grpc 1.9.1 → 1.10.0.pre1

data/third_party/boringssl/ssl/{s3_lib.c → s3_lib.cc}

@@ -152,7 +152,6 @@
 #include <string.h>
 
 #include <openssl/buf.h>
-#include <openssl/dh.h>
 #include <openssl/digest.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>
@@ -163,10 +162,18 @@
 #include "internal.h"
 
 
+namespace bssl {
+
 int ssl3_new(SSL *ssl) {
-  SSL3_STATE *s3;
+  UniquePtr<SSLAEADContext> aead_read_ctx =
+      SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
+  UniquePtr<SSLAEADContext> aead_write_ctx =
+      SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
+  if (!aead_read_ctx || !aead_write_ctx) {
+    return 0;
+  }
 
-  s3 = OPENSSL_malloc(sizeof *s3);
+  SSL3_STATE *s3 = (SSL3_STATE *)OPENSSL_malloc(sizeof *s3);
   if (s3 == NULL) {
     return 0;
   }
@@ -178,13 +185,15 @@ int ssl3_new(SSL *ssl) {
     return 0;
   }
 
+  s3->aead_read_ctx = aead_read_ctx.release();
+  s3->aead_write_ctx = aead_write_ctx.release();
   ssl->s3 = s3;
 
-  /* Set the version to the highest supported version.
-   *
-   * TODO(davidben): Move this field into |s3|, have it store the normalized
-   * protocol version, and implement this pre-negotiation quirk in |SSL_version|
-   * at the API boundary rather than in internal state. */
+  // Set the version to the highest supported version.
+  //
+  // TODO(davidben): Move this field into |s3|, have it store the normalized
+  // protocol version, and implement this pre-negotiation quirk in |SSL_version|
+  // at the API boundary rather than in internal state.
   ssl->version = TLS1_2_VERSION;
   return 1;
 }
@@ -201,8 +210,9 @@ void ssl3_free(SSL *ssl) {
   ssl_handshake_free(ssl->s3->hs);
   OPENSSL_free(ssl->s3->next_proto_negotiated);
   OPENSSL_free(ssl->s3->alpn_selected);
-  SSL_AEAD_CTX_free(ssl->s3->aead_read_ctx);
-  SSL_AEAD_CTX_free(ssl->s3->aead_write_ctx);
+  OPENSSL_free(ssl->s3->hostname);
+  Delete(ssl->s3->aead_read_ctx);
+  Delete(ssl->s3->aead_write_ctx);
   BUF_MEM_free(ssl->s3->pending_flight);
 
   OPENSSL_cleanse(ssl->s3, sizeof *ssl->s3);
@@ -218,3 +228,5 @@ const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(
 
   return ssl->ctx->cipher_list;
 }
+
+}  // namespace bssl

data/third_party/boringssl/ssl/{s3_pkt.c → s3_pkt.cc}

@@ -122,14 +122,16 @@
 #include "internal.h"
 
 
+namespace bssl {
+
 static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len);
 
-/* ssl3_get_record reads a new input record. On success, it places it in
- * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
- * more data is needed. */
+// ssl3_get_record reads a new input record. On success, it places it in
+// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
+// more data is needed.
 static int ssl3_get_record(SSL *ssl) {
 again:
-  switch (ssl->s3->recv_shutdown) {
+  switch (ssl->s3->read_shutdown) {
     case ssl_shutdown_none:
       break;
     case ssl_shutdown_fatal_alert:
@@ -139,12 +141,11 @@ again:
       return 0;
   }
 
-  CBS body;
+  Span<uint8_t> body;
   uint8_t type, alert = SSL_AD_DECODE_ERROR;
   size_t consumed;
-  enum ssl_open_record_t open_ret =
-      tls_open_record(ssl, &type, &body, &consumed, &alert,
-                      ssl_read_buffer(ssl), ssl_read_buffer_len(ssl));
+  enum ssl_open_record_t open_ret = tls_open_record(
+      ssl, &type, &body, &consumed, &alert, ssl_read_buffer(ssl));
   if (open_ret != ssl_open_record_partial) {
     ssl_read_buffer_consume(ssl, consumed);
   }
@@ -157,17 +158,18 @@ again:
       goto again;
     }
 
-    case ssl_open_record_success:
-      if (CBS_len(&body) > 0xffff) {
+    case ssl_open_record_success: {
+      if (body.size() > 0xffff) {
         OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
         return -1;
       }
 
       SSL3_RECORD *rr = &ssl->s3->rrec;
       rr->type = type;
-      rr->length = (uint16_t)CBS_len(&body);
-      rr->data = (uint8_t *)CBS_data(&body);
+      rr->length = static_cast<uint16_t>(body.size());
+      rr->data = body.data();
       return 1;
+    }
 
     case ssl_open_record_discard:
       goto again;
@@ -175,11 +177,10 @@ again:
     case ssl_open_record_close_notify:
       return 0;
 
-    case ssl_open_record_fatal_alert:
-      return -1;
-
     case ssl_open_record_error:
-      ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
+      if (alert != 0) {
+        ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
+      }
       return -1;
   }
 
@@ -188,8 +189,12 @@ again:
   return -1;
 }
 
-int ssl3_write_app_data(SSL *ssl, const uint8_t *buf, int len) {
-  assert(!SSL_in_init(ssl) || SSL_in_false_start(ssl));
+int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf,
+                        int len) {
+  assert(ssl_can_write(ssl));
+  assert(!ssl->s3->aead_write_ctx->is_null_cipher());
+
+  *out_needs_handshake = false;
 
   unsigned tot, n, nw;
 
@@ -197,23 +202,36 @@ int ssl3_write_app_data(SSL *ssl, const uint8_t *buf, int len) {
   tot = ssl->s3->wnum;
   ssl->s3->wnum = 0;
 
-  /* Ensure that if we end up with a smaller value of data to write out than
-   * the the original len from a write which didn't complete for non-blocking
-   * I/O and also somehow ended up avoiding the check for this in
-   * ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
-   * end up with (len-tot) as a large number that will then promptly send
-   * beyond the end of the users buffer ... so we trap and report the error in
-   * a way the user will notice. */
+  // Ensure that if we end up with a smaller value of data to write out than
+  // the the original len from a write which didn't complete for non-blocking
+  // I/O and also somehow ended up avoiding the check for this in
+  // ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
+  // end up with (len-tot) as a large number that will then promptly send
+  // beyond the end of the users buffer ... so we trap and report the error in
+  // a way the user will notice.
   if (len < 0 || (size_t)len < tot) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
     return -1;
   }
 
+  const int is_early_data_write =
+      !ssl->server && SSL_in_early_data(ssl) && ssl->s3->hs->can_early_write;
+
   n = len - tot;
   for (;;) {
-    /* max contains the maximum number of bytes that we can put into a
-     * record. */
+    // max contains the maximum number of bytes that we can put into a record.
     unsigned max = ssl->max_send_fragment;
+    if (is_early_data_write && max > ssl->session->ticket_max_early_data -
+                                         ssl->s3->hs->early_data_written) {
+      max = ssl->session->ticket_max_early_data - ssl->s3->hs->early_data_written;
+      if (max == 0) {
+        ssl->s3->wnum = tot;
+        ssl->s3->hs->can_early_write = false;
+        *out_needs_handshake = true;
+        return -1;
+      }
+    }
+
     if (n > max) {
       nw = max;
     } else {
@@ -226,6 +244,10 @@ int ssl3_write_app_data(SSL *ssl, const uint8_t *buf, int len) {
       return ret;
     }
 
+    if (is_early_data_write) {
+      ssl->s3->hs->early_data_written += ret;
+    }
+
     if (ret == (int)n || (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE)) {
       return tot + ret;
     }
@@ -249,24 +271,17 @@ static int ssl3_write_pending(SSL *ssl, int type, const uint8_t *buf,
   if (ret <= 0) {
     return ret;
   }
+  ssl->s3->wpend_pending = false;
   return ssl->s3->wpend_ret;
 }
 
-/* do_ssl3_write writes an SSL record of the given type. */
+// do_ssl3_write writes an SSL record of the given type.
 static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
-  /* If there is still data from the previous record, flush it. */
-  if (ssl_write_buffer_is_pending(ssl)) {
+  // If there is still data from the previous record, flush it.
+  if (ssl->s3->wpend_pending) {
     return ssl3_write_pending(ssl, type, buf, len);
   }
 
-  /* The handshake flight buffer is mutually exclusive with application data.
-   *
-   * TODO(davidben): This will not be true when closure alerts use this. */
-  if (ssl->s3->pending_flight != NULL) {
-    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
-    return -1;
-  }
-
   if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
     return -1;
@@ -276,27 +291,57 @@ static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
     return 0;
   }
 
+  size_t flight_len = 0;
+  if (ssl->s3->pending_flight != NULL) {
+    flight_len =
+        ssl->s3->pending_flight->length - ssl->s3->pending_flight_offset;
+  }
+
   size_t max_out = len + SSL_max_seal_overhead(ssl);
-  if (max_out < len) {
+  if (max_out < len || max_out + flight_len < max_out) {
     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
     return -1;
   }
+  max_out += flight_len;
+
   uint8_t *out;
   size_t ciphertext_len;
-  if (!ssl_write_buffer_init(ssl, &out, max_out) ||
-      !tls_seal_record(ssl, out, &ciphertext_len, max_out, type, buf, len)) {
+  if (!ssl_write_buffer_init(ssl, &out, max_out)) {
+    return -1;
+  }
+
+  // Add any unflushed handshake data as a prefix. This may be a KeyUpdate
+  // acknowledgment or 0-RTT key change messages. |pending_flight| must be clear
+  // when data is added to |write_buffer| or it will be written in the wrong
+  // order.
+  if (ssl->s3->pending_flight != NULL) {
+    OPENSSL_memcpy(
+        out, ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
+        flight_len);
+    BUF_MEM_free(ssl->s3->pending_flight);
+    ssl->s3->pending_flight = NULL;
+    ssl->s3->pending_flight_offset = 0;
+  }
+
+  if (!tls_seal_record(ssl, out + flight_len, &ciphertext_len,
+                       max_out - flight_len, type, buf, len)) {
     return -1;
   }
-  ssl_write_buffer_set_len(ssl, ciphertext_len);
+  ssl_write_buffer_set_len(ssl, flight_len + ciphertext_len);
+
+  // Now that we've made progress on the connection, uncork KeyUpdate
+  // acknowledgments.
+  ssl->s3->key_update_pending = false;
 
-  /* memorize arguments so that ssl3_write_pending can detect bad write retries
-   * later */
+  // Memorize arguments so that ssl3_write_pending can detect bad write retries
+  // later.
   ssl->s3->wpend_tot = len;
   ssl->s3->wpend_buf = buf;
   ssl->s3->wpend_type = type;
   ssl->s3->wpend_ret = len;
+  ssl->s3->wpend_pending = true;
 
-  /* we now just need to write the buffer */
+  // We now just need to write the buffer.
   return ssl3_write_pending(ssl, type, buf, len);
 }
 
@@ -316,27 +361,27 @@ static int consume_record(SSL *ssl, uint8_t *out, int len, int peek) {
     rr->length -= len;
     rr->data += len;
     if (rr->length == 0) {
-      /* The record has been consumed, so we may now clear the buffer. */
+      // The record has been consumed, so we may now clear the buffer.
       ssl_read_buffer_discard(ssl);
     }
   }
   return len;
 }
 
-int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
+int ssl3_read_app_data(SSL *ssl, bool *out_got_handshake, uint8_t *buf, int len,
                        int peek) {
-  assert(!SSL_in_init(ssl));
-  assert(ssl->s3->initial_handshake_complete);
-  *out_got_handshake = 0;
+  assert(ssl_can_read(ssl));
+  assert(!ssl->s3->aead_read_ctx->is_null_cipher());
+  *out_got_handshake = false;
 
   SSL3_RECORD *rr = &ssl->s3->rrec;
 
   for (;;) {
-    /* A previous iteration may have read a partial handshake message. Do not
-     * allow more app data in that case. */
+    // A previous iteration may have read a partial handshake message. Do not
+    // allow more app data in that case.
     int has_hs_data = ssl->init_buf != NULL && ssl->init_buf->length > 0;
 
-    /* Get new packet if necessary. */
+    // Get new packet if necessary.
     if (rr->length == 0 && !has_hs_data) {
       int ret = ssl3_get_record(ssl);
       if (ret <= 0) {
@@ -345,21 +390,49 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
     }
 
     if (has_hs_data || rr->type == SSL3_RT_HANDSHAKE) {
-      /* Post-handshake data prior to TLS 1.3 is always renegotiation, which we
-       * never accept as a server. Otherwise |ssl3_get_message| will send
-       * |SSL_R_EXCESSIVE_MESSAGE_SIZE|. */
+      // If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
+      // by an alert.
+      if (SSL_in_init(ssl)) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
+        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+        return -1;
+      }
+
+      // Post-handshake data prior to TLS 1.3 is always renegotiation, which we
+      // never accept as a server. Otherwise |ssl3_get_message| will send
+      // |SSL_R_EXCESSIVE_MESSAGE_SIZE|.
       if (ssl->server && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
         OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
         return -1;
       }
 
-      /* Parse post-handshake handshake messages. */
-      int ret = ssl3_get_message(ssl);
+      // Parse post-handshake handshake messages.
+      int ret = ssl3_read_message(ssl);
       if (ret <= 0) {
         return ret;
       }
-      *out_got_handshake = 1;
+      *out_got_handshake = true;
+      return -1;
+    }
+
+    const int is_early_data_read = ssl->server &&
+                                   ssl->s3->hs != NULL &&
+                                   ssl->s3->hs->can_early_read &&
+                                   ssl3_protocol_version(ssl) >= TLS1_3_VERSION;
+
+    // Handle the end_of_early_data alert.
+    if (rr->type == SSL3_RT_ALERT &&
+        rr->length == 2 &&
+        rr->data[0] == SSL3_AL_WARNING &&
+        rr->data[1] == TLS1_AD_END_OF_EARLY_DATA &&
+        is_early_data_read) {
+      // Consume the record.
+      rr->length = 0;
+      ssl_read_buffer_discard(ssl);
+      // Stop accepting early data.
+      ssl->s3->hs->can_early_read = false;
+      *out_got_handshake = true;
       return -1;
     }
 
@@ -369,11 +442,21 @@ int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
       return -1;
     }
 
+    if (is_early_data_read) {
+      if (rr->length > kMaxEarlyDataAccepted - ssl->s3->hs->early_data_read) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MUCH_READ_EARLY_DATA);
+        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
+        return -1;
+      }
+
+      ssl->s3->hs->early_data_read += rr->length;
+    }
+
     if (rr->length != 0) {
       return consume_record(ssl, buf, len, peek);
     }
 
-    /* Discard empty records and loop again. */
+    // Discard empty records and loop again.
   }
 }
 
@@ -399,8 +482,8 @@ int ssl3_read_change_cipher_spec(SSL *ssl) {
     return -1;
   }
 
-  ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data,
-                      rr->length);
+  ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC,
+                      MakeSpan(rr->data, rr->length));
 
   rr->length = 0;
   ssl_read_buffer_discard(ssl);
@@ -408,7 +491,7 @@ int ssl3_read_change_cipher_spec(SSL *ssl) {
 }
 
 void ssl3_read_close_notify(SSL *ssl) {
-  /* Read records until an error or close_notify. */
+  // Read records until an error or close_notify.
   while (ssl3_get_record(ssl) > 0) {
     ;
   }
@@ -418,7 +501,7 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
   SSL3_RECORD *rr = &ssl->s3->rrec;
 
   for (;;) {
-    /* Get new packet if necessary. */
+    // Get new packet if necessary.
     if (rr->length == 0) {
       int ret = ssl3_get_record(ssl);
       if (ret <= 0) {
@@ -426,6 +509,17 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
       }
     }
 
+    // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
+    // ServerHello and send the remaining encrypted application data records
+    // as-is. This manifests as an application data record when we expect
+    // handshake. Report a dedicated error code for this case.
+    if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA &&
+        ssl->s3->aead_read_ctx->is_null_cipher()) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
+      ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+      return -1;
+    }
+
     if (rr->type != SSL3_RT_HANDSHAKE) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -436,34 +530,35 @@ int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len) {
       return consume_record(ssl, buf, len, 0 /* consume data */);
     }
 
-    /* Discard empty records and loop again. */
+    // Discard empty records and loop again.
   }
 }
 
 int ssl3_send_alert(SSL *ssl, int level, int desc) {
-  /* It is illegal to send an alert when we've already sent a closing one. */
-  if (ssl->s3->send_shutdown != ssl_shutdown_none) {
+  // It is illegal to send an alert when we've already sent a closing one.
+  if (ssl->s3->write_shutdown != ssl_shutdown_none) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
     return -1;
   }
 
   if (level == SSL3_AL_WARNING && desc == SSL_AD_CLOSE_NOTIFY) {
-    ssl->s3->send_shutdown = ssl_shutdown_close_notify;
+    ssl->s3->write_shutdown = ssl_shutdown_close_notify;
   } else {
     assert(level == SSL3_AL_FATAL);
-    ssl->s3->send_shutdown = ssl_shutdown_fatal_alert;
+    assert(desc != SSL_AD_CLOSE_NOTIFY);
+    ssl->s3->write_shutdown = ssl_shutdown_fatal_alert;
   }
 
   ssl->s3->alert_dispatch = 1;
   ssl->s3->send_alert[0] = level;
   ssl->s3->send_alert[1] = desc;
   if (!ssl_write_buffer_is_pending(ssl)) {
-    /* Nothing is being written out, so the alert may be dispatched
-     * immediately. */
+    // Nothing is being written out, so the alert may be dispatched
+    // immediately.
     return ssl->method->dispatch_alert(ssl);
   }
 
-  /* The alert will be dispatched later. */
+  // The alert will be dispatched later.
   return -1;
 }
 
@@ -474,16 +569,17 @@ int ssl3_dispatch_alert(SSL *ssl) {
   }
   ssl->s3->alert_dispatch = 0;
 
-  /* If the alert is fatal, flush the BIO now. */
+  // If the alert is fatal, flush the BIO now.
   if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
     BIO_flush(ssl->wbio);
   }
 
-  ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert,
-                      2);
+  ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_ALERT, ssl->s3->send_alert);
 
   int alert = (ssl->s3->send_alert[0] << 8) | ssl->s3->send_alert[1];
   ssl_do_info_callback(ssl, SSL_CB_WRITE_ALERT, alert);
 
   return 1;
 }
+
+}  // namespace bssl