Google Git
Sign in
boringssl / boringssl.git / 1e859054c31ec7b974e998373e85fadea56d93ad^! / . / ssl / handshake_client.cc
commit1e859054c31ec7b974e998373e85fadea56d93ad[log] [tgz]
authorDavid Benjamin <davidben@google.com>Sun Feb 09 16:04:58 2020 -0500
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Tue Mar 03 17:15:15 2020 +0000
tree8bed48d7df199b3565139339c479c99f2586ed21
parentbfe527fa35735e8e045cbfb42b012e13ca68f9cf [diff] [blame]
Revise QUIC encryption secret APIs.

The original API separated when keys were exported to QUIC from when
they were "active". This means the obligations on QUIC are unclear. For
instance we added SSL_quic_read_level and SSL_quic_write_level to
capture when keys were active, yet QUICHE never used them anyway. It
would be better to defer releasing keys to when they are needed.

In particular, we should align our API with the guidelines in
https://github.com/quicwg/base-drafts/issues/3173.

This means we need separate read and write callbacks, which
unfortunately means the invariants around ACKs must now be covered in
prose.

We'll likely remove SSL_quic_read_level and SSL_quic_write_level in a
later CL as QUIC has no need to know this anymore. (It should simply
feed handshake data to BoringSSL as it sees it and, if we reject it,
report a suitably error.) The notion of a "current" encryption level is
a little odd given the interaction between 0-RTT and
ServerHello..Finished ACKs.

Update-Note: This is an incompatible change to SSL_QUIC_METHOD.
BORINGSSL_API_VERSION can be used to distinguish the two revisions.

Bug: 303
Change-Id: I6c9dca1ae156d26a80c366a4ba969dcb04e65349
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/40127
Reviewed-by: Nick Harper <nharper@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index fa692c5..e64e456 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc

@@ -461,11 +461,6 @@
       !tls13_derive_early_secret(hs)) {
     return ssl_hs_error;
   }
-  if (ssl->quic_method == nullptr &&
-      !tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_seal,
-                             ssl->session.get(), hs->early_traffic_secret())) {
-    return ssl_hs_error;
-  }
 
   // Stash the early data session, so connection properties may be queried out
   // of it.
@@ -496,7 +491,9 @@
 
   // Defer releasing the 0-RTT key to after certificate reverification, so the
   // QUIC implementation does not accidentally write data too early.
-  if (!tls13_set_early_secret_for_quic(hs)) {
+  if (!tls13_set_traffic_key(hs->ssl, ssl_encryption_early_data, evp_aead_seal,
+                             hs->early_session.get(),
+                             hs->early_traffic_secret())) {
     return ssl_hs_error;
   }