kris
/
boringssl
1
0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Toiminta
Selaa lähdekoodia

Move TB state to ssl->s3. 

These are connection state, so they should be reset on SSL_clear.

Change-Id: I861fe52578836615d2719c9e1ff0911c798f336e
Reviewed-on: https://boringssl-review.googlesource.com/27384
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
kris/onging/CECPQ3_patch15
David Benjamin 6 vuotta sitten
committed by CQ bot account: commit-bot@chromium.org
vanhempi
b8b1a9d8de
commit
9f0e7cb314
8 muutettua tiedostoa jossa 25 lisäystä ja 24 poistoa
Jaettu näkymä
Diff Options
Show Stats Download Patch File Download Diff File
  1. +4
    -4
      ssl/handoff.cc
  2. +1
    -1
      ssl/handshake_client.cc
  3. +7
    -7
      ssl/internal.h
  4. +2
    -1
      ssl/s3_lib.cc
  5. +2
    -2
      ssl/ssl_lib.cc
  6. +7
    -7
      ssl/t1_lib.cc
  7. +1
    -1
      ssl/tls13_client.cc
  8. +1
    -1
      ssl/tls13_server.cc

+ 4
- 4
ssl/handoff.cc Näytä tiedosto

@@ -155,8 +155,8 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
hostname_len) ||
!CBB_add_asn1_octet_string(&seq, s3->tlsext_channel_id,
sizeof(s3->tlsext_channel_id)) ||
!CBB_add_asn1_bool(&seq, ssl->token_binding_negotiated) ||
!CBB_add_asn1_uint64(&seq, ssl->negotiated_token_binding_param) ||
!CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||
!CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||
!CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
!CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
!CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
@@ -274,8 +274,8 @@ bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
s3->hostname.reset(hostname_str);
}

ssl->token_binding_negotiated = token_binding_negotiated;
ssl->negotiated_token_binding_param =
s3->token_binding_negotiated = token_binding_negotiated;
s3->negotiated_token_binding_param =
static_cast<uint8_t>(negotiated_token_binding_param);
s3->hs->next_proto_neg_seen = next_proto_neg_seen;
s3->hs->wait = ssl_hs_flush;


+ 1
- 1
ssl/handshake_client.cc Näytä tiedosto

@@ -740,7 +740,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}

if (ssl->token_binding_negotiated &&
if (ssl->s3->token_binding_negotiated &&
(!hs->extended_master_secret || !ssl->s3->send_connection_binding)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);
ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);


+ 7
- 7
ssl/internal.h Näytä tiedosto

@@ -2308,6 +2308,10 @@ struct SSL3_STATE {
// key_update_count is the number of consecutive KeyUpdates received.
uint8_t key_update_count = 0;

// The negotiated Token Binding key parameter. Only valid if
// |token_binding_negotiated| is set.
uint8_t negotiated_token_binding_param = 0;

// skip_early_data instructs the record layer to skip unexpected early data
// messages when 0RTT is rejected.
bool skip_early_data:1;
@@ -2357,6 +2361,9 @@ struct SSL3_STATE {
// fired, were it not a draft.
bool draft_downgrade:1;

// token_binding_negotiated is set if Token Binding was negotiated.
bool token_binding_negotiated:1;

// hs_buf is the buffer of handshake data to process.
UniquePtr<BUF_MEM> hs_buf;

@@ -2680,10 +2687,6 @@ struct SSLConnection {
uint8_t *token_binding_params;
size_t token_binding_params_len;

// The negotiated Token Binding key parameter. Only valid if
// |token_binding_negotiated| is set.
uint8_t negotiated_token_binding_param;

// Contains the QUIC transport params that this endpoint will send.
uint8_t *quic_transport_params;
size_t quic_transport_params_len;
@@ -2715,9 +2718,6 @@ struct SSLConnection {
// we'll advertise support.
bool tlsext_channel_id_enabled:1;

// token_binding_negotiated is set if Token Binding was negotiated.
bool token_binding_negotiated:1;

// retain_only_sha256_of_client_certs is true if we should compute the SHA256
// hash of the peer's certificate and then discard it to save memory and
// session space. Only effective on the server side.


+ 2
- 1
ssl/s3_lib.cc Näytä tiedosto

@@ -177,7 +177,8 @@ SSL3_STATE::SSL3_STATE()
key_update_pending(false),
wpend_pending(false),
early_data_accepted(false),
draft_downgrade(false) {}
draft_downgrade(false),
token_binding_negotiated(false) {}

SSL3_STATE::~SSL3_STATE() {}



+ 2
- 2
ssl/ssl_lib.cc Näytä tiedosto

@@ -2164,11 +2164,11 @@ int SSL_set_token_binding_params(SSL *ssl, const uint8_t *params, size_t len) {
}

int SSL_is_token_binding_negotiated(const SSL *ssl) {
return ssl->token_binding_negotiated;
return ssl->s3->token_binding_negotiated;
}

uint8_t SSL_get_negotiated_token_binding_param(const SSL *ssl) {
return ssl->negotiated_token_binding_param;
return ssl->s3->negotiated_token_binding_param;
}

size_t SSL_get0_certificate_types(SSL *ssl, const uint8_t **out_types) {


+ 7
- 7
ssl/t1_lib.cc Näytä tiedosto

@@ -2528,8 +2528,8 @@ static bool ext_token_binding_parse_serverhello(SSL_HANDSHAKE *hs,

for (size_t i = 0; i < ssl->token_binding_params_len; ++i) {
if (param == ssl->token_binding_params[i]) {
ssl->negotiated_token_binding_param = param;
ssl->token_binding_negotiated = true;
ssl->s3->negotiated_token_binding_param = param;
ssl->s3->token_binding_negotiated = true;
return true;
}
}
@@ -2547,7 +2547,7 @@ static bool select_tb_param(SSL *ssl, Span<const uint8_t> peer_params) {
uint8_t tb_param = ssl->token_binding_params[i];
for (uint8_t peer_param : peer_params) {
if (tb_param == peer_param) {
ssl->negotiated_token_binding_param = tb_param;
ssl->s3->negotiated_token_binding_param = tb_param;
return true;
}
}
@@ -2587,14 +2587,14 @@ static bool ext_token_binding_parse_clienthello(SSL_HANDSHAKE *hs,
return true;
}

ssl->token_binding_negotiated = true;
ssl->s3->token_binding_negotiated = true;
return true;
}

static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;

if (!ssl->token_binding_negotiated) {
if (!ssl->s3->token_binding_negotiated) {
return true;
}

@@ -2603,7 +2603,7 @@ static bool ext_token_binding_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
!CBB_add_u16_length_prefixed(out, &contents) ||
!CBB_add_u16(&contents, hs->negotiated_token_binding_version) ||
!CBB_add_u8_length_prefixed(&contents, &params) ||
!CBB_add_u8(&params, ssl->negotiated_token_binding_param) ||
!CBB_add_u8(&params, ssl->s3->negotiated_token_binding_param) ||
!CBB_flush(out)) {
return false;
}
@@ -3220,7 +3220,7 @@ static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
static int ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;

if (ssl->token_binding_negotiated &&
if (ssl->s3->token_binding_negotiated &&
!(SSL_get_secure_renegotiation_support(ssl) &&
SSL_get_extms_support(ssl))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_TB_WITHOUT_EMS_OR_RI);


+ 1
- 1
ssl/tls13_client.cc Näytä tiedosto

@@ -436,7 +436,7 @@ static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
return ssl_hs_error;
}
if (ssl->s3->tlsext_channel_id_valid || hs->received_custom_extension ||
ssl->token_binding_negotiated) {
ssl->s3->token_binding_negotiated) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
return ssl_hs_error;
}


+ 1
- 1
ssl/tls13_server.cc Näytä tiedosto

@@ -391,7 +391,7 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
// Channel ID is incompatible with 0-RTT.
!ssl->s3->tlsext_channel_id_valid &&
// If Token Binding is negotiated, reject 0-RTT.
!ssl->token_binding_negotiated &&
!ssl->s3->token_binding_negotiated &&
// Custom extensions is incompatible with 0-RTT.
hs->custom_extensions.received == 0 &&
// The negotiated ALPN must match the one in the ticket.


Kirjoita Esikatselu
Ladataan…
Peruuta
Tallenna