Another batch of bools.
Change-Id: I5a7688b6e635e7ee6fc16173f9919bff16c4d59d
Reviewed-on: https://boringssl-review.googlesource.com/31604
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/ssl/dtls_record.cc b/ssl/dtls_record.cc
index 3950ae2..992fb52 100644
--- a/ssl/dtls_record.cc
+++ b/ssl/dtls_record.cc
@@ -137,13 +137,13 @@
// dtls1_bitmap_should_discard returns one if |seq_num| has been seen in
// |bitmap| or is stale. Otherwise it returns zero.
-static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
- const uint8_t seq_num[8]) {
+static bool dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
+ const uint8_t seq_num[8]) {
const unsigned kWindowSize = sizeof(bitmap->map) * 8;
uint64_t seq_num_u = to_u64_be(seq_num);
if (seq_num_u > bitmap->max_seq_num) {
- return 0;
+ return false;
}
uint64_t idx = bitmap->max_seq_num - seq_num_u;
return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx));
@@ -291,14 +291,14 @@
get_write_aead(ssl, use_epoch)->ExplicitNonceLen();
}
-int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
- uint8_t type, const uint8_t *in, size_t in_len,
- enum dtls1_use_epoch_t use_epoch) {
+bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
+ uint8_t type, const uint8_t *in, size_t in_len,
+ enum dtls1_use_epoch_t use_epoch) {
const size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);
if (buffers_alias(in, in_len, out, max_out) &&
(max_out < prefix || out + prefix != in)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
- return 0;
+ return false;
}
// Determine the parameters for the current epoch.
@@ -314,7 +314,7 @@
if (max_out < DTLS1_RT_HEADER_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
- return 0;
+ return false;
}
out[0] = type;
@@ -330,7 +330,7 @@
size_t ciphertext_len;
if (!aead->CiphertextLen(&ciphertext_len, in_len, 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
- return 0;
+ return false;
}
out[11] = ciphertext_len >> 8;
out[12] = ciphertext_len & 0xff;
@@ -341,13 +341,13 @@
max_out - DTLS1_RT_HEADER_LENGTH, type, record_version,
&out[3] /* seq */, header, in, in_len) ||
!ssl_record_sequence_update(&seq[2], 6)) {
- return 0;
+ return false;
}
assert(ciphertext_len == len_copy);
*out_len = DTLS1_RT_HEADER_LENGTH + ciphertext_len;
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);
- return 1;
+ return true;
}
BSSL_NAMESPACE_END
diff --git a/ssl/internal.h b/ssl/internal.h
index 98ce6e0..7ba23ef 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -522,7 +522,7 @@
bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
size_t *out_mac_secret_len,
size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
- uint16_t version, int is_dtls);
+ uint16_t version, bool is_dtls);
// ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and
// |cipher|.
@@ -659,7 +659,7 @@
// resulting object, depending on |direction|. |version| is the normalized
// protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef.
static UniquePtr<SSLAEADContext> Create(enum evp_aead_direction_t direction,
- uint16_t version, int is_dtls,
+ uint16_t version, bool is_dtls,
const SSL_CIPHER *cipher,
Span<const uint8_t> enc_key,
Span<const uint8_t> mac_key,
@@ -797,8 +797,8 @@
// Record layer.
// ssl_record_sequence_update increments the sequence number in |seq|. It
-// returns one on success and zero on wraparound.
-int ssl_record_sequence_update(uint8_t *seq, size_t seq_len);
+// returns true on success and false on wraparound.
+bool ssl_record_sequence_update(uint8_t *seq, size_t seq_len);
// ssl_record_prefix_len returns the length of the prefix before the ciphertext
// of a record for |ssl|.
@@ -863,9 +863,9 @@
size_t ssl_seal_align_prefix_len(const SSL *ssl);
// tls_seal_record seals a new record of type |type| and body |in| and writes it
-// to |out|. At most |max_out| bytes will be written. It returns one on success
-// and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1
-// record splitting and may write two records concatenated.
+// to |out|. At most |max_out| bytes will be written. It returns true on success
+// and false on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC
+// 1/n-1 record splitting and may write two records concatenated.
//
// For a large record, the bulk of the ciphertext will begin
// |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
@@ -873,8 +873,8 @@
// bytes to |out|.
//
// |in| and |out| may not alias.
-int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
- uint8_t type, const uint8_t *in, size_t in_len);
+bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
+ uint8_t type, const uint8_t *in, size_t in_len);
enum dtls1_use_epoch_t {
dtls1_use_previous_epoch,
@@ -893,9 +893,9 @@
// which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out|
// may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
// ahead of |out|.
-int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
- uint8_t type, const uint8_t *in, size_t in_len,
- enum dtls1_use_epoch_t use_epoch);
+bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
+ uint8_t type, const uint8_t *in, size_t in_len,
+ enum dtls1_use_epoch_t use_epoch);
// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
@@ -907,9 +907,8 @@
// Private key operations.
-// ssl_has_private_key returns one if |cfg| has a private key configured and
-// zero otherwise.
-int ssl_has_private_key(const SSL_CONFIG *cfg);
+// ssl_has_private_key returns whether |cfg| has a private key configured.
+bool ssl_has_private_key(const SSL_CONFIG *cfg);
// ssl_private_key_* perform the corresponding operation on
// |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they
@@ -990,14 +989,14 @@
};
// ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it
-// sets |*out_group_id| to the group ID and returns one. Otherwise, it returns
-// zero.
-int ssl_nid_to_group_id(uint16_t *out_group_id, int nid);
+// sets |*out_group_id| to the group ID and returns true. Otherwise, it returns
+// false.
+bool ssl_nid_to_group_id(uint16_t *out_group_id, int nid);
-// ssl_name_to_group_id looks up the group corresponding to the |name| string
-// of length |len|. On success, it sets |*out_group_id| to the group ID and
-// returns one. Otherwise, it returns zero.
-int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);
+// ssl_name_to_group_id looks up the group corresponding to the |name| string of
+// length |len|. On success, it sets |*out_group_id| to the group ID and returns
+// true. Otherwise, it returns false.
+bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);
// Handshake messages.
@@ -1146,9 +1145,9 @@
// Certificate functions.
-// ssl_has_certificate returns one if a certificate and private key are
-// configured and zero otherwise.
-int ssl_has_certificate(const SSL_CONFIG *cfg);
+// ssl_has_certificate returns whether a certificate and private key are
+// configured.
+bool ssl_has_certificate(const SSL_CONFIG *cfg);
// ssl_parse_cert_chain parses a certificate list from |cbs| in the format used
// by a TLS Certificate message. On success, it advances |cbs| and returns
@@ -1169,14 +1168,14 @@
// ssl_add_cert_chain adds |hs->ssl|'s certificate chain to |cbb| in the format
// used by a TLS Certificate message. If there is no certificate chain, it emits
-// an empty certificate list. It returns one on success and zero on error.
-int ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb);
+// an empty certificate list. It returns true on success and false on error.
+bool ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb);
// ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509
-// certificate in |in| and returns one if doesn't specify a key usage or, if it
-// does, if it includes digitalSignature. Otherwise it pushes to the error
-// queue and returns zero.
-int ssl_cert_check_digital_signature_key_usage(const CBS *in);
+// certificate in |in| and returns true if doesn't specify a key usage or, if it
+// does, if it includes digitalSignature. Otherwise it pushes to the error queue
+// and returns false.
+bool ssl_cert_check_digital_signature_key_usage(const CBS *in);
// ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509
// certificate in |in|. It returns an allocated |EVP_PKEY| or else returns
@@ -1195,80 +1194,80 @@
bool ssl_has_client_CAs(const SSL_CONFIG *cfg);
// ssl_add_client_CA_list adds the configured CA list to |cbb| in the format
-// used by a TLS CertificateRequest message. It returns one on success and zero
-// on error.
-int ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb);
+// used by a TLS CertificateRequest message. It returns true on success and
+// false on error.
+bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb);
// ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as
// a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes
// an error on the error queue.
-int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
+bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
const CRYPTO_BUFFER *leaf);
// ssl_on_certificate_selected is called once the certificate has been selected.
// It finalizes the certificate and initializes |hs->local_pubkey|. It returns
-// one on success and zero on error.
-int ssl_on_certificate_selected(SSL_HANDSHAKE *hs);
+// true on success and false on error.
+bool ssl_on_certificate_selected(SSL_HANDSHAKE *hs);
// TLS 1.3 key derivation.
// tls13_init_key_schedule initializes the handshake hash and key derivation
// state, and incorporates the PSK. The cipher suite and PRF hash must have been
-// selected at this point. It returns one on success and zero on error.
-int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
- size_t psk_len);
+// selected at this point. It returns true on success and false on error.
+bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
+ size_t psk_len);
// tls13_init_early_key_schedule initializes the handshake hash and key
// derivation state from the resumption secret and incorporates the PSK to
// derive the early secrets. It returns one on success and zero on error.
-int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
- size_t psk_len);
+bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
+ size_t psk_len);
// tls13_advance_key_schedule incorporates |in| into the key schedule with
-// HKDF-Extract. It returns one on success and zero on error.
-int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
+// HKDF-Extract. It returns true on success and false on error.
+bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
size_t len);
// tls13_set_traffic_key sets the read or write traffic keys to
-// |traffic_secret|. It returns one on success and zero on error.
-int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
- const uint8_t *traffic_secret,
- size_t traffic_secret_len);
+// |traffic_secret|. It returns true on success and false on error.
+bool tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
+ const uint8_t *traffic_secret,
+ size_t traffic_secret_len);
-// tls13_derive_early_secrets derives the early traffic secret. It returns one
-// on success and zero on error.
-int tls13_derive_early_secrets(SSL_HANDSHAKE *hs);
+// tls13_derive_early_secrets derives the early traffic secret. It returns true
+// on success and false on error.
+bool tls13_derive_early_secrets(SSL_HANDSHAKE *hs);
// tls13_derive_handshake_secrets derives the handshake traffic secret. It
-// returns one on success and zero on error.
-int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs);
+// returns true on success and false on error.
+bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs);
// tls13_rotate_traffic_key derives the next read or write traffic secret. It
-// returns one on success and zero on error.
-int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction);
+// returns true on success and false on error.
+bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction);
// tls13_derive_application_secrets derives the initial application data traffic
// and exporter secrets based on the handshake transcripts and |master_secret|.
-// It returns one on success and zero on error.
-int tls13_derive_application_secrets(SSL_HANDSHAKE *hs);
+// It returns true on success and false on error.
+bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs);
// tls13_derive_resumption_secret derives the |resumption_secret|.
-int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs);
+bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs);
// tls13_export_keying_material provides an exporter interface to use the
// |exporter_secret|.
-int tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
- Span<const uint8_t> secret,
- Span<const char> label,
- Span<const uint8_t> context);
+bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
+ Span<const uint8_t> secret,
+ Span<const char> label,
+ Span<const uint8_t> context);
// tls13_finished_mac calculates the MAC of the handshake transcript to verify
// the integrity of the Finished message, and stores the result in |out| and
-// length in |out_len|. |is_server| is 1 if this is for the Server Finished and
-// 0 for the Client Finished.
-int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
- int is_server);
+// length in |out_len|. |is_server| is true if this is for the Server Finished
+// and false for the Client Finished.
+bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
+ bool is_server);
// tls13_derive_session_psk calculates the PSK for this session based on the
// resumption master secret and |nonce|. It returns true on success, and false
@@ -1276,15 +1275,15 @@
bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce);
// tls13_write_psk_binder calculates the PSK binder value and replaces the last
-// bytes of |msg| with the resulting value. It returns 1 on success, and 0 on
-// failure.
-int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len);
+// bytes of |msg| with the resulting value. It returns true on success, and
+// false on failure.
+bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len);
-// tls13_verify_psk_binder verifies that the handshake transcript, truncated
-// up to the binders has a valid signature using the value of |session|'s
-// resumption secret. It returns 1 on success, and 0 on failure.
-int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
- const SSLMessage &msg, CBS *binders);
+// tls13_verify_psk_binder verifies that the handshake transcript, truncated up
+// to the binders has a valid signature using the value of |session|'s
+// resumption secret. It returns true on success, and false on failure.
+bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
+ const SSLMessage &msg, CBS *binders);
// Handshake functions.
@@ -2476,14 +2475,14 @@
UniquePtr<CERT> ssl_cert_dup(CERT *cert);
void ssl_cert_clear_certs(CERT *cert);
-int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer);
-int ssl_is_key_type_supported(int key_type);
-// ssl_compare_public_and_private_key returns one if |pubkey| is the public
-// counterpart to |privkey|. Otherwise it returns zero and pushes a helpful
+bool ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer);
+bool ssl_is_key_type_supported(int key_type);
+// ssl_compare_public_and_private_key returns true if |pubkey| is the public
+// counterpart to |privkey|. Otherwise it returns false and pushes a helpful
// message on the error queue.
-int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
+bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
const EVP_PKEY *privkey);
-int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
+bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server);
int ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out, const SSL_SESSION *session);
int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx);
diff --git a/ssl/ssl_aead_ctx.cc b/ssl/ssl_aead_ctx.cc
index 6a25780..335f6f4 100644
--- a/ssl/ssl_aead_ctx.cc
+++ b/ssl/ssl_aead_ctx.cc
@@ -55,7 +55,7 @@
}
UniquePtr<SSLAEADContext> SSLAEADContext::Create(
- enum evp_aead_direction_t direction, uint16_t version, int is_dtls,
+ enum evp_aead_direction_t direction, uint16_t version, bool is_dtls,
const SSL_CIPHER *cipher, Span<const uint8_t> enc_key,
Span<const uint8_t> mac_key, Span<const uint8_t> fixed_iv) {
const EVP_AEAD *aead;
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index 3f3a1c5..37d6501 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -289,10 +289,10 @@
return 1;
}
-int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
+bool ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
switch (check_leaf_cert_and_privkey(buffer.get(), cert->privatekey.get())) {
case leaf_cert_and_privkey_error:
- return 0;
+ return false;
case leaf_cert_and_privkey_mismatch:
// don't fail for a cert/key mismatch, just free current private key
// (when switching to a different cert & key, first this function should
@@ -308,23 +308,23 @@
if (cert->chain != nullptr) {
CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0));
sk_CRYPTO_BUFFER_set(cert->chain.get(), 0, buffer.release());
- return 1;
+ return true;
}
cert->chain.reset(sk_CRYPTO_BUFFER_new_null());
if (cert->chain == nullptr) {
- return 0;
+ return false;
}
if (!PushToStack(cert->chain.get(), std::move(buffer))) {
cert->chain.reset();
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-int ssl_has_certificate(const SSL_CONFIG *cfg) {
+bool ssl_has_certificate(const SSL_CONFIG *cfg) {
return cfg->cert->chain != nullptr &&
sk_CRYPTO_BUFFER_value(cfg->cert->chain.get(), 0) != nullptr &&
ssl_has_private_key(cfg);
@@ -394,7 +394,7 @@
return true;
}
-int ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb) {
+bool ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb) {
if (!ssl_has_certificate(hs->config)) {
return CBB_add_u24(cbb, 0);
}
@@ -402,7 +402,7 @@
CBB certs;
if (!CBB_add_u24_length_prefixed(cbb, &certs)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return false;
}
STACK_OF(CRYPTO_BUFFER) *chain = hs->config->cert->chain.get();
@@ -414,7 +414,7 @@
CRYPTO_BUFFER_len(buffer)) ||
!CBB_flush(&certs)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return false;
}
}
@@ -424,7 +424,7 @@
// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
// subjectPublicKeyInfo.
-static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
+static bool ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
/* From RFC 5280, section 4.1
* Certificate ::= SEQUENCE {
* tbsCertificate TBSCertificate,
@@ -460,10 +460,10 @@
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
// subject
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {
- return 0;
+ return false;
}
- return 1;
+ return true;
}
UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) {
@@ -476,47 +476,42 @@
return UniquePtr<EVP_PKEY>(EVP_parse_public_key(&tbs_cert));
}
-int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
- const EVP_PKEY *privkey) {
+bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
+ const EVP_PKEY *privkey) {
if (EVP_PKEY_is_opaque(privkey)) {
// We cannot check an opaque private key and have to trust that it
// matches.
- return 1;
+ return true;
}
- int ret = 0;
-
switch (EVP_PKEY_cmp(pubkey, privkey)) {
case 1:
- ret = 1;
- break;
+ return true;
case 0:
OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);
- break;
+ return false;
case -1:
OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);
- break;
+ return false;
case -2:
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
- break;
- default:
- assert(0);
- break;
+ return false;
}
- return ret;
+ assert(0);
+ return false;
}
-int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {
+bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {
if (privkey == nullptr) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
- return 0;
+ return false;
}
if (cert->chain == nullptr ||
sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) == nullptr) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
- return 0;
+ return false;
}
CBS cert_cbs;
@@ -525,13 +520,13 @@
UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
if (!pubkey) {
OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
- return 0;
+ return false;
}
return ssl_compare_public_and_private_key(pubkey.get(), privkey);
}
-int ssl_cert_check_digital_signature_key_usage(const CBS *in) {
+bool ssl_cert_check_digital_signature_key_usage(const CBS *in) {
CBS buf = *in;
CBS tbs_cert, outer_extensions;
@@ -551,17 +546,17 @@
&tbs_cert, &outer_extensions, &has_extensions,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
- return 0;
+ return false;
}
if (!has_extensions) {
- return 1;
+ return true;
}
CBS extensions;
if (!CBS_get_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
- return 0;
+ return false;
}
while (CBS_len(&extensions) > 0) {
@@ -573,7 +568,7 @@
!CBS_get_asn1(&extension, &contents, CBS_ASN1_OCTETSTRING) ||
CBS_len(&extension) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
- return 0;
+ return false;
}
static const uint8_t kKeyUsageOID[3] = {0x55, 0x1d, 0x0f};
@@ -587,26 +582,26 @@
if (!CBS_get_asn1(&contents, &bit_string, CBS_ASN1_BITSTRING) ||
CBS_len(&contents) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
- return 0;
+ return false;
}
// This is the KeyUsage extension. See
// https://tools.ietf.org/html/rfc5280#section-4.2.1.3
if (!CBS_is_valid_asn1_bitstring(&bit_string)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
- return 0;
+ return false;
}
if (!CBS_asn1_bitstring_has_bit(&bit_string, 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);
- return 0;
+ return false;
}
- return 1;
+ return true;
}
// No KeyUsage extension found.
- return 1;
+ return true;
}
UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
@@ -666,10 +661,10 @@
return sk_CRYPTO_BUFFER_num(names) > 0;
}
-int ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb) {
+bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb) {
CBB child, name_cbb;
if (!CBB_add_u16_length_prefixed(cbb, &child)) {
- return 0;
+ return false;
}
const STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA.get();
@@ -684,21 +679,21 @@
if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||
!CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),
CRYPTO_BUFFER_len(name))) {
- return 0;
+ return false;
}
}
return CBB_flush(cbb);
}
-int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
- const CRYPTO_BUFFER *leaf) {
+bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
+ const CRYPTO_BUFFER *leaf) {
assert(ssl_protocol_version(hs->ssl) < TLS1_3_VERSION);
// Check the certificate's type matches the cipher.
if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
- return 0;
+ return false;
}
// Check key usages for all key types but RSA. This is needed to distinguish
@@ -711,7 +706,7 @@
CBS leaf_cbs;
CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
if (!ssl_cert_check_digital_signature_key_usage(&leaf_cbs)) {
- return 0;
+ return false;
}
}
@@ -724,22 +719,22 @@
!tls1_check_group_id(hs, group_id) ||
EC_KEY_get_conv_form(ec_key) != POINT_CONVERSION_UNCOMPRESSED) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
-int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
+bool ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!ssl_has_certificate(hs->config)) {
// Nothing to do.
- return 1;
+ return true;
}
if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(hs)) {
- return 0;
+ return false;
}
CBS leaf;
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
index 1e5320c..0ed91d6 100644
--- a/ssl/ssl_cipher.cc
+++ b/ssl/ssl_cipher.cc
@@ -559,13 +559,13 @@
bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
size_t *out_mac_secret_len,
size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
- uint16_t version, int is_dtls) {
+ uint16_t version, bool is_dtls) {
*out_aead = NULL;
*out_mac_secret_len = 0;
*out_fixed_iv_len = 0;
- const int is_tls12 = version == TLS1_2_VERSION && !is_dtls;
- const int is_tls13 = version == TLS1_3_VERSION && !is_dtls;
+ const bool is_tls12 = version == TLS1_2_VERSION && !is_dtls;
+ const bool is_tls13 = version == TLS1_3_VERSION && !is_dtls;
if (cipher->algorithm_mac == SSL_AEAD) {
if (cipher->algorithm_enc == SSL_AES128GCM) {
@@ -649,7 +649,7 @@
}
}
-static bool is_cipher_list_separator(char c, int is_strict) {
+static bool is_cipher_list_separator(char c, bool is_strict) {
if (c == ':') {
return true;
}
diff --git a/ssl/ssl_key_share.cc b/ssl/ssl_key_share.cc
index 866da67..8466eab 100644
--- a/ssl/ssl_key_share.cc
+++ b/ssl/ssl_key_share.cc
@@ -266,30 +266,30 @@
Finish(out_secret, out_alert, peer_key);
}
-int ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {
+bool ssl_nid_to_group_id(uint16_t *out_group_id, int nid) {
for (const auto &group : kNamedGroups) {
if (group.nid == nid) {
*out_group_id = group.group_id;
- return 1;
+ return true;
}
}
- return 0;
+ return false;
}
-int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
+bool ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len) {
for (const auto &group : kNamedGroups) {
if (len == strlen(group.name) &&
!strncmp(group.name, name, len)) {
*out_group_id = group.group_id;
- return 1;
+ return true;
}
if (len == strlen(group.alias) &&
!strncmp(group.alias, name, len)) {
*out_group_id = group.group_id;
- return 1;
+ return true;
}
}
- return 0;
+ return false;
}
BSSL_NAMESPACE_END
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index b2f8177..e716c9a 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -71,26 +71,26 @@
BSSL_NAMESPACE_BEGIN
-int ssl_is_key_type_supported(int key_type) {
+bool ssl_is_key_type_supported(int key_type) {
return key_type == EVP_PKEY_RSA || key_type == EVP_PKEY_EC ||
key_type == EVP_PKEY_ED25519;
}
-static int ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {
+static bool ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) {
if (!ssl_is_key_type_supported(pkey->type)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
- return 0;
+ return false;
}
if (cert->chain != nullptr &&
sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) != nullptr &&
// Sanity-check that the private key and the certificate match.
!ssl_cert_check_private_key(cert, pkey)) {
- return 0;
+ return false;
}
cert->privatekey = UpRef(pkey);
- return 1;
+ return true;
}
typedef struct {
@@ -98,29 +98,30 @@
int pkey_type;
int curve;
const EVP_MD *(*digest_func)(void);
- char is_rsa_pss;
+ bool is_rsa_pss;
} SSL_SIGNATURE_ALGORITHM;
static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = {
- {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1, 0},
- {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, 0},
- {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 0},
- {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 0},
- {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 0},
+ {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1,
+ false},
+ {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, false},
+ {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, false},
+ {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, false},
+ {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, false},
- {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, 1},
- {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, 1},
- {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, 1},
+ {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, true},
+ {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, true},
+ {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, true},
- {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, 0},
+ {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, false},
{SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1,
- &EVP_sha256, 0},
+ &EVP_sha256, false},
{SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384,
- 0},
+ false},
{SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512,
- 0},
+ false},
- {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, NULL, 0},
+ {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr, false},
};
static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) {
@@ -132,22 +133,22 @@
return NULL;
}
-int ssl_has_private_key(const SSL_CONFIG *cfg) {
+bool ssl_has_private_key(const SSL_CONFIG *cfg) {
return cfg->cert->privatekey != nullptr || cfg->cert->key_method != nullptr;
}
-static int pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
- uint16_t sigalg) {
+static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey,
+ uint16_t sigalg) {
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg == NULL ||
EVP_PKEY_id(pkey) != alg->pkey_type) {
- return 0;
+ return false;
}
if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
// RSA keys may only be used with RSA-PSS.
if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
- return 0;
+ return false;
}
// EC keys have a curve requirement.
@@ -155,18 +156,18 @@
(alg->curve == NID_undef ||
EC_GROUP_get_curve_name(
EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) {
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
-static int setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey, uint16_t sigalg,
- int is_verify) {
+static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
+ uint16_t sigalg, bool is_verify) {
if (!pkey_supports_algorithm(ssl, pkey, sigalg)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE);
- return 0;
+ return false;
}
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
@@ -174,20 +175,20 @@
EVP_PKEY_CTX *pctx;
if (is_verify) {
if (!EVP_DigestVerifyInit(ctx, &pctx, digest, NULL, pkey)) {
- return 0;
+ return false;
}
} else if (!EVP_DigestSignInit(ctx, &pctx, digest, NULL, pkey)) {
- return 0;
+ return false;
}
if (alg->is_rsa_pss) {
if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) ||
!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1 /* salt len = hash len */)) {
- return 0;
+ return false;
}
}
- return 1;
+ return true;
}
enum ssl_private_key_result_t ssl_private_key_sign(
@@ -212,7 +213,7 @@
*out_len = max_out;
ScopedEVP_MD_CTX ctx;
if (!setup_ctx(ssl, ctx.get(), hs->config->cert->privatekey.get(), sigalg,
- 0 /* sign */) ||
+ false /* sign */) ||
!EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) {
return ssl_private_key_failure;
}
@@ -223,7 +224,7 @@
uint16_t sigalg, EVP_PKEY *pkey,
Span<const uint8_t> in) {
ScopedEVP_MD_CTX ctx;
- return setup_ctx(ssl, ctx.get(), pkey, sigalg, 1 /* verify */) &&
+ return setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */) &&
EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),
in.data(), in.size());
}
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index e451838..5e1f19a 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc
@@ -32,10 +32,10 @@
BSSL_NAMESPACE_BEGIN
-static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,
+static bool init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,
const SSL_CIPHER *cipher) {
if (!hs->transcript.InitHash(version, cipher)) {
- return 0;
+ return false;
}
hs->hash_len = hs->transcript.DigestLen();
@@ -43,13 +43,13 @@
// Initialize the secret to the zero key.
OPENSSL_memset(hs->secret, 0, hs->hash_len);
- return 1;
+ return true;
}
-int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
- size_t psk_len) {
+bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
+ size_t psk_len) {
if (!init_key_schedule(hs, ssl_protocol_version(hs->ssl), hs->new_cipher)) {
- return 0;
+ return false;
}
hs->transcript.FreeBuffer();
@@ -57,8 +57,8 @@
psk_len, hs->secret, hs->hash_len);
}
-int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
- size_t psk_len) {
+bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,
+ size_t psk_len) {
SSL *const ssl = hs->ssl;
return init_key_schedule(hs, ssl_session_protocol_version(ssl->session.get()),
ssl->session->cipher) &&
@@ -66,10 +66,11 @@
psk_len, hs->secret, hs->hash_len);
}
-static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest,
- const uint8_t *secret, size_t secret_len,
- const char *label, size_t label_len,
- const uint8_t *hash, size_t hash_len, size_t len) {
+static bool hkdf_expand_label(uint8_t *out, const EVP_MD *digest,
+ const uint8_t *secret, size_t secret_len,
+ const char *label, size_t label_len,
+ const uint8_t *hash, size_t hash_len,
+ size_t len) {
static const char kTLS13LabelVersion[] = "tls13 ";
ScopedCBB cbb;
@@ -85,7 +86,7 @@
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
!CBB_add_bytes(&child, hash, hash_len) ||
!CBBFinishArray(cbb.get(), &hkdf_label)) {
- return 0;
+ return false;
}
return HKDF_expand(out, len, digest, secret, secret_len, hkdf_label.data(),
@@ -94,20 +95,20 @@
static const char kTLS13LabelDerived[] = "derived";
-int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
- size_t len) {
+bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
+ size_t len) {
uint8_t derive_context[EVP_MAX_MD_SIZE];
unsigned derive_context_len;
if (!EVP_Digest(nullptr, 0, derive_context, &derive_context_len,
hs->transcript.Digest(), nullptr)) {
- return 0;
+ return false;
}
if (!hkdf_expand_label(hs->secret, hs->transcript.Digest(), hs->secret,
hs->hash_len, kTLS13LabelDerived,
strlen(kTLS13LabelDerived), derive_context,
derive_context_len, hs->hash_len)) {
- return 0;
+ return false;
}
return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), in,
@@ -116,13 +117,13 @@
// derive_secret derives a secret of length |len| and writes the result in |out|
// with the given label and the current base secret and most recently-saved
-// handshake context. It returns one on success and zero on error.
-static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
- const char *label, size_t label_len) {
+// handshake context. It returns true on success and false on error.
+static bool derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
+ const char *label, size_t label_len) {
uint8_t context_hash[EVP_MAX_MD_SIZE];
size_t context_hash_len;
if (!hs->transcript.GetHash(context_hash, &context_hash_len)) {
- return 0;
+ return false;
}
return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret,
@@ -130,15 +131,15 @@
context_hash_len, len);
}
-int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
- const uint8_t *traffic_secret,
- size_t traffic_secret_len) {
+bool tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
+ const uint8_t *traffic_secret,
+ size_t traffic_secret_len) {
const SSL_SESSION *session = SSL_get_session(ssl);
uint16_t version = ssl_session_protocol_version(session);
if (traffic_secret_len > 0xff) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
- return 0;
+ return false;
}
// Look up cipher suite properties.
@@ -146,7 +147,7 @@
size_t discard;
if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,
version, SSL_is_dtls(ssl))) {
- return 0;
+ return false;
}
const EVP_MD *digest = ssl_session_get_digest(session);
@@ -156,7 +157,7 @@
uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len, "key",
3, NULL, 0, key_len)) {
- return 0;
+ return false;
}
// Derive the IV.
@@ -164,7 +165,7 @@
uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];
if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, "iv",
2, NULL, 0, iv_len)) {
- return 0;
+ return false;
}
UniquePtr<SSLAEADContext> traffic_aead =
@@ -172,16 +173,16 @@
session->cipher, MakeConstSpan(key, key_len),
Span<const uint8_t>(), MakeConstSpan(iv, iv_len));
if (!traffic_aead) {
- return 0;
+ return false;
}
if (direction == evp_aead_open) {
if (!ssl->method->set_read_state(ssl, std::move(traffic_aead))) {
- return 0;
+ return false;
}
} else {
if (!ssl->method->set_write_state(ssl, std::move(traffic_aead))) {
- return 0;
+ return false;
}
}
@@ -196,7 +197,7 @@
ssl->s3->write_traffic_secret_len = traffic_secret_len;
}
- return 1;
+ return true;
}
@@ -209,7 +210,7 @@
static const char kTLS13LabelClientApplicationTraffic[] = "c ap traffic";
static const char kTLS13LabelServerApplicationTraffic[] = "s ap traffic";
-int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {
+bool tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!derive_secret(hs, hs->early_traffic_secret, hs->hash_len,
kTLS13LabelClientEarlyTraffic,
@@ -219,13 +220,13 @@
!derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len,
kTLS13LabelEarlyExporter,
strlen(kTLS13LabelEarlyExporter))) {
- return 0;
+ return false;
}
ssl->s3->early_exporter_secret_len = hs->hash_len;
- return 1;
+ return true;
}
-int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
+bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
return derive_secret(hs, hs->client_handshake_secret, hs->hash_len,
kTLS13LabelClientHandshakeTraffic,
@@ -239,7 +240,7 @@
hs->server_handshake_secret, hs->hash_len);
}
-int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
+bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
ssl->s3->exporter_secret_len = hs->hash_len;
return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,
@@ -260,7 +261,7 @@
static const char kTLS13LabelApplicationTraffic[] = "traffic upd";
-int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
+bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
uint8_t *secret;
size_t secret_len;
if (direction == evp_aead_open) {
@@ -275,7 +276,7 @@
if (!hkdf_expand_label(
secret, digest, secret, secret_len, kTLS13LabelApplicationTraffic,
strlen(kTLS13LabelApplicationTraffic), NULL, 0, secret_len)) {
- return 0;
+ return false;
}
return tls13_set_traffic_key(ssl, direction, secret, secret_len);
@@ -283,10 +284,10 @@
static const char kTLS13LabelResumption[] = "res master";
-int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {
+bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {
if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return false;
}
hs->new_session->master_key_length = hs->hash_len;
return derive_secret(hs, hs->new_session->master_key,
@@ -298,23 +299,23 @@
// tls13_verify_data sets |out| to be the HMAC of |context| using a derived
// Finished key for both Finished messages and the PSK binder.
-static int tls13_verify_data(const EVP_MD *digest, uint16_t version,
- uint8_t *out, size_t *out_len,
- const uint8_t *secret, size_t hash_len,
- uint8_t *context, size_t context_len) {
+static bool tls13_verify_data(const EVP_MD *digest, uint16_t version,
+ uint8_t *out, size_t *out_len,
+ const uint8_t *secret, size_t hash_len,
+ uint8_t *context, size_t context_len) {
uint8_t key[EVP_MAX_MD_SIZE];
unsigned len;
if (!hkdf_expand_label(key, digest, secret, hash_len, kTLS13LabelFinished,
strlen(kTLS13LabelFinished), NULL, 0, hash_len) ||
HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {
- return 0;
+ return false;
}
*out_len = len;
- return 1;
+ return true;
}
-int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
- int is_server) {
+bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
+ bool is_server) {
const uint8_t *traffic_secret;
if (is_server) {
traffic_secret = hs->server_handshake_secret;
@@ -345,14 +346,14 @@
static const char kTLS13LabelExportKeying[] = "exporter";
-int tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
- Span<const uint8_t> secret,
- Span<const char> label,
- Span<const uint8_t> context) {
+bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,
+ Span<const uint8_t> secret,
+ Span<const char> label,
+ Span<const uint8_t> context) {
if (secret.empty()) {
assert(0);
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return false;
}
const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));
@@ -378,21 +379,21 @@
static const char kTLS13LabelPSKBinder[] = "res binder";
-static int tls13_psk_binder(uint8_t *out, uint16_t version,
- const EVP_MD *digest, uint8_t *psk, size_t psk_len,
- uint8_t *context, size_t context_len,
- size_t hash_len) {
+static bool tls13_psk_binder(uint8_t *out, uint16_t version,
+ const EVP_MD *digest, uint8_t *psk, size_t psk_len,
+ uint8_t *context, size_t context_len,
+ size_t hash_len) {
uint8_t binder_context[EVP_MAX_MD_SIZE];
unsigned binder_context_len;
if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {
- return 0;
+ return false;
}
uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};
size_t early_secret_len;
if (!HKDF_extract(early_secret, &early_secret_len, digest, psk, hash_len,
NULL, 0)) {
- return 0;
+ return false;
}
uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};
@@ -402,20 +403,20 @@
binder_context, binder_context_len, hash_len) ||
!tls13_verify_data(digest, version, out, &len, binder_key, hash_len,
context, context_len)) {
- return 0;
+ return false;
}
- return 1;
+ return true;
}
-int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {
+bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {
SSL *const ssl = hs->ssl;
const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());
size_t hash_len = EVP_MD_size(digest);
if (len < hash_len + 3) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return false;
}
ScopedEVP_MD_CTX ctx;
@@ -427,7 +428,7 @@
hs->transcript.buffer().size()) ||
!EVP_DigestUpdate(ctx.get(), msg, len - hash_len - 3) ||
!EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {
- return 0;
+ return false;
}
uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};
@@ -435,21 +436,21 @@
ssl->session->master_key,
ssl->session->master_key_length, context, context_len,
hash_len)) {
- return 0;
+ return false;
}
OPENSSL_memcpy(msg + len - hash_len, verify_data, hash_len);
- return 1;
+ return true;
}
-int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
- const SSLMessage &msg, CBS *binders) {
+bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
+ const SSLMessage &msg, CBS *binders) {
size_t hash_len = hs->transcript.DigestLen();
// The message must be large enough to exclude the binders.
if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return false;
}
// Hash a ClientHello prefix up to the binders. This includes the header. For
@@ -459,7 +460,7 @@
unsigned context_len;
if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,
context, &context_len, hs->transcript.Digest(), NULL)) {
- return 0;
+ return false;
}
uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};
@@ -470,21 +471,21 @@
// We only consider the first PSK, so compare against the first binder.
!CBS_get_u8_length_prefixed(binders, &binder)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ return false;
}
- int binder_ok =
+ bool binder_ok =
CBS_len(&binder) == hash_len &&
CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- binder_ok = 1;
+ binder_ok = true;
#endif
if (!binder_ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
- return 0;
+ return false;
}
- return 1;
+ return true;
}
BSSL_NAMESPACE_END
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index b1940d8..0d82d68 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -716,7 +716,7 @@
size_t finished_len;
if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,
- 0 /* client */)) {
+ false /* client */)) {
return ssl_hs_error;
}
diff --git a/ssl/tls_record.cc b/ssl/tls_record.cc
index 452b0cf..c1f9e7f 100644
--- a/ssl/tls_record.cc
+++ b/ssl/tls_record.cc
@@ -140,26 +140,26 @@
// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
// state needs record-splitting and zero otherwise.
-static int ssl_needs_record_splitting(const SSL *ssl) {
+static bool ssl_needs_record_splitting(const SSL *ssl) {
#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
return !ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->ProtocolVersion() < TLS1_1_VERSION &&
(ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher());
#else
- return 0;
+ return false;
#endif
}
-int ssl_record_sequence_update(uint8_t *seq, size_t seq_len) {
+bool ssl_record_sequence_update(uint8_t *seq, size_t seq_len) {
for (size_t i = seq_len - 1; i < seq_len; i--) {
++seq[i];
if (seq[i] != 0) {
- return 1;
+ return true;
}
}
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
- return 0;
+ return false;
}
size_t ssl_record_prefix_len(const SSL *ssl) {
@@ -373,9 +373,9 @@
return ssl_open_record_success;
}
-static int do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
- uint8_t *out_suffix, uint8_t type, const uint8_t *in,
- const size_t in_len) {
+static bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
+ uint8_t *out_suffix, uint8_t type, const uint8_t *in,
+ const size_t in_len) {
SSLAEADContext *aead = ssl->s3->aead_write_ctx.get();
uint8_t *extra_in = NULL;
size_t extra_in_len = 0;
@@ -390,7 +390,7 @@
if (!aead->SuffixLen(&suffix_len, in_len, extra_in_len) ||
!aead->CiphertextLen(&ciphertext_len, in_len, extra_in_len)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
- return 0;
+ return false;
}
assert(in == out || !buffers_alias(in, in_len, out, in_len));
@@ -415,11 +415,11 @@
out_prefix[0], record_version, ssl->s3->write_sequence,
header, in, in_len, extra_in, extra_in_len) ||
!ssl_record_sequence_update(ssl->s3->write_sequence, 8)) {
- return 0;
+ return false;
}
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header);
- return 1;
+ return true;
}
static size_t tls_seal_scatter_prefix_len(const SSL *ssl, uint8_t type,
@@ -464,7 +464,7 @@
// returns one on success and zero on error. If enabled,
// |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
// may write two records concatenated.
-static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
+static bool tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
uint8_t *out_suffix, uint8_t type,
const uint8_t *in, size_t in_len) {
if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
@@ -478,13 +478,13 @@
if (!do_seal_record(ssl, out_prefix, split_body, split_suffix, type, in,
1)) {
- return 0;
+ return false;
}
size_t split_record_suffix_len;
if (!ssl->s3->aead_write_ctx->SuffixLen(&split_record_suffix_len, 1, 0)) {
assert(false);
- return 0;
+ return false;
}
const size_t split_record_len = prefix_len + 1 + split_record_suffix_len;
assert(SSL3_RT_HEADER_LENGTH + ssl_cipher_get_record_split_len(
@@ -496,24 +496,25 @@
uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];
if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1,
in_len - 1)) {
- return 0;
+ return false;
}
assert(tls_seal_scatter_prefix_len(ssl, type, in_len) ==
split_record_len + SSL3_RT_HEADER_LENGTH - 1);
OPENSSL_memcpy(out_prefix + split_record_len, tmp_prefix,
SSL3_RT_HEADER_LENGTH - 1);
OPENSSL_memcpy(out, tmp_prefix + SSL3_RT_HEADER_LENGTH - 1, 1);
- return 1;
+ return true;
}
return do_seal_record(ssl, out_prefix, out, out_suffix, type, in, in_len);
}
-int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out_len,
- uint8_t type, const uint8_t *in, size_t in_len) {
+bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len,
+ size_t max_out_len, uint8_t type, const uint8_t *in,
+ size_t in_len) {
if (buffers_alias(in, in_len, out, max_out_len)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT);
- return 0;
+ return false;
}
const size_t prefix_len = tls_seal_scatter_prefix_len(ssl, type, in_len);
@@ -524,22 +525,22 @@
if (in_len + prefix_len < in_len ||
prefix_len + in_len + suffix_len < prefix_len + in_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
- return 0;
+ return false;
}
if (max_out_len < in_len + prefix_len + suffix_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);
- return 0;
+ return false;
}
uint8_t *prefix = out;
uint8_t *body = out + prefix_len;
uint8_t *suffix = body + in_len;
if (!tls_seal_scatter_record(ssl, prefix, body, suffix, type, in, in_len)) {
- return 0;
+ return false;
}
*out_len = prefix_len + in_len + suffix_len;
- return 1;
+ return true;
}
enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,