authordavidben <davidben@chromium.org>2015-01-06 13:08:43 -0800
committerCommit bot <commit-bot@chromium.org>2015-01-06 21:09:22 +0000
commitc8dc58c297262677b250d632c974358130bd1e9a (patch)
tree74b8550da9395a2f3a0357f174e74ef8bf5e0004
parent9b891315f7af505fd9d0a4078589adf00925b518 (diff)
Roll BoringSSL 306e520:aac2f6a
This is https://codereview.chromium.org/835193005 rolled a little further and with some additional changes: It fixes the FallbackSCSV tests to no longer be a no-op. It also accounts for BoringSSL's handling of a handshake_failure in response to a ClientHello to match NSS's behavior and our test expectations. See https://crbug.com/446505 for details. Summary of changes available at: https://boringssl.googlesource.com/boringssl/+log/306e520..aac2f6a BUG=446505 Review URL: https://codereview.chromium.org/834313002 Cr-Commit-Position: refs/heads/master@{#310144}
-rw-r--r--DEPS2
-rw-r--r--net/ssl/openssl_ssl_util.cc21
-rw-r--r--net/url_request/url_request_unittest.cc8
-rw-r--r--third_party/boringssl/boringssl.gypi7
-rw-r--r--third_party/boringssl/boringssl_tests.gypi14
-rw-r--r--third_party/boringssl/boringssl_unittest.cc4
6 files changed, 39 insertions, 17 deletions
diff --git a/DEPS b/DEPS
index 07150f4..75691b4 100644
--- a/DEPS
+++ b/DEPS
@@ -76,7 +76,7 @@ vars = {
# Three lines of non-changing comments so that
# the commit queue can handle CLs rolling BoringSSL
# and whatever else without interference from each other.
- 'boringssl_revision': '306e520cda7d2f0afee9ba634dae629f994b096c',
+ 'boringssl_revision': 'aac2f6a6a00921499ed85787aace287724fbc07e',
# Three lines of non-changing comments so that
# the commit queue can handle CLs rolling nss
# and whatever else without interference from each other.
diff --git a/net/ssl/openssl_ssl_util.cc b/net/ssl/openssl_ssl_util.cc
index 9fb83a4..eabf35d 100644
--- a/net/ssl/openssl_ssl_util.cc
+++ b/net/ssl/openssl_ssl_util.cc
@@ -118,13 +118,8 @@ int MapOpenSSLErrorSSL(uint32_t error_code) {
case SSL_R_INVALID_TICKET_KEYS_LENGTH:
// SSL_do_handshake reports this error when the server responds to a
// ClientHello with a fatal close_notify alert.
- case SSL_AD_REASON_OFFSET + SSL_AD_CLOSE_NOTIFY:
+ case SSL_R_SSLV3_ALERT_CLOSE_NOTIFY:
case SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE:
- // TODO(joth): SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the
- // server after receiving ClientHello if there's no common supported cipher.
- // Ideally we'd map that specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- // to match the NSS implementation. See also http://goo.gl/oMtZW
- case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE:
case SSL_R_SSLV3_ALERT_NO_CERTIFICATE:
case SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER:
case SSL_R_TLSV1_ALERT_DECODE_ERROR:
@@ -139,8 +134,20 @@ int MapOpenSSLErrorSSL(uint32_t error_code) {
// The only way that the certificate verify callback can fail is if
// the leaf certificate changed during a renegotiation.
return ERR_SSL_SERVER_CERT_CHANGED;
- case SSL_AD_REASON_OFFSET + SSL3_AD_INAPPROPRIATE_FALLBACK:
+ case SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK:
return ERR_SSL_INAPPROPRIATE_FALLBACK;
+ // SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE may be returned from the server after
+ // receiving ClientHello if there's no common supported cipher. Map that
+ // specific case to ERR_SSL_VERSION_OR_CIPHER_MISMATCH to match the NSS
+ // implementation. See https://goo.gl/oMtZW and https://crbug.com/446505.
+ case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE: {
+ uint32_t previous = ERR_peek_error();
+ if (previous != 0 && ERR_GET_LIB(previous) == ERR_LIB_SSL &&
+ ERR_GET_REASON(previous) == SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO) {
+ return ERR_SSL_VERSION_OR_CIPHER_MISMATCH;
+ }
+ return ERR_SSL_PROTOCOL_ERROR;
+ }
default:
LOG(WARNING) << "Unmapped error reason: " << ERR_GET_REASON(error_code);
return ERR_SSL_PROTOCOL_ERROR;
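Review bot: The new `SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE` case makes the result of MapOpenSSLErrorSSL depend on the thread's error queue as well as on `error_code`, and nothing in the hunk states that contract. `ERR_peek_error()` reads whatever entry is at the head of the queue, so the check only works if the caller has already removed `error_code` from the queue and has not cleared the rest, and a stale entry would be consulted instead. The name `previous` also does not say whether that entry was queued before or after the alert. Because the two return values may be handled differently by the version-fallback logic that the tests in this commit exercise, I would add above the peek `// Requires that the caller popped |error_code| with ERR_get_error() and left the rest of the queue intact; the peeked entry is the next one still queued.` and rename the local to match. The function starts before the hunk and its callers are not visible here, so the calling convention is inferred.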
diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 58597fe..c3bc166 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -7686,10 +7686,10 @@ TEST_F(HTTPSFallbackTest, TLSv1FallbackReset) {
TEST_F(HTTPSFallbackTest, FallbackSCSV) {
SpawnedTestServer::SSLOptions ssl_options(
SpawnedTestServer::SSLOptions::CERT_OK);
- // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger
+ // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger
// a version fallback.
ssl_options.tls_intolerant =
- SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1;
// Have the server process TLS_FALLBACK_SCSV so that version fallback
// connections are rejected.
ssl_options.fallback_scsv_enabled = true;
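Review bot: The comment on `tls_intolerant` in FallbackSCSV (and the identical one in FallbackSCSVClosed in the next hunk) does not record why the threshold has to be `TLS_INTOLERANT_TLS1_1` rather than `TLS_INTOLERANT_ALL`. The commit description says these tests were a no-op before; presumably a server that rejects every version fails the connection whether or not it processes TLS_FALLBACK_SCSV, so the test could not detect a broken downgrade check. I would extend the comment with something like `// The server must still accept the fallback version, otherwise the failure does not depend on TLS_FALLBACK_SCSV being processed.` so the value is not widened again later. Both test bodies continue outside their hunks, so the assertions were not reviewed.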
@@ -7708,10 +7708,10 @@ TEST_F(HTTPSFallbackTest, FallbackSCSV) {
TEST_F(HTTPSFallbackTest, FallbackSCSVClosed) {
SpawnedTestServer::SSLOptions ssl_options(
SpawnedTestServer::SSLOptions::CERT_OK);
- // Configure HTTPS server to be intolerant of TLS >= 1.0 in order to trigger
+ // Configure HTTPS server to be intolerant of TLS >= 1.1 in order to trigger
// a version fallback.
ssl_options.tls_intolerant =
- SpawnedTestServer::SSLOptions::TLS_INTOLERANT_ALL;
+ SpawnedTestServer::SSLOptions::TLS_INTOLERANT_TLS1_1;
ssl_options.tls_intolerance_type =
SpawnedTestServer::SSLOptions::TLS_INTOLERANCE_CLOSE;
// Have the server process TLS_FALLBACK_SCSV so that version fallback
diff --git a/third_party/boringssl/boringssl.gypi b/third_party/boringssl/boringssl.gypi
index af009d7..5fd17d6 100644
--- a/third_party/boringssl/boringssl.gypi
+++ b/third_party/boringssl/boringssl.gypi
@@ -151,6 +151,8 @@
'src/crypto/evp/sign.c',
'src/crypto/ex_data.c',
'src/crypto/ex_data_impl.c',
+ 'src/crypto/hkdf/hkdf.c',
+ 'src/crypto/hkdf/hkdf_error.c',
'src/crypto/hmac/hmac.c',
'src/crypto/lhash/lhash.c',
'src/crypto/md4/md4.c',
@@ -287,11 +289,6 @@
'src/ssl/d1_srtp.c',
'src/ssl/d1_srvr.c',
'src/ssl/pqueue/pqueue.c',
- 'src/ssl/s23_clnt.c',
- 'src/ssl/s23_lib.c',
- 'src/ssl/s23_meth.c',
- 'src/ssl/s23_pkt.c',
- 'src/ssl/s23_srvr.c',
'src/ssl/s3_both.c',
'src/ssl/s3_cbc.c',
'src/ssl/s3_clnt.c',
diff --git a/third_party/boringssl/boringssl_tests.gypi b/third_party/boringssl/boringssl_tests.gypi
index cf2aff4..100fb1b 100644
--- a/third_party/boringssl/boringssl_tests.gypi
+++ b/third_party/boringssl/boringssl_tests.gypi
@@ -202,6 +202,19 @@
'msvs_disabled_warnings': [ 4267, ],
},
{
+ 'target_name': 'boringssl_hkdf_test',
+ 'type': 'executable',
+ 'dependencies': [
+ 'boringssl.gyp:boringssl',
+ ],
+ 'sources': [
+ 'src/crypto/hkdf/hkdf_test.c',
+ ],
+ # TODO(davidben): Fix size_t truncations in BoringSSL.
+ # https://crbug.com/429039
+ 'msvs_disabled_warnings': [ 4267, ],
+ },
+ {
'target_name': 'boringssl_hmac_test',
'type': 'executable',
'dependencies': [
@@ -324,6 +337,7 @@
'boringssl_evp_test',
'boringssl_example_mul',
'boringssl_gcm_test',
+ 'boringssl_hkdf_test',
'boringssl_hmac_test',
'boringssl_lhash_test',
'boringssl_pkcs12_test',
diff --git a/third_party/boringssl/boringssl_unittest.cc b/third_party/boringssl/boringssl_unittest.cc
index 6d54ad2..f7e475d 100644
--- a/third_party/boringssl/boringssl_unittest.cc
+++ b/third_party/boringssl/boringssl_unittest.cc
@@ -234,3 +234,7 @@ TEST(BoringSSL, SSL) {
TEST(BoringSSL, PQueue) {
TestSimple("pqueue_test");
}
+
+TEST(BoringSSL, HKDF) {
+ TestSimple("hkdf_test");
+}