Google Git
Sign in
boringssl / boringssl / ac8302a092e8e232dbabf5a01eff5dd37671b5c8^! / . / ssl
commitac8302a092e8e232dbabf5a01eff5dd37671b5c8[log] [tgz]
authorDavid Benjamin <davidben@chromium.org>Tue Sep 01 17:18:15 2015 -0400
committerAdam Langley <agl@google.com>Tue Sep 01 22:30:48 2015 +0000
tree7ca0354005cb2f7594c4d2426885430e7c2399dd
parent4f75aaf66100f7ffa4f1fa8440e4a502fa8ce94c [diff]
Don't set need_record_splitting until aead_write_ctx is set.

setup_key_block is called when the first CCS resolves, but for resumptions this
is the incoming CCS (see ssl3_do_change_cipher_spec). Rather than set
need_record_splitting there, it should be set in the write case of
tls1_change_cipher_state.

This fixes a crash from the new record layer code in resumption when
record-splitting is enabled. Tweak the record-splitting tests to cover this
case.

This also fixes a bug where renego from a cipher which does require record
splitting to one which doesn't continues splitting. Since version switches are
not allowed, this can only happen after a renego from CBC to RC4.

Change-Id: Ie4e1b91282b10f13887b51d1199f76be4fbf09ad
Reviewed-on: https://boringssl-review.googlesource.com/5787
Reviewed-by: Adam Langley <agl@google.com>

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index aa6095d..b14f32a 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c

@@ -349,14 +349,26 @@
         s->s3->tmp.new_cipher, key, key_len, mac_secret, mac_secret_len, iv,
         iv_len);
     return s->aead_read_ctx != NULL;
-  } else {
-    SSL_AEAD_CTX_free(s->aead_write_ctx);
-    s->aead_write_ctx = SSL_AEAD_CTX_new(
-        evp_aead_seal, ssl3_version_from_wire(s, s->version),
-        s->s3->tmp.new_cipher, key, key_len, mac_secret, mac_secret_len, iv,
-        iv_len);
-    return s->aead_write_ctx != NULL;
   }
+
+  SSL_AEAD_CTX_free(s->aead_write_ctx);
+  s->aead_write_ctx = SSL_AEAD_CTX_new(
+      evp_aead_seal, ssl3_version_from_wire(s, s->version),
+      s->s3->tmp.new_cipher, key, key_len, mac_secret, mac_secret_len, iv,
+      iv_len);
+  if (s->aead_write_ctx == NULL) {
+    return 0;
+  }
+
+  s->s3->need_record_splitting = 0;
+  if (!SSL_USE_EXPLICIT_IV(s) &&
+      (s->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 &&
+      s->s3->tmp.new_cipher->algorithm_enc != SSL_RC4) {
+    /* Enable 1/n-1 record-splitting to randomize the IV. See
+     * https://www.openssl.org/~bodo/tls-cbc.txt and the BEAST attack. */
+    s->s3->need_record_splitting = 1;
+  }
+  return 1;
 }
 
 int tls1_setup_key_block(SSL *s) {
@@ -426,18 +438,6 @@
     goto err;
   }
 
-  if (!SSL_USE_EXPLICIT_IV(s) &&
-      (s->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0) {
-    /* enable vulnerability countermeasure for CBC ciphers with known-IV
-     * problem (http://www.openssl.org/~bodo/tls-cbc.txt). */
-    s->s3->need_record_splitting = 1;
-
-    if (s->session->cipher != NULL &&
-        s->session->cipher->algorithm_enc == SSL_RC4) {
-      s->s3->need_record_splitting = 0;
-    }
-  }
-
   ret = 1;
 
 err:

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 51ba563..6284ef6 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go

@@ -2161,7 +2161,8 @@
 			MinVersion:   VersionTLS10,
 			CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
 		},
-		messageLen: -1, // read until EOF
+		messageLen:    -1, // read until EOF
+		resumeSession: true,
 		flags: []string{
 			"-async",
 			"-write-different-record-sizes",