Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / 6d0d00e090b753250659b9a2d67dab7467257900^! / . / src / ssl / s3_pkt.c
commit6d0d00e090b753250659b9a2d67dab7467257900[log] [tgz]
authorRobert Sloan <varomodt@google.com>Mon Mar 27 07:13:07 2017 -0700
committerRobert Sloan <varomodt@google.com>Mon Mar 27 14:04:02 2017 -0700
treec478b31bb734b02e26a264d7c1b45e49c5593acc
parent8ecb7cdb5c51e9ce89a04ed0f5285ce646b8b7eb [diff] [blame]
external/boringssl: Sync to bbfe603519bc54fbc4c8dd87efe1ed385df550b4.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/2d05568a7b7bc62affbd13ea97a81b5829b99794..bbfe603519bc54fbc4c8dd87efe1ed385df550b4

Test: BoringSSL CTS Presubmits.
Change-Id: I78ec99cd34bebca1f864e4daaaedeec6bc1db3f0

diff --git a/src/ssl/s3_pkt.c b/src/ssl/s3_pkt.c
index 2f919ca..c2d30ca 100644
--- a/src/ssl/s3_pkt.c
+++ b/src/ssl/s3_pkt.c

@@ -189,7 +189,7 @@
 }
 
 int ssl3_write_app_data(SSL *ssl, const uint8_t *buf, int len) {
-  assert(!SSL_in_init(ssl) || SSL_in_false_start(ssl));
+  assert(ssl_can_write(ssl));
 
   unsigned tot, n, nw;
 
@@ -325,10 +325,11 @@
 
 int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
                        int peek) {
-  assert(!SSL_in_init(ssl));
-  assert(ssl->s3->initial_handshake_complete);
+  assert(ssl_can_read(ssl));
   *out_got_handshake = 0;
 
+  ssl->method->release_current_message(ssl, 0 /* don't free buffer */);
+
   SSL3_RECORD *rr = &ssl->s3->rrec;
 
   for (;;) {
@@ -345,6 +346,14 @@
     }
 
     if (has_hs_data || rr->type == SSL3_RT_HANDSHAKE) {
+      /* If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
+       * by an alert. */
+      if (SSL_in_init(ssl)) {
+        OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
+        ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+        return -1;
+      }
+
       /* Post-handshake data prior to TLS 1.3 is always renegotiation, which we
        * never accept as a server. Otherwise |ssl3_get_message| will send
        * |SSL_R_EXCESSIVE_MESSAGE_SIZE|. */
@@ -363,6 +372,24 @@
       return -1;
     }
 
+    /* Handle the end_of_early_data alert. */
+    if (rr->type == SSL3_RT_ALERT &&
+        rr->length == 2 &&
+        rr->data[0] == SSL3_AL_WARNING &&
+        rr->data[1] == TLS1_AD_END_OF_EARLY_DATA &&
+        ssl->server &&
+        ssl->s3->hs != NULL &&
+        ssl->s3->hs->can_early_read &&
+        ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
+      /* Consume the record. */
+      rr->length = 0;
+      ssl_read_buffer_discard(ssl);
+      /* Stop accepting early data. */
+      ssl->s3->hs->can_early_read = 0;
+      *out_got_handshake = 1;
+      return -1;
+    }
+
     if (rr->type != SSL3_RT_APPLICATION_DATA) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);