kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Support enabling early data on SSL 

This moves the early data switch to CERT to make this
|SSL_set_SSL_CTX|-proof.

Change-Id: Icca96e76636d87578deb24b2d507cabee7e46a4a
Reviewed-on: https://boringssl-review.googlesource.com/14545
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
kris/onging/CECPQ3_patch15
Alessandro Ghedini 7 years ago
committed by CQ bot account: commit-bot@chromium.org
parent
faa539f877
commit
67bb45f44b
8 changed files with 20 additions and 10 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +5
    -4
      include/openssl/ssl.h
  2. +1
    -1
      ssl/custom_extensions.c
  3. +3
    -0
      ssl/internal.h
  4. +2
    -0
      ssl/ssl_cert.c
  5. +5
    -1
      ssl/ssl_lib.c
  6. +1
    -1
      ssl/t1_lib.c
  7. +1
    -1
      ssl/tls13_client.c
  8. +2
    -2
      ssl/tls13_server.c

+ 5
- 4
include/openssl/ssl.h View File

@@ -3095,6 +3095,11 @@ OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
* fully implemented. */
OPENSSL_EXPORT void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled);

/* SSL_set_early_data_enabled sets whether early data is allowed to be used
* with resumptions using |ssl|. See |SSL_CTX_set_early_data_enabled| for more
* information. */
OPENSSL_EXPORT void SSL_set_early_data_enabled(SSL *ssl, int enabled);

/* SSL_early_data_accepted returns whether early data was accepted on the
* handshake performed by |ssl|. */
OPENSSL_EXPORT int SSL_early_data_accepted(const SSL *ssl);
@@ -4254,10 +4259,6 @@ struct ssl_ctx_st {
* shutdown. */
unsigned quiet_shutdown:1;

/* If enable_early_data is non-zero, early data can be sent and accepted over
* new connections. */
unsigned enable_early_data:1;

/* ocsp_stapling_enabled is only used by client connections and indicates
* whether OCSP stapling will be requested. */
unsigned ocsp_stapling_enabled:1;


+ 1
- 1
ssl/custom_extensions.c View File

@@ -69,7 +69,7 @@ static int custom_ext_add_hello(SSL_HANDSHAKE *hs, CBB *extensions) {
return 1;
}

if (ssl->ctx->enable_early_data) {
if (ssl->cert->enable_early_data) {
/* TODO(svaldez): Support Custom Extensions with 0-RTT. For now the caller
* is expected not to configure both together.
* https://crbug.com/boringssl/173. */


+ 3
- 0
ssl/internal.h View File

@@ -1371,6 +1371,9 @@ typedef struct cert_st {
* ticket key. Only sessions with a matching value will be accepted. */
uint8_t sid_ctx_length;
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];

/* If enable_early_data is non-zero, early data can be sent and accepted. */
unsigned enable_early_data:1;
} CERT;

/* SSL_METHOD is a compatibility structure to support the legacy version-locked


+ 2
- 0
ssl/ssl_cert.c View File

@@ -204,6 +204,8 @@ CERT *ssl_cert_dup(CERT *cert) {
ret->sid_ctx_length = cert->sid_ctx_length;
OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx));

ret->enable_early_data = cert->enable_early_data;

return ret;

err:


+ 5
- 1
ssl/ssl_lib.c View File

@@ -832,7 +832,11 @@ int SSL_send_fatal_alert(SSL *ssl, uint8_t alert) {
}

void SSL_CTX_set_early_data_enabled(SSL_CTX *ctx, int enabled) {
ctx->enable_early_data = !!enabled;
ctx->cert->enable_early_data = !!enabled;
}

void SSL_set_early_data_enabled(SSL *ssl, int enabled) {
ssl->cert->enable_early_data = !!enabled;
}

int SSL_early_data_accepted(const SSL *ssl) {


+ 1
- 1
ssl/t1_lib.c View File

@@ -2095,7 +2095,7 @@ static int ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
session_version < TLS1_3_VERSION ||
ssl->session->ticket_max_early_data == 0 ||
hs->received_hello_retry_request ||
!ssl->ctx->enable_early_data) {
!ssl->cert->enable_early_data) {
return 1;
}



+ 1
- 1
ssl/tls13_client.c View File

@@ -704,7 +704,7 @@ int tls13_process_new_session_ticket(SSL *ssl) {
goto err;
}

if (have_early_data_info && ssl->ctx->enable_early_data) {
if (have_early_data_info && ssl->cert->enable_early_data) {
if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
CBS_len(&early_data_info) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);


+ 2
- 2
ssl/tls13_server.c View File

@@ -167,7 +167,7 @@ static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
goto err;
}

if (ssl->ctx->enable_early_data) {
if (ssl->cert->enable_early_data) {
session->ticket_max_early_data = kMaxEarlyDataAccepted;

CBB early_data_info;
@@ -355,7 +355,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
hs->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);

if (/* Early data must be acceptable for this ticket. */
ssl->ctx->enable_early_data &&
ssl->cert->enable_early_data &&
session->ticket_max_early_data != 0 &&
/* The client must have offered early data. */
hs->early_data_offered &&


Write Preview
Loading…
Cancel
Save