Update BoringSSL to 4dfd5af70191b068aebe567b8e29ce108cee85ce.

Update usage of PKCS12_parse to PKCS12_get_key_and_certs, since the former changed behavior when the PKCS12 has no private key.

Change-Id: I040c1a17e2994ac66cf03ad1efa80e423136cdbd
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/116828
Reviewed-by: Jonas Termansen <[email protected]>
Reviewed-by: Zach Anderson <[email protected]>
Commit-Queue: Ryan Macnak <[email protected]>

Author: rmacnak-google

DEPS

@@ -59,8 +59,8 @@ vars = {
   "bazel_worker_tag": "bazel_worker-v0.1.20",
   "benchmark_harness_tag": "81641290dea44c34138a109a37e215482f405f81",
   "boolean_selector_tag" : "1.0.4",
-  "boringssl_gen_rev": "bbf52f18f425e29b1185f2f6753bec02ed8c5880",
-  "boringssl_rev" : "702e2b6d3831486535e958f262a05c75a5cb312e",
+  "boringssl_gen_rev": "b9e27cff1ff0803e97ab1f88764a83be4aa94a6d",
+  "boringssl_rev" : "4dfd5af70191b068aebe567b8e29ce108cee85ce",
   "charcode_tag": "v1.1.2",
   "chrome_rev" : "19997",
   "cli_util_rev" : "4ad7ccbe3195fd2583b30f86a86697ef61e80f41",

runtime/bin/secure_socket_utils.h

@@ -102,6 +102,9 @@ class ScopedMemBIO {
     return bio_;
   }
 
+  uint8_t* data() { return bytes_; }
+  intptr_t length() { return bytes_len_; }
+
  private:
   Dart_Handle object_;
   uint8_t* bytes_;

runtime/bin/security_context.cc

@@ -165,30 +165,19 @@ Dart_Handle X509Helper::WrappedX509Certificate(X509* certificate) {
 }
 
 static int SetTrustedCertificatesBytesPKCS12(SSL_CTX* context,
-                                             BIO* bio,
+                                             ScopedMemBIO* bio,
                                              const char* password) {
-  ScopedPKCS12 p12(d2i_PKCS12_bio(bio, NULL));
-  if (p12.get() == NULL) {
-    return 0;
-  }
+  CBS cbs;
+  CBS_init(&cbs, bio->data(), bio->length());
 
   EVP_PKEY* key = NULL;
-  X509* cert = NULL;
-  STACK_OF(X509)* ca_certs = NULL;
-  int status = PKCS12_parse(p12.get(), password, &key, &cert, &ca_certs);
+  ScopedX509Stack cert_stack(sk_X509_new_null());
+  int status = PKCS12_get_key_and_certs(&key, cert_stack.get(), &cbs, password);
   if (status == 0) {
     return status;
   }
 
-  ScopedX509Stack cert_stack(ca_certs);
   X509_STORE* store = SSL_CTX_get_cert_store(context);
-  status = X509_STORE_add_cert(store, cert);
-  // X509_STORE_add_cert increments the reference count of cert on success.
-  X509_free(cert);
-  if (status == 0) {
-    return status;
-  }
-
   X509* ca;
   while ((ca = sk_X509_shift(cert_stack.get())) != NULL) {
     status = X509_STORE_add_cert(store, ca);
@@ -234,8 +223,7 @@ void SSLCertContext::SetTrustedCertificatesBytes(Dart_Handle cert_bytes,
       if (SecureSocketUtils::NoPEMStartLine()) {
         ERR_clear_error();
         BIO_reset(bio.bio());
-        status =
-            SetTrustedCertificatesBytesPKCS12(context(), bio.bio(), password);
+        status = SetTrustedCertificatesBytesPKCS12(context(), &bio, password);
       }
     } else {
       // The PEM file was successfully parsed.
@@ -247,25 +235,14 @@ void SSLCertContext::SetTrustedCertificatesBytes(Dart_Handle cert_bytes,
 }
 
 static int SetClientAuthoritiesPKCS12(SSL_CTX* context,
-                                      BIO* bio,
+                                      ScopedMemBIO* bio,
                                       const char* password) {
-  ScopedPKCS12 p12(d2i_PKCS12_bio(bio, NULL));
-  if (p12.get() == NULL) {
-    return 0;
-  }
+  CBS cbs;
+  CBS_init(&cbs, bio->data(), bio->length());
 
   EVP_PKEY* key = NULL;
-  X509* cert = NULL;
-  STACK_OF(X509)* ca_certs = NULL;
-  int status = PKCS12_parse(p12.get(), password, &key, &cert, &ca_certs);
-  if (status == 0) {
-    return status;
-  }
-
-  ScopedX509Stack cert_stack(ca_certs);
-  status = SSL_CTX_add_client_CA(context, cert);
-  // SSL_CTX_add_client_CA increments the reference count of cert on success.
-  X509_free(cert);
+  ScopedX509Stack cert_stack(sk_X509_new_null());
+  int status = PKCS12_get_key_and_certs(&key, cert_stack.get(), &cbs, password);
   if (status == 0) {
     return status;
   }
@@ -297,13 +274,13 @@ static int SetClientAuthoritiesPEM(SSL_CTX* context, BIO* bio) {
 }
 
 static int SetClientAuthorities(SSL_CTX* context,
-                                BIO* bio,
+                                ScopedMemBIO* bio,
                                 const char* password) {
-  int status = SetClientAuthoritiesPEM(context, bio);
+  int status = SetClientAuthoritiesPEM(context, bio->bio());
   if (status == 0) {
     if (SecureSocketUtils::NoPEMStartLine()) {
       ERR_clear_error();
-      BIO_reset(bio);
+      BIO_reset(bio->bio());
       status = SetClientAuthoritiesPKCS12(context, bio, password);
     }
   } else {
@@ -319,7 +296,7 @@ void SSLCertContext::SetClientAuthoritiesBytes(
   int status;
   {
     ScopedMemBIO bio(client_authorities_bytes);
-    status = SetClientAuthorities(context(), bio.bio(), password);
+    status = SetClientAuthorities(context(), &bio, password);
   }
 
   SecureSocketUtils::CheckStatus(status, "TlsException",
@@ -543,35 +520,31 @@ void SSLCertContext::SetAlpnProtocolList(Dart_Handle protocols_handle,
 }
 
 static int UseChainBytesPKCS12(SSL_CTX* context,
-                               BIO* bio,
+                               ScopedMemBIO* bio,
                                const char* password) {
-  ScopedPKCS12 p12(d2i_PKCS12_bio(bio, NULL));
-  if (p12.get() == NULL) {
-    return 0;
-  }
+  CBS cbs;
+  CBS_init(&cbs, bio->data(), bio->length());
 
   EVP_PKEY* key = NULL;
-  X509* cert = NULL;
-  STACK_OF(X509)* ca_certs = NULL;
-  int status = PKCS12_parse(p12.get(), password, &key, &cert, &ca_certs);
+  ScopedX509Stack certs(sk_X509_new_null());
+  int status = PKCS12_get_key_and_certs(&key, certs.get(), &cbs, password);
   if (status == 0) {
     return status;
   }
 
-  ScopedX509 x509(cert);
-  ScopedX509Stack certs(ca_certs);
-  status = SSL_CTX_use_certificate(context, x509.get());
+  X509* ca = sk_X509_shift(certs.get());
+  status = SSL_CTX_use_certificate(context, ca);
   if (ERR_peek_error() != 0) {
     // Key/certificate mismatch doesn't imply status is 0.
     status = 0;
   }
+  X509_free(ca);
   if (status == 0) {
     return status;
   }
 
   SSL_CTX_clear_chain_certs(context);
 
-  X509* ca;
   while ((ca = sk_X509_shift(certs.get())) != NULL) {
     status = SSL_CTX_add0_chain_cert(context, ca);
     // SSL_CTX_add0_chain_cert does not inc ref count, so don't free unless the
@@ -620,12 +593,14 @@ static int UseChainBytesPEM(SSL_CTX* context, BIO* bio) {
   return SecureSocketUtils::NoPEMStartLine() ? status : 0;
 }
 
-static int UseChainBytes(SSL_CTX* context, BIO* bio, const char* password) {
-  int status = UseChainBytesPEM(context, bio);
+static int UseChainBytes(SSL_CTX* context,
+                         ScopedMemBIO* bio,
+                         const char* password) {
+  int status = UseChainBytesPEM(context, bio->bio());
   if (status == 0) {
     if (SecureSocketUtils::NoPEMStartLine()) {
       ERR_clear_error();
-      BIO_reset(bio);
+      BIO_reset(bio->bio());
       status = UseChainBytesPKCS12(context, bio, password);
     }
   } else {
@@ -638,7 +613,7 @@ static int UseChainBytes(SSL_CTX* context, BIO* bio, const char* password) {
 int SSLCertContext::UseCertificateChainBytes(Dart_Handle cert_chain_bytes,
                                              const char* password) {
   ScopedMemBIO bio(cert_chain_bytes);
-  return UseChainBytes(context(), bio.bio(), password);
+  return UseChainBytes(context(), &bio, password);
 }
 
 static X509* GetX509Certificate(Dart_NativeArguments args) {