diff options
Diffstat (limited to 'app/openssl/ssl/s3_clnt.c')
-rw-r--r-- | app/openssl/ssl/s3_clnt.c | 70 |
1 files changed, 21 insertions, 49 deletions
diff --git a/app/openssl/ssl/s3_clnt.c b/app/openssl/ssl/s3_clnt.c index 486f538b..5e15b75c 100644 --- a/app/openssl/ssl/s3_clnt.c +++ b/app/openssl/ssl/s3_clnt.c @@ -215,12 +215,24 @@ int ssl3_connect(SSL *s) } #endif +// BEGIN android-added +#if 0 +/* Send app data in separate packet, otherwise, some particular site + * (only one site so far) closes the socket. http://b/2511073 + * Note: there is a very small chance that two TCP packets + * could be arriving at server combined into a single TCP packet, + * then trigger that site to break. We haven't encounter that though. + */ +// END android-added if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) { /* Send app data along with CCS/Finished */ s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED; } +// BEGIN android-added +#endif +// END android-added for (;;) { state=s->state; @@ -546,20 +558,7 @@ int ssl3_connect(SSL *s) } else { - /* This is a non-resumption handshake. If it - * involves ChannelID, then record the - * handshake hashes at this point in the - * session so that any resumption of this - * session with ChannelID can sign those - * hashes. */ - if (s->s3->tlsext_channel_id_new) - { - ret = tls1_record_handshake_hashes_for_channel_id(s); - if (ret <= 0) - goto end; - } - if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) - && ssl3_can_cutthrough(s) + if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && SSL_get_cipher_bits(s, NULL) >= 128 && s->s3->previous_server_finished_len == 0 /* no cutthrough on renegotiation (would complicate the state machine) */ ) { @@ -608,7 +607,6 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); @@ -2304,7 +2302,7 @@ int ssl3_get_server_done(SSL *s) int ssl3_send_client_key_exchange(SSL *s) { unsigned char *p,*d; - int n = 0; + int n; unsigned long alg_k; unsigned long alg_a; #ifndef OPENSSL_NO_RSA @@ -2690,13 +2688,6 @@ int ssl3_send_client_key_exchange(SSL *s) unsigned int i; #endif - if (s->session->sess_cert == NULL) - { - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); - SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); - goto err; - } - /* Did we send out the client's * ECDH share for use in premaster * computation as part of client certificate? @@ -3036,7 +3027,7 @@ int ssl3_send_client_key_exchange(SSL *s) } } #endif - else if (!(alg_k & SSL_kPSK) || ((alg_k & SSL_kPSK) && !(alg_a & SSL_aPSK))) + else if (!(alg_k & SSL_kPSK)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); @@ -3500,29 +3491,10 @@ int ssl3_send_channel_id(SSL *s) if (s->state != SSL3_ST_CW_CHANNEL_ID_A) return ssl3_do_write(s, SSL3_RT_HANDSHAKE); - if (!s->tlsext_channel_id_private && s->ctx->channel_id_cb) - { - EVP_PKEY *key = NULL; - s->ctx->channel_id_cb(s, &key); - if (key != NULL) - { - s->tlsext_channel_id_private = key; - } - } - if (!s->tlsext_channel_id_private) - { - s->rwstate=SSL_CHANNEL_ID_LOOKUP; - return (-1); - } - s->rwstate=SSL_NOTHING; - d = (unsigned char *)s->init_buf->data; *(d++)=SSL3_MT_ENCRYPTED_EXTENSIONS; l2n3(2 + 2 + TLSEXT_CHANNEL_ID_SIZE, d); - if (s->s3->tlsext_channel_id_new) - s2n(TLSEXT_TYPE_channel_id_new, d); - else - s2n(TLSEXT_TYPE_channel_id, d); + s2n(TLSEXT_TYPE_channel_id, d); s2n(TLSEXT_CHANNEL_ID_SIZE, d); EVP_MD_CTX_init(&md_ctx); @@ -3533,9 +3505,9 @@ int ssl3_send_channel_id(SSL *s) SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CANNOT_SERIALIZE_PUBLIC_KEY); goto err; } - /* i2d_PublicKey will produce an ANSI X9.62 public key which, for a - * P-256 key, is 0x04 (meaning uncompressed) followed by the x and y - * field elements as 32-byte, big-endian numbers. */ + // i2d_PublicKey will produce an ANSI X9.62 public key which, for a + // P-256 key, is 0x04 (meaning uncompressed) followed by the x and y + // field elements as 32-byte, big-endian numbers. if (public_key_len != 65) { SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_CHANNEL_ID_NOT_P256); @@ -3581,14 +3553,14 @@ int ssl3_send_channel_id(SSL *s) } derp = der_sig; - sig = d2i_ECDSA_SIG(NULL, (const unsigned char**) &derp, sig_len); + sig = d2i_ECDSA_SIG(NULL, (const unsigned char**)&derp, sig_len); if (sig == NULL) { SSLerr(SSL_F_SSL3_SEND_CHANNEL_ID,SSL_R_D2I_ECDSA_SIG); goto err; } - /* The first byte of public_key will be 0x4, denoting an uncompressed key. */ + // The first byte of public_key will be 0x4, denoting an uncompressed key. memcpy(d, public_key + 1, 64); d += 64; memset(d, 0, 2 * 32); |