Google Git
Sign in
boringssl / boringssl.git / 8acec00e9eaf4d69297a67c0c10729470b4bd764^! / . / ssl / tls13_client.cc
commit8acec00e9eaf4d69297a67c0c10729470b4bd764[log] [tgz]
authorDavid Benjamin <davidben@google.com>Wed May 19 13:03:34 2021 -0400
committerAdam Langley <agl@google.com>Thu Jun 03 20:49:36 2021 +0000
tree6fb240145e223931e36b550969158535eefeda7c
parentbc4c91ab4655d10b55427ad7d4f1ae21fe2df06b [diff] [blame]
Manage Channel ID handshake state better.

The channel_id_valid bit is both used for whether channel_id is filled
in (SSL_get_tls_channel_id), and whether this particular handshake will
eventually negotiate Channel ID.

The former means that, if SSL_get_tls_channel_id is called on the
client, we'll return all zeros. Apparently we never fill in channel_id
on the client at all. The latter means the state needs to be reset on
renegotiation because we do not currently forbid renegotiation with
Channel ID (we probably should...), which is the last use of the init
callback for extensions.

Instead, split this into a bit for the handshake and a bit for the
connection. Note this means we actually do not expose or even retain
whether Channel ID was used on the client.

This requires a tweak to the handoff logic, but it should be compatible.
The serialized ssl->s3->channel_id was always a no-op: the handback
happens before the ChannelID message, except in RSA key exchange. But we
forbid Channel ID in RSA key exchange anyway.

Update-Note: SSL_get_tls_channel_id will no longer return all zeros
during the handshake or on the client. I did not find any callers
relying on this.

Change-Id: Icd4b78dd3f311d1c7dfc1cae7d2b86dc7e327a99
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/47906
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 8ba6b4d..bac37ff 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc

@@ -503,7 +503,7 @@
     }
     // Channel ID is incompatible with 0-RTT. The ALPS extension should be
     // negotiated implicitly.
-    if (ssl->s3->channel_id_valid ||
+    if (hs->channel_id_negotiated ||
         hs->new_session->has_application_settings) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
@@ -820,7 +820,7 @@
   hs->can_release_private_key = true;
 
   // Send a Channel ID assertion if necessary.
-  if (ssl->s3->channel_id_valid) {
+  if (hs->channel_id_negotiated) {
     if (!ssl_do_channel_id_callback(hs)) {
       hs->tls13_state = state_complete_second_flight;
       return ssl_hs_error;