diff options
author | David Benjamin <davidben@google.com> | 2021-05-19 13:03:34 -0400 |
---|---|---|
committer | Adam Langley <agl@google.com> | 2021-06-03 20:49:36 +0000 |
commit | 8acec00e9eaf4d69297a67c0c10729470b4bd764 (patch) | |
tree | 6fb240145e223931e36b550969158535eefeda7c /ssl/handshake_server.cc | |
parent | bc4c91ab4655d10b55427ad7d4f1ae21fe2df06b (diff) | |
download | boringssl-8acec00e9eaf4d69297a67c0c10729470b4bd764.zip boringssl-8acec00e9eaf4d69297a67c0c10729470b4bd764.tar.gz boringssl-8acec00e9eaf4d69297a67c0c10729470b4bd764.tar.bz2 |
Manage Channel ID handshake state better.
The channel_id_valid bit is both used for whether channel_id is filled
in (SSL_get_tls_channel_id), and whether this particular handshake will
eventually negotiate Channel ID.
The former means that, if SSL_get_tls_channel_id is called on the
client, we'll return all zeros. Apparently we never fill in channel_id
on the client at all. The latter means the state needs to be reset on
renegotiation because we do not currently forbid renegotiation with
Channel ID (we probably should...), which is the last use of the init
callback for extensions.
Instead, split this into a bit for the handshake and a bit for the
connection. Note this means we actually do not expose or even retain
whether Channel ID was used on the client.
This requires a tweak to the handoff logic, but it should be compatible.
The serialized ssl->s3->channel_id was always a no-op: the handback
happens before the ChannelID message, except in RSA key exchange. But we
forbid Channel ID in RSA key exchange anyway.
Update-Note: SSL_get_tls_channel_id will no longer return all zeros
during the handshake or on the client. I did not find any callers
relying on this.
Change-Id: Icd4b78dd3f311d1c7dfc1cae7d2b86dc7e327a99
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47906
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'ssl/handshake_server.cc')
-rw-r--r-- | ssl/handshake_server.cc | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc index 24dbeae..2d1cc38 100644 --- a/ssl/handshake_server.cc +++ b/ssl/handshake_server.cc @@ -926,7 +926,7 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER); // Only request a certificate if Channel ID isn't negotiated. if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) && - ssl->s3->channel_id_valid) { + hs->channel_id_negotiated) { hs->cert_request = false; } // CertificateRequest may only be sent in certificate-based ciphers. @@ -980,9 +980,9 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { // We only accept ChannelIDs on connections with ECDHE in order to avoid a // known attack while we fix ChannelID itself. - if (ssl->s3->channel_id_valid && + if (hs->channel_id_negotiated && (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) { - ssl->s3->channel_id_valid = false; + hs->channel_id_negotiated = false; } // If this is a resumption and the original handshake didn't support @@ -990,7 +990,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { // session and so cannot resume with ChannelIDs. if (ssl->session != NULL && ssl->session->original_handshake_hash_len == 0) { - ssl->s3->channel_id_valid = false; + hs->channel_id_negotiated = false; } struct OPENSSL_timeval now; @@ -1681,7 +1681,7 @@ static enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - if (!ssl->s3->channel_id_valid) { + if (!hs->channel_id_negotiated) { hs->state = state12_read_client_finished; return ssl_hs_ok; } |