Revert "Update BoringSSL to 4dfd5af70191b068aebe567b8e29ce108cee85ce."

This reverts commit 93f1324.

Reason for revert: asm build failure for ia32 mac (e.g., simarm)

Original change's description:
> Update BoringSSL to 4dfd5af70191b068aebe567b8e29ce108cee85ce.
> 
> Update usage of PKCS12_parse to PKCS12_get_key_and_certs, since the former changed behavior when the PKCS12 has no private key.
> 
> Change-Id: I040c1a17e2994ac66cf03ad1efa80e423136cdbd
> Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/116828
> Reviewed-by: Jonas Termansen <[email protected]>
> Reviewed-by: Zach Anderson <[email protected]>
> Commit-Queue: Ryan Macnak <[email protected]>

[email protected],[email protected],[email protected]

Change-Id: I85e9c4e5bd457b72c7df4986a127c169329c178c
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/117921
Reviewed-by: Ryan Macnak <[email protected]>
Commit-Queue: Ryan Macnak <[email protected]>

Author: rmacnak-google

DEPS

@@ -59,8 +59,8 @@ vars = {
   "bazel_worker_tag": "bazel_worker-v0.1.20",
   "benchmark_harness_tag": "81641290dea44c34138a109a37e215482f405f81",
   "boolean_selector_tag" : "1.0.4",
-  "boringssl_gen_rev": "b9e27cff1ff0803e97ab1f88764a83be4aa94a6d",
-  "boringssl_rev" : "4dfd5af70191b068aebe567b8e29ce108cee85ce",
+  "boringssl_gen_rev": "bbf52f18f425e29b1185f2f6753bec02ed8c5880",
+  "boringssl_rev" : "702e2b6d3831486535e958f262a05c75a5cb312e",
   "charcode_tag": "v1.1.2",
   "chrome_rev" : "19997",
   "cli_util_rev" : "4ad7ccbe3195fd2583b30f86a86697ef61e80f41",

runtime/bin/secure_socket_utils.h

@@ -102,9 +102,6 @@ class ScopedMemBIO {
     return bio_;
   }
 
-  uint8_t* data() { return bytes_; }
-  intptr_t length() { return bytes_len_; }
-
  private:
   Dart_Handle object_;
   uint8_t* bytes_;

runtime/bin/security_context.cc

@@ -165,19 +165,30 @@ Dart_Handle X509Helper::WrappedX509Certificate(X509* certificate) {
 }
 
 static int SetTrustedCertificatesBytesPKCS12(SSL_CTX* context,
-                                             ScopedMemBIO* bio,
+                                             BIO* bio,
                                              const char* password) {
-  CBS cbs;
-  CBS_init(&cbs, bio->data(), bio->length());
+  ScopedPKCS12 p12(d2i_PKCS12_bio(bio, NULL));
+  if (p12.get() == NULL) {
+    return 0;
+  }
 
   EVP_PKEY* key = NULL;
-  ScopedX509Stack cert_stack(sk_X509_new_null());
-  int status = PKCS12_get_key_and_certs(&key, cert_stack.get(), &cbs, password);
+  X509* cert = NULL;
+  STACK_OF(X509)* ca_certs = NULL;
+  int status = PKCS12_parse(p12.get(), password, &key, &cert, &ca_certs);
   if (status == 0) {
     return status;
   }
 
+  ScopedX509Stack cert_stack(ca_certs);
   X509_STORE* store = SSL_CTX_get_cert_store(context);
+  status = X509_STORE_add_cert(store, cert);
+  // X509_STORE_add_cert increments the reference count of cert on success.
+  X509_free(cert);
+  if (status == 0) {
+    return status;
+  }
+
   X509* ca;
   while ((ca = sk_X509_shift(cert_stack.get())) != NULL) {
     status = X509_STORE_add_cert(store, ca);
@@ -223,7 +234,8 @@ void SSLCertContext::SetTrustedCertificatesBytes(Dart_Handle cert_bytes,
       if (SecureSocketUtils::NoPEMStartLine()) {
         ERR_clear_error();
         BIO_reset(bio.bio());
-        status = SetTrustedCertificatesBytesPKCS12(context(), &bio, password);
+        status =
+            SetTrustedCertificatesBytesPKCS12(context(), bio.bio(), password);
       }
     } else {
       // The PEM file was successfully parsed.
@@ -235,14 +247,25 @@ void SSLCertContext::SetTrustedCertificatesBytes(Dart_Handle cert_bytes,
 }
 
 static int SetClientAuthoritiesPKCS12(SSL_CTX* context,
-                                      ScopedMemBIO* bio,
+                                      BIO* bio,
                                       const char* password) {
-  CBS cbs;
-  CBS_init(&cbs, bio->data(), bio->length());
+  ScopedPKCS12 p12(d2i_PKCS12_bio(bio, NULL));
+  if (p12.get() == NULL) {
+    return 0;
+  }
 
   EVP_PKEY* key = NULL;
-  ScopedX509Stack cert_stack(sk_X509_new_null());
-  int status = PKCS12_get_key_and_certs(&key, cert_stack.get(), &cbs, password);
+  X509* cert = NULL;
+  STACK_OF(X509)* ca_certs = NULL;
+  int status = PKCS12_parse(p12.get(), password, &key, &cert, &ca_certs);
+  if (status == 0) {
+    return status;
+  }
+
+  ScopedX509Stack cert_stack(ca_certs);
+  status = SSL_CTX_add_client_CA(context, cert);
+  // SSL_CTX_add_client_CA increments the reference count of cert on success.
+  X509_free(cert);
   if (status == 0) {
     return status;
   }
@@ -274,13 +297,13 @@ static int SetClientAuthoritiesPEM(SSL_CTX* context, BIO* bio) {
 }
 
 static int SetClientAuthorities(SSL_CTX* context,
-                                ScopedMemBIO* bio,
+                                BIO* bio,
                                 const char* password) {
-  int status = SetClientAuthoritiesPEM(context, bio->bio());
+  int status = SetClientAuthoritiesPEM(context, bio);
   if (status == 0) {
     if (SecureSocketUtils::NoPEMStartLine()) {
       ERR_clear_error();
-      BIO_reset(bio->bio());
+      BIO_reset(bio);
       status = SetClientAuthoritiesPKCS12(context, bio, password);
     }
   } else {
@@ -296,7 +319,7 @@ void SSLCertContext::SetClientAuthoritiesBytes(
   int status;
   {
     ScopedMemBIO bio(client_authorities_bytes);
-    status = SetClientAuthorities(context(), &bio, password);
+    status = SetClientAuthorities(context(), bio.bio(), password);
   }
 
   SecureSocketUtils::CheckStatus(status, "TlsException",
@@ -520,31 +543,35 @@ void SSLCertContext::SetAlpnProtocolList(Dart_Handle protocols_handle,
 }
 
 static int UseChainBytesPKCS12(SSL_CTX* context,
-                               ScopedMemBIO* bio,
+                               BIO* bio,
                                const char* password) {
-  CBS cbs;
-  CBS_init(&cbs, bio->data(), bio->length());
+  ScopedPKCS12 p12(d2i_PKCS12_bio(bio, NULL));
+  if (p12.get() == NULL) {
+    return 0;
+  }
 
   EVP_PKEY* key = NULL;
-  ScopedX509Stack certs(sk_X509_new_null());
-  int status = PKCS12_get_key_and_certs(&key, certs.get(), &cbs, password);
+  X509* cert = NULL;
+  STACK_OF(X509)* ca_certs = NULL;
+  int status = PKCS12_parse(p12.get(), password, &key, &cert, &ca_certs);
   if (status == 0) {
     return status;
   }
 
-  X509* ca = sk_X509_shift(certs.get());
-  status = SSL_CTX_use_certificate(context, ca);
+  ScopedX509 x509(cert);
+  ScopedX509Stack certs(ca_certs);
+  status = SSL_CTX_use_certificate(context, x509.get());
   if (ERR_peek_error() != 0) {
     // Key/certificate mismatch doesn't imply status is 0.
     status = 0;
   }
-  X509_free(ca);
   if (status == 0) {
     return status;
   }
 
   SSL_CTX_clear_chain_certs(context);
 
+  X509* ca;
   while ((ca = sk_X509_shift(certs.get())) != NULL) {
     status = SSL_CTX_add0_chain_cert(context, ca);
     // SSL_CTX_add0_chain_cert does not inc ref count, so don't free unless the
@@ -593,14 +620,12 @@ static int UseChainBytesPEM(SSL_CTX* context, BIO* bio) {
   return SecureSocketUtils::NoPEMStartLine() ? status : 0;
 }
 
-static int UseChainBytes(SSL_CTX* context,
-                         ScopedMemBIO* bio,
-                         const char* password) {
-  int status = UseChainBytesPEM(context, bio->bio());
+static int UseChainBytes(SSL_CTX* context, BIO* bio, const char* password) {
+  int status = UseChainBytesPEM(context, bio);
   if (status == 0) {
     if (SecureSocketUtils::NoPEMStartLine()) {
       ERR_clear_error();
-      BIO_reset(bio->bio());
+      BIO_reset(bio);
       status = UseChainBytesPKCS12(context, bio, password);
     }
   } else {
@@ -613,7 +638,7 @@ static int UseChainBytes(SSL_CTX* context,
 int SSLCertContext::UseCertificateChainBytes(Dart_Handle cert_chain_bytes,
                                              const char* password) {
   ScopedMemBIO bio(cert_chain_bytes);
-  return UseChainBytes(context(), &bio, password);
+  return UseChainBytes(context(), bio.bio(), password);
 }
 
 static X509* GetX509Certificate(Dart_NativeArguments args) {