Output a ClientHello during handoff. This will allow edge servers to pass judgement on the ClientHello before completing the handoff process. This also means that edge servers will now enforce ClientHello well-formedness — previously that check didn't occur until the handshaker tried to parse the handoff submission. Change-Id: I9804ac0224632b4b4381c1a81f434d188e0b9376 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35584 Commit-Queue: Adam Langley <agl@google.com> Reviewed-by: David Benjamin <davidben@google.com>

commit: c9827e073f64e353c4891ecc2c73721882543ee0 [log] [tgz]
author: Adam Langley <alangley@gmail.com> Fri Apr 12 14:46:50 2019 -0700
committer: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Mon Apr 15 22:29:15 2019 +0000
tree: 77f6c5cefc2d42708c64dd3f32d6ec959e161e35
parent: 2e26348e258e244293ce4633eb23a3c1f1c74933 [diff] [blame]
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index cb4e9d1..4622ad0 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc

@@ -515,10 +515,6 @@
     return ssl_hs_error;
   }
 
-  if (hs->config->handoff) {
-    return ssl_hs_handoff;
-  }
-
   SSL_CLIENT_HELLO client_hello;
   if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -526,6 +522,10 @@
     return ssl_hs_error;
   }
 
+  if (hs->config->handoff) {
+    return ssl_hs_handoff;
+  }
+
   // Run the early callback.
   if (ssl->ctx->select_certificate_cb != NULL) {
     switch (ssl->ctx->select_certificate_cb(&client_hello)) {
commit	c9827e073f64e353c4891ecc2c73721882543ee0	[log] [tgz]
author	Adam Langley <alangley@gmail.com>	Fri Apr 12 14:46:50 2019 -0700
committer	CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>	Mon Apr 15 22:29:15 2019 +0000
tree	77f6c5cefc2d42708c64dd3f32d6ec959e161e35
parent	2e26348e258e244293ce4633eb23a3c1f1c74933 [diff] [blame]