+
+bool ssl_has_final_version(const SSL *ssl) {
+  return ssl->s3->version != 0 &&
+         (ssl->s3->hs == nullptr || !ssl->s3->hs->is_early_version);
 }
 
 uint16_t ssl_protocol_version(const SSL *ssl) {
-  assert(ssl->s3->have_version);
+  assert(ssl->s3->version != 0);
   uint16_t version;
-  if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
-    // |ssl->version| will always be set to a valid version.
+  if (!ssl_protocol_version_from_wire(&version, ssl->s3->version)) {
+    // |ssl->s3->version| will always be set to a valid version.
     assert(0);
     return 0;
   }

data/third_party/boringssl-with-bazel/src/ssl/ssl_x509.cc

@@ -149,8 +149,8 @@
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 
-#include "internal.h"
 #include "../crypto/internal.h"
+#include "internal.h"
 
 
 BSSL_NAMESPACE_BEGIN
@@ -198,11 +198,11 @@ static void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) {
 // which case no change to |cert->chain| is made. It preverses the existing
 // leaf from |cert->chain|, if any.
 static bool ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) {
-  cert->default_credential->ClearIntermediateCerts();
+  cert->legacy_credential->ClearIntermediateCerts();
   for (X509 *x509 : chain) {
     UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
     if (!buffer ||
-        !cert->default_credential->AppendIntermediateCert(std::move(buffer))) {
+        !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) {
       return false;
     }
   }
@@ -342,20 +342,21 @@ static bool ssl_crypto_x509_session_verify_cert_chain(SSL_SESSION *session,
   size_t name_len;
   SSL_get0_ech_name_override(ssl, &name, &name_len);
   UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
-  if (!ctx ||
-      !X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) ||
-      !X509_STORE_CTX_set_ex_data(ctx.get(),
-                                  SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) ||
+  if (!ctx ||                                                             //
+      !X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) ||  //
+      !X509_STORE_CTX_set_ex_data(
+          ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) ||  //
       // We need to inherit the verify parameters. These can be determined by
       // the context: if its a server it will verify SSL client certificates or
       // vice versa.
-      !X509_STORE_CTX_set_default(ctx.get(),
-                                  ssl->server ? "ssl_client" : "ssl_server") ||
+      !X509_STORE_CTX_set_default(
+          ctx.get(),
+          ssl->server ? "ssl_client" : "ssl_server") ||  //
       // Anything non-default in "param" should overwrite anything in the ctx.
       !X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()),
-                              hs->config->param) ||
+                              hs->config->param) ||  //
       // ClientHelloOuter connections use a different name.
-      (name_len != 0 &&
+      (name_len != 0 &&  //
        !X509_VERIFY_PARAM_set1_host(X509_STORE_CTX_get0_param(ctx.get()), name,
                                     name_len))) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
@@ -412,10 +413,10 @@ static void ssl_crypto_x509_ssl_config_free(SSL_CONFIG *cfg) {
 }
 
 static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
-  // Only build a chain if the feature isn't disabled, the default credential
+  // Only build a chain if the feature isn't disabled, the legacy credential
   // exists but has no intermediates configured.
   SSL *ssl = hs->ssl;
-  SSL_CREDENTIAL *cred = hs->config->cert->default_credential.get();
+  SSL_CREDENTIAL *cred = hs->config->cert->legacy_credential.get();
   if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || !cred->IsComplete() ||
       sk_CRYPTO_BUFFER_num(cred->chain.get()) != 1) {
     return true;
@@ -467,24 +468,24 @@ static void ssl_crypto_x509_ssl_ctx_free(SSL_CTX *ctx) {
 }
 
 const SSL_X509_METHOD ssl_crypto_x509_method = {
-  ssl_crypto_x509_check_client_CA_list,
-  ssl_crypto_x509_cert_clear,
-  ssl_crypto_x509_cert_free,
-  ssl_crypto_x509_cert_dup,
-  ssl_crypto_x509_cert_flush_cached_chain,
-  ssl_crypto_x509_cert_flush_cached_leaf,
-  ssl_crypto_x509_session_cache_objects,
-  ssl_crypto_x509_session_dup,
-  ssl_crypto_x509_session_clear,
-  ssl_crypto_x509_session_verify_cert_chain,
-  ssl_crypto_x509_hs_flush_cached_ca_names,
-  ssl_crypto_x509_ssl_new,
-  ssl_crypto_x509_ssl_config_free,
-  ssl_crypto_x509_ssl_flush_cached_client_CA,
-  ssl_crypto_x509_ssl_auto_chain_if_needed,
-  ssl_crypto_x509_ssl_ctx_new,
-  ssl_crypto_x509_ssl_ctx_free,
-  ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
+    ssl_crypto_x509_check_client_CA_list,
+    ssl_crypto_x509_cert_clear,
+    ssl_crypto_x509_cert_free,
+    ssl_crypto_x509_cert_dup,
+    ssl_crypto_x509_cert_flush_cached_chain,
+    ssl_crypto_x509_cert_flush_cached_leaf,
+    ssl_crypto_x509_session_cache_objects,
+    ssl_crypto_x509_session_dup,
+    ssl_crypto_x509_session_clear,
+    ssl_crypto_x509_session_verify_cert_chain,
+    ssl_crypto_x509_hs_flush_cached_ca_names,
+    ssl_crypto_x509_ssl_new,
+    ssl_crypto_x509_ssl_config_free,
+    ssl_crypto_x509_ssl_flush_cached_client_CA,
+    ssl_crypto_x509_ssl_auto_chain_if_needed,
+    ssl_crypto_x509_ssl_ctx_new,
+    ssl_crypto_x509_ssl_ctx_free,
+    ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
 };
 
 BSSL_NAMESPACE_END
@@ -636,10 +637,8 @@ void SSL_set_verify_depth(SSL *ssl, int depth) {
   X509_VERIFY_PARAM_set_depth(ssl->config->param, depth);
 }
 
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
-                                      int (*cb)(X509_STORE_CTX *store_ctx,
-                                                void *arg),
-                                      void *arg) {
+void SSL_CTX_set_cert_verify_callback(
+    SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *store_ctx, void *arg), void *arg) {
   check_ssl_ctx_x509_method(ctx);
   ctx->app_verify_callback = cb;
   ctx->app_verify_arg = arg;
@@ -720,9 +719,8 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) {
 static int ssl_cert_cache_leaf_cert(CERT *cert) {
   assert(cert->x509_method);
 
-  const SSL_CREDENTIAL *cred = cert->default_credential.get();
-  if (cert->x509_leaf != NULL ||
-      cred->chain == NULL) {
+  const SSL_CREDENTIAL *cred = cert->legacy_credential.get();
+  if (cert->x509_leaf != NULL || cred->chain == NULL) {
     return 1;
   }
 
@@ -736,7 +734,7 @@ static int ssl_cert_cache_leaf_cert(CERT *cert) {
 }
 
 static X509 *ssl_cert_get0_leaf(CERT *cert) {
-  if (cert->x509_leaf == NULL &&
+  if (cert->x509_leaf == NULL &&  //
       !ssl_cert_cache_leaf_cert(cert)) {
     return NULL;
   }
@@ -755,7 +753,7 @@ X509 *SSL_get_certificate(const SSL *ssl) {
 
 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {
   check_ssl_ctx_x509_method(ctx);
-  MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
+  MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
   return ssl_cert_get0_leaf(ctx->cert.get());
 }
 
@@ -764,7 +762,7 @@ static int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) {
 
   UniquePtr<CRYPTO_BUFFER> buffer = x509_to_buffer(x509);
   if (!buffer ||
-      !cert->default_credential->AppendIntermediateCert(std::move(buffer))) {
+      !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) {
     return 0;
   }
 
@@ -867,9 +865,8 @@ int SSL_clear_chain_certs(SSL *ssl) {
 static int ssl_cert_cache_chain_certs(CERT *cert) {
   assert(cert->x509_method);
 
-  const SSL_CREDENTIAL *cred = cert->default_credential.get();
-  if (cert->x509_chain != nullptr ||
-      cred->chain == nullptr ||
+  const SSL_CREDENTIAL *cred = cert->legacy_credential.get();
+  if (cert->x509_chain != nullptr || cred->chain == nullptr ||
       sk_CRYPTO_BUFFER_num(cred->chain.get()) < 2) {
     return 1;
   }
@@ -882,7 +879,7 @@ static int ssl_cert_cache_chain_certs(CERT *cert) {
   for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cred->chain.get()); i++) {
     CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(cred->chain.get(), i);
     UniquePtr<X509> x509(X509_parse_from_buffer(buffer));
-    if (!x509 ||
+    if (!x509 ||  //
         !PushToStack(chain.get(), std::move(x509))) {
       return 0;
     }
@@ -894,7 +891,7 @@ static int ssl_cert_cache_chain_certs(CERT *cert) {
 
 int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {
   check_ssl_ctx_x509_method(ctx);
-  MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
+  MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
   if (!ssl_cert_cache_chain_certs(ctx->cert.get())) {
     *out_chain = NULL;
     return 0;
@@ -995,8 +992,7 @@ static void set_client_CA_list(UniquePtr<STACK_OF(CRYPTO_BUFFER)> *ca_list,
 
     UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(outp, len, pool));
     OPENSSL_free(outp);
-    if (!buffer ||
-        !PushToStack(buffers.get(), std::move(buffer))) {
+    if (!buffer || !PushToStack(buffers.get(), std::move(buffer))) {
       return;
     }
   }
@@ -1021,9 +1017,8 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) {
   sk_X509_NAME_pop_free(name_list, X509_NAME_free);
 }
 
-static STACK_OF(X509_NAME) *
-    buffer_names_to_x509(const STACK_OF(CRYPTO_BUFFER) *names,
-                         STACK_OF(X509_NAME) **cached) {
+static STACK_OF(X509_NAME) *buffer_names_to_x509(
+    const STACK_OF(CRYPTO_BUFFER) *names, STACK_OF(X509_NAME) **cached) {
   if (names == NULL) {
     return NULL;
   }
@@ -1155,7 +1150,7 @@ static int do_client_cert_cb(SSL *ssl, void *arg) {
   // Should only be called during handshake, but check to be sure.
   BSSL_CHECK(ssl->config);
 
-  if (ssl->config->cert->default_credential->IsComplete() ||
+  if (ssl->config->cert->legacy_credential->IsComplete() ||
       ssl->ctx->client_cert_cb == nullptr) {
     return 1;
   }
@@ -1170,7 +1165,7 @@ static int do_client_cert_cb(SSL *ssl, void *arg) {
   UniquePtr<EVP_PKEY> free_pkey(pkey);
 
   if (ret != 0) {
-    if (!SSL_use_certificate(ssl, x509) ||
+    if (!SSL_use_certificate(ssl, x509) ||  //
         !SSL_use_PrivateKey(ssl, pkey)) {
       return 0;
     }
@@ -1179,9 +1174,9 @@ static int do_client_cert_cb(SSL *ssl, void *arg) {
   return 1;
 }
 
-void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl,
-                                                        X509 **out_x509,
-                                                        EVP_PKEY **out_pkey)) {
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
+                                int (*cb)(SSL *ssl, X509 **out_x509,
+                                          EVP_PKEY **out_pkey)) {
   check_ssl_ctx_x509_method(ctx);
   // Emulate the old client certificate callback with the new one.
   SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);

data/third_party/boringssl-with-bazel/src/ssl/t1_enc.cc

@@ -169,7 +169,7 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
                                   const SSL_CIPHER *cipher) {
   const EVP_AEAD *aead = NULL;
   if (!ssl_cipher_get_evp_aead(&aead, out_mac_secret_len, out_iv_len, cipher,
-                               ssl_protocol_version(ssl), SSL_is_dtls(ssl))) {
+                               ssl_protocol_version(ssl))) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
     return false;
   }
@@ -191,14 +191,13 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len,
 
 static bool generate_key_block(const SSL *ssl, Span<uint8_t> out,
                                const SSL_SESSION *session) {
-  auto secret = MakeConstSpan(session->secret, session->secret_length);
   static const char kLabel[] = "key expansion";
   auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1);
 
   const EVP_MD *digest = ssl_session_get_digest(session);
   // Note this function assumes that |session|'s key material corresponds to
   // |ssl->s3->client_random| and |ssl->s3->server_random|.
-  return tls1_prf(digest, out, secret, label, ssl->s3->server_random,
+  return tls1_prf(digest, out, session->secret, label, ssl->s3->server_random,
                   ssl->s3->client_random);
 }
 
@@ -215,7 +214,7 @@ bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
   // Ensure that |key_block_cache| is set up.
   const size_t key_block_size = 2 * (mac_secret_len + key_len + iv_len);
   if (key_block_cache->empty()) {
-    if (!key_block_cache->Init(key_block_size) ||
+    if (!key_block_cache->InitForOverwrite(key_block_size) ||
         !generate_key_block(ssl, MakeSpan(*key_block_cache), session)) {
       return false;
     }
@@ -243,9 +242,8 @@ bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
     iv = iv_override;
   }
 
-  UniquePtr<SSLAEADContext> aead_ctx =
-      SSLAEADContext::Create(direction, ssl->version, SSL_is_dtls(ssl),
-                             session->cipher, key, mac_secret, iv);
+  UniquePtr<SSLAEADContext> aead_ctx = SSLAEADContext::Create(
+      direction, ssl->s3->version, session->cipher, key, mac_secret, iv);
   if (!aead_ctx) {
     return false;
   }
@@ -253,12 +251,12 @@ bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction,
   if (direction == evp_aead_open) {
     return ssl->method->set_read_state(ssl, ssl_encryption_application,
                                        std::move(aead_ctx),
-                                       /*secret_for_quic=*/{});
+                                       /*traffic_secret=*/{});
   }
 
   return ssl->method->set_write_state(ssl, ssl_encryption_application,
                                       std::move(aead_ctx),
-                                      /*secret_for_quic=*/{});
+                                      /*traffic_secret=*/{});
 }
 
 bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
@@ -267,33 +265,33 @@ bool tls1_change_cipher_state(SSL_HANDSHAKE *hs,
                              ssl_handshake_session(hs), {});
 }
 
-int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
-                                Span<const uint8_t> premaster) {
+bool tls1_generate_master_secret(SSL_HANDSHAKE *hs, Span<uint8_t> out,
+                                 Span<const uint8_t> premaster) {
   static const char kMasterSecretLabel[] = "master secret";
   static const char kExtendedMasterSecretLabel[] = "extended master secret";
+  BSSL_CHECK(out.size() == SSL3_MASTER_SECRET_SIZE);
 
   const SSL *ssl = hs->ssl;
-  auto out_span = MakeSpan(out, SSL3_MASTER_SECRET_SIZE);
   if (hs->extended_master_secret) {
     auto label = MakeConstSpan(kExtendedMasterSecretLabel,
                                sizeof(kExtendedMasterSecretLabel) - 1);
     uint8_t digests[EVP_MAX_MD_SIZE];
     size_t digests_len;
     if (!hs->transcript.GetHash(digests, &digests_len) ||
-        !tls1_prf(hs->transcript.Digest(), out_span, premaster, label,
+        !tls1_prf(hs->transcript.Digest(), out, premaster, label,
                   MakeConstSpan(digests, digests_len), {})) {
-      return 0;
+      return false;
     }
   } else {
     auto label =
         MakeConstSpan(kMasterSecretLabel, sizeof(kMasterSecretLabel) - 1);
-    if (!tls1_prf(hs->transcript.Digest(), out_span, premaster, label,
+    if (!tls1_prf(hs->transcript.Digest(), out, premaster, label,
                   ssl->s3->client_random, ssl->s3->server_random)) {
-      return 0;
+      return false;
     }
   }
 
-  return SSL3_MASTER_SECRET_SIZE;
+  return true;
 }
 
 BSSL_NAMESPACE_END
@@ -334,8 +332,8 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
                                const uint8_t *context, size_t context_len,
                                int use_context) {
   // In TLS 1.3, the exporter may be used whenever the secret has been derived.
-  if (ssl->s3->have_version && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
-    if (ssl->s3->exporter_secret_len == 0) {
+  if (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+    if (ssl->s3->exporter_secret.empty()) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE);
       return 0;
     }
@@ -344,8 +342,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
       context_len = 0;
     }
     return tls13_export_keying_material(
-        ssl, MakeSpan(out, out_len),
-        MakeConstSpan(ssl->s3->exporter_secret, ssl->s3->exporter_secret_len),
+        ssl, MakeSpan(out, out_len), ssl->s3->exporter_secret,
         MakeConstSpan(label, label_len), MakeConstSpan(context, context_len));
   }
 
@@ -365,7 +362,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
     seed_len += 2 + context_len;
   }
   Array<uint8_t> seed;
-  if (!seed.Init(seed_len)) {
+  if (!seed.InitForOverwrite(seed_len)) {
     return 0;
   }
 
@@ -375,12 +372,12 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
   if (use_context) {
     seed[2 * SSL3_RANDOM_SIZE] = static_cast<uint8_t>(context_len >> 8);
     seed[2 * SSL3_RANDOM_SIZE + 1] = static_cast<uint8_t>(context_len);
-    OPENSSL_memcpy(seed.data() + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);
+    OPENSSL_memcpy(seed.data() + 2 * SSL3_RANDOM_SIZE + 2, context,
+                   context_len);
   }
 
   const SSL_SESSION *session = SSL_get_session(ssl);
   const EVP_MD *digest = ssl_session_get_digest(session);
-  return tls1_prf(digest, MakeSpan(out, out_len),
-                  MakeConstSpan(session->secret, session->secret_length),
+  return tls1_prf(digest, MakeSpan(out, out_len), session->secret,
                   MakeConstSpan(label, label_len), seed, {});
 }