kris
/
boringssl
1
0
Fork 0
Código Incidencias 0 Pull Requests 0 Lanzamientos 0 Wiki Actividad
Explorar el Código

Use SSL_MODE_SEND_FALLBACK_SCSV. 

Upstream settled in this API, and it's also the one that we expect
internally and that third_party code will expect.

Change-Id: Id7af68cf0af1f2e4d9defd37bda2218d70e2aa7b
Reviewed-on: https://boringssl-review.googlesource.com/3542
Reviewed-by: Adam Langley <agl@google.com>
kris/onging/CECPQ3_patch15
Adam Langley hace 9 años
padre
93531bd70f
commit
5f0efe06e1
Se han modificado 4 ficheros con 14 adiciones y 19 borrados
Dividir vista
Opciones de diferencias
Mostrar estadísticas Descargar archivo de parche Descargar archivo de diferencias
  1. +10
    -9
      include/openssl/ssl.h
  2. +0
    -5
      ssl/s3_lib.c
  3. +1
    -1
      ssl/ssl_lib.c
  4. +3
    -4
      ssl/test/bssl_shim.cc

+ 10
- 9
include/openssl/ssl.h Ver fichero

@@ -494,6 +494,16 @@ typedef struct timeval OPENSSL_timeval;
* session resumption is used for a given SSL*. */
#define SSL_MODE_NO_SESSION_CREATION 0x00000200L

/* SSL_MODE_SEND_SERVERHELLO_TIME sends TLS_FALLBACK_SCSV in the ClientHello.
* To be set only by applications that reconnect with a downgraded protocol
* version; see https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-05
* for details.
*
* DO NOT ENABLE THIS if your application attempts a normal handshake. Only use
* this in explicit fallback retries, following the guidance in
* draft-ietf-tls-downgrade-scsv-05. */
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000400L

/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they
* cannot be used to clear bits. */

@@ -1328,10 +1338,6 @@ struct ssl_st {
* 2 if we are a server and are inside a handshake
* (i.e. not just sending a HelloRequest) */

/* fallback_scsv is non-zero iff we are sending the TLS_FALLBACK_SCSV cipher
* suite value. Only applies to a client. */
char fallback_scsv;

/* fastradio_padding, if true, causes ClientHellos to be padded to 1024
* bytes. This ensures that the cellular radio is fast forwarded to DCH (high
* data rate) state in 3G networks. */
@@ -1618,8 +1624,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_CTRL_GET_CHANNEL_ID 118
#define SSL_CTRL_SET_CHANNEL_ID 119

#define SSL_CTRL_FALLBACK_SCSV 120

/* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
* timeout in progress, it sets |*((OPENSSL_timeval*)arg)| to the time remaining
* and returns one. Otherwise, it returns zero.
@@ -1796,9 +1800,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
#define SSL_get0_ec_point_formats(s, plst) \
SSL_ctrl(s, SSL_CTRL_GET_EC_POINT_FORMATS, 0, (char *)plst)

#define SSL_enable_fallback_scsv(s) \
SSL_ctrl(s, SSL_CTRL_FALLBACK_SCSV, 0, NULL)

OPENSSL_EXPORT int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
OPENSSL_EXPORT int SSL_CTX_set_cipher_list_tls11(SSL_CTX *, const char *str);
OPENSSL_EXPORT SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);


+ 0
- 5
ssl/s3_lib.c Ver fichero

@@ -967,11 +967,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
return 64;

case SSL_CTRL_FALLBACK_SCSV:
s->fallback_scsv = 1;
ret = 1;
break;

default:
break;
}


+ 1
- 1
ssl/ssl_lib.c Ver fichero

@@ -1411,7 +1411,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, uint8_t *p) {
s2n(SSL3_CK_SCSV & 0xffff, p);
}

if (s->fallback_scsv) {
if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
s2n(SSL3_CK_FALLBACK_SCSV & 0xffff, p);
}



+ 3
- 4
ssl/test/bssl_shim.cc Ver fichero

@@ -406,10 +406,9 @@ static bool DoExchange(ScopedSSL_SESSION *out_session, SSL_CTX *ssl_ctx,
return false;
}

if (config->fallback_scsv) {
if (!SSL_enable_fallback_scsv(ssl.get())) {
return false;
}
if (config->fallback_scsv &&
!SSL_set_mode(ssl.get(), SSL_MODE_SEND_FALLBACK_SCSV)) {
return false;
}
if (config->async) {
// TODO(davidben): Also test |s->ctx->client_cert_cb| on the client and


Escribir Vista previa
Cargando…
Cancelar
Guardar