Google Git
Sign in
boringssl / boringssl.git / ee0716f386190d2bfb105a0db7400df4915773a1^! / . / ssl / tls13_client.cc
commitee0716f386190d2bfb105a0db7400df4915773a1[log] [tgz]
authorDavid Benjamin <davidben@google.com>Tue Nov 19 14:16:28 2019 +0800
committerCQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>Wed Nov 27 15:49:42 2019 +0000
treeffccc007b6d0ad10a4092d0c27bb19644d554dc2
parentfd32089f476f682c153376234dfc2be5251dd942 [diff] [blame]
Defer early keys to QUIC clients to after certificate reverification.

On a client using SSL_CTX_set_reverify_on_resume, we currently release
the early data keys before reverification rather than afterwards. This
means the QUIC implementation needs to watch for SSL_do_handshake's
return value before using the keys we've released. It is better to be
robust, so defer releasing the keys in the first place.

To avoid oddities around TCP and QUIC differences, tweak the 0-RTT cert
reverification to not send an alert on error. Sending such an alert
under early data is somewhat questionable given the server may not be
able to read it anyway.

Bug: 303
Change-Id: I42c16f9f046322d0b03cb0b425e11471f2fbe52a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38885
Reviewed-by: Nick Harper <nharper@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index fa3f3a6..8bb3339 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc

@@ -593,7 +593,7 @@
 
 static enum ssl_hs_wait_t do_server_certificate_reverify(
     SSL_HANDSHAKE *hs) {
-  switch (ssl_reverify_peer_cert(hs)) {
+  switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {
     case ssl_verify_ok:
       break;
     case ssl_verify_invalid: