boringssl/include/openssl
Adam Langley ba5934b77f Tighten up EMS resumption behaviour.
The client and server both have to decide on behaviour when resuming a
session where the EMS state of the session doesn't match the EMS state
as exchanged in the handshake.

                        Original handshake
      |  No                                         Yes
------+--------------------------------------------------------------
      |
R     |  Server: ok [1]                     Server: abort [3]
e  No |  Client: ok [2]                     Client: abort [4]
s     |
u     |
m     |
e     |
  Yes |  Server: don't resume                   No problem
      |  Client: abort; server
      |    shouldn't have resumed

[1] Servers want to accept legacy clients. The draft[5] says that
resumptions SHOULD be rejected so that Triple-Handshake can't be done,
but we'll rather enforce that EMS was used when using tls-unique etc.

[2] The draft[5] says that even the initial handshake should be aborted
if the server doesn't support EMS, but we need to be able to talk to the
world.

[3] This is a very weird case where a client has regressed without
flushing the session cache. Hopefully we can be strict and reject these.

[4] This can happen when a server-farm shares a session cache but
frontends are not all updated at once. If Chrome is strict here then
hopefully we can prevent any servers from existing that will try to
resume an EMS session that they don't understand. OpenSSL appears to be
ok here: https://www.ietf.org/mail-archive/web/tls/current/msg16570.html

[5] https://tools.ietf.org/html/draft-ietf-tls-session-hash-05#section-5.2

BUG=492200

Change-Id: Ie1225a3960d49117b05eefa5a36263d8e556e467
Reviewed-on: https://boringssl-review.googlesource.com/4981
Reviewed-by: Adam Langley <agl@google.com>
2015-06-03 22:05:50 +00:00
..
aead.h AEAD: allow _cleanup after failed _init. 2015-05-11 23:18:43 +00:00
aes.h Compatibility changes for wpa_supplicant and OpenSSH. 2015-04-14 20:18:28 +00:00
asn1_mac.h Prune away (almost) all of asn1_mac.h 2015-04-08 20:42:57 +00:00
asn1.h Support Trusty, an embedded platform. 2015-05-08 18:34:55 +00:00
asn1t.h Remove last references to named locks. 2015-05-20 19:18:30 +00:00
base64.h Various documentation fixes. 2015-01-14 21:50:50 +00:00
base.h Support Trusty, an embedded platform. 2015-05-08 18:34:55 +00:00
bio.h Add |BIO_read_asn1| to read a single ASN.1 object. 2015-05-27 15:21:56 -07:00
blowfish.h Add decrepit, initially containing CAST and Blowfish. 2015-04-06 16:58:45 -07:00
bn.h Fix off-by-one in BN_rand 2015-05-27 22:03:05 +00:00
buf.h Reset all the error codes. 2015-02-11 23:12:08 +00:00
buffer.h Add buffer.h for compatibility. 2015-05-12 00:09:57 +00:00
bytestring.h Don't accept tag number 31 (long form identifier octets) in CBB_add_asn1. 2015-02-03 11:03:59 -08:00
cast.h Add decrepit, initially containing CAST and Blowfish. 2015-04-06 16:58:45 -07:00
chacha.h
cipher.h Fix some malloc test crashs. 2015-05-21 18:00:10 +00:00
cmac.h Add support for CMAC (RFC 4493). 2015-05-07 21:13:41 +00:00
conf.h Eliminate unnecessary includes from low-level crypto modules. 2015-04-13 20:49:18 +00:00
cpu.h Never set RC4_CHAR. 2015-02-20 23:59:59 +00:00
crypto.h Fix |SSLeay|. 2015-05-20 17:44:44 +00:00
des.h Implement |DES_ede2_cbc_encrypt|. 2015-05-20 18:36:01 +00:00
dh.h Convert reference counts in crypto/ 2015-05-20 19:15:26 +00:00
digest.h Add |EVP_get_digestbyname|. 2015-06-03 21:34:07 +00:00
dsa.h Convert reference counts in crypto/ 2015-05-20 19:15:26 +00:00
dtls1.h Opaquify DTLS structs. 2015-05-08 18:02:02 +00:00
ec_key.h Compatibility changes for wpa_supplicant and OpenSSH. 2015-04-14 20:18:28 +00:00
ec.h Support arbitrary elliptic curve groups. 2015-05-15 00:59:37 +00:00
ecdh.h Reset all the error codes. 2015-02-11 23:12:08 +00:00
ecdsa.h Remove TODO about removing ECDSA_do_sign/ECDSA_do_verify. 2015-04-07 00:07:19 +00:00
engine.h Convert reference counts in crypto/ 2015-05-20 19:15:26 +00:00
err.h Define compatibility function |ERR_remove_state|. 2015-05-12 19:06:18 +00:00
evp.h EVP_Digest*Update, EVP_DigestFinal, and HMAC_Update can never fail. 2015-06-01 22:17:10 +00:00
ex_data.h Remove hash table lookups from ex_data. 2015-04-15 23:59:35 +00:00
hkdf.h Implement HKDF. 2014-12-18 20:13:06 +00:00
hmac.h Remove HMAC_CTX_set_flags. 2015-06-02 01:07:07 +00:00
lhash_macros.h Remove hash table lookups from ex_data. 2015-04-15 23:59:35 +00:00
lhash.h Remove hash table lookups from ex_data. 2015-04-15 23:59:35 +00:00
md4.h Add digest_test with tests for all existing EVP_MDs. 2014-11-06 01:49:03 +00:00
md5.h Readd MD4. 2014-08-26 21:51:48 +00:00
mem.h Eliminate unnecessary includes from low-level crypto modules. 2015-04-13 20:49:18 +00:00
modes.h
obj_mac.h Remove fake RLE compression OID. 2015-05-27 21:49:39 +00:00
obj.h Reset all the error codes. 2015-02-11 23:12:08 +00:00
objects.h
opensslfeatures.h Remove remaining remnants of RIPEMD-160 support. 2015-03-17 21:03:42 +00:00
opensslv.h Get version-related functions from crypto.h rather than ssl.h. 2015-05-20 22:58:14 +00:00
ossl_typ.h
pem.h Implement |PEM_def_callback| and call it where appropriate. 2015-06-03 17:58:44 +00:00
pkcs7.h
pkcs8.h Eliminate unnecessary includes from low-level crypto modules. 2015-04-13 20:49:18 +00:00
pkcs12.h
poly1305.h Always write the Poly1305 tag to an aligned buffer. 2015-01-14 23:38:25 +00:00
pqueue.h Export pqueue functions. 2014-09-03 21:38:19 +00:00
rand.h Add no-op |RAND_load_file| function for compatibility. 2015-05-12 00:36:11 +00:00
rc4.h Fix up whitespace in headers for doc.go. 2015-04-08 17:32:55 -07:00
rsa.h Convert reference counts in crypto/ 2015-05-20 19:15:26 +00:00
safestack.h Rename safe_stack.h to safestack.h. 2015-02-20 23:33:48 +00:00
sha.h Low-level hash 'final' functions cannot fail. 2015-06-01 22:14:01 +00:00
srtp.h Store SRTP_PROTECTION_PROFILES as const. 2015-01-14 22:10:08 +00:00
ssl2.h Rename ssl_locl.h to internal.h 2015-04-10 22:14:09 +00:00
ssl3.h Remove renegotiation deferral logic. 2015-05-21 20:50:43 +00:00
ssl23.h Reformat SSL/TLS headers. 2015-01-26 20:23:09 +00:00
ssl.h Tighten up EMS resumption behaviour. 2015-06-03 22:05:50 +00:00
stack_macros.h Add sk_deep_copy and its macro. 2015-02-13 10:59:10 -08:00
stack.h Fix a couple of issues with building with strict C99. 2015-03-18 21:17:40 +00:00
thread.h Readd CRYPTO_{LOCK|UNLOCK|READ|WRITE}. 2015-05-27 15:48:29 -07:00
time_support.h Eliminate unnecessary includes from low-level crypto modules. 2015-04-13 20:49:18 +00:00
tls1.h Opaquify DTLS structs. 2015-05-08 18:02:02 +00:00
type_check.h Try to fix MSVC and __STDC_VERSION__ again. 2015-05-20 13:42:12 -07:00
x509_vfy.h Remove remaining calls to the old lock functions. 2015-05-20 19:18:13 +00:00
x509.h Convert reference counts in crypto/ 2015-05-20 19:15:26 +00:00
x509v3.h Remove spurious declarations of |X509V3_EXT_conf| and friends. 2015-05-05 00:22:59 +00:00