Cross Reference: /external/boringssl/src/ssl/handshake

History log of /external/boringssl/src/ssl/handshake_client.cc
Revision	Date	Author	Comments (<<< Hide modified files) (Show modified files >>>)
882b6c0b2f90afb318f4d0ea6a463dcfecf85abf	29-Aug-2017	David Benjamin <davidben@google.com>	Don't reauthenticate on renegotiation. We currently forbid the server certificate from changing on renegotiation. This means re-verifying the certificate is pointless and indeed the callback being called again seems to surprise consumers more than anything else. Carry over the initial handshake's SCT lists and OCSP responses (don't enforce they don't change since the server may have, say, picked up new OCSP responses in the meantime), ignore new ones received on renegotiation, and don't bother redoing verification. For our purposes, TLS 1.2 renegotiation is an overcomplicated TLS 1.3 KeyUpdate + post-handshake auth. The server is not allowed to change identity. This is a cherry-pick of https://boringssl-review.googlesource.com/19665 and https://boringssl-review.googlesource.com/19684 to resolve a Conscrypt bug. The new certificate verify logic in Conscrypt did not account for renegotiation needing to verify the new certificate, long-standing behavior of OpenSSL and BoringSSL. However, since BoringSSL does not allow the server certificate to change on renegotiation due to 3-SHAKE, this behavior is unnecessary and it was cleanest to stop calling the callback. Exempt-From-Owner-Approval: flooey is on vacation Merged-In: I615af59fe8af4c56e6cf83a364c0fd69be70c415 Merged-In: I41df37881b9c2228b9a7b3569f1532f3b0dcbaea Bug: 64827202 Change-Id: Ie97fc68ad992db2dbde7ba4af519757200a199f3 /external/boringssl/src/ssl/handshake_client.cc
96123c01b8c872945004ea9a2c7a1e7c7bf13823	29-Aug-2017	David Benjamin <davidben@google.com>	Mark renego-established sessions not resumable. We do not call the new_session callback on renego, but a consumer using SSL_get_session may still attempt to resume such a session. Leave the not_resumable flag unset. Also document this renegotiation restriction. This is a cherry-pick of https://boringssl-review.googlesource.com/19664 from BoringSSL, in preparation for cherry-picking https://boringssl-review.googlesource.com/19665. Exempt-From-Owner-Approval: flooey is on vacation Merged-In: I615af59fe8af4c56e6cf83a364c0fd69be70c415 Merged-In: I41df37881b9c2228b9a7b3569f1532f3b0dcbaea Bug: 64827202 Change-Id: Ic81acb033d8166a6bd00edcbfa06157af12f98aa /external/boringssl/src/ssl/handshake_client.cc
a12bf4695c4916207f946efafd9728eb941e3f0a	17-Jul-2017	Robert Sloan <varomodt@google.com>	external/boringssl: Sync to 14308731e5446a73ac2258688a9688b524483cb6. This includes the following changes: https://boringssl.googlesource.com/boringssl/+log/ee7aa02744a78bf4630913b1c83d0fe36aa45efc..14308731e5446a73ac2258688a9688b524483cb6 Test: BoringSSL CTS Presubmits. Change-Id: I73bf80fa018c2a65ca9842f1c2f95d64586bdffc /external/boringssl/src/ssl/handshake_client.cc