Move early_data_accepted to ssl->s3.
This is connection state, not configuration, so it must live on
ssl->s3, otherwise SSL_clear will be confused.
Change-Id: Id7c87ced5248d3953e37946e2d0673d66bfedb08
Reviewed-on: https://boringssl-review.googlesource.com/24264
Commit-Queue: Steven Valdez <svaldez@google.com>
Reviewed-by: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/internal.h b/ssl/internal.h
index 4151d2b..ae0e593 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2297,6 +2297,9 @@
// wpend_pending is true if we have a pending write outstanding.
bool wpend_pending:1;
+ // early_data_accepted is true if early data was accepted by the server.
+ bool early_data_accepted:1;
+
uint8_t send_alert[2] = {0};
// hs_buf is the buffer of handshake data to process.
@@ -2643,9 +2646,6 @@
// hash of the peer's certificate and then discard it to save memory and
// session space. Only effective on the server side.
bool retain_only_sha256_of_client_certs:1;
-
- // early_data_accepted is true if early data was accepted by the server.
- bool early_data_accepted:1;
};
// From draft-ietf-tls-tls13-18, used in determining PSK modes.
diff --git a/ssl/s3_lib.cc b/ssl/s3_lib.cc
index b925cd7..9a17573 100644
--- a/ssl/s3_lib.cc
+++ b/ssl/s3_lib.cc
@@ -175,7 +175,8 @@
send_connection_binding(false),
tlsext_channel_id_valid(false),
key_update_pending(false),
- wpend_pending(false) {}
+ wpend_pending(false),
+ early_data_accepted(false) {}
SSL3_STATE::~SSL3_STATE() {}
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 6da081e..af4ffc4 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -1187,7 +1187,7 @@
}
int SSL_early_data_accepted(const SSL *ssl) {
- return ssl->early_data_accepted;
+ return ssl->s3->early_data_accepted;
}
void SSL_reset_early_data_reject(SSL *ssl) {
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index 34ad410..814cce1 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -2033,7 +2033,7 @@
return false;
}
- ssl->early_data_accepted = true;
+ ssl->s3->early_data_accepted = true;
return true;
}
@@ -2055,7 +2055,7 @@
}
static bool ext_early_data_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
- if (!hs->ssl->early_data_accepted) {
+ if (!hs->ssl->s3->early_data_accepted) {
return true;
}
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index c230afa..8d46d9f 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -464,7 +464,7 @@
hs->new_session->early_alpn_len = ssl->s3->alpn_selected.size();
}
- if (ssl->early_data_accepted) {
+ if (ssl->s3->early_data_accepted) {
if (hs->early_session->cipher != hs->new_session->cipher ||
MakeConstSpan(hs->early_session->early_alpn,
hs->early_session->early_alpn_len) !=
@@ -484,7 +484,7 @@
ssl->method->next_message(ssl);
hs->tls13_state = state_read_certificate_request;
- if (hs->in_early_data && !ssl->early_data_accepted) {
+ if (hs->in_early_data && !ssl->s3->early_data_accepted) {
return ssl_hs_early_data_rejected;
}
return ssl_hs_ok;
@@ -663,7 +663,7 @@
static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (ssl->early_data_accepted) {
+ if (ssl->s3->early_data_accepted) {
hs->can_early_write = false;
if (ssl_is_draft22(ssl->version)) {
ScopedCBB cbb;
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index af9167c..4651459 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -398,7 +398,7 @@
// The negotiated ALPN must match the one in the ticket.
ssl->s3->alpn_selected ==
MakeConstSpan(session->early_alpn, session->early_alpn_len)) {
- ssl->early_data_accepted = true;
+ ssl->s3->early_data_accepted = true;
}
if (hs->new_session == NULL) {
@@ -457,7 +457,7 @@
return ssl_hs_error;
}
- if (ssl->early_data_accepted) {
+ if (ssl->s3->early_data_accepted) {
if (!tls13_derive_early_secrets(hs)) {
return ssl_hs_error;
}
@@ -469,7 +469,7 @@
bool need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
- ssl->early_data_accepted = false;
+ ssl->s3->early_data_accepted = false;
ssl->s3->skip_early_data = true;
ssl->method->next_message(ssl);
if (ssl_is_draft22(ssl->version) &&
@@ -724,7 +724,7 @@
return ssl_hs_error;
}
- if (ssl->early_data_accepted) {
+ if (ssl->s3->early_data_accepted) {
// If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
// the wire sooner and also avoids triggering a write on |SSL_read| when
// processing the client Finished. This requires computing the client
@@ -772,7 +772,7 @@
static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (ssl->early_data_accepted) {
+ if (ssl->s3->early_data_accepted) {
if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->early_traffic_secret,
hs->hash_len)) {
return ssl_hs_error;
@@ -782,7 +782,8 @@
hs->in_early_data = true;
}
hs->tls13_state = state_process_end_of_early_data;
- return ssl->early_data_accepted ? ssl_hs_read_end_of_early_data : ssl_hs_ok;
+ return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
+ : ssl_hs_ok;
}
static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
@@ -790,7 +791,7 @@
if (hs->early_data_offered) {
// If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec
// message will be in the discarded early data.
- if (hs->ssl->early_data_accepted) {
+ if (hs->ssl->s3->early_data_accepted) {
if (ssl_is_draft22(ssl->version)) {
SSLMessage msg;
if (!ssl->method->get_message(ssl, &msg)) {
@@ -813,8 +814,9 @@
hs->hash_len)) {
return ssl_hs_error;
}
- hs->tls13_state = ssl->early_data_accepted ? state_read_client_finished
- : state_read_client_certificate;
+ hs->tls13_state = ssl->s3->early_data_accepted
+ ? state_read_client_finished
+ : state_read_client_certificate;
return ssl_hs_ok;
}
@@ -913,14 +915,14 @@
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
// If early data was accepted, we've already computed the client Finished
// and derived the resumption secret.
- !tls13_process_finished(hs, msg, ssl->early_data_accepted) ||
+ !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||
// evp_aead_seal keys have already been switched.
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
hs->hash_len)) {
return ssl_hs_error;
}
- if (!ssl->early_data_accepted) {
+ if (!ssl->s3->early_data_accepted) {
if (!ssl_hash_message(hs, msg) ||
!tls13_derive_resumption_secret(hs)) {
return ssl_hs_error;