clang-format all of ssl
A mechanical clang-format -i followed by a fixup of the
affected if statements to include // on the end to preserve
the formatting.
Change-Id: If58fac0e6a2333c7fd1bbece69750dedf944a2f8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/73107
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
Auto-Submit: Bob Beck <bbe@google.com>
diff --git a/ssl/bio_ssl.cc b/ssl/bio_ssl.cc
index fe83450..a02b047 100644
--- a/ssl/bio_ssl.cc
+++ b/ssl/bio_ssl.cc
@@ -12,9 +12,7 @@
#include <openssl/bio.h>
-static SSL *get_ssl(BIO *bio) {
- return reinterpret_cast<SSL *>(bio->ptr);
-}
+static SSL *get_ssl(BIO *bio) { return reinterpret_cast<SSL *>(bio->ptr); }
static int ssl_read(BIO *bio, char *out, int outl) {
SSL *ssl = get_ssl(bio);
@@ -146,9 +144,7 @@
}
}
-static int ssl_new(BIO *bio) {
- return 1;
-}
+static int ssl_new(BIO *bio) { return 1; }
static int ssl_free(BIO *bio) {
SSL *ssl = get_ssl(bio);
diff --git a/ssl/d1_both.cc b/ssl/d1_both.cc
index fd5e6be..2b53b85 100644
--- a/ssl/d1_both.cc
+++ b/ssl/d1_both.cc
@@ -331,7 +331,7 @@
assert(frag->seq == msg_hdr->seq);
// The new fragment must be compatible with the previous fragments from this
// message.
- if (frag->type != msg_hdr->type ||
+ if (frag->type != msg_hdr->type || //
frag->msg_len() != msg_hdr->msg_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
@@ -616,11 +616,11 @@
bool dtls1_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
// Pick a modest size hint to save most of the |realloc| calls.
- if (!CBB_init(cbb, 64) ||
- !CBB_add_u8(cbb, type) ||
- !CBB_add_u24(cbb, 0 /* length (filled in later) */) ||
- !CBB_add_u16(cbb, ssl->d1->handshake_write_seq) ||
- !CBB_add_u24(cbb, 0 /* offset */) ||
+ if (!CBB_init(cbb, 64) || //
+ !CBB_add_u8(cbb, type) || //
+ !CBB_add_u24(cbb, 0 /* length (filled in later) */) || //
+ !CBB_add_u16(cbb, ssl->d1->handshake_write_seq) || //
+ !CBB_add_u24(cbb, 0 /* offset */) || //
!CBB_add_u24_length_prefixed(cbb, body)) {
return false;
}
@@ -655,8 +655,7 @@
if (!is_ccs) {
// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
// on hs.
- if (ssl->s3->hs != NULL &&
- !ssl->s3->hs->transcript.Update(data)) {
+ if (ssl->s3->hs != NULL && !ssl->s3->hs->transcript.Update(data)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return false;
}
@@ -841,11 +840,11 @@
// Assemble the fragment.
size_t frag_start = CBB_len(&cbb);
CBB child;
- if (!CBB_add_u8(&cbb, hdr.type) || //
- !CBB_add_u24(&cbb, hdr.msg_len) || //
- !CBB_add_u16(&cbb, hdr.seq) ||
- !CBB_add_u24(&cbb, range.start) ||
- !CBB_add_u24_length_prefixed(&cbb, &child) ||
+ if (!CBB_add_u8(&cbb, hdr.type) || //
+ !CBB_add_u24(&cbb, hdr.msg_len) || //
+ !CBB_add_u16(&cbb, hdr.seq) || //
+ !CBB_add_u24(&cbb, range.start) || //
+ !CBB_add_u24_length_prefixed(&cbb, &child) || //
!CBB_add_bytes(&child, frag.data(), frag.size()) || //
!CBB_flush(&cbb)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1005,8 +1004,6 @@
return send_flight(ssl);
}
-unsigned int dtls1_min_mtu(void) {
- return kMinMTU;
-}
+unsigned int dtls1_min_mtu(void) { return kMinMTU; }
BSSL_NAMESPACE_END
diff --git a/ssl/d1_lib.cc b/ssl/d1_lib.cc
index 3204b69..29f4796 100644
--- a/ssl/d1_lib.cc
+++ b/ssl/d1_lib.cc
@@ -72,11 +72,11 @@
// DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
// before starting to decrease the MTU.
-#define DTLS1_MTU_TIMEOUTS 2
+#define DTLS1_MTU_TIMEOUTS 2
// DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
// before failing the DTLS handshake.
-#define DTLS1_MAX_TIMEOUTS 12
+#define DTLS1_MAX_TIMEOUTS 12
DTLS1_STATE::DTLS1_STATE()
: has_change_cipher_spec(false),
diff --git a/ssl/d1_pkt.cc b/ssl/d1_pkt.cc
index d11b33f..6069676 100644
--- a/ssl/d1_pkt.cc
+++ b/ssl/d1_pkt.cc
@@ -118,9 +118,9 @@
#include <openssl/bio.h>
#include <openssl/bytestring.h>
-#include <openssl/mem.h>
-#include <openssl/evp.h>
#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/mem.h>
#include <openssl/rand.h>
#include "../crypto/internal.h"
diff --git a/ssl/d1_srtp.cc b/ssl/d1_srtp.cc
index 12c8075..a3e0a79 100644
--- a/ssl/d1_srtp.cc
+++ b/ssl/d1_srtp.cc
@@ -127,18 +127,10 @@
using namespace bssl;
static const SRTP_PROTECTION_PROFILE kSRTPProfiles[] = {
- {
- "SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80,
- },
- {
- "SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32,
- },
- {
- "SRTP_AEAD_AES_128_GCM", SRTP_AEAD_AES_128_GCM,
- },
- {
- "SRTP_AEAD_AES_256_GCM", SRTP_AEAD_AES_256_GCM,
- },
+ {"SRTP_AES128_CM_SHA1_80", SRTP_AES128_CM_SHA1_80},
+ {"SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32},
+ {"SRTP_AEAD_AES_128_GCM", SRTP_AEAD_AES_128_GCM},
+ {"SRTP_AEAD_AES_256_GCM", SRTP_AEAD_AES_256_GCM},
{0, 0},
};
diff --git a/ssl/dtls_method.cc b/ssl/dtls_method.cc
index 9e82333..e2e525f 100644
--- a/ssl/dtls_method.cc
+++ b/ssl/dtls_method.cc
@@ -211,26 +211,14 @@
// Legacy side-specific methods.
-const SSL_METHOD *DTLSv1_2_server_method(void) {
- return DTLSv1_2_method();
-}
+const SSL_METHOD *DTLSv1_2_server_method(void) { return DTLSv1_2_method(); }
-const SSL_METHOD *DTLSv1_server_method(void) {
- return DTLSv1_method();
-}
+const SSL_METHOD *DTLSv1_server_method(void) { return DTLSv1_method(); }
-const SSL_METHOD *DTLSv1_2_client_method(void) {
- return DTLSv1_2_method();
-}
+const SSL_METHOD *DTLSv1_2_client_method(void) { return DTLSv1_2_method(); }
-const SSL_METHOD *DTLSv1_client_method(void) {
- return DTLSv1_method();
-}
+const SSL_METHOD *DTLSv1_client_method(void) { return DTLSv1_method(); }
-const SSL_METHOD *DTLS_server_method(void) {
- return DTLS_method();
-}
+const SSL_METHOD *DTLS_server_method(void) { return DTLS_method(); }
-const SSL_METHOD *DTLS_client_method(void) {
- return DTLS_method();
-}
+const SSL_METHOD *DTLS_client_method(void) { return DTLS_method(); }
diff --git a/ssl/dtls_record.cc b/ssl/dtls_record.cc
index 3d381fb..36676ca 100644
--- a/ssl/dtls_record.cc
+++ b/ssl/dtls_record.cc
@@ -117,8 +117,8 @@
#include <openssl/bytestring.h>
#include <openssl/err.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -505,8 +505,7 @@
return DTLS1_3_RECORD_HEADER_WRITE_LENGTH;
}
-size_t dtls_max_seal_overhead(const SSL *ssl,
- uint16_t epoch) {
+size_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch) {
DTLSWriteEpoch *write_epoch = get_write_epoch(ssl, epoch);
if (write_epoch == nullptr) {
return 0;
diff --git a/ssl/encrypted_client_hello.cc b/ssl/encrypted_client_hello.cc
index f9686fe..abdb27d 100644
--- a/ssl/encrypted_client_hello.cc
+++ b/ssl/encrypted_client_hello.cc
@@ -428,7 +428,7 @@
CBS ech_config(out->raw);
CBS public_name, public_key, cipher_suites, extensions;
- if (!CBS_skip(&ech_config, 2) || // version
+ if (!CBS_skip(&ech_config, 2) || // version
!CBS_get_u16_length_prefixed(&ech_config, &contents) ||
!CBS_get_u8(&contents, &out->config_id) ||
!CBS_get_u16(&contents, &out->kem_id) ||
@@ -576,9 +576,10 @@
assert(kdf_id == EVP_HPKE_HKDF_SHA256);
assert(get_ech_aead(aead_id) != NULL);
- return EVP_HPKE_CTX_setup_recipient(
- ctx, key_.get(), EVP_hpke_hkdf_sha256(), get_ech_aead(aead_id), enc.data(),
- enc.size(), CBB_data(info_cbb.get()), CBB_len(info_cbb.get()));
+ return EVP_HPKE_CTX_setup_recipient(ctx, key_.get(), EVP_hpke_hkdf_sha256(),
+ get_ech_aead(aead_id), enc.data(),
+ enc.size(), CBB_data(info_cbb.get()),
+ CBB_len(info_cbb.get()));
}
bool ssl_is_valid_ech_config_list(Span<const uint8_t> ech_config_list) {
@@ -750,8 +751,7 @@
bssl::ScopedCBB cbb;
CBB enc_cbb, payload_cbb;
uint8_t *payload;
- if (!CBB_init(cbb.get(), 256) ||
- !CBB_add_u16(cbb.get(), kdf_id) ||
+ if (!CBB_init(cbb.get(), 256) || !CBB_add_u16(cbb.get(), kdf_id) ||
!CBB_add_u16(cbb.get(), EVP_HPKE_AEAD_id(aead)) ||
!CBB_add_u8(cbb.get(), config_id) ||
!CBB_add_u16_length_prefixed(cbb.get(), &enc_cbb) ||
@@ -889,7 +889,7 @@
payload_len != payload_span.size()) {
return false;
}
-#endif // BORINGSSL_UNSAFE_FUZZER_MODE
+#endif // BORINGSSL_UNSAFE_FUZZER_MODE
return true;
}
@@ -938,9 +938,9 @@
}
}
-void SSL_get0_ech_retry_configs(
- const SSL *ssl, const uint8_t **out_retry_configs,
- size_t *out_retry_configs_len) {
+void SSL_get0_ech_retry_configs(const SSL *ssl,
+ const uint8_t **out_retry_configs,
+ size_t *out_retry_configs_len) {
const SSL_HANDSHAKE *hs = ssl->s3->hs.get();
if (!hs || !hs->ech_authenticated_reject) {
// It is an error to call this function except in response to
diff --git a/ssl/extensions.cc b/ssl/extensions.cc
index 1845bca..ce90811 100644
--- a/ssl/extensions.cc
+++ b/ssl/extensions.cc
@@ -513,9 +513,7 @@
return true;
}
-static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
- return true;
-}
+static bool dont_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; }
// Server name indication (SNI).
//
@@ -566,7 +564,7 @@
}
static bool ext_sni_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
- if (hs->ssl->s3->session_reused ||
+ if (hs->ssl->s3->session_reused || //
!hs->should_ack_sni) {
return true;
}
@@ -703,8 +701,8 @@
ssl_client_hello_type_t type) {
const SSL *const ssl = hs->ssl;
// Renegotiation indication is not necessary in TLS 1.3.
- if (hs->min_version >= TLS1_3_VERSION ||
- type == ssl_client_hello_inner) {
+ if (hs->min_version >= TLS1_3_VERSION || //
+ type == ssl_client_hello_inner) {
return true;
}
@@ -877,7 +875,7 @@
SSL *const ssl = hs->ssl;
if (contents != NULL) {
- if (ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
+ if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || //
CBS_len(contents) != 0) {
return false;
}
@@ -1186,7 +1184,7 @@
while (CBS_len(contents) != 0) {
CBS proto;
- if (!CBS_get_u8_length_prefixed(contents, &proto) ||
+ if (!CBS_get_u8_length_prefixed(contents, &proto) || //
CBS_len(&proto) == 0) {
return false;
}
@@ -1220,9 +1218,9 @@
return false;
}
- if (contents == NULL ||
- ssl->s3->initial_handshake_complete ||
- ssl->ctx->next_protos_advertised_cb == NULL ||
+ if (contents == NULL || //
+ ssl->s3->initial_handshake_complete || //
+ ssl->ctx->next_protos_advertised_cb == NULL || //
SSL_is_dtls(ssl)) {
return true;
}
@@ -1250,9 +1248,9 @@
}
CBB contents;
- if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) ||
- !CBB_add_u16_length_prefixed(out, &contents) ||
- !CBB_add_bytes(&contents, npa, npa_len) ||
+ if (!CBB_add_u16(out, TLSEXT_TYPE_next_proto_neg) || //
+ !CBB_add_u16_length_prefixed(out, &contents) || //
+ !CBB_add_bytes(&contents, npa, npa_len) || //
!CBB_flush(out)) {
return false;
}
@@ -1414,11 +1412,11 @@
// The extension data consists of a ProtocolNameList which must have
// exactly one ProtocolName. Each of these is length-prefixed.
CBS protocol_name_list, protocol_name;
- if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
- CBS_len(contents) != 0 ||
- !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
+ if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) || //
+ CBS_len(contents) != 0 || //
+ !CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) || //
// Empty protocol names are forbidden.
- CBS_len(&protocol_name) == 0 ||
+ CBS_len(&protocol_name) == 0 || //
CBS_len(&protocol_name_list) != 0) {
return false;
}
@@ -1506,8 +1504,8 @@
hs->next_proto_neg_seen = false;
CBS protocol_name_list;
- if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
- CBS_len(&contents) != 0 ||
+ if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) || //
+ CBS_len(&contents) != 0 || //
!ssl_is_valid_alpn_list(protocol_name_list)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -1665,8 +1663,8 @@
const SSL *const ssl = hs->ssl;
const STACK_OF(SRTP_PROTECTION_PROFILE) *profiles =
SSL_get_srtp_profiles(ssl);
- if (profiles == NULL ||
- sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 ||
+ if (profiles == NULL || //
+ sk_SRTP_PROTECTION_PROFILE_num(profiles) == 0 || //
!SSL_is_dtls(ssl)) {
return true;
}
@@ -1706,10 +1704,10 @@
assert(SSL_is_dtls(ssl));
CBS profile_ids, srtp_mki;
uint16_t profile_id;
- if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
- !CBS_get_u16(&profile_ids, &profile_id) ||
- CBS_len(&profile_ids) != 0 ||
- !CBS_get_u8_length_prefixed(contents, &srtp_mki) ||
+ if (!CBS_get_u16_length_prefixed(contents, &profile_ids) || //
+ !CBS_get_u16(&profile_ids, &profile_id) || //
+ CBS_len(&profile_ids) != 0 || //
+ !CBS_get_u8_length_prefixed(contents, &srtp_mki) || //
CBS_len(contents) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
return false;
@@ -1789,8 +1787,7 @@
!CBB_add_u16_length_prefixed(out, &contents) ||
!CBB_add_u16_length_prefixed(&contents, &profile_ids) ||
!CBB_add_u16(&profile_ids, ssl->s3->srtp_profile->id) ||
- !CBB_add_u8(&contents, 0 /* empty MKI */) ||
- !CBB_flush(out)) {
+ !CBB_add_u8(&contents, 0 /* empty MKI */) || !CBB_flush(out)) {
return false;
}
@@ -1826,8 +1823,8 @@
return ext_ec_point_add_extension(hs, out);
}
-static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
- CBS *contents) {
+static bool ext_ec_point_parse_serverhello(SSL_HANDSHAKE *hs,
+ uint8_t *out_alert, CBS *contents) {
if (contents == NULL) {
return true;
}
@@ -1854,8 +1851,8 @@
return true;
}
-static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
- CBS *contents) {
+static bool ext_ec_point_parse_clienthello(SSL_HANDSHAKE *hs,
+ uint8_t *out_alert, CBS *contents) {
if (ssl_protocol_version(hs->ssl) >= TLS1_3_VERSION) {
return true;
}
@@ -1961,7 +1958,7 @@
uint8_t *out_alert,
CBS *contents) {
uint16_t psk_id;
- if (!CBS_get_u16(contents, &psk_id) ||
+ if (!CBS_get_u16(contents, &psk_id) || //
CBS_len(contents) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -1993,11 +1990,11 @@
// We only process the first PSK identity since we don't support pure PSK.
CBS identities, binders;
- if (!CBS_get_u16_length_prefixed(contents, &identities) ||
- !CBS_get_u16_length_prefixed(&identities, out_ticket) ||
- !CBS_get_u32(&identities, out_obfuscated_ticket_age) ||
- !CBS_get_u16_length_prefixed(contents, &binders) ||
- CBS_len(&binders) == 0 ||
+ if (!CBS_get_u16_length_prefixed(contents, &identities) || //
+ !CBS_get_u16_length_prefixed(&identities, out_ticket) || //
+ !CBS_get_u32(&identities, out_obfuscated_ticket_age) || //
+ !CBS_get_u16_length_prefixed(contents, &binders) || //
+ CBS_len(&binders) == 0 || //
CBS_len(contents) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -2050,10 +2047,10 @@
}
CBB contents;
- if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
- !CBB_add_u16_length_prefixed(out, &contents) ||
+ if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) || //
+ !CBB_add_u16_length_prefixed(out, &contents) || //
// We only consider the first identity for resumption
- !CBB_add_u16(&contents, 0) ||
+ !CBB_add_u16(&contents, 0) || //
!CBB_flush(out)) {
return false;
}
@@ -2092,8 +2089,8 @@
}
CBS ke_modes;
- if (!CBS_get_u8_length_prefixed(contents, &ke_modes) ||
- CBS_len(&ke_modes) == 0 ||
+ if (!CBS_get_u8_length_prefixed(contents, &ke_modes) || //
+ CBS_len(&ke_modes) == 0 || //
CBS_len(contents) != 0) {
*out_alert = SSL_AD_DECODE_ERROR;
return false;
@@ -2130,8 +2127,8 @@
// send the extension in both ClientHellos. This ensures that, if the server
// handshakes with ClientHelloOuter, it can skip past early data. See
// draft-ietf-tls-esni-13, section 6.1.
- if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) ||
- !CBB_add_u16(out_compressible, 0) ||
+ if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_early_data) || //
+ !CBB_add_u16(out_compressible, 0) || //
!CBB_flush(out_compressible)) {
return false;
}
@@ -2178,10 +2175,10 @@
}
static bool ext_early_data_parse_clienthello(SSL_HANDSHAKE *hs,
- uint8_t *out_alert, CBS *contents) {
+ uint8_t *out_alert,
+ CBS *contents) {
SSL *const ssl = hs->ssl;
- if (contents == NULL ||
- ssl_protocol_version(ssl) < TLS1_3_VERSION) {
+ if (contents == NULL || ssl_protocol_version(ssl) < TLS1_3_VERSION) {
return true;
}
@@ -2199,8 +2196,8 @@
return true;
}
- if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
- !CBB_add_u16(out, 0) ||
+ if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) || //
+ !CBB_add_u16(out, 0) || //
!CBB_flush(out)) {
return false;
}
@@ -2490,14 +2487,12 @@
// Add a fake group. See RFC 8701.
if (ssl->ctx->grease_enabled &&
- !CBB_add_u16(&groups_bytes,
- ssl_get_grease_value(hs, ssl_grease_group))) {
+ !CBB_add_u16(&groups_bytes, ssl_get_grease_value(hs, ssl_grease_group))) {
return false;
}
for (uint16_t group : tls1_get_grouplist(hs)) {
- if (is_post_quantum_group(group) &&
- hs->max_version < TLS1_3_VERSION) {
+ if (is_post_quantum_group(group) && hs->max_version < TLS1_3_VERSION) {
continue;
}
if (!CBB_add_u16(&groups_bytes, group)) {
@@ -2540,16 +2535,16 @@
}
static bool ext_supported_groups_parse_clienthello(SSL_HANDSHAKE *hs,
- uint8_t *out_alert,
+ uint8_t *out_alert,
CBS *contents) {
if (contents == NULL) {
return true;
}
CBS supported_group_list;
- if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) ||
- CBS_len(&supported_group_list) == 0 ||
- CBS_len(contents) != 0 ||
+ if (!CBS_get_u16_length_prefixed(contents, &supported_group_list) || //
+ CBS_len(&supported_group_list) == 0 || //
+ CBS_len(contents) != 0 || //
!parse_u16_array(&supported_group_list, &hs->peer_supported_group_list)) {
return false;
}
@@ -2567,9 +2562,9 @@
ssl_client_hello_type_t type) {
if (ssl_has_CA_names(hs->config)) {
CBB ca_contents;
- if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_authorities) || //
- !CBB_add_u16_length_prefixed(out, &ca_contents) || //
- !ssl_add_CA_names(hs, &ca_contents) || //
+ if (!CBB_add_u16(out, TLSEXT_TYPE_certificate_authorities) || //
+ !CBB_add_u16_length_prefixed(out, &ca_contents) || //
+ !ssl_add_CA_names(hs, &ca_contents) || //
!CBB_flush(out)) {
return false;
}
@@ -2806,9 +2801,9 @@
// The contents of the extension are the signature algorithms the client will
// accept for a delegated credential.
CBS sigalg_list;
- if (!CBS_get_u16_length_prefixed(contents, &sigalg_list) ||
- CBS_len(&sigalg_list) == 0 ||
- CBS_len(contents) != 0 ||
+ if (!CBS_get_u16_length_prefixed(contents, &sigalg_list) || //
+ CBS_len(&sigalg_list) == 0 || //
+ CBS_len(contents) != 0 || //
!parse_u16_array(&sigalg_list, &hs->peer_delegated_credential_sigalgs)) {
return false;
}
@@ -2867,9 +2862,9 @@
const size_t num_algs = ctx->cert_compression_algs.size();
CBS alg_ids;
- if (!CBS_get_u8_length_prefixed(contents, &alg_ids) ||
- CBS_len(contents) != 0 ||
- CBS_len(&alg_ids) == 0 ||
+ if (!CBS_get_u8_length_prefixed(contents, &alg_ids) || //
+ CBS_len(contents) != 0 || //
+ CBS_len(&alg_ids) == 0 || //
CBS_len(&alg_ids) % 2 == 1) {
return false;
}
@@ -2944,7 +2939,7 @@
ssl_client_hello_type_t type,
bool use_new_codepoint) {
const SSL *const ssl = hs->ssl;
- if (// ALPS requires TLS 1.3.
+ if ( // ALPS requires TLS 1.3.
hs->max_version < TLS1_3_VERSION ||
// Do not offer ALPS without ALPN.
hs->config->alpn_client_proto_list.empty() ||
@@ -2998,8 +2993,7 @@
}
static bool ext_alps_parse_serverhello_impl(SSL_HANDSHAKE *hs,
- uint8_t *out_alert,
- CBS *contents,
+ uint8_t *out_alert, CBS *contents,
bool use_new_codepoint) {
SSL *const ssl = hs->ssl;
if (contents == nullptr) {
@@ -3029,16 +3023,14 @@
return true;
}
-static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs,
- uint8_t *out_alert,
+static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
return ext_alps_parse_serverhello_impl(hs, out_alert, contents,
/*use_new_codepoint=*/true);
}
static bool ext_alps_parse_serverhello_old(SSL_HANDSHAKE *hs,
- uint8_t *out_alert,
- CBS *contents) {
+ uint8_t *out_alert, CBS *contents) {
return ext_alps_parse_serverhello_impl(hs, out_alert, contents,
/*use_new_codepoint=*/false);
}
@@ -3054,7 +3046,7 @@
return true;
}
- if (use_new_codepoint != hs->config->alps_use_new_codepoint) {
+ if (use_new_codepoint != hs->config->alps_use_new_codepoint) {
// Do nothing, we'll send the other codepoint.
return true;
}
@@ -3107,8 +3099,8 @@
// Check if the client supports ALPS with the selected ALPN.
bool found = false;
CBS alps_list;
- if (!CBS_get_u16_length_prefixed(&alps_contents, &alps_list) ||
- CBS_len(&alps_contents) != 0 ||
+ if (!CBS_get_u16_length_prefixed(&alps_contents, &alps_list) || //
+ CBS_len(&alps_contents) != 0 || //
CBS_len(&alps_list) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -3143,192 +3135,192 @@
// kExtensions contains all the supported extensions.
static const struct tls_extension kExtensions[] = {
- {
- TLSEXT_TYPE_server_name,
- ext_sni_add_clienthello,
- ext_sni_parse_serverhello,
- ext_sni_parse_clienthello,
- ext_sni_add_serverhello,
- },
- {
- TLSEXT_TYPE_encrypted_client_hello,
- ext_ech_add_clienthello,
- ext_ech_parse_serverhello,
- ext_ech_parse_clienthello,
- ext_ech_add_serverhello,
- },
- {
- TLSEXT_TYPE_extended_master_secret,
- ext_ems_add_clienthello,
- ext_ems_parse_serverhello,
- ext_ems_parse_clienthello,
- ext_ems_add_serverhello,
- },
- {
- TLSEXT_TYPE_renegotiate,
- ext_ri_add_clienthello,
- ext_ri_parse_serverhello,
- ext_ri_parse_clienthello,
- ext_ri_add_serverhello,
- },
- {
- TLSEXT_TYPE_supported_groups,
- ext_supported_groups_add_clienthello,
- ext_supported_groups_parse_serverhello,
- ext_supported_groups_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_ec_point_formats,
- ext_ec_point_add_clienthello,
- ext_ec_point_parse_serverhello,
- ext_ec_point_parse_clienthello,
- ext_ec_point_add_serverhello,
- },
- {
- TLSEXT_TYPE_session_ticket,
- ext_ticket_add_clienthello,
- ext_ticket_parse_serverhello,
- // Ticket extension client parsing is handled in ssl_session.c
- ignore_parse_clienthello,
- ext_ticket_add_serverhello,
- },
- {
- TLSEXT_TYPE_application_layer_protocol_negotiation,
- ext_alpn_add_clienthello,
- ext_alpn_parse_serverhello,
- // ALPN is negotiated late in |ssl_negotiate_alpn|.
- ignore_parse_clienthello,
- ext_alpn_add_serverhello,
- },
- {
- TLSEXT_TYPE_status_request,
- ext_ocsp_add_clienthello,
- ext_ocsp_parse_serverhello,
- ext_ocsp_parse_clienthello,
- ext_ocsp_add_serverhello,
- },
- {
- TLSEXT_TYPE_signature_algorithms,
- ext_sigalgs_add_clienthello,
- forbid_parse_serverhello,
- ext_sigalgs_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_next_proto_neg,
- ext_npn_add_clienthello,
- ext_npn_parse_serverhello,
- ext_npn_parse_clienthello,
- ext_npn_add_serverhello,
- },
- {
- TLSEXT_TYPE_certificate_timestamp,
- ext_sct_add_clienthello,
- ext_sct_parse_serverhello,
- ext_sct_parse_clienthello,
- ext_sct_add_serverhello,
- },
- {
- TLSEXT_TYPE_channel_id,
- ext_channel_id_add_clienthello,
- ext_channel_id_parse_serverhello,
- ext_channel_id_parse_clienthello,
- ext_channel_id_add_serverhello,
- },
- {
- TLSEXT_TYPE_srtp,
- ext_srtp_add_clienthello,
- ext_srtp_parse_serverhello,
- ext_srtp_parse_clienthello,
- ext_srtp_add_serverhello,
- },
- {
- TLSEXT_TYPE_key_share,
- ext_key_share_add_clienthello,
- forbid_parse_serverhello,
- ignore_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_psk_key_exchange_modes,
- ext_psk_key_exchange_modes_add_clienthello,
- forbid_parse_serverhello,
- ext_psk_key_exchange_modes_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_early_data,
- ext_early_data_add_clienthello,
- ext_early_data_parse_serverhello,
- ext_early_data_parse_clienthello,
- ext_early_data_add_serverhello,
- },
- {
- TLSEXT_TYPE_supported_versions,
- ext_supported_versions_add_clienthello,
- forbid_parse_serverhello,
- ignore_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_cookie,
- ext_cookie_add_clienthello,
- forbid_parse_serverhello,
- ignore_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_quic_transport_parameters,
- ext_quic_transport_params_add_clienthello,
- ext_quic_transport_params_parse_serverhello,
- ext_quic_transport_params_parse_clienthello,
- ext_quic_transport_params_add_serverhello,
- },
- {
- TLSEXT_TYPE_quic_transport_parameters_legacy,
- ext_quic_transport_params_add_clienthello_legacy,
- ext_quic_transport_params_parse_serverhello_legacy,
- ext_quic_transport_params_parse_clienthello_legacy,
- ext_quic_transport_params_add_serverhello_legacy,
- },
- {
- TLSEXT_TYPE_cert_compression,
- cert_compression_add_clienthello,
- cert_compression_parse_serverhello,
- cert_compression_parse_clienthello,
- cert_compression_add_serverhello,
- },
- {
- TLSEXT_TYPE_delegated_credential,
- ext_delegated_credential_add_clienthello,
- forbid_parse_serverhello,
- ext_delegated_credential_parse_clienthello,
- dont_add_serverhello,
- },
- {
- TLSEXT_TYPE_application_settings,
- ext_alps_add_clienthello,
- ext_alps_parse_serverhello,
- // ALPS is negotiated late in |ssl_negotiate_alpn|.
- ignore_parse_clienthello,
- ext_alps_add_serverhello,
- },
- {
- TLSEXT_TYPE_application_settings_old,
- ext_alps_add_clienthello_old,
- ext_alps_parse_serverhello_old,
- // ALPS is negotiated late in |ssl_negotiate_alpn|.
- ignore_parse_clienthello,
- ext_alps_add_serverhello_old,
- },
- {
- TLSEXT_TYPE_certificate_authorities,
- ext_certificate_authorities_add_clienthello,
- forbid_parse_serverhello,
- ext_certificate_authorities_parse_clienthello,
- dont_add_serverhello,
- },
+ {
+ TLSEXT_TYPE_server_name,
+ ext_sni_add_clienthello,
+ ext_sni_parse_serverhello,
+ ext_sni_parse_clienthello,
+ ext_sni_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_encrypted_client_hello,
+ ext_ech_add_clienthello,
+ ext_ech_parse_serverhello,
+ ext_ech_parse_clienthello,
+ ext_ech_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_extended_master_secret,
+ ext_ems_add_clienthello,
+ ext_ems_parse_serverhello,
+ ext_ems_parse_clienthello,
+ ext_ems_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_renegotiate,
+ ext_ri_add_clienthello,
+ ext_ri_parse_serverhello,
+ ext_ri_parse_clienthello,
+ ext_ri_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_supported_groups,
+ ext_supported_groups_add_clienthello,
+ ext_supported_groups_parse_serverhello,
+ ext_supported_groups_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_ec_point_formats,
+ ext_ec_point_add_clienthello,
+ ext_ec_point_parse_serverhello,
+ ext_ec_point_parse_clienthello,
+ ext_ec_point_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_session_ticket,
+ ext_ticket_add_clienthello,
+ ext_ticket_parse_serverhello,
+ // Ticket extension client parsing is handled in ssl_session.c
+ ignore_parse_clienthello,
+ ext_ticket_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_application_layer_protocol_negotiation,
+ ext_alpn_add_clienthello,
+ ext_alpn_parse_serverhello,
+ // ALPN is negotiated late in |ssl_negotiate_alpn|.
+ ignore_parse_clienthello,
+ ext_alpn_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_status_request,
+ ext_ocsp_add_clienthello,
+ ext_ocsp_parse_serverhello,
+ ext_ocsp_parse_clienthello,
+ ext_ocsp_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_signature_algorithms,
+ ext_sigalgs_add_clienthello,
+ forbid_parse_serverhello,
+ ext_sigalgs_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_next_proto_neg,
+ ext_npn_add_clienthello,
+ ext_npn_parse_serverhello,
+ ext_npn_parse_clienthello,
+ ext_npn_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_certificate_timestamp,
+ ext_sct_add_clienthello,
+ ext_sct_parse_serverhello,
+ ext_sct_parse_clienthello,
+ ext_sct_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_channel_id,
+ ext_channel_id_add_clienthello,
+ ext_channel_id_parse_serverhello,
+ ext_channel_id_parse_clienthello,
+ ext_channel_id_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_srtp,
+ ext_srtp_add_clienthello,
+ ext_srtp_parse_serverhello,
+ ext_srtp_parse_clienthello,
+ ext_srtp_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_key_share,
+ ext_key_share_add_clienthello,
+ forbid_parse_serverhello,
+ ignore_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_psk_key_exchange_modes,
+ ext_psk_key_exchange_modes_add_clienthello,
+ forbid_parse_serverhello,
+ ext_psk_key_exchange_modes_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_early_data,
+ ext_early_data_add_clienthello,
+ ext_early_data_parse_serverhello,
+ ext_early_data_parse_clienthello,
+ ext_early_data_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_supported_versions,
+ ext_supported_versions_add_clienthello,
+ forbid_parse_serverhello,
+ ignore_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_cookie,
+ ext_cookie_add_clienthello,
+ forbid_parse_serverhello,
+ ignore_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_quic_transport_parameters,
+ ext_quic_transport_params_add_clienthello,
+ ext_quic_transport_params_parse_serverhello,
+ ext_quic_transport_params_parse_clienthello,
+ ext_quic_transport_params_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_quic_transport_parameters_legacy,
+ ext_quic_transport_params_add_clienthello_legacy,
+ ext_quic_transport_params_parse_serverhello_legacy,
+ ext_quic_transport_params_parse_clienthello_legacy,
+ ext_quic_transport_params_add_serverhello_legacy,
+ },
+ {
+ TLSEXT_TYPE_cert_compression,
+ cert_compression_add_clienthello,
+ cert_compression_parse_serverhello,
+ cert_compression_parse_clienthello,
+ cert_compression_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_delegated_credential,
+ ext_delegated_credential_add_clienthello,
+ forbid_parse_serverhello,
+ ext_delegated_credential_parse_clienthello,
+ dont_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_application_settings,
+ ext_alps_add_clienthello,
+ ext_alps_parse_serverhello,
+ // ALPS is negotiated late in |ssl_negotiate_alpn|.
+ ignore_parse_clienthello,
+ ext_alps_add_serverhello,
+ },
+ {
+ TLSEXT_TYPE_application_settings_old,
+ ext_alps_add_clienthello_old,
+ ext_alps_parse_serverhello_old,
+ // ALPS is negotiated late in |ssl_negotiate_alpn|.
+ ignore_parse_clienthello,
+ ext_alps_add_serverhello_old,
+ },
+ {
+ TLSEXT_TYPE_certificate_authorities,
+ ext_certificate_authorities_add_clienthello,
+ forbid_parse_serverhello,
+ ext_certificate_authorities_parse_clienthello,
+ dont_add_serverhello,
+ },
};
#define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension))
@@ -3643,7 +3635,7 @@
}
// Discard empty extensions blocks before TLS 1.3.
- if (ssl_protocol_version(ssl) < TLS1_3_VERSION &&
+ if (ssl_protocol_version(ssl) < TLS1_3_VERSION && //
CBB_len(&extensions) == 0) {
CBB_discard_child(out);
}
@@ -3991,8 +3983,8 @@
}
if (!HMAC_Init_ex(hmac_ctx.get(), key->hmac_key, sizeof(key->hmac_key),
tlsext_tick_md(), NULL) ||
- !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL,
- key->aes_key, iv.data())) {
+ !EVP_DecryptInit_ex(cipher_ctx.get(), cipher, NULL, key->aes_key,
+ iv.data())) {
return ssl_ticket_aead_error;
}
}
@@ -4206,10 +4198,10 @@
// extensions, but the only one that can be present is Channel ID.
uint16_t extension_type;
CBS channel_id = msg.body, extension;
- if (!CBS_get_u16(&channel_id, &extension_type) ||
- !CBS_get_u16_length_prefixed(&channel_id, &extension) ||
- CBS_len(&channel_id) != 0 ||
- extension_type != TLSEXT_TYPE_channel_id ||
+ if (!CBS_get_u16(&channel_id, &extension_type) || //
+ !CBS_get_u16_length_prefixed(&channel_id, &extension) || //
+ CBS_len(&channel_id) != 0 || //
+ extension_type != TLSEXT_TYPE_channel_id || //
CBS_len(&extension) != TLSEXT_CHANNEL_ID_SIZE) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -4290,12 +4282,12 @@
}
CBB child;
- if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) ||
- !CBB_add_u16_length_prefixed(cbb, &child) ||
- !BN_bn2cbb_padded(&child, 32, x.get()) ||
- !BN_bn2cbb_padded(&child, 32, y.get()) ||
- !BN_bn2cbb_padded(&child, 32, sig->r) ||
- !BN_bn2cbb_padded(&child, 32, sig->s) ||
+ if (!CBB_add_u16(cbb, TLSEXT_TYPE_channel_id) || //
+ !CBB_add_u16_length_prefixed(cbb, &child) || //
+ !BN_bn2cbb_padded(&child, 32, x.get()) || //
+ !BN_bn2cbb_padded(&child, 32, y.get()) || //
+ !BN_bn2cbb_padded(&child, 32, sig->r) || //
+ !BN_bn2cbb_padded(&child, 32, sig->s) || //
!CBB_flush(cbb)) {
return false;
}
@@ -4370,16 +4362,14 @@
// of the SCTs may be empty.
CBS copy = *contents;
CBS sct_list;
- if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
- CBS_len(©) != 0 ||
+ if (!CBS_get_u16_length_prefixed(©, &sct_list) || CBS_len(©) != 0 ||
CBS_len(&sct_list) == 0) {
return false;
}
while (CBS_len(&sct_list) > 0) {
CBS sct;
- if (!CBS_get_u16_length_prefixed(&sct_list, &sct) ||
- CBS_len(&sct) == 0) {
+ if (!CBS_get_u16_length_prefixed(&sct_list, &sct) || CBS_len(&sct) == 0) {
return false;
}
}
diff --git a/ssl/handoff.cc b/ssl/handoff.cc
index d317269..e3cb43d 100644
--- a/ssl/handoff.cc
+++ b/ssl/handoff.cc
@@ -47,7 +47,7 @@
return false;
}
Span<const SSL_CIPHER> all_ciphers = AllCiphers();
- for (const SSL_CIPHER& cipher : all_ciphers) {
+ for (const SSL_CIPHER &cipher : all_ciphers) {
if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
return false;
}
@@ -56,7 +56,7 @@
if (!CBB_add_asn1(out, &groups, CBS_ASN1_OCTETSTRING)) {
return false;
}
- for (const NamedGroup& g : NamedGroups()) {
+ for (const NamedGroup &g : NamedGroups()) {
if (!CBB_add_u16(&groups, g.group_id)) {
return false;
}
@@ -78,8 +78,8 @@
bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
SSL_CLIENT_HELLO *out_hello) {
const SSL3_STATE *const s3 = ssl->s3;
- if (!ssl->server ||
- s3->hs == nullptr ||
+ if (!ssl->server || //
+ s3->hs == nullptr || //
s3->rwstate != SSL_ERROR_HANDOFF) {
return false;
}
@@ -94,8 +94,7 @@
!CBB_add_asn1_octet_string(&seq,
reinterpret_cast<uint8_t *>(s3->hs_buf->data),
s3->hs_buf->length) ||
- !serialize_features(&seq) ||
- !CBB_flush(out) ||
+ !serialize_features(&seq) || !CBB_flush(out) ||
!ssl->method->get_message(ssl, &msg) ||
!ssl_client_hello_init(ssl, out_hello, msg.body)) {
return false;
@@ -106,9 +105,7 @@
bool SSL_decline_handoff(SSL *ssl) {
const SSL3_STATE *const s3 = ssl->s3;
- if (!ssl->server ||
- s3->hs == nullptr ||
- s3->rwstate != SSL_ERROR_HANDOFF) {
+ if (!ssl->server || s3->hs == nullptr || s3->rwstate != SSL_ERROR_HANDOFF) {
return false;
}
@@ -336,11 +333,11 @@
}
size_t read_iv_len = 0;
const uint8_t *read_iv = nullptr;
- if (type == handback_after_handshake &&
- ssl->s3->version == TLS1_VERSION &&
- SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
+ if (type == handback_after_handshake && //
+ ssl->s3->version == TLS1_VERSION && //
+ SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) && //
!s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
- return false;
+ return false;
}
// TODO(mab): make sure everything is serialized.
@@ -470,14 +467,14 @@
}
bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
- if (ssl->do_handshake != nullptr ||
+ if (ssl->do_handshake != nullptr || //
ssl->method->is_dtls) {
return false;
}
SSL3_STATE *const s3 = ssl->s3;
uint64_t handback_version, unused_token_binding_param, cipher, type_u64,
- alps_codepoint;
+ alps_codepoint;
CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
next_proto, alpn, hostname, unused_channel_id, transcript, key_share;
@@ -487,10 +484,10 @@
SSL_SESSION *session = nullptr;
CBS handback_cbs(handback);
- if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
- !CBS_get_asn1_uint64(&seq, &handback_version) ||
- handback_version != kHandbackVersion ||
- !CBS_get_asn1_uint64(&seq, &type_u64) ||
+ if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) || //
+ !CBS_get_asn1_uint64(&seq, &handback_version) || //
+ handback_version != kHandbackVersion || //
+ !CBS_get_asn1_uint64(&seq, &type_u64) || //
type_u64 > handback_max_value) {
return false;
}
@@ -796,8 +793,8 @@
CBS cbs, seq;
CBS_init(&cbs, capabilities, capabilities_len);
UniquePtr<SSL_HANDSHAKE_HINTS> hints = MakeUnique<SSL_HANDSHAKE_HINTS>();
- if (hints == nullptr ||
- !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) ||
+ if (hints == nullptr || //
+ !CBS_get_asn1(&cbs, &seq, CBS_ASN1_SEQUENCE) || //
!apply_remote_features(ssl, &seq)) {
return 0;
}
@@ -881,8 +878,7 @@
// }
// HandshakeHints tags.
-static const CBS_ASN1_TAG kServerRandomTLS13Tag =
- CBS_ASN1_CONTEXT_SPECIFIC | 0;
+static const CBS_ASN1_TAG kServerRandomTLS13Tag = CBS_ASN1_CONTEXT_SPECIFIC | 0;
static const CBS_ASN1_TAG kKeyShareHintTag =
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1;
static const CBS_ASN1_TAG kSignatureHintTag =
@@ -891,8 +887,7 @@
static const CBS_ASN1_TAG kIgnorePSKTag = CBS_ASN1_CONTEXT_SPECIFIC | 4;
static const CBS_ASN1_TAG kCompressCertificateTag =
CBS_ASN1_CONTEXT_SPECIFIC | 5;
-static const CBS_ASN1_TAG kServerRandomTLS12Tag =
- CBS_ASN1_CONTEXT_SPECIFIC | 6;
+static const CBS_ASN1_TAG kServerRandomTLS12Tag = CBS_ASN1_CONTEXT_SPECIFIC | 6;
static const CBS_ASN1_TAG kECDHEHintTag = CBS_ASN1_CONSTRUCTED | 7;
static const CBS_ASN1_TAG kDecryptedTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 8;
static const CBS_ASN1_TAG kRenewTicketTag = CBS_ASN1_CONTEXT_SPECIFIC | 9;
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 2655a6a..776e780 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -326,8 +326,8 @@
}
// Do not send a session ID on renegotiation.
- if (!ssl->s3->initial_handshake_complete &&
- !empty_session_id &&
+ if (!ssl->s3->initial_handshake_complete && //
+ !empty_session_id && //
!CBB_add_bytes(&child, hs->session_id.data(), hs->session_id.size())) {
return false;
}
@@ -407,8 +407,8 @@
return true;
}
- if (!CBS_get_u16(&supported_versions.data, out_version) ||
- CBS_len(&supported_versions.data) != 0) {
+ if (!CBS_get_u16(&supported_versions.data, out_version) || //
+ CBS_len(&supported_versions.data) != 0) {
*out_alert = SSL_AD_DECODE_ERROR;
return false;
}
@@ -584,7 +584,8 @@
return ssl_hs_ok;
}
-static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_early_reverify_server_certificate(
+ SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (ssl->ctx->reverify_on_resume) {
// Don't send an alert on error. The alert would be in the clear, which the
@@ -816,11 +817,11 @@
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
uint32_t mask_a, mask_k;
ssl_get_client_disabled(hs, &mask_a, &mask_k);
- if (cipher == nullptr ||
- (cipher->algorithm_mkey & mask_k) ||
- (cipher->algorithm_auth & mask_a) ||
- SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
- SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
+ if (cipher == nullptr || //
+ (cipher->algorithm_mkey & mask_k) || //
+ (cipher->algorithm_auth & mask_a) || //
+ SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) || //
+ SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) || //
!sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), nullptr, cipher)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -1016,10 +1017,10 @@
CBS certificate_status = msg.body, ocsp_response;
uint8_t status_type;
- if (!CBS_get_u8(&certificate_status, &status_type) ||
- status_type != TLSEXT_STATUSTYPE_ocsp ||
- !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
- CBS_len(&ocsp_response) == 0 ||
+ if (!CBS_get_u8(&certificate_status, &status_type) || //
+ status_type != TLSEXT_STATUSTYPE_ocsp || //
+ !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) || //
+ CBS_len(&ocsp_response) == 0 || //
CBS_len(&certificate_status) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -1547,11 +1548,11 @@
CBB enc_pms;
uint8_t *ptr;
size_t enc_pms_len;
- if (!CBB_add_u16_length_prefixed(&body, &enc_pms) ||
- !CBB_reserve(&enc_pms, &ptr, RSA_size(rsa)) ||
+ if (!CBB_add_u16_length_prefixed(&body, &enc_pms) || //
+ !CBB_reserve(&enc_pms, &ptr, RSA_size(rsa)) || //
!RSA_encrypt(rsa, &enc_pms_len, ptr, RSA_size(rsa), pms.data(),
- pms.size(), RSA_PKCS1_PADDING) ||
- !CBB_did_write(&enc_pms, enc_pms_len) ||
+ pms.size(), RSA_PKCS1_PADDING) || //
+ !CBB_did_write(&enc_pms, enc_pms_len) || //
!CBB_flush(&body)) {
return ssl_hs_error;
}
@@ -1664,7 +1665,7 @@
return ssl_hs_private_key_operation;
}
- if (!CBB_did_write(&child, sig_len) ||
+ if (!CBB_did_write(&child, sig_len) || //
!ssl_add_message_cbb(ssl, cbb.get())) {
return ssl_hs_error;
}
@@ -1734,9 +1735,9 @@
// TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to
// sacrifice False Start on them. Instead, we rely on the ServerHello.random
// downgrade signal, which we unconditionally enforce.
- if (SSL_is_dtls(ssl) ||
- SSL_version(ssl) != TLS1_2_VERSION ||
- hs->new_cipher->algorithm_mkey != SSL_kECDHE ||
+ if (SSL_is_dtls(ssl) || //
+ SSL_version(ssl) != TLS1_2_VERSION || //
+ hs->new_cipher->algorithm_mkey != SSL_kECDHE || //
hs->new_cipher->algorithm_mac != SSL_AEAD) {
return false;
}
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index 40329c6..bc31305 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -167,8 +167,8 @@
#include <openssl/rand.h>
#include <openssl/x509.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -200,8 +200,8 @@
CBS supported_versions, versions;
if (ssl_client_hello_get_extension(client_hello, &supported_versions,
TLSEXT_TYPE_supported_versions)) {
- if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) ||
- CBS_len(&supported_versions) != 0 ||
+ if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) || //
+ CBS_len(&supported_versions) != 0 || //
CBS_len(&versions) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -316,12 +316,12 @@
const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);
size_t cipher_index;
- if (// Check if the cipher is supported for the current version.
- SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) &&
- ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) &&
+ if ( // Check if the cipher is supported for the current version.
+ SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) && //
+ ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && //
// Check the cipher is supported for the server configuration.
- (c->algorithm_mkey & mask_k) &&
- (c->algorithm_auth & mask_a) &&
+ (c->algorithm_mkey & mask_k) && //
+ (c->algorithm_auth & mask_a) && //
// Check the cipher is in the |allow| list.
sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
if (in_group_flags != NULL && in_group_flags[i]) {
@@ -503,15 +503,16 @@
// clients implement X25519.
while (CBS_len(&supported_groups) > 0) {
uint16_t group;
- if (!CBS_get_u16(&supported_groups, &group) ||
+ if (!CBS_get_u16(&supported_groups, &group) || //
group == SSL_GROUP_X25519) {
return false;
}
}
- if (// JDK 11 always sends the same contents in signature_algorithms and
- // signature_algorithms_cert. This is unusual: signature_algorithms_cert,
- // if omitted, is treated as if it were signature_algorithms.
+ if ( // JDK 11 always sends the same contents in signature_algorithms and
+ // signature_algorithms_cert. This is unusual:
+ // signature_algorithms_cert, if omitted, is treated as if it were
+ // signature_algorithms.
sigalgs != sigalgs_cert ||
// When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it
// sends status_request. This is unusual: status_request_v2 is not widely
@@ -616,8 +617,8 @@
CBS server_name_list, host_name;
uint8_t name_type;
- if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) ||
- !CBS_get_u8(&server_name_list, &name_type) ||
+ if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) || //
+ !CBS_get_u8(&server_name_list, &name_type) || //
// Although the server_name extension was intended to be extensible to
// new name types and multiple names, OpenSSL 1.0.x had a bug which meant
// different name types will cause an error. Further, RFC 4366 originally
@@ -625,16 +626,16 @@
// adding new name types is no longer feasible.
//
// Act as if the extensibility does not exist to simplify parsing.
- !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
- CBS_len(&server_name_list) != 0 ||
+ !CBS_get_u16_length_prefixed(&server_name_list, &host_name) || //
+ CBS_len(&server_name_list) != 0 || //
CBS_len(&sni) != 0) {
*out_alert = SSL_AD_DECODE_ERROR;
return false;
}
- if (name_type != TLSEXT_NAMETYPE_host_name ||
- CBS_len(&host_name) == 0 ||
- CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
+ if (name_type != TLSEXT_NAMETYPE_host_name || //
+ CBS_len(&host_name) == 0 || //
+ CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || //
CBS_contains_zero_byte(&host_name)) {
*out_alert = SSL_AD_UNRECOGNIZED_NAME;
return false;
@@ -735,7 +736,7 @@
return ssl_hs_error;
default:
- /* fallthrough */;
+ /* fallthrough */;
}
}
@@ -941,7 +942,8 @@
// Assign a session ID if not using session tickets.
if (!hs->ticket_expected &&
(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
- hs->new_session->session_id.ResizeForOverwrite(SSL3_SSL_SESSION_ID_LENGTH);
+ hs->new_session->session_id.ResizeForOverwrite(
+ SSL3_SSL_SESSION_ID_LENGTH);
RAND_bytes(hs->new_session->session_id.data(),
hs->new_session->session_id.size());
}
@@ -1165,9 +1167,9 @@
if (alg_k & SSL_kECDHE) {
assert(hs->new_session->group_id != 0);
hs->key_shares[0] = SSLKeyShare::Create(hs->new_session->group_id);
- if (!hs->key_shares[0] ||
- !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
- !CBB_add_u16(cbb.get(), hs->new_session->group_id) ||
+ if (!hs->key_shares[0] || //
+ !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || //
+ !CBB_add_u16(cbb.get(), hs->new_session->group_id) || //
!CBB_add_u8_length_prefixed(cbb.get(), &child)) {
return ssl_hs_error;
}
@@ -1771,7 +1773,7 @@
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
- !tls1_verify_channel_id(hs, msg) ||
+ !tls1_verify_channel_id(hs, msg) || //
!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
}
@@ -1843,8 +1845,8 @@
}
}
- if (!ssl->method->add_change_cipher_spec(ssl) ||
- !tls1_change_cipher_state(hs, evp_aead_seal) ||
+ if (!ssl->method->add_change_cipher_spec(ssl) || //
+ !tls1_change_cipher_state(hs, evp_aead_seal) || //
!ssl_send_finished(hs)) {
return ssl_hs_error;
}
diff --git a/ssl/internal.h b/ssl/internal.h
index 213704d..97c9ed1 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -241,7 +241,7 @@
//
// Note: unlike |new|, this does not support non-public constructors.
template <typename T, typename... Args>
-T *New(Args &&... args) {
+T *New(Args &&...args) {
void *t = OPENSSL_malloc(sizeof(T));
if (t == nullptr) {
return nullptr;
@@ -272,7 +272,7 @@
// MakeUnique behaves like |std::make_unique| but returns nullptr on allocation
// error.
template <typename T, typename... Args>
-UniquePtr<T> MakeUnique(Args &&... args) {
+UniquePtr<T> MakeUnique(Args &&...args) {
return UniquePtr<T>(New<T>(std::forward<Args>(args)...));
}
@@ -686,7 +686,7 @@
// If we ever need to make this type movable, we could. (The defaults almost
// work except we need |start_| to be reset when moved-from.)
MRUQueue(const MRUQueue &other) = delete;
- MRUQueue &operator=(const MRUQueue &other) = delete;
+ MRUQueue &operator=(const MRUQueue &other) = delete;
bool empty() const { return size() == 0; }
size_t size() const { return storage_.size(); }
@@ -1518,8 +1518,7 @@
// |out_ciphertext|, and sets |*out_secret| to the shared secret. On failure,
// it returns false and sets |*out_alert| to an alert to send to the peer.
virtual bool Encap(CBB *out_ciphertext, Array<uint8_t> *out_secret,
- uint8_t *out_alert,
- Span<const uint8_t> peer_key) = 0;
+ uint8_t *out_alert, Span<const uint8_t> peer_key) = 0;
// Decap decapsulates the symmetric secret in |ciphertext|. On success, it
// returns true and sets |*out_secret| to the shared secret. On failure, it
@@ -1778,7 +1777,7 @@
// a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes
// an error on the error queue.
bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
- const CRYPTO_BUFFER *leaf);
+ const CRYPTO_BUFFER *leaf);
// TLS 1.3 key derivation.
@@ -3753,7 +3752,7 @@
// counterpart to |privkey|. Otherwise it returns false and pushes a helpful
// message on the error queue.
bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
- const EVP_PKEY *privkey);
+ const EVP_PKEY *privkey);
bool ssl_get_new_session(SSL_HANDSHAKE *hs);
// ssl_encrypt_ticket encrypt a ticket for |session| and writes the result to
diff --git a/ssl/s3_both.cc b/ssl/s3_both.cc
index 4ece96d..4ffc1d8 100644
--- a/ssl/s3_both.cc
+++ b/ssl/s3_both.cc
@@ -122,8 +122,8 @@
#include <openssl/bytestring.h>
#include <openssl/err.h>
#include <openssl/evp.h>
-#include <openssl/mem.h>
#include <openssl/md5.h>
+#include <openssl/mem.h>
#include <openssl/nid.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
@@ -170,8 +170,8 @@
bool tls_init_message(const SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
// Pick a modest size hint to save most of the |realloc| calls.
- if (!CBB_init(cbb, 64) ||
- !CBB_add_u8(cbb, type) ||
+ if (!CBB_init(cbb, 64) || //
+ !CBB_add_u8(cbb, type) || //
!CBB_add_u24_length_prefixed(cbb, body)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
CBB_cleanup(cbb);
@@ -234,7 +234,7 @@
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg);
// TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
// hs.
- if (ssl->s3->hs != NULL &&
+ if (ssl->s3->hs != NULL && //
!ssl->s3->hs->transcript.Update(msg)) {
return false;
}
@@ -461,8 +461,8 @@
}
// Add the null compression scheme and finish.
- if (!CBB_add_u8(&hello_body, 1) ||
- !CBB_add_u8(&hello_body, 0) ||
+ if (!CBB_add_u8(&hello_body, 1) || //
+ !CBB_add_u8(&hello_body, 0) || //
!CBB_finish(client_hello.get(), NULL, &ssl->s3->hs_buf->length)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_open_record_error;
@@ -484,7 +484,7 @@
uint32_t len;
CBS_init(&cbs, reinterpret_cast<const uint8_t *>(ssl->s3->hs_buf->data),
ssl->s3->hs_buf->length);
- if (!CBS_get_u8(&cbs, &out->type) ||
+ if (!CBS_get_u8(&cbs, &out->type) || //
!CBS_get_u24(&cbs, &len)) {
*out_bytes_needed = 4;
return false;
@@ -573,10 +573,10 @@
// Some dedicated error codes for protocol mixups should the application
// wish to interpret them differently. (These do not overlap with
// ClientHello or V2ClientHello.)
- const char *str = reinterpret_cast<const char*>(in.data());
- if (strncmp("GET ", str, 4) == 0 ||
- strncmp("POST ", str, 5) == 0 ||
- strncmp("HEAD ", str, 5) == 0 ||
+ const char *str = reinterpret_cast<const char *>(in.data());
+ if (strncmp("GET ", str, 4) == 0 || //
+ strncmp("POST ", str, 5) == 0 || //
+ strncmp("HEAD ", str, 5) == 0 || //
strncmp("PUT ", str, 4) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_HTTP_REQUEST);
*out_alert = 0;
@@ -638,8 +638,8 @@
void tls_next_message(SSL *ssl) {
SSLMessage msg;
- if (!tls_get_message(ssl, &msg) ||
- !ssl->s3->hs_buf ||
+ if (!tls_get_message(ssl, &msg) || //
+ !ssl->s3->hs_buf || //
ssl->s3->hs_buf->length < CBS_len(&msg.raw)) {
assert(0);
return;
@@ -706,7 +706,7 @@
}
};
-}
+} // namespace
bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id,
enum ssl_compliance_policy_t policy) {
@@ -754,9 +754,10 @@
const SSL_CIPHER *best = nullptr;
AesHwCipherScorer aes_hw_scorer(has_aes_hw);
CNsaCipherScorer cnsa_scorer;
- CipherScorer *const scorer = (policy == ssl_compliance_policy_cnsa_202407)
- ? static_cast<CipherScorer*>(&cnsa_scorer)
- : static_cast<CipherScorer*>(&aes_hw_scorer);
+ CipherScorer *const scorer =
+ (policy == ssl_compliance_policy_cnsa_202407)
+ ? static_cast<CipherScorer *>(&cnsa_scorer)
+ : static_cast<CipherScorer *>(&aes_hw_scorer);
CipherScorer::Score best_score = CipherScorer::kMinScore;
while (CBS_len(&cipher_suites) > 0) {
diff --git a/ssl/ssl_asn1.cc b/ssl/ssl_asn1.cc
index 3e1e9d6..b13f6b5 100644
--- a/ssl/ssl_asn1.cc
+++ b/ssl/ssl_asn1.cc
@@ -318,16 +318,16 @@
}
}
- if (in->group_id > 0 &&
- (!CBB_add_asn1(&session, &child, kGroupIDTag) ||
+ if (in->group_id > 0 && //
+ (!CBB_add_asn1(&session, &child, kGroupIDTag) || //
!CBB_add_asn1_uint64(&child, in->group_id))) {
return 0;
}
// The certificate chain is only serialized if the leaf's SHA-256 isn't
// serialized instead.
- if (in->certs != NULL &&
- !in->peer_sha256_valid &&
+ if (in->certs != NULL && //
+ !in->peer_sha256_valid && //
sk_CRYPTO_BUFFER_num(in->certs.get()) >= 2) {
if (!CBB_add_asn1(&session, &child, kCertChainTag)) {
return 0;
@@ -525,15 +525,15 @@
CBS session;
uint64_t version, ssl_version;
uint16_t unused;
- if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) ||
- !CBS_get_asn1_uint64(&session, &version) ||
- version != kVersion ||
- !CBS_get_asn1_uint64(&session, &ssl_version) ||
+ if (!CBS_get_asn1(cbs, &session, CBS_ASN1_SEQUENCE) || //
+ !CBS_get_asn1_uint64(&session, &version) || //
+ version != kVersion || //
+ !CBS_get_asn1_uint64(&session, &ssl_version) || //
// Require sessions have versions valid in either TLS or DTLS. The session
// will not be used by the handshake if not applicable, but, for
// simplicity, never parse a session that does not pass
// |ssl_protocol_version_from_wire|.
- ssl_version > UINT16_MAX ||
+ ssl_version > UINT16_MAX || //
!ssl_protocol_version_from_wire(&unused, ssl_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
return nullptr;
@@ -542,8 +542,8 @@
CBS cipher;
uint16_t cipher_value;
- if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) ||
- !CBS_get_u16(&cipher, &cipher_value) ||
+ if (!CBS_get_asn1(&session, &cipher, CBS_ASN1_OCTETSTRING) || //
+ !CBS_get_u16(&cipher, &cipher_value) || //
CBS_len(&cipher) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
return nullptr;
@@ -669,7 +669,7 @@
if (has_peer) {
UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new_from_CBS(&peer, pool));
- if (!buffer ||
+ if (!buffer || //
!PushToStack(ret->certs.get(), std::move(buffer))) {
return nullptr;
}
@@ -695,8 +695,8 @@
int age_add_present;
if (!CBS_get_optional_asn1_octet_string(&session, &age_add, &age_add_present,
kTicketAgeAddTag) ||
- (age_add_present &&
- !CBS_get_u32(&age_add, &ret->ticket_age_add)) ||
+ (age_add_present && //
+ !CBS_get_u32(&age_add, &ret->ticket_age_add)) || //
CBS_len(&age_add) != 0) {
return nullptr;
}
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index 8cfb04a..011d495 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -178,7 +178,7 @@
static int cert_set_chain_and_key(
CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs,
EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) {
- if (num_certs == 0 ||
+ if (num_certs == 0 || //
(privkey == NULL && privkey_method == NULL)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
@@ -268,7 +268,7 @@
UniquePtr<CRYPTO_BUFFER> buf(
CRYPTO_BUFFER_new_from_CBS(&certificate, pool));
- if (!buf ||
+ if (!buf || //
!PushToStack(chain.get(), std::move(buf))) {
*out_alert = SSL_AD_INTERNAL_ERROR;
return false;
@@ -302,13 +302,14 @@
CBS buf = *in;
CBS toplevel;
- if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||
- CBS_len(&buf) != 0 ||
- !CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||
+ if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) || //
+ CBS_len(&buf) != 0 || //
+ !CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) || //
// version
!CBS_get_optional_asn1(
out_tbs_cert, NULL, NULL,
- CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
+ CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) || //
+
// serialNumber
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||
// signature algorithm
@@ -330,17 +331,17 @@
CBS toplevel;
CBS cert;
- if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) || //
- CBS_len(&buf) != 0 || //
- !CBS_get_asn1(&toplevel, &cert, CBS_ASN1_SEQUENCE) || //
+ if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) || //
+ CBS_len(&buf) != 0 || //
+ !CBS_get_asn1(&toplevel, &cert, CBS_ASN1_SEQUENCE) || //
// version
!CBS_get_optional_asn1(
&cert, NULL, NULL,
- CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
+ CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) || //
// serialNumber
- !CBS_get_asn1(&cert, NULL, CBS_ASN1_INTEGER) ||
+ !CBS_get_asn1(&cert, NULL, CBS_ASN1_INTEGER) || //
// signature algorithm
- !CBS_get_asn1(&cert, NULL, CBS_ASN1_SEQUENCE) ||
+ !CBS_get_asn1(&cert, NULL, CBS_ASN1_SEQUENCE) || //
// issuer
!CBS_get_asn1_element(&cert, out_dn, CBS_ASN1_SEQUENCE)) {
return false;
@@ -497,7 +498,7 @@
UniquePtr<CRYPTO_BUFFER> buffer(
CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool));
- if (!buffer ||
+ if (!buffer || //
!PushToStack(ret.get(), std::move(buffer))) {
*out_alert = SSL_AD_INTERNAL_ERROR;
return nullptr;
@@ -528,7 +529,8 @@
static bool marshal_CA_names(const STACK_OF(CRYPTO_BUFFER) *config_names,
const STACK_OF(CRYPTO_BUFFER) *ctx_names,
CBB *cbb) {
- const STACK_OF(CRYPTO_BUFFER) *names = config_names == nullptr ? ctx_names : config_names;
+ const STACK_OF(CRYPTO_BUFFER) *names =
+ config_names == nullptr ? ctx_names : config_names;
CBB child, name_cbb;
if (!CBB_add_u16_length_prefixed(cbb, &child)) {
@@ -551,7 +553,8 @@
}
bool ssl_has_client_CAs(const SSL_CONFIG *cfg) {
- return CA_names_non_empty(cfg->client_CA.get(), cfg->ssl->ctx->client_CA.get());
+ return CA_names_non_empty(cfg->client_CA.get(),
+ cfg->ssl->ctx->client_CA.get());
}
bool ssl_has_CA_names(const SSL_CONFIG *cfg) {
@@ -559,11 +562,13 @@
}
bool ssl_add_client_CA_list(const SSL_HANDSHAKE *hs, CBB *cbb) {
- return marshal_CA_names(hs->config->client_CA.get(), hs->ssl->ctx->client_CA.get(), cbb);
+ return marshal_CA_names(hs->config->client_CA.get(),
+ hs->ssl->ctx->client_CA.get(), cbb);
}
bool ssl_add_CA_names(const SSL_HANDSHAKE *hs, CBB *cbb) {
- return marshal_CA_names(hs->config->CA_names.get(), hs->ssl->ctx->CA_names.get(), cbb);
+ return marshal_CA_names(hs->config->CA_names.get(),
+ hs->ssl->ctx->CA_names.get(), cbb);
}
bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 48f90a1..220087a 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -149,8 +149,8 @@
#include <openssl/sha.h>
#include <openssl/stack.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -160,14 +160,14 @@
// Cipher 0A
{
- SSL3_TXT_RSA_DES_192_CBC3_SHA,
- "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
- SSL3_CK_RSA_DES_192_CBC3_SHA,
- SSL_kRSA,
- SSL_aRSA_DECRYPT,
- SSL_3DES,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ SSL3_TXT_RSA_DES_192_CBC3_SHA,
+ "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+ SSL3_CK_RSA_DES_192_CBC3_SHA,
+ SSL_kRSA,
+ SSL_aRSA_DECRYPT,
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
@@ -175,290 +175,290 @@
// Cipher 2F
{
- TLS1_TXT_RSA_WITH_AES_128_SHA,
- "TLS_RSA_WITH_AES_128_CBC_SHA",
- TLS1_CK_RSA_WITH_AES_128_SHA,
- SSL_kRSA,
- SSL_aRSA_DECRYPT,
- SSL_AES128,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_RSA_WITH_AES_128_SHA,
+ "TLS_RSA_WITH_AES_128_CBC_SHA",
+ TLS1_CK_RSA_WITH_AES_128_SHA,
+ SSL_kRSA,
+ SSL_aRSA_DECRYPT,
+ SSL_AES128,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// Cipher 35
{
- TLS1_TXT_RSA_WITH_AES_256_SHA,
- "TLS_RSA_WITH_AES_256_CBC_SHA",
- TLS1_CK_RSA_WITH_AES_256_SHA,
- SSL_kRSA,
- SSL_aRSA_DECRYPT,
- SSL_AES256,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_RSA_WITH_AES_256_SHA,
+ "TLS_RSA_WITH_AES_256_CBC_SHA",
+ TLS1_CK_RSA_WITH_AES_256_SHA,
+ SSL_kRSA,
+ SSL_aRSA_DECRYPT,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// PSK cipher suites.
// Cipher 8C
{
- TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
- "TLS_PSK_WITH_AES_128_CBC_SHA",
- TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
- SSL_kPSK,
- SSL_aPSK,
- SSL_AES128,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
+ "TLS_PSK_WITH_AES_128_CBC_SHA",
+ TLS1_CK_PSK_WITH_AES_128_CBC_SHA,
+ SSL_kPSK,
+ SSL_aPSK,
+ SSL_AES128,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// Cipher 8D
{
- TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
- "TLS_PSK_WITH_AES_256_CBC_SHA",
- TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
- SSL_kPSK,
- SSL_aPSK,
- SSL_AES256,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
+ "TLS_PSK_WITH_AES_256_CBC_SHA",
+ TLS1_CK_PSK_WITH_AES_256_CBC_SHA,
+ SSL_kPSK,
+ SSL_aPSK,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// GCM ciphersuites from RFC 5288
// Cipher 9C
{
- TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
- SSL_kRSA,
- SSL_aRSA_DECRYPT,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
+ TLS1_CK_RSA_WITH_AES_128_GCM_SHA256,
+ SSL_kRSA,
+ SSL_aRSA_DECRYPT,
+ SSL_AES128GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// Cipher 9D
{
- TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
- SSL_kRSA,
- SSL_aRSA_DECRYPT,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA384,
+ TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ TLS1_CK_RSA_WITH_AES_256_GCM_SHA384,
+ SSL_kRSA,
+ SSL_aRSA_DECRYPT,
+ SSL_AES256GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA384,
},
// TLS 1.3 suites.
// Cipher 1301
{
- TLS1_3_RFC_AES_128_GCM_SHA256,
- "TLS_AES_128_GCM_SHA256",
- TLS1_3_CK_AES_128_GCM_SHA256,
- SSL_kGENERIC,
- SSL_aGENERIC,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_3_RFC_AES_128_GCM_SHA256,
+ "TLS_AES_128_GCM_SHA256",
+ TLS1_3_CK_AES_128_GCM_SHA256,
+ SSL_kGENERIC,
+ SSL_aGENERIC,
+ SSL_AES128GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// Cipher 1302
{
- TLS1_3_RFC_AES_256_GCM_SHA384,
- "TLS_AES_256_GCM_SHA384",
- TLS1_3_CK_AES_256_GCM_SHA384,
- SSL_kGENERIC,
- SSL_aGENERIC,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA384,
+ TLS1_3_RFC_AES_256_GCM_SHA384,
+ "TLS_AES_256_GCM_SHA384",
+ TLS1_3_CK_AES_256_GCM_SHA384,
+ SSL_kGENERIC,
+ SSL_aGENERIC,
+ SSL_AES256GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA384,
},
// Cipher 1303
{
- TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
- "TLS_CHACHA20_POLY1305_SHA256",
- TLS1_3_CK_CHACHA20_POLY1305_SHA256,
- SSL_kGENERIC,
- SSL_aGENERIC,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ "TLS_CHACHA20_POLY1305_SHA256",
+ TLS1_3_CK_CHACHA20_POLY1305_SHA256,
+ SSL_kGENERIC,
+ SSL_aGENERIC,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// Cipher C009
{
- TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- SSL_kECDHE,
- SSL_aECDSA,
- SSL_AES128,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_AES128,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// Cipher C00A
{
- TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- SSL_kECDHE,
- SSL_aECDSA,
- SSL_AES256,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// Cipher C013
{
- TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
- TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- SSL_kECDHE,
- SSL_aRSA_SIGN,
- SSL_AES128,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aRSA_SIGN,
+ SSL_AES128,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// Cipher C014
{
- TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
- TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- SSL_kECDHE,
- SSL_aRSA_SIGN,
- SSL_AES256,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aRSA_SIGN,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// Cipher C027
{
- TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- SSL_kECDHE,
- SSL_aRSA_SIGN,
- SSL_AES128,
- SSL_SHA256,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ SSL_kECDHE,
+ SSL_aRSA_SIGN,
+ SSL_AES128,
+ SSL_SHA256,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// GCM based TLS v1.2 ciphersuites from RFC 5289
// Cipher C02B
{
- TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- SSL_kECDHE,
- SSL_aECDSA,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_AES128GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// Cipher C02C
{
- TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- SSL_kECDHE,
- SSL_aECDSA,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA384,
+ TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_AES256GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA384,
},
// Cipher C02F
{
- TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- SSL_kECDHE,
- SSL_aRSA_SIGN,
- SSL_AES128GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ SSL_kECDHE,
+ SSL_aRSA_SIGN,
+ SSL_AES128GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// Cipher C030
{
- TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- SSL_kECDHE,
- SSL_aRSA_SIGN,
- SSL_AES256GCM,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA384,
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ SSL_kECDHE,
+ SSL_aRSA_SIGN,
+ SSL_AES256GCM,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA384,
},
// ECDHE-PSK cipher suites.
// Cipher C035
{
- TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
- TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
- SSL_kECDHE,
- SSL_aPSK,
- SSL_AES128,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
+ TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aPSK,
+ SSL_AES128,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// Cipher C036
{
- TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
- "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
- TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
- SSL_kECDHE,
- SSL_aPSK,
- SSL_AES256,
- SSL_SHA1,
- SSL_HANDSHAKE_MAC_DEFAULT,
+ TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
+ TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+ SSL_kECDHE,
+ SSL_aPSK,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_HANDSHAKE_MAC_DEFAULT,
},
// ChaCha20-Poly1305 cipher suites.
// Cipher CCA8
{
- TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
- TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kECDHE,
- SSL_aRSA_SIGN,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+ TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ SSL_kECDHE,
+ SSL_aRSA_SIGN,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// Cipher CCA9
{
- TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
- TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kECDHE,
- SSL_aECDSA,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
+ TLS1_CK_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ SSL_kECDHE,
+ SSL_aECDSA,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
// Cipher CCAB
{
- TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
- "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
- TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
- SSL_kECDHE,
- SSL_aPSK,
- SSL_CHACHA20POLY1305,
- SSL_AEAD,
- SSL_HANDSHAKE_MAC_SHA256,
+ TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+ TLS1_CK_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
+ SSL_kECDHE,
+ SSL_aPSK,
+ SSL_CHACHA20POLY1305,
+ SSL_AEAD,
+ SSL_HANDSHAKE_MAC_SHA256,
},
};
@@ -740,11 +740,11 @@
return true;
}
-bool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList& other) {
+bool SSLCipherPreferenceList::Init(const SSLCipherPreferenceList &other) {
size_t size = sk_SSL_CIPHER_num(other.ciphers.get());
Span<const bool> other_flags(other.in_group_flags, size);
- UniquePtr<STACK_OF(SSL_CIPHER)> other_ciphers(sk_SSL_CIPHER_dup(
- other.ciphers.get()));
+ UniquePtr<STACK_OF(SSL_CIPHER)> other_ciphers(
+ sk_SSL_CIPHER_dup(other.ciphers.get()));
if (!other_ciphers) {
return false;
}
@@ -757,10 +757,10 @@
return;
}
if (!in_group_flags[index] /* last element of group */ && index > 0) {
- in_group_flags[index-1] = false;
+ in_group_flags[index - 1] = false;
}
for (size_t i = index; i < sk_SSL_CIPHER_num(ciphers.get()) - 1; ++i) {
- in_group_flags[i] = in_group_flags[i+1];
+ in_group_flags[i] = in_group_flags[i + 1];
}
sk_SSL_CIPHER_delete(ciphers.get(), index);
}
@@ -1346,9 +1346,9 @@
SSL_CIPHER c;
c.id = 0x03000000L | value;
- return reinterpret_cast<const SSL_CIPHER *>(bsearch(
- &c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
- ssl_cipher_id_cmp_void));
+ return reinterpret_cast<const SSL_CIPHER *>(
+ bsearch(&c, kCiphers, OPENSSL_ARRAY_SIZE(kCiphers), sizeof(SSL_CIPHER),
+ ssl_cipher_id_cmp_void));
}
uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
@@ -1474,7 +1474,7 @@
return TLS1_2_VERSION;
}
-static const char* kUnknownCipher = "(NONE)";
+static const char *kUnknownCipher = "(NONE)";
// return the actual cipher being used
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
diff --git a/ssl/ssl_credential.cc b/ssl/ssl_credential.cc
index b5282b8..eaa8ad7 100644
--- a/ssl/ssl_credential.cc
+++ b/ssl/ssl_credential.cc
@@ -18,8 +18,8 @@
#include <openssl/span.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -27,8 +27,7 @@
// new_leafless_chain returns a fresh stack of buffers set to {nullptr}.
static UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_leafless_chain(void) {
UniquePtr<STACK_OF(CRYPTO_BUFFER)> chain(sk_CRYPTO_BUFFER_new_null());
- if (!chain ||
- !sk_CRYPTO_BUFFER_push(chain.get(), nullptr)) {
+ if (!chain || !sk_CRYPTO_BUFFER_push(chain.get(), nullptr)) {
return nullptr;
}
@@ -240,12 +239,12 @@
bool ssl_credential_st::ChainContainsIssuer(
bssl::Span<const uint8_t> dn) const {
- if (UsesX509()) {
- // TODO(bbe) This is used for matching a chain by CA name for the CA extension.
- // If we require a chain to be present, we could remove any remaining parts
- // of the chain after the found issuer, on the assumption that the peer
- // sending the CA extension has the issuer in their trust store and does not
- // need us to waste bytes on the wire.
+ if (UsesX509()) {
+ // TODO(bbe) This is used for matching a chain by CA name for the CA
+ // extension. If we require a chain to be present, we could remove any
+ // remaining parts of the chain after the found issuer, on the assumption
+ // that the peer sending the CA extension has the issuer in their trust
+ // store and does not need us to waste bytes on the wire.
CBS dn_cbs;
CBS_init(&dn_cbs, dn.data(), dn.size());
for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain.get()); i++) {
@@ -344,8 +343,8 @@
return 1;
}
-int SSL_CREDENTIAL_set1_delegated_credential(
- SSL_CREDENTIAL *cred, CRYPTO_BUFFER *dc) {
+int SSL_CREDENTIAL_set1_delegated_credential(SSL_CREDENTIAL *cred,
+ CRYPTO_BUFFER *dc) {
if (cred->type != SSLCredentialType::kDelegated) {
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
index 0342e62..d835559 100644
--- a/ssl/ssl_key_share.cc
+++ b/ssl/ssl_key_share.cc
@@ -33,8 +33,8 @@
#include <openssl/rand.h>
#include <openssl/span.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -423,9 +423,10 @@
return false;
}
-bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
+bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name,
+ size_t len) {
for (const auto &group : kNamedGroups) {
- if (len == strlen(group.name) &&
+ if (len == strlen(group.name) && //
!strncmp(group.name, name, len)) {
*out_group_id = group.group_id;
return true;
@@ -452,7 +453,7 @@
using namespace bssl;
-const char* SSL_get_group_name(uint16_t group_id) {
+const char *SSL_get_group_name(uint16_t group_id) {
for (const auto &group : kNamedGroups) {
if (group.group_id == group_id) {
return group.name;
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index f52030b..c38a96b 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -154,8 +154,8 @@
#include <openssl/mem.h>
#include <openssl/rand.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
#if defined(OPENSSL_WINDOWS)
#include <sys/timeb.h>
@@ -213,7 +213,7 @@
ERR_clear_system_error();
}
-void ssl_set_read_error(SSL* ssl) {
+void ssl_set_read_error(SSL *ssl) {
ssl->s3->read_shutdown = ssl_shutdown_error;
ssl->s3->read_error.reset(ERR_save_state());
}
@@ -287,7 +287,7 @@
static bool cbb_add_hex_consttime(CBB *cbb, Span<const uint8_t> in) {
uint8_t *out;
-if (!CBB_add_space(cbb, &out, in.size() * 2)) {
+ if (!CBB_add_space(cbb, &out, in.size() * 2)) {
return false;
}
@@ -416,17 +416,15 @@
#endif
}
-void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) {
- ctx->handoff = on;
-}
+void SSL_CTX_set_handoff_mode(SSL_CTX *ctx, bool on) { ctx->handoff = on; }
static bool ssl_can_renegotiate(const SSL *ssl) {
if (ssl->server || SSL_is_dtls(ssl)) {
return false;
}
- if (ssl->s3->version != 0 &&
- ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+ if (ssl->s3->version != 0 //
+ && ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
return false;
}
@@ -452,9 +450,9 @@
}
static void ssl_maybe_shed_handshake_config(SSL *ssl) {
- if (ssl->s3->hs != nullptr ||
- ssl->config == nullptr ||
- !ssl->config->shed_handshake_config ||
+ if (ssl->s3->hs != nullptr || //
+ ssl->config == nullptr || //
+ !ssl->config->shed_handshake_config || //
ssl_can_renegotiate(ssl)) {
return;
}
@@ -721,9 +719,7 @@
}
}
-void SSL_free(SSL *ssl) {
- Delete(ssl);
-}
+void SSL_free(SSL *ssl) { Delete(ssl); }
void SSL_set_connect_state(SSL *ssl) {
ssl->server = false;
@@ -735,13 +731,9 @@
ssl->do_handshake = ssl_server_handshake;
}
-void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
- ssl->rbio.reset(rbio);
-}
+void SSL_set0_rbio(SSL *ssl, BIO *rbio) { ssl->rbio.reset(rbio); }
-void SSL_set0_wbio(SSL *ssl, BIO *wbio) {
- ssl->wbio.reset(wbio);
-}
+void SSL_set0_wbio(SSL *ssl, BIO *wbio) { ssl->wbio.reset(wbio); }
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
// For historical reasons, this function has many different cases in ownership
@@ -804,8 +796,8 @@
} else {
// Clients may receive both Certificate message and a CertificateRequest
// message.
- if (2*ssl->max_cert_list > kDefaultLimit) {
- return 2*ssl->max_cert_list;
+ if (2 * ssl->max_cert_list > kDefaultLimit) {
+ return 2 * ssl->max_cert_list;
}
}
return kDefaultLimit;
@@ -1258,7 +1250,7 @@
void SSL_reset_early_data_reject(SSL *ssl) {
SSL_HANDSHAKE *hs = ssl->s3->hs.get();
- if (hs == NULL ||
+ if (hs == NULL || //
hs->wait != ssl_hs_early_data_rejected) {
abort();
}
@@ -1817,9 +1809,7 @@
ctx->max_cert_list = (uint32_t)max_cert_list;
}
-size_t SSL_get_max_cert_list(const SSL *ssl) {
- return ssl->max_cert_list;
-}
+size_t SSL_get_max_cert_list(const SSL *ssl) { return ssl->max_cert_list; }
void SSL_set_max_cert_list(SSL *ssl, size_t max_cert_list) {
if (max_cert_list > kMaxHandshakeSize) {
@@ -1942,9 +1932,9 @@
}
int SSL_CTX_set_tlsext_ticket_key_cb(
- SSL_CTX *ctx, int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
- EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx,
- int encrypt)) {
+ SSL_CTX *ctx,
+ int (*callback)(SSL *ssl, uint8_t *key_name, uint8_t *iv,
+ EVP_CIPHER_CTX *ctx, HMAC_CTX *hmac_ctx, int encrypt)) {
ctx->ticket_key_cb = callback;
return 1;
}
@@ -2071,13 +2061,9 @@
return ssl_group_id_to_nid(group_id);
}
-int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
- return 1;
-}
+int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) { return 1; }
-int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
- return 1;
-}
+int SSL_set_tmp_dh(SSL *ssl, const DH *dh) { return 1; }
STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx) {
return ctx->cipher_list->ciphers.get();
@@ -2100,7 +2086,7 @@
}
return ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
- : ssl->ctx->cipher_list->ciphers.get();
+ : ssl->ctx->cipher_list->ciphers.get();
}
const char *SSL_get_cipher_list(const SSL *ssl, int n) {
@@ -2336,10 +2322,12 @@
ctx->next_protos_advertised_cb_arg = arg;
}
-void SSL_CTX_set_next_proto_select_cb(
- SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len,
- const uint8_t *in, unsigned in_len, void *arg),
- void *arg) {
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
+ int (*cb)(SSL *ssl, uint8_t **out,
+ uint8_t *out_len,
+ const uint8_t *in,
+ unsigned in_len, void *arg),
+ void *arg) {
ctx->next_proto_select_cb = cb;
ctx->next_proto_select_cb_arg = arg;
}
@@ -2473,9 +2461,8 @@
static int is_p256_key(EVP_PKEY *private_key) {
const EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(private_key);
- return ec_key != NULL &&
- EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) ==
- NID_X9_62_prime256v1;
+ return ec_key != NULL && EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) ==
+ NID_X9_62_prime256v1;
}
int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
@@ -2529,7 +2516,7 @@
}
size_t SSL_get0_peer_delegation_algorithms(const SSL *ssl,
- const uint16_t **out_sigalgs){
+ const uint16_t **out_sigalgs) {
Span<const uint16_t> sigalgs;
if (ssl->s3->hs != nullptr) {
sigalgs = ssl->s3->hs->peer_delegated_credential_sigalgs;
@@ -2651,7 +2638,7 @@
return SSL_in_init(ssl) ? SSL_ST_INIT : SSL_ST_OK;
}
-void SSL_set_state(SSL *ssl, int state) { }
+void SSL_set_state(SSL *ssl, int state) {}
char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int len) {
if (len <= 0) {
@@ -2700,7 +2687,7 @@
CRYPTO_EX_dup *dup_unused,
CRYPTO_EX_free *free_func) {
return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl_ctx, argl, argp,
- free_func);
+ free_func);
}
int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) {
@@ -2807,9 +2794,10 @@
ctx->psk_client_callback = cb;
}
-void SSL_set_psk_server_callback(
- SSL *ssl, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
- unsigned max_psk_len)) {
+void SSL_set_psk_server_callback(SSL *ssl,
+ unsigned (*cb)(SSL *ssl, const char *identity,
+ uint8_t *psk,
+ unsigned max_psk_len)) {
if (!ssl->config) {
return;
}
@@ -2817,8 +2805,8 @@
}
void SSL_CTX_set_psk_server_callback(
- SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity,
- uint8_t *psk, unsigned max_psk_len)) {
+ SSL_CTX *ctx, unsigned (*cb)(SSL *ssl, const char *identity, uint8_t *psk,
+ unsigned max_psk_len)) {
ctx->psk_server_callback = cb;
}
@@ -2871,9 +2859,7 @@
return !ssl->s3->hs || ssl->s3->hs->can_release_private_key;
}
-int SSL_is_init_finished(const SSL *ssl) {
- return !SSL_in_init(ssl);
-}
+int SSL_is_init_finished(const SSL *ssl) { return !SSL_in_init(ssl); }
int SSL_in_init(const SSL *ssl) {
// This returns false once all the handshake state has been finalized, to
@@ -2890,9 +2876,7 @@
return ssl->s3->hs->in_false_start;
}
-int SSL_cutthrough_complete(const SSL *ssl) {
- return SSL_in_false_start(ssl);
-}
+int SSL_cutthrough_complete(const SSL *ssl) { return SSL_in_false_start(ssl); }
int SSL_is_server(const SSL *ssl) { return ssl->server; }
@@ -3179,8 +3163,8 @@
SSL_SESSION *SSL_process_tls13_new_session_ticket(SSL *ssl, const uint8_t *buf,
size_t buf_len) {
- if (SSL_in_init(ssl) ||
- ssl_protocol_version(ssl) != TLS1_3_VERSION ||
+ if (SSL_in_init(ssl) || //
+ ssl_protocol_version(ssl) != TLS1_3_VERSION || //
ssl->server) {
// Only TLS 1.3 clients are supported.
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -3190,8 +3174,8 @@
CBS cbs, body;
CBS_init(&cbs, buf, buf_len);
uint8_t type;
- if (!CBS_get_u8(&cbs, &type) ||
- !CBS_get_u24_length_prefixed(&cbs, &body) ||
+ if (!CBS_get_u8(&cbs, &type) || //
+ !CBS_get_u24_length_prefixed(&cbs, &body) || //
CBS_len(&cbs) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return nullptr;
@@ -3226,8 +3210,8 @@
if (ssl->server) {
SSL_HANDSHAKE *hs = ssl->s3->hs.get();
return hs != nullptr && hs->ocsp_stapling_requested
- ? TLSEXT_STATUSTYPE_ocsp
- : TLSEXT_STATUSTYPE_nothing;
+ ? TLSEXT_STATUSTYPE_ocsp
+ : TLSEXT_STATUSTYPE_nothing;
}
return ssl->config != nullptr && ssl->config->ocsp_stapling_enabled
@@ -3411,12 +3395,11 @@
}
static int Configure(SSL *ssl) {
- ssl->config->tls13_cipher_policy =
- ssl_compliance_policy_cnsa_202407;
+ ssl->config->tls13_cipher_policy = ssl_compliance_policy_cnsa_202407;
return 1;
}
-}
+} // namespace cnsa202407
int SSL_CTX_set_compliance_policy(SSL_CTX *ctx,
enum ssl_compliance_policy_t policy) {
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 14a8b67..30bf922 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -68,8 +68,8 @@
#include <openssl/mem.h>
#include <openssl/span.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -371,7 +371,7 @@
}
UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
- if (!pkey ||
+ if (!pkey || //
!EVP_PKEY_set1_RSA(pkey.get(), rsa)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
return 0;
@@ -424,8 +424,7 @@
}
UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
- if (!pkey ||
- !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {
+ if (!pkey || !EVP_PKEY_set1_RSA(pkey.get(), rsa)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_EVP_LIB);
return 0;
}
@@ -701,7 +700,7 @@
for (size_t i = 0; i < num_values; i += 2) {
const int hash_nid = values[i];
- const int pkey_type = values[i+1];
+ const int pkey_type = values[i + 1];
bool found = false;
for (const auto &candidate : kSignatureAlgorithmsMapping) {
@@ -789,7 +788,7 @@
int pkey_type = 0, hash_nid = 0;
// Note that the loop runs to len+1, i.e. it'll process the terminating NUL.
- for (size_t offset = 0; offset < len+1; offset++) {
+ for (size_t offset = 0; offset < len + 1; offset++) {
const unsigned char c = str[offset];
switch (c) {
@@ -808,7 +807,7 @@
if (strcmp(buf, "RSA") == 0) {
pkey_type = EVP_PKEY_RSA;
- } else if (strcmp(buf, "RSA-PSS") == 0 ||
+ } else if (strcmp(buf, "RSA-PSS") == 0 || //
strcmp(buf, "PSS") == 0) {
pkey_type = EVP_PKEY_RSA_PSS;
} else if (strcmp(buf, "ECDSA") == 0) {
diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index 16fd453..54ef50e 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -147,8 +147,8 @@
#include <openssl/mem.h>
#include <openssl/rand.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -179,11 +179,9 @@
session_id = tmp_storage;
}
- uint32_t hash =
- ((uint32_t)session_id[0]) |
- ((uint32_t)session_id[1] << 8) |
- ((uint32_t)session_id[2] << 16) |
- ((uint32_t)session_id[3] << 24);
+ uint32_t hash = ((uint32_t)session_id[0]) | ((uint32_t)session_id[1] << 8) |
+ ((uint32_t)session_id[2] << 16) |
+ ((uint32_t)session_id[3] << 24);
return hash;
}
@@ -214,7 +212,7 @@
if (session->certs != nullptr) {
auto buf_up_ref = [](const CRYPTO_BUFFER *buf) {
CRYPTO_BUFFER_up_ref(const_cast<CRYPTO_BUFFER *>(buf));
- return const_cast<CRYPTO_BUFFER*>(buf);
+ return const_cast<CRYPTO_BUFFER *>(buf);
};
new_session->certs.reset(sk_CRYPTO_BUFFER_deep_copy(
session->certs.get(), buf_up_ref, CRYPTO_BUFFER_free));
@@ -494,7 +492,8 @@
total = session_len;
#else
int len;
- if (!EVP_EncryptUpdate(ctx.get(), ptr + total, &len, session_buf, session_len)) {
+ if (!EVP_EncryptUpdate(ctx.get(), ptr + total, &len, session_buf,
+ session_len)) {
return 0;
}
total += len;
@@ -508,9 +507,9 @@
}
unsigned hlen;
- if (!HMAC_Update(hctx.get(), CBB_data(out), CBB_len(out)) ||
- !CBB_reserve(out, &ptr, EVP_MAX_MD_SIZE) ||
- !HMAC_Final(hctx.get(), ptr, &hlen) ||
+ if (!HMAC_Update(hctx.get(), CBB_data(out), CBB_len(out)) || //
+ !CBB_reserve(out, &ptr, EVP_MAX_MD_SIZE) || //
+ !HMAC_Final(hctx.get(), ptr, &hlen) || //
!CBB_did_write(out, hlen)) {
return 0;
}
@@ -536,8 +535,7 @@
}
size_t out_len;
- if (!method->seal(ssl, ptr, &out_len, max_out, session_buf,
- session_len)) {
+ if (!method->seal(ssl, ptr, &out_len, max_out, session_buf, session_len)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_TICKET_ENCRYPTION_FAILED);
return 0;
}
@@ -550,7 +548,7 @@
}
bool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out,
- const SSL_SESSION *session) {
+ const SSL_SESSION *session) {
// Serialize the SSL_SESSION to be encoded into the ticket.
uint8_t *session_buf = nullptr;
size_t session_len;
@@ -1001,8 +999,8 @@
return session->x509_peer;
}
-const STACK_OF(CRYPTO_BUFFER) *
- SSL_SESSION_get0_peer_certificates(const SSL_SESSION *session) {
+const STACK_OF(CRYPTO_BUFFER) *SSL_SESSION_get0_peer_certificates(
+ const SSL_SESSION *session) {
return session->certs.get();
}
@@ -1216,8 +1214,8 @@
int SSL_set_session(SSL *ssl, SSL_SESSION *session) {
// SSL_set_session may only be called before the handshake has started.
- if (ssl->s3->initial_handshake_complete ||
- ssl->s3->hs == NULL ||
+ if (ssl->s3->initial_handshake_complete || //
+ ssl->s3->hs == NULL || //
ssl->s3->hs->state != 0) {
abort();
}
@@ -1262,11 +1260,11 @@
static void timeout_doall_arg(SSL_SESSION *session, void *void_param) {
TIMEOUT_PARAM *param = reinterpret_cast<TIMEOUT_PARAM *>(void_param);
- if (param->time == 0 ||
- session->time + session->timeout < session->time ||
+ if (param->time == 0 || //
+ session->time + session->timeout < session->time || //
param->time > (session->time + session->timeout)) {
// TODO(davidben): This can probably just call |remove_session|.
- (void) lh_SSL_SESSION_delete(param->cache, session);
+ (void)lh_SSL_SESSION_delete(param->cache, session);
SSL_SESSION_list_remove(param->ctx, session);
// TODO(https://crbug.com/boringssl/251): Callbacks should not be called
// under a lock.
@@ -1299,8 +1297,9 @@
return ctx->new_session_cb;
}
-void SSL_CTX_sess_set_remove_cb(
- SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *session)) {
+void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
+ void (*cb)(SSL_CTX *ctx,
+ SSL_SESSION *session)) {
ctx->remove_session_cb = cb;
}
@@ -1322,8 +1321,8 @@
return ctx->get_session_cb;
}
-void SSL_CTX_set_info_callback(
- SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int value)) {
+void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,
+ int type, int value)) {
ctx->info_callback = cb;
}
diff --git a/ssl/ssl_stat.cc b/ssl/ssl_stat.cc
index f7e1675..e5d1d28 100644
--- a/ssl/ssl_stat.cc
+++ b/ssl/ssl_stat.cc
@@ -97,9 +97,7 @@
: ssl_client_handshake_state(ssl->s3->hs.get());
}
-const char *SSL_state_string(const SSL *ssl) {
- return "!!!!!!";
-}
+const char *SSL_state_string(const SSL *ssl) { return "!!!!!!"; }
const char *SSL_alert_type_string_long(int value) {
value >>= 8;
@@ -112,13 +110,9 @@
return "unknown";
}
-const char *SSL_alert_type_string(int value) {
- return "!";
-}
+const char *SSL_alert_type_string(int value) { return "!"; }
-const char *SSL_alert_desc_string(int value) {
- return "!!";
-}
+const char *SSL_alert_desc_string(int value) { return "!!"; }
const char *SSL_alert_desc_string_long(int value) {
switch (value & 0xff) {
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index a6e62d4..a47660d 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -28,8 +28,8 @@
#include <openssl/aead.h>
#include <openssl/base64.h>
-#include <openssl/bytestring.h>
#include <openssl/bio.h>
+#include <openssl/bytestring.h>
#include <openssl/cipher.h>
#include <openssl/crypto.h>
#include <openssl/curve25519.h>
@@ -37,15 +37,15 @@
#include <openssl/hmac.h>
#include <openssl/hpke.h>
#include <openssl/pem.h>
+#include <openssl/rand.h>
#include <openssl/sha.h>
#include <openssl/ssl.h>
-#include <openssl/rand.h>
#include <openssl/x509.h>
-#include "internal.h"
#include "../crypto/internal.h"
#include "../crypto/test/file_util.h"
#include "../crypto/test/test_util.h"
+#include "internal.h"
#if defined(OPENSSL_WINDOWS)
// Windows defines struct timeval in winsock2.h.
@@ -347,7 +347,8 @@
},
// Spaces, semi-colons and commas are separators.
{
- "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA ,ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
+ "AES128-SHA: ECDHE-RSA-AES128-GCM-SHA256 AES256-SHA "
+ ",ECDHE-ECDSA-AES128-GCM-SHA256 ; AES128-GCM-SHA256",
{
{TLS1_CK_RSA_WITH_AES_128_SHA, 0},
{TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 0},
@@ -436,93 +437,85 @@
};
static const char *kBadRules[] = {
- // Invalid brackets.
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
- "RSA]",
- "[[RSA]]",
- // Operators inside brackets.
- "[+RSA]",
- // Unknown directive.
- "@BOGUS",
- // Empty cipher lists error at SSL_CTX_set_cipher_list.
- "",
- "BOGUS",
- // COMPLEMENTOFDEFAULT is empty.
- "COMPLEMENTOFDEFAULT",
- // Invalid command.
- "?BAR",
- // Special operators are not allowed if equi-preference groups are used.
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
- "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
- // Opcode supplied, but missing selector.
- "+",
- // Spaces are forbidden in equal-preference groups.
- "[AES128-SHA | AES128-SHA256]",
+ // Invalid brackets.
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256",
+ "RSA]",
+ "[[RSA]]",
+ // Operators inside brackets.
+ "[+RSA]",
+ // Unknown directive.
+ "@BOGUS",
+ // Empty cipher lists error at SSL_CTX_set_cipher_list.
+ "",
+ "BOGUS",
+ // COMPLEMENTOFDEFAULT is empty.
+ "COMPLEMENTOFDEFAULT",
+ // Invalid command.
+ "?BAR",
+ // Special operators are not allowed if equi-preference groups are used.
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:+FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:!FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:-FOO",
+ "[ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256]:@STRENGTH",
+ // Opcode supplied, but missing selector.
+ "+",
+ // Spaces are forbidden in equal-preference groups.
+ "[AES128-SHA | AES128-SHA256]",
};
static const char *kMustNotIncludeDeprecated[] = {
- "ALL",
- "DEFAULT",
- "HIGH",
- "FIPS",
- "SHA",
- "SHA1",
- "RSA",
- "SSLv3",
- "TLSv1",
- "TLSv1.2",
+ "ALL", "DEFAULT", "HIGH", "FIPS", "SHA",
+ "SHA1", "RSA", "SSLv3", "TLSv1", "TLSv1.2",
};
-static const char* kShouldIncludeCBCSHA256[] = {
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
- "ALL:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+static const char *kShouldIncludeCBCSHA256[] = {
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+ "ALL:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
};
static const CurveTest kCurveTests[] = {
- {
- "P-256",
- { SSL_GROUP_SECP256R1 },
- },
- {
- "P-256:X25519Kyber768Draft00",
- { SSL_GROUP_SECP256R1, SSL_GROUP_X25519_KYBER768_DRAFT00 },
- },
- {
- "P-256:X25519MLKEM768",
- { SSL_GROUP_SECP256R1, SSL_GROUP_X25519_MLKEM768 },
- },
+ {
+ "P-256",
+ {SSL_GROUP_SECP256R1},
+ },
+ {
+ "P-256:X25519Kyber768Draft00",
+ {SSL_GROUP_SECP256R1, SSL_GROUP_X25519_KYBER768_DRAFT00},
+ },
+ {
+ "P-256:X25519MLKEM768",
+ {SSL_GROUP_SECP256R1, SSL_GROUP_X25519_MLKEM768},
+ },
- {
- "P-256:P-384:P-521:X25519",
{
- SSL_GROUP_SECP256R1,
- SSL_GROUP_SECP384R1,
- SSL_GROUP_SECP521R1,
- SSL_GROUP_X25519,
+ "P-256:P-384:P-521:X25519",
+ {
+ SSL_GROUP_SECP256R1,
+ SSL_GROUP_SECP384R1,
+ SSL_GROUP_SECP521R1,
+ SSL_GROUP_X25519,
+ },
},
- },
- {
- "prime256v1:secp384r1:secp521r1:x25519",
{
- SSL_GROUP_SECP256R1,
- SSL_GROUP_SECP384R1,
- SSL_GROUP_SECP521R1,
- SSL_GROUP_X25519,
+ "prime256v1:secp384r1:secp521r1:x25519",
+ {
+ SSL_GROUP_SECP256R1,
+ SSL_GROUP_SECP384R1,
+ SSL_GROUP_SECP521R1,
+ SSL_GROUP_X25519,
+ },
},
- },
};
static const char *kBadCurvesLists[] = {
- "",
- ":",
- "::",
- "P-256::X25519",
- "RSA:P-256",
- "P-256:RSA",
- "X25519:P-256:",
- ":X25519:P-256",
+ "",
+ ":",
+ "::",
+ "P-256::X25519",
+ "RSA:P-256",
+ "P-256:RSA",
+ "X25519:P-256:",
+ ":X25519:P-256",
};
static std::string CipherListToString(SSL_CTX *ctx) {
@@ -798,8 +791,9 @@
"g6JqyzYRnOhIZqNtf7gT1Ef+i1pcc/yu2RsyGTirlzQUqpbS66McFAhJtrvlke+D"
"NusdVm/K2rxzY5Dkf3s+Iss9B+1fOHSc4wNQTqGvmO5h8oQ/Eg==";
-// kBadSessionExtraField is a custom serialized SSL_SESSION generated by replacing
-// the final (optional) element of |kCustomSession| with tag number 99.
+// kBadSessionExtraField is a custom serialized SSL_SESSION generated by
+// replacing the final (optional) element of |kCustomSession| with tag
+// number 99.
static const char kBadSessionExtraField[] =
"MIIBdgIBAQICAwMEAsAvBCAG5Q1ndq4Yfmbeo1zwLkNRKmCXGdNgWvGT3cskV0yQ"
"kAQwJlrlzkAWBOWiLj/jJ76D7l+UXoizP2KI2C7I2FccqMmIfFmmkUy32nIJ0mZH"
@@ -1133,8 +1127,8 @@
std::vector<uint8_t> ticket(ticket_len, 'a');
bssl::UniquePtr<SSL_SESSION> session(
SSL_SESSION_from_bytes(der.data(), der.size(), ssl_ctx.get()));
- if (!session ||
- !SSL_SESSION_set_protocol_version(session.get(), version) ||
+ if (!session || //
+ !SSL_SESSION_set_protocol_version(session.get(), version) || //
!SSL_SESSION_set_ticket(session.get(), ticket.data(), ticket.size())) {
return nullptr;
}
@@ -1292,8 +1286,7 @@
char *name, *header;
uint8_t *data;
long data_len;
- if (!PEM_read_bio(bio.get(), &name, &header, &data,
- &data_len)) {
+ if (!PEM_read_bio(bio.get(), &name, &header, &data, &data_len)) {
return nullptr;
}
OPENSSL_free(name);
@@ -1535,9 +1528,9 @@
for (;;) {
int client_ret = SSL_do_handshake(client);
int client_err = SSL_get_error(client, client_ret);
- if (client_err != SSL_ERROR_NONE &&
- client_err != SSL_ERROR_WANT_READ &&
- client_err != SSL_ERROR_WANT_WRITE &&
+ if (client_err != SSL_ERROR_NONE && //
+ client_err != SSL_ERROR_WANT_READ && //
+ client_err != SSL_ERROR_WANT_WRITE && //
client_err != SSL_ERROR_PENDING_TICKET) {
fprintf(stderr, "Client error: %s\n", SSL_error_description(client_err));
return false;
@@ -1545,9 +1538,9 @@
int server_ret = SSL_do_handshake(server);
int server_err = SSL_get_error(server, server_ret);
- if (server_err != SSL_ERROR_NONE &&
- server_err != SSL_ERROR_WANT_READ &&
- server_err != SSL_ERROR_WANT_WRITE &&
+ if (server_err != SSL_ERROR_NONE && //
+ server_err != SSL_ERROR_WANT_READ && //
+ server_err != SSL_ERROR_WANT_WRITE && //
server_err != SSL_ERROR_PENDING_TICKET) {
fprintf(stderr, "Server error: %s\n", SSL_error_description(server_err));
return false;
@@ -1708,8 +1701,7 @@
const uint8_t *data;
size_t len;
if (!SSL_early_callback_ctx_extension_get(
- client_hello, TLSEXT_TYPE_application_settings, &data,
- &len)) {
+ client_hello, TLSEXT_TYPE_application_settings, &data, &len)) {
ADD_FAILURE() << "Could not find alps new codepoint.";
return ssl_select_cert_error;
}
@@ -1810,8 +1802,7 @@
// MakeECHConfig serializes an ECHConfig from |params| and writes it to
// |*out|.
-bool MakeECHConfig(std::vector<uint8_t> *out,
- const ECHConfigParams ¶ms) {
+bool MakeECHConfig(std::vector<uint8_t> *out, const ECHConfigParams ¶ms) {
uint16_t kem_id = params.kem_id == 0
? EVP_HPKE_KEM_id(EVP_HPKE_KEY_kem(params.key))
: params.kem_id;
@@ -1828,13 +1819,13 @@
bssl::ScopedCBB cbb;
CBB contents, child;
- if (!CBB_init(cbb.get(), 64) ||
- !CBB_add_u16(cbb.get(), params.version) ||
- !CBB_add_u16_length_prefixed(cbb.get(), &contents) ||
- !CBB_add_u8(&contents, params.config_id) ||
- !CBB_add_u16(&contents, kem_id) ||
- !CBB_add_u16_length_prefixed(&contents, &child) ||
- !CBB_add_bytes(&child, public_key.data(), public_key.size()) ||
+ if (!CBB_init(cbb.get(), 64) || //
+ !CBB_add_u16(cbb.get(), params.version) || //
+ !CBB_add_u16_length_prefixed(cbb.get(), &contents) || //
+ !CBB_add_u8(&contents, params.config_id) || //
+ !CBB_add_u16(&contents, kem_id) || //
+ !CBB_add_u16_length_prefixed(&contents, &child) || //
+ !CBB_add_bytes(&child, public_key.data(), public_key.size()) || //
!CBB_add_u16_length_prefixed(&contents, &child)) {
return false;
}
@@ -2030,7 +2021,8 @@
truncated.public_key.assign(public_key, public_key + public_key_len - 1);
ASSERT_TRUE(MakeECHConfig(&ech_config, truncated));
EXPECT_FALSE(SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/1,
- ech_config.data(), ech_config.size(), key.get()));
+ ech_config.data(), ech_config.size(),
+ key.get()));
// Adding an ECHConfig with the right public key, but wrong KEM ID, is an
// error.
@@ -2275,10 +2267,10 @@
EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("www.example-.com")));
EXPECT_FALSE(
ssl_is_valid_ech_public_name(str_to_span("no_underscores.example")));
- EXPECT_FALSE(ssl_is_valid_ech_public_name(
- str_to_span("invalid_chars.\x01.example")));
- EXPECT_FALSE(ssl_is_valid_ech_public_name(
- str_to_span("invalid_chars.\xff.example")));
+ EXPECT_FALSE(
+ ssl_is_valid_ech_public_name(str_to_span("invalid_chars.\x01.example")));
+ EXPECT_FALSE(
+ ssl_is_valid_ech_public_name(str_to_span("invalid_chars.\xff.example")));
static const uint8_t kWithNUL[] = {'t', 'e', 's', 't', 0};
EXPECT_FALSE(ssl_is_valid_ech_public_name(kWithNUL));
@@ -2305,12 +2297,11 @@
str_to_span("example.0x0123456789abcdefABCDEF")));
// Adding a non-digit or non-hex character makes it a valid DNS name again.
// Single-component numbers are rejected.
- EXPECT_TRUE(ssl_is_valid_ech_public_name(
- str_to_span("example.1234567890a")));
- EXPECT_TRUE(ssl_is_valid_ech_public_name(
- str_to_span("example.01234567890a")));
- EXPECT_TRUE(ssl_is_valid_ech_public_name(
- str_to_span("example.0x123456789abcdefg")));
+ EXPECT_TRUE(ssl_is_valid_ech_public_name(str_to_span("example.1234567890a")));
+ EXPECT_TRUE(
+ ssl_is_valid_ech_public_name(str_to_span("example.01234567890a")));
+ EXPECT_TRUE(
+ ssl_is_valid_ech_public_name(str_to_span("example.0x123456789abcdefg")));
EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("1")));
EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("01")));
EXPECT_FALSE(ssl_is_valid_ech_public_name(str_to_span("0x01")));
@@ -2606,15 +2597,15 @@
}
static void AppendSession(SSL_SESSION *session, void *arg) {
- std::vector<SSL_SESSION*> *out =
- reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
+ std::vector<SSL_SESSION *> *out =
+ reinterpret_cast<std::vector<SSL_SESSION *> *>(arg);
out->push_back(session);
}
// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
// order.
static bool CacheEquals(SSL_CTX *ctx,
- const std::vector<SSL_SESSION*> &expected) {
+ const std::vector<SSL_SESSION *> &expected) {
// Check the linked list.
SSL_SESSION *ptr = ctx->session_cache_head;
for (SSL_SESSION *session : expected) {
@@ -2634,7 +2625,7 @@
}
// Check the hash table.
- std::vector<SSL_SESSION*> actual, expected_copy;
+ std::vector<SSL_SESSION *> actual, expected_copy;
lh_SSL_SESSION_doall_arg(ctx->sessions, AppendSession, &actual);
expected_copy = expected;
@@ -2991,8 +2982,7 @@
} else {
invalid = {'i', 'n', 'v', 'a', 'l', 'i', 'd'};
}
- bssl::UniquePtr<BIO> rbio(
- BIO_new_mem_buf(invalid.data(), invalid.size()));
+ bssl::UniquePtr<BIO> rbio(BIO_new_mem_buf(invalid.data(), invalid.size()));
ASSERT_TRUE(rbio);
SSL_set0_rbio(ssl.get(), rbio.release());
@@ -4633,7 +4623,7 @@
ASSERT_TRUE(key);
bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
ASSERT_TRUE(leaf);
- std::vector<CRYPTO_BUFFER*> chain = {
+ std::vector<CRYPTO_BUFFER *> chain = {
leaf.get(),
};
@@ -4884,9 +4874,6 @@
// With no CA requested by client, we should fail with only cred1 and cred2
ASSERT_FALSE(ConnectClientAndServer(&client, &server, ctx.get(), ctx.get()));
- //EXPECT_TRUE(BuffersEqual(SSL_get0_peer_certificates(client.get()),
- // {leaf.get(), ca.get()}));
-
// Have the client request a bogus name that will not match
bssl::UniquePtr<CRYPTO_BUFFER> bogus_subject = GetBogusIssuerBuffer();
ASSERT_TRUE(bogus_subject);
@@ -4950,7 +4937,6 @@
ASSERT_TRUE(ConnectClientAndServer(&client5, &server5, ctx.get(), ctx.get()));
EXPECT_TRUE(BuffersEqual(SSL_get0_peer_certificates(client5.get()),
{leaf.get(), ca.get()}));
-
}
TEST(SSLTest, SetChainAndKeyCtx) {
@@ -4968,8 +4954,9 @@
bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
GetChainTestIntermediateBuffer();
ASSERT_TRUE(intermediate);
- std::vector<CRYPTO_BUFFER*> chain = {
- leaf.get(), intermediate.get(),
+ std::vector<CRYPTO_BUFFER *> chain = {
+ leaf.get(),
+ intermediate.get(),
};
ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
chain.size(), key.get(), nullptr));
@@ -5009,14 +4996,14 @@
bssl::UniquePtr<CRYPTO_BUFFER> intermediate =
GetChainTestIntermediateBuffer();
ASSERT_TRUE(intermediate);
- std::vector<CRYPTO_BUFFER*> chain = {
- leaf.get(), intermediate.get(),
+ std::vector<CRYPTO_BUFFER *> chain = {
+ leaf.get(),
+ intermediate.get(),
};
- ASSERT_TRUE(SSL_set_chain_and_key(server.get(), chain.data(),
- chain.size(), key.get(), nullptr));
+ ASSERT_TRUE(SSL_set_chain_and_key(server.get(), chain.data(), chain.size(),
+ key.get(), nullptr));
- ASSERT_EQ(chain.size(),
- sk_CRYPTO_BUFFER_num(SSL_get0_chain(server.get())));
+ ASSERT_EQ(chain.size(), sk_CRYPTO_BUFFER_num(SSL_get0_chain(server.get())));
SSL_set_custom_verify(
client.get(), SSL_VERIFY_PEER,
@@ -5041,7 +5028,7 @@
ASSERT_TRUE(key);
bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
ASSERT_TRUE(leaf);
- std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
+ std::vector<CRYPTO_BUFFER *> chain = {leaf.get()};
ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
chain.size(), key.get(), nullptr));
@@ -5071,7 +5058,7 @@
ASSERT_TRUE(key);
bssl::UniquePtr<CRYPTO_BUFFER> leaf = GetChainTestCertificateBuffer();
ASSERT_TRUE(leaf);
- std::vector<CRYPTO_BUFFER*> chain = { leaf.get() };
+ std::vector<CRYPTO_BUFFER *> chain = {leaf.get()};
ASSERT_TRUE(SSL_CTX_set_chain_and_key(server_ctx.get(), chain.data(),
chain.size(), key.get(), nullptr));
@@ -5211,7 +5198,7 @@
static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr,
CRYPTO_EX_DATA *ad, int index,
long argl, void *argp) {
- delete reinterpret_cast<ssl_test_ticket_aead_state*>(ptr);
+ delete reinterpret_cast<ssl_test_ticket_aead_state *>(ptr);
}
static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT;
@@ -5226,9 +5213,7 @@
return g_ssl_test_ticket_aead_ex_index;
}
-static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) {
- return 1;
-}
+static size_t ssl_test_ticket_aead_max_overhead(SSL *ssl) { return 1; }
static int ssl_test_ticket_aead_seal(SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out_len, const uint8_t *in,
@@ -5287,9 +5272,9 @@
}
static const SSL_TICKET_AEAD_METHOD kSSLTestTicketMethod = {
- ssl_test_ticket_aead_max_overhead,
- ssl_test_ticket_aead_seal,
- ssl_test_ticket_aead_open,
+ ssl_test_ticket_aead_max_overhead,
+ ssl_test_ticket_aead_seal,
+ ssl_test_ticket_aead_open,
};
static void ConnectClientAndServerWithTicketMethod(
@@ -5776,7 +5761,7 @@
SSL_set_alps_use_new_codepoint(client.get(), use_new_alps_codepoint);
ASSERT_TRUE(SSL_set_alpn_protos(client.get(), alpn, sizeof(alpn)) == 0);
ASSERT_TRUE(SSL_add_application_settings(client.get(), proto,
- sizeof(proto), nullptr, 0));
+ sizeof(proto), nullptr, 0));
if (is_resume) {
ASSERT_TRUE(g_last_session);
SSL_set_session(client.get(), g_last_session.get());
@@ -5823,16 +5808,16 @@
SSL_CTX_set_alpn_select_cb(
handshaker_ctx.get(),
[](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
- unsigned in_len, void *arg) -> int {
- return SSL_select_next_proto(
- const_cast<uint8_t **>(out), out_len, in, in_len,
- alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
- ? SSL_TLSEXT_ERR_OK
- : SSL_TLSEXT_ERR_NOACK;
+ unsigned in_len, void *arg) -> int {
+ return SSL_select_next_proto(const_cast<uint8_t **>(out), out_len,
+ in, in_len, alpn,
+ sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
+ ? SSL_TLSEXT_ERR_OK
+ : SSL_TLSEXT_ERR_NOACK;
},
nullptr);
- ASSERT_TRUE(SSL_add_application_settings(handshaker.get(), proto,
- sizeof(proto), alps, sizeof(alps)));
+ ASSERT_TRUE(SSL_add_application_settings(
+ handshaker.get(), proto, sizeof(proto), alps, sizeof(alps)));
ASSERT_TRUE(SSL_apply_handoff(handshaker.get(), handoff));
@@ -5942,7 +5927,7 @@
char buf[8];
snprintf(buf, sizeof(buf) - 1, "0x%02x", v);
- buf[sizeof(buf)-1] = 0;
+ buf[sizeof(buf) - 1] = 0;
ret += std::string(buf);
}
@@ -6189,12 +6174,13 @@
[](SSL *ssl, uint8_t *out_alert) { return ssl_verify_invalid; });
// cert_cb should not be called. Verification should fail first.
- SSL_CTX_set_cert_cb(client_ctx_.get(),
- [](SSL *ssl, void *arg) {
- ADD_FAILURE() << "cert_cb unexpectedly called";
- return 0;
- },
- nullptr);
+ SSL_CTX_set_cert_cb(
+ client_ctx_.get(),
+ [](SSL *ssl, void *arg) {
+ ADD_FAILURE() << "cert_cb unexpectedly called";
+ return 0;
+ },
+ nullptr);
bssl::UniquePtr<SSL> client, server;
EXPECT_FALSE(ConnectClientAndServer(&client, &server, client_ctx_.get(),
@@ -6457,7 +6443,7 @@
}
static void SetValueOnFree(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int index, long argl, void *argp) {
+ int index, long argl, void *argp) {
if (ptr != nullptr) {
*static_cast<long *>(ptr) = argl;
}
@@ -6772,8 +6758,7 @@
bool SecretsMatch(ssl_encryption_level_t level) const {
// We only need to check |HasReadSecret| and |HasWriteSecret| on |client_|.
// |PeerSecretsMatch| checks that |server_| is analogously configured.
- return client_.PeerSecretsMatch(level) &&
- client_.HasWriteSecret(level) &&
+ return client_.PeerSecretsMatch(level) && client_.HasWriteSecret(level) &&
(level == ssl_encryption_early_data || client_.HasReadSecret(level));
}
@@ -6825,9 +6810,7 @@
SSL_provide_quic_data(ssl, level, data.data(), data.size());
}
- void AllowOutOfOrderWrites() {
- allow_out_of_order_writes_ = true;
- }
+ void AllowOutOfOrderWrites() { allow_out_of_order_writes_ = true; }
bool CreateClientAndServer() {
client_.reset(SSL_new(client_ctx_.get()));
@@ -6926,8 +6909,7 @@
bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
g_last_session = nullptr;
SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
- if (!CreateClientAndServer() ||
- !CompleteHandshakesForQUIC()) {
+ if (!CreateClientAndServer() || !CompleteHandshakesForQUIC()) {
return nullptr;
}
@@ -7412,11 +7394,12 @@
// Install an asynchronous certificate callback.
bool cert_cb_ok = false;
- SSL_set_cert_cb(server_.get(),
- [](SSL *, void *arg) -> int {
- return *static_cast<bool *>(arg) ? 1 : -1;
- },
- &cert_cb_ok);
+ SSL_set_cert_cb(
+ server_.get(),
+ [](SSL *, void *arg) -> int {
+ return *static_cast<bool *>(arg) ? 1 : -1;
+ },
+ &cert_cb_ok);
for (;;) {
int client_ret = SSL_do_handshake(client_.get());
@@ -8108,7 +8091,7 @@
EXPECT_FALSE(SSL_session_reused(server.get()));
}
-Span<const uint8_t> SessionIDOf(const SSL* ssl) {
+Span<const uint8_t> SessionIDOf(const SSL *ssl) {
const SSL_SESSION *session = SSL_get_session(ssl);
unsigned len;
const uint8_t *data = SSL_SESSION_get_id(session, &len);
@@ -8342,7 +8325,7 @@
// The client should attempt early data with |session|.
bssl::UniquePtr<SSL> client, server;
ASSERT_TRUE(CreateClientAndServer(&client, &server, client_ctx.get(),
- server_ctx.get()));
+ server_ctx.get()));
SSL_set_session(client.get(), session.get());
SSL_set_early_data_enabled(client.get(), 1);
ASSERT_EQ(1, SSL_do_handshake(client.get()));
@@ -8554,20 +8537,20 @@
// success and one on failure.
ASSERT_FALSE(SSL_set_alpn_protos(client_.get(), alpn, sizeof(alpn)));
SSL_CTX_set_alpn_select_cb(
- server_ctx_.get(),
- [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
- unsigned in_len, void *arg) -> int {
- return SSL_select_next_proto(
- const_cast<uint8_t **>(out), out_len, in, in_len,
- alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
- ? SSL_TLSEXT_ERR_OK
- : SSL_TLSEXT_ERR_NOACK;
- },
- nullptr);
+ server_ctx_.get(),
+ [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in,
+ unsigned in_len, void *arg) -> int {
+ return SSL_select_next_proto(const_cast<uint8_t **>(out), out_len, in,
+ in_len, alpn,
+ sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED
+ ? SSL_TLSEXT_ERR_OK
+ : SSL_TLSEXT_ERR_NOACK;
+ },
+ nullptr);
ASSERT_TRUE(SSL_add_application_settings(client_.get(), proto,
- sizeof(proto), nullptr, 0));
- ASSERT_TRUE(SSL_add_application_settings(server_.get(), proto,
- sizeof(proto), alps, sizeof(alps)));
+ sizeof(proto), nullptr, 0));
+ ASSERT_TRUE(SSL_add_application_settings(
+ server_.get(), proto, sizeof(proto), alps, sizeof(alps)));
}
bssl::UniquePtr<SSL_CTX> client_ctx_;
@@ -9131,7 +9114,7 @@
bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
ASSERT_TRUE(stack);
- for (const auto& name : t.existing) {
+ for (const auto &name : t.existing) {
const uint8_t *inp = name.data();
bssl::UniquePtr<X509_NAME> name_obj(
d2i_X509_NAME(nullptr, &inp, name.size()));
@@ -9373,13 +9356,13 @@
ASSERT_TRUE(ctx);
static const uint16_t kInvalidIDs[] = {1234};
- EXPECT_FALSE(SSL_CTX_set1_group_ids(
- ctx.get(), kInvalidIDs, OPENSSL_ARRAY_SIZE(kInvalidIDs)));
+ EXPECT_FALSE(SSL_CTX_set1_group_ids(ctx.get(), kInvalidIDs,
+ OPENSSL_ARRAY_SIZE(kInvalidIDs)));
// This is a valid NID, but it is not a valid group.
static const int kInvalidNIDs[] = {NID_rsaEncryption};
- EXPECT_FALSE(SSL_CTX_set1_groups(
- ctx.get(), kInvalidNIDs, OPENSSL_ARRAY_SIZE(kInvalidNIDs)));
+ EXPECT_FALSE(SSL_CTX_set1_groups(ctx.get(), kInvalidNIDs,
+ OPENSSL_ARRAY_SIZE(kInvalidNIDs)));
}
TEST(SSLTest, NameLists) {
@@ -9400,7 +9383,7 @@
size_t num = t.func(nullptr, 0);
EXPECT_GT(num, 0u);
- std::vector<const char*> list(num);
+ std::vector<const char *> list(num);
EXPECT_EQ(num, t.func(list.data(), list.size()));
// Check the expected values are in the list.
@@ -9480,18 +9463,21 @@
bool has_key;
bool has_chain;
} kTests[] = {
- // If nothing is configured, there is unambiguously no certificate.
- {/*has_cert=*/false, /*has_key=*/false, /*has_chain=*/false},
+ // If nothing is configured, there is unambiguously no certificate.
+ {/*has_cert=*/false, /*has_key=*/false, /*has_chain=*/false},
- // If only one of the key and certificate is configured, it is still treated
- // as if there is no certificate.
- {/*has_cert=*/true, /*has_key=*/false, /*has_chain=*/false},
- {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/false},
+ // If only one of the key and certificate is configured, it is still
+ // treated
+ // as if there is no certificate.
+ {/*has_cert=*/true, /*has_key=*/false, /*has_chain=*/false},
+ {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/false},
- // The key and intermediates may be configured, but without a leaf there is
- // no certificate. This case is interesting because we internally store the
- // chain with a somewhat fragile null fist entry.
- {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/true},
+ // The key and intermediates may be configured, but without a leaf there
+ // is
+ // no certificate. This case is interesting because we internally store
+ // the
+ // chain with a somewhat fragile null fist entry.
+ {/*has_cert=*/false, /*has_key=*/true, /*has_chain=*/true},
};
for (const auto &t : kTests) {
SCOPED_TRACE(testing::Message() << "has_cert = " << t.has_cert);
diff --git a/ssl/ssl_transcript.cc b/ssl/ssl_transcript.cc
index 4d813df..e8e9461 100644
--- a/ssl/ssl_transcript.cc
+++ b/ssl/ssl_transcript.cc
@@ -228,13 +228,9 @@
return true;
}
-void SSLTranscript::FreeBuffer() {
- buffer_.reset();
-}
+void SSLTranscript::FreeBuffer() { buffer_.reset(); }
-size_t SSLTranscript::DigestLen() const {
- return EVP_MD_size(Digest());
-}
+size_t SSLTranscript::DigestLen() const { return EVP_MD_size(Digest()); }
const EVP_MD *SSLTranscript::Digest() const {
return EVP_MD_CTX_md(hash_.get());
@@ -300,7 +296,7 @@
bool SSLTranscript::AddToBufferOrHash(Span<const uint8_t> in) {
// Depending on the state of the handshake, either the handshake buffer may be
// active, the rolling hash, or both.
- if (buffer_ &&
+ if (buffer_ && //
!BUF_MEM_append(buffer_.get(), in.data(), in.size())) {
return false;
}
diff --git a/ssl/ssl_versions.cc b/ssl/ssl_versions.cc
index aaa1a9b..b895855 100644
--- a/ssl/ssl_versions.cc
+++ b/ssl/ssl_versions.cc
@@ -22,8 +22,8 @@
#include <openssl/err.h>
#include <openssl/span.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -90,7 +90,7 @@
// The following functions map between API versions and wire versions. The
// public API works on wire versions.
-static const char* kUnknownVersion = "unknown";
+static const char *kUnknownVersion = "unknown";
struct VersionInfo {
uint16_t version;
@@ -116,9 +116,7 @@
return kUnknownVersion;
}
-static uint16_t wire_version_to_api(uint16_t version) {
- return version;
-}
+static uint16_t wire_version_to_api(uint16_t version) { return version; }
// api_version_to_wire maps |version| to some representative wire version.
static bool api_version_to_wire(uint16_t *out, uint16_t version) {
@@ -234,7 +232,7 @@
// If there is a disabled version after the first enabled one, all versions
// after it are implicitly disabled.
if (any_enabled) {
- max_version = kProtocolVersions[i-1].version;
+ max_version = kProtocolVersions[i - 1].version;
break;
}
}
diff --git a/ssl/ssl_x509.cc b/ssl/ssl_x509.cc
index e121ff8..ed4bcdb 100644
--- a/ssl/ssl_x509.cc
+++ b/ssl/ssl_x509.cc
@@ -149,8 +149,8 @@
#include <openssl/stack.h>
#include <openssl/x509.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -342,20 +342,21 @@
size_t name_len;
SSL_get0_ech_name_override(ssl, &name, &name_len);
UniquePtr<X509_STORE_CTX> ctx(X509_STORE_CTX_new());
- if (!ctx ||
- !X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) ||
- !X509_STORE_CTX_set_ex_data(ctx.get(),
- SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) ||
+ if (!ctx || //
+ !X509_STORE_CTX_init(ctx.get(), verify_store, leaf, cert_chain) || //
+ !X509_STORE_CTX_set_ex_data(
+ ctx.get(), SSL_get_ex_data_X509_STORE_CTX_idx(), ssl) || //
// We need to inherit the verify parameters. These can be determined by
// the context: if its a server it will verify SSL client certificates or
// vice versa.
- !X509_STORE_CTX_set_default(ctx.get(),
- ssl->server ? "ssl_client" : "ssl_server") ||
+ !X509_STORE_CTX_set_default(
+ ctx.get(),
+ ssl->server ? "ssl_client" : "ssl_server") || //
// Anything non-default in "param" should overwrite anything in the ctx.
!X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()),
- hs->config->param) ||
+ hs->config->param) || //
// ClientHelloOuter connections use a different name.
- (name_len != 0 &&
+ (name_len != 0 && //
!X509_VERIFY_PARAM_set1_host(X509_STORE_CTX_get0_param(ctx.get()), name,
name_len))) {
OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB);
@@ -467,24 +468,24 @@
}
const SSL_X509_METHOD ssl_crypto_x509_method = {
- ssl_crypto_x509_check_client_CA_list,
- ssl_crypto_x509_cert_clear,
- ssl_crypto_x509_cert_free,
- ssl_crypto_x509_cert_dup,
- ssl_crypto_x509_cert_flush_cached_chain,
- ssl_crypto_x509_cert_flush_cached_leaf,
- ssl_crypto_x509_session_cache_objects,
- ssl_crypto_x509_session_dup,
- ssl_crypto_x509_session_clear,
- ssl_crypto_x509_session_verify_cert_chain,
- ssl_crypto_x509_hs_flush_cached_ca_names,
- ssl_crypto_x509_ssl_new,
- ssl_crypto_x509_ssl_config_free,
- ssl_crypto_x509_ssl_flush_cached_client_CA,
- ssl_crypto_x509_ssl_auto_chain_if_needed,
- ssl_crypto_x509_ssl_ctx_new,
- ssl_crypto_x509_ssl_ctx_free,
- ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
+ ssl_crypto_x509_check_client_CA_list,
+ ssl_crypto_x509_cert_clear,
+ ssl_crypto_x509_cert_free,
+ ssl_crypto_x509_cert_dup,
+ ssl_crypto_x509_cert_flush_cached_chain,
+ ssl_crypto_x509_cert_flush_cached_leaf,
+ ssl_crypto_x509_session_cache_objects,
+ ssl_crypto_x509_session_dup,
+ ssl_crypto_x509_session_clear,
+ ssl_crypto_x509_session_verify_cert_chain,
+ ssl_crypto_x509_hs_flush_cached_ca_names,
+ ssl_crypto_x509_ssl_new,
+ ssl_crypto_x509_ssl_config_free,
+ ssl_crypto_x509_ssl_flush_cached_client_CA,
+ ssl_crypto_x509_ssl_auto_chain_if_needed,
+ ssl_crypto_x509_ssl_ctx_new,
+ ssl_crypto_x509_ssl_ctx_free,
+ ssl_crypto_x509_ssl_ctx_flush_cached_client_CA,
};
BSSL_NAMESPACE_END
@@ -636,10 +637,8 @@
X509_VERIFY_PARAM_set_depth(ssl->config->param, depth);
}
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
- int (*cb)(X509_STORE_CTX *store_ctx,
- void *arg),
- void *arg) {
+void SSL_CTX_set_cert_verify_callback(
+ SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *store_ctx, void *arg), void *arg) {
check_ssl_ctx_x509_method(ctx);
ctx->app_verify_callback = cb;
ctx->app_verify_arg = arg;
@@ -735,7 +734,7 @@
}
static X509 *ssl_cert_get0_leaf(CERT *cert) {
- if (cert->x509_leaf == NULL &&
+ if (cert->x509_leaf == NULL && //
!ssl_cert_cache_leaf_cert(cert)) {
return NULL;
}
@@ -754,7 +753,7 @@
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) {
check_ssl_ctx_x509_method(ctx);
- MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
+ MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
return ssl_cert_get0_leaf(ctx->cert.get());
}
@@ -880,7 +879,7 @@
for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cred->chain.get()); i++) {
CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(cred->chain.get(), i);
UniquePtr<X509> x509(X509_parse_from_buffer(buffer));
- if (!x509 ||
+ if (!x509 || //
!PushToStack(chain.get(), std::move(x509))) {
return 0;
}
@@ -892,7 +891,7 @@
int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) {
check_ssl_ctx_x509_method(ctx);
- MutexWriteLock lock(const_cast<CRYPTO_MUTEX*>(&ctx->lock));
+ MutexWriteLock lock(const_cast<CRYPTO_MUTEX *>(&ctx->lock));
if (!ssl_cert_cache_chain_certs(ctx->cert.get())) {
*out_chain = NULL;
return 0;
@@ -993,8 +992,7 @@
UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(outp, len, pool));
OPENSSL_free(outp);
- if (!buffer ||
- !PushToStack(buffers.get(), std::move(buffer))) {
+ if (!buffer || !PushToStack(buffers.get(), std::move(buffer))) {
return;
}
}
@@ -1019,9 +1017,8 @@
sk_X509_NAME_pop_free(name_list, X509_NAME_free);
}
-static STACK_OF(X509_NAME) *
- buffer_names_to_x509(const STACK_OF(CRYPTO_BUFFER) *names,
- STACK_OF(X509_NAME) **cached) {
+static STACK_OF(X509_NAME) *buffer_names_to_x509(
+ const STACK_OF(CRYPTO_BUFFER) *names, STACK_OF(X509_NAME) **cached) {
if (names == NULL) {
return NULL;
}
@@ -1168,7 +1165,7 @@
UniquePtr<EVP_PKEY> free_pkey(pkey);
if (ret != 0) {
- if (!SSL_use_certificate(ssl, x509) ||
+ if (!SSL_use_certificate(ssl, x509) || //
!SSL_use_PrivateKey(ssl, pkey)) {
return 0;
}
@@ -1177,9 +1174,9 @@
return 1;
}
-void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl,
- X509 **out_x509,
- EVP_PKEY **out_pkey)) {
+void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
+ int (*cb)(SSL *ssl, X509 **out_x509,
+ EVP_PKEY **out_pkey)) {
check_ssl_ctx_x509_method(ctx);
// Emulate the old client certificate callback with the new one.
SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);
diff --git a/ssl/t1_enc.cc b/ssl/t1_enc.cc
index fb9ae89..db19a48 100644
--- a/ssl/t1_enc.cc
+++ b/ssl/t1_enc.cc
@@ -372,7 +372,8 @@
if (use_context) {
seed[2 * SSL3_RANDOM_SIZE] = static_cast<uint8_t>(context_len >> 8);
seed[2 * SSL3_RANDOM_SIZE + 1] = static_cast<uint8_t>(context_len);
- OPENSSL_memcpy(seed.data() + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);
+ OPENSSL_memcpy(seed.data() + 2 * SSL3_RANDOM_SIZE + 2, context,
+ context_len);
}
const SSL_SESSION *session = SSL_get_session(ssl);
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index 676b423..197baaa 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -169,9 +169,9 @@
}
CBS context, certificate_list;
- if (!CBS_get_u8_length_prefixed(&body, &context) ||
- CBS_len(&context) != 0 ||
- !CBS_get_u24_length_prefixed(&body, &certificate_list) ||
+ if (!CBS_get_u8_length_prefixed(&body, &context) || //
+ CBS_len(&context) != 0 || //
+ !CBS_get_u24_length_prefixed(&body, &certificate_list) || //
CBS_len(&body) != 0) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -221,7 +221,7 @@
UniquePtr<CRYPTO_BUFFER> buf(
CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool));
- if (!buf ||
+ if (!buf || //
!PushToStack(certs.get(), std::move(buf))) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return false;
@@ -249,8 +249,7 @@
if (!CBS_get_u8(&status_request.data, &status_type) ||
status_type != TLSEXT_STATUSTYPE_ocsp ||
!CBS_get_u24_length_prefixed(&status_request.data, &ocsp_response) ||
- CBS_len(&ocsp_response) == 0 ||
- CBS_len(&status_request.data) != 0) {
+ CBS_len(&ocsp_response) == 0 || CBS_len(&status_request.data) != 0) {
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
return false;
}
@@ -317,7 +316,8 @@
return true;
}
-bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
+bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs,
+ const SSLMessage &msg) {
SSL *const ssl = hs->ssl;
if (hs->peer_pubkey == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -326,8 +326,8 @@
CBS body = msg.body, signature;
uint16_t signature_algorithm;
- if (!CBS_get_u16(&body, &signature_algorithm) ||
- !CBS_get_u16_length_prefixed(&body, &signature) ||
+ if (!CBS_get_u16(&body, &signature_algorithm) || //
+ !CBS_get_u16_length_prefixed(&body, &signature) || //
CBS_len(&body) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -409,7 +409,7 @@
}
}
- if (// The request context is always empty in the handshake.
+ if ( // The request context is always empty in the handshake.
!CBB_add_u8(body, 0) ||
!CBB_add_u24_length_prefixed(body, &certificate_list)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -588,7 +588,7 @@
return sign_result;
}
- if (!CBB_did_write(&child, sig_len) ||
+ if (!CBB_did_write(&child, sig_len) || //
!ssl_add_message_cbb(ssl, cbb.get())) {
return ssl_private_key_failure;
}
@@ -640,9 +640,9 @@
static bool tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
CBS body = msg.body;
uint8_t key_update_request;
- if (!CBS_get_u8(&body, &key_update_request) ||
- CBS_len(&body) != 0 ||
- (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&
+ if (!CBS_get_u8(&body, &key_update_request) || //
+ CBS_len(&body) != 0 || //
+ (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED && //
key_update_request != SSL_KEY_UPDATE_REQUESTED)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 00215c3..95c3cfd 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -83,7 +83,7 @@
if (level == ssl_encryption_initial) {
bssl::UniquePtr<SSLAEADContext> null_ctx =
SSLAEADContext::CreateNullCipher();
- if (!null_ctx ||
+ if (!null_ctx || //
!ssl->method->set_write_state(ssl, ssl_encryption_initial,
std::move(null_ctx),
/*traffic_secret=*/{})) {
@@ -192,7 +192,7 @@
// Queue up a ChangeCipherSpec for whenever we next send something. This
// will be before the second ClientHello. If we offered early data, this was
// already done.
- if (!hs->early_data_offered &&
+ if (!hs->early_data_offered && //
!ssl->method->add_change_cipher_spec(ssl)) {
return ssl_hs_error;
}
@@ -271,8 +271,8 @@
}
if (cookie.present) {
CBS cookie_value;
- if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) ||
- CBS_len(&cookie_value) == 0 ||
+ if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) || //
+ CBS_len(&cookie_value) == 0 || //
CBS_len(&cookie.data) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
@@ -434,9 +434,9 @@
// Recheck supported_versions, in case this is after HelloRetryRequest.
uint16_t version;
- if (!supported_versions.present ||
- !CBS_get_u16(&supported_versions.data, &version) ||
- CBS_len(&supported_versions.data) != 0 ||
+ if (!supported_versions.present || //
+ !CBS_get_u16(&supported_versions.data, &version) || //
+ CBS_len(&supported_versions.data) != 0 || //
version != ssl->s3->version) {
OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -517,8 +517,8 @@
return ssl_hs_error;
}
- if (!tls13_advance_key_schedule(hs, dhe_secret) ||
- !ssl_hash_message(hs, msg) ||
+ if (!tls13_advance_key_schedule(hs, dhe_secret) || //
+ !ssl_hash_message(hs, msg) || //
!tls13_derive_handshake_secrets(hs)) {
return ssl_hs_error;
}
@@ -557,7 +557,7 @@
}
CBS body = msg.body, extensions;
- if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
+ if (!CBS_get_u16_length_prefixed(&body, &extensions) || //
CBS_len(&body) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index 29f07ea..cc716c5 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc
@@ -136,9 +136,9 @@
label, hash);
}
return CRYPTO_tls13_hkdf_expand_label(
- out.data(), out.size(), digest, secret.data(), secret.size(),
- reinterpret_cast<const uint8_t *>(label.data()), label.size(),
- hash.data(), hash.size()) == 1;
+ out.data(), out.size(), digest, secret.data(), secret.size(),
+ reinterpret_cast<const uint8_t *>(label.data()), label.size(),
+ hash.data(), hash.size()) == 1;
}
static const char kTLS13LabelDerived[] = "derived";
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 709dfd3..73eb3c5 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -99,9 +99,9 @@
static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
CBB *out) {
CBB contents;
- if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
- !CBB_add_u16_length_prefixed(out, &contents) ||
- !CBB_add_u16(&contents, hs->ssl->s3->version) ||
+ if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || //
+ !CBB_add_u16_length_prefixed(out, &contents) || //
+ !CBB_add_u16(&contents, hs->ssl->s3->version) || //
!CBB_flush(out)) {
return 0;
}
@@ -126,8 +126,8 @@
static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
SSL *const ssl = hs->ssl;
- if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
- // session ticket.
+ if ( // If the client doesn't accept resumption with PSK_DHE_KE, don't send a
+ // session ticket.
!hs->accept_psk_mode ||
// We only implement stateless resumption in TLS 1.3, so skip sending
// tickets if disabled.
@@ -987,8 +987,8 @@
// the wire sooner and also avoids triggering a write on |SSL_read| when
// processing the client Finished. This requires computing the client
// Finished early. See RFC 8446, section 4.6.1.
- static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
- 0, 0};
+ static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0,
+ 0};
if (ssl->quic_method == nullptr &&
!hs->transcript.Update(kEndOfEarlyData)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1234,8 +1234,8 @@
if (!ssl->method->get_message(ssl, &msg)) {
return ssl_hs_read_message;
}
- if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
- !tls1_verify_channel_id(hs, msg) ||
+ if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || //
+ !tls1_verify_channel_id(hs, msg) || //
!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
}
@@ -1263,7 +1263,7 @@
}
if (!ssl->s3->early_data_accepted) {
- if (!ssl_hash_message(hs, msg) ||
+ if (!ssl_hash_message(hs, msg) || //
!tls13_derive_resumption_secret(hs)) {
return ssl_hs_error;
}
diff --git a/ssl/tls_method.cc b/ssl/tls_method.cc
index 2de7ad1..7b1c21f 100644
--- a/ssl/tls_method.cc
+++ b/ssl/tls_method.cc
@@ -201,24 +201,24 @@
static void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}
const SSL_X509_METHOD ssl_noop_x509_method = {
- ssl_noop_x509_check_client_CA_names,
- ssl_noop_x509_clear,
- ssl_noop_x509_free,
- ssl_noop_x509_dup,
- ssl_noop_x509_flush_cached_chain,
- ssl_noop_x509_flush_cached_leaf,
- ssl_noop_x509_session_cache_objects,
- ssl_noop_x509_session_dup,
- ssl_noop_x509_session_clear,
- ssl_noop_x509_session_verify_cert_chain,
- ssl_noop_x509_hs_flush_cached_ca_names,
- ssl_noop_x509_ssl_new,
- ssl_noop_x509_ssl_config_free,
- ssl_noop_x509_ssl_flush_cached_client_CA,
- ssl_noop_x509_ssl_auto_chain_if_needed,
- ssl_noop_x509_ssl_ctx_new,
- ssl_noop_x509_ssl_ctx_free,
- ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
+ ssl_noop_x509_check_client_CA_names,
+ ssl_noop_x509_clear,
+ ssl_noop_x509_free,
+ ssl_noop_x509_dup,
+ ssl_noop_x509_flush_cached_chain,
+ ssl_noop_x509_flush_cached_leaf,
+ ssl_noop_x509_session_cache_objects,
+ ssl_noop_x509_session_dup,
+ ssl_noop_x509_session_clear,
+ ssl_noop_x509_session_verify_cert_chain,
+ ssl_noop_x509_hs_flush_cached_ca_names,
+ ssl_noop_x509_ssl_new,
+ ssl_noop_x509_ssl_config_free,
+ ssl_noop_x509_ssl_flush_cached_client_CA,
+ ssl_noop_x509_ssl_auto_chain_if_needed,
+ ssl_noop_x509_ssl_ctx_new,
+ ssl_noop_x509_ssl_ctx_free,
+ ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
};
BSSL_NAMESPACE_END
@@ -234,9 +234,7 @@
return &kMethod;
}
-const SSL_METHOD *SSLv23_method(void) {
- return TLS_method();
-}
+const SSL_METHOD *SSLv23_method(void) { return TLS_method(); }
const SSL_METHOD *TLS_with_buffers_method(void) {
static const SSL_METHOD kMethod = {
@@ -278,42 +276,22 @@
// Legacy side-specific methods.
-const SSL_METHOD *TLSv1_2_server_method(void) {
- return TLSv1_2_method();
-}
+const SSL_METHOD *TLSv1_2_server_method(void) { return TLSv1_2_method(); }
-const SSL_METHOD *TLSv1_1_server_method(void) {
- return TLSv1_1_method();
-}
+const SSL_METHOD *TLSv1_1_server_method(void) { return TLSv1_1_method(); }
-const SSL_METHOD *TLSv1_server_method(void) {
- return TLSv1_method();
-}
+const SSL_METHOD *TLSv1_server_method(void) { return TLSv1_method(); }
-const SSL_METHOD *TLSv1_2_client_method(void) {
- return TLSv1_2_method();
-}
+const SSL_METHOD *TLSv1_2_client_method(void) { return TLSv1_2_method(); }
-const SSL_METHOD *TLSv1_1_client_method(void) {
- return TLSv1_1_method();
-}
+const SSL_METHOD *TLSv1_1_client_method(void) { return TLSv1_1_method(); }
-const SSL_METHOD *TLSv1_client_method(void) {
- return TLSv1_method();
-}
+const SSL_METHOD *TLSv1_client_method(void) { return TLSv1_method(); }
-const SSL_METHOD *SSLv23_server_method(void) {
- return SSLv23_method();
-}
+const SSL_METHOD *SSLv23_server_method(void) { return SSLv23_method(); }
-const SSL_METHOD *SSLv23_client_method(void) {
- return SSLv23_method();
-}
+const SSL_METHOD *SSLv23_client_method(void) { return SSLv23_method(); }
-const SSL_METHOD *TLS_server_method(void) {
- return TLS_method();
-}
+const SSL_METHOD *TLS_server_method(void) { return TLS_method(); }
-const SSL_METHOD *TLS_client_method(void) {
- return TLS_method();
-}
+const SSL_METHOD *TLS_client_method(void) { return TLS_method(); }
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc
index bdd6519..0fce5b1 100644
--- a/ssl/tls_record.cc
+++ b/ssl/tls_record.cc
@@ -115,8 +115,8 @@
#include <openssl/err.h>
#include <openssl/mem.h>
-#include "internal.h"
#include "../crypto/internal.h"
+#include "internal.h"
BSSL_NAMESPACE_BEGIN
@@ -204,8 +204,8 @@
// Decode the record header.
uint8_t type;
uint16_t version, ciphertext_len;
- if (!CBS_get_u8(&cbs, &type) ||
- !CBS_get_u16(&cbs, &version) ||
+ if (!CBS_get_u8(&cbs, &type) || //
+ !CBS_get_u16(&cbs, &version) || //
!CBS_get_u16(&cbs, &ciphertext_len)) {
*out_consumed = SSL3_RT_HEADER_LENGTH;
return ssl_open_record_partial;
@@ -260,8 +260,8 @@
// Skip early data received when expecting a second ClientHello if we rejected
// 0RTT.
- if (ssl->s3->skip_early_data &&
- ssl->s3->aead_read_ctx->is_null_cipher() &&
+ if (ssl->s3->skip_early_data && //
+ ssl->s3->aead_read_ctx->is_null_cipher() && //
type == SSL3_RT_APPLICATION_DATA) {
return skip_early_data(ssl, out_alert, *out_consumed);
}
@@ -342,7 +342,7 @@
}
// Handshake messages may not interleave with any other record type.
- if (type != SSL3_RT_HANDSHAKE &&
+ if (type != SSL3_RT_HANDSHAKE && //
tls_has_unprocessed_handshake_data(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
@@ -442,7 +442,8 @@
in_len -= 1;
}
// clang-format on
- return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len);
+ return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len,
+ extra_in_len);
}
// tls_seal_scatter_record seals a new record of type |type| and body |in| and
