author: Pete Bentley <prb@google.com> 2022-05-25 13:22:14 +0100
committer: Pete Bentley <prb@google.com> 2022-05-27 18:10:07 +0000
commit: e6e9a5d015a010d2fab0a13392eca548f7c370cc
tree: 1b07d03797d64f795b48a55fb7ceaab17532a23b /src/ssl/internal.h
parent: a8f71fcea2b133b323af7c88bc074ccfd09f4fd1
external/boringssl: Sync to 1530333b25589ee4d4d52b10e78ee55dd82f6dcd.

This includes the following changes:

https://boringssl.googlesource.com/boringssl/+log/c9a7dd687987666df5910f2b35fdc8c3d1e5ed05..1530333b25589ee4d4d52b10e78ee55dd82f6dcd

* Remove X509_CRL_METHOD.
  Update-Note: APIs relating to X509_CRL_METHOD are removed.
* Clean up ECDSA EVP_PKEY_CTRL_MD validation.
* Add a service indicator for FIPS 140-3.
* Move cmac into the FIPS module boundary.
* Use CMake's C/C++ version features.
* Update build tools.
* Don't leave stray errors in the error queue in X509_print_ex.
* Switch to the CIPD version of CMake on Windows.
* limit the feature macro stuff to __linux__
* Enforce X.509 version invariants more consistently.
  Update-Note: Invalid CRL and CSR versions will no longer be accepted. X509_set_version, etc., no longer allow invalid versions.
* Remove X509_to_X509_REQ.
  Update-Note: Removed seemingly unused public API.
* Declare EVP_AEAD_CTX in base.h, like other typedefs.
* Add missing blank line between functions.
* Remove unions in EC_SCALAR and EC_FELEM.
* Implement SSL_CTX_set_num_tickets.
* Add tests for X509_NAME_print_ex.
* acvp: test CTR-DRBG with reseed in modulewrapper.
* Do pending `go fmt` updates.
* acvp: test SHA-512/256 with HMAC, RSA (PSS), and ECDSA.
* Add PSS to the AVCP regcap.
* Drop ACVP support for 3DES.
* Add function to return the name of the FIPS module.
* Support running tests on non-NEON devices.
* Update delocate tests
* Tidy up how ASN1_STRING_print_ex figures out the type.
* Remove the ASN1_TLC cache. It appears to not help performance.
* Fix build for older CMake versions.
* Remove code added to avoid SHA1 weakness.
* Update comment in light of prior change.
* ChaCha20-Poly1305 for Armv8 (AArch64)
* Replace the last strcasecmp with OPENSSL_strcasecmp.
* [build] Fix build with HEAD clang.
* Make calls to the verify callback consistent by calling ctx->verify_cb directly. This removes some temporary variables that would only be used to hold ctx->verify_cb.
* Try to require C11 (in non-MSVC compilers).
  Update-Note: If the build fails with an error about C11, remove -std=c99 or -std=gnu99 from your build. Refcounting will get faster.
* Try to require C++14.
  Update-Note: C++14 is now required to build BoringSSL. If the build breaks, make sure your compiler is C++14-capable and is not passing -std=c++11. If this is causing problems for your project, let us know.
* Reject [UNIVERSAL 0] in DER/BER element parsers.
  Update-Note: There are two kinds of impacts I might expect from this change. The first is BER parsers might be relying on the CBS DER/BER element parser to pick up EOCs, as our ber.c does. This should be caught by the most basic unit test and can be fixed by detecting EOCs externally.
* Add CMake install rules.
* P-256 assembly optimisations for Aarch64.
* hrss: always normalize.
* Use SHA-256 for the FIPS integrity check everywhere.
* Remove unused variable
* Use X509 certificate alias as friendlyName in PKCS12

Bug: 231880827
Bug: 233873228
Test: atest CtsLibcoreTestCases CtsLibcoreOkHttpTestCases
Change-Id: I748d8d55ffab4ea4441648307a797e7b709b6def
Diffstat (limited to 'src/ssl/internal.h')
-rw-r--r-- src/ssl/internal.h 12
1 files changed, 11 insertions, 1 deletions
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index 0087e7f7..fbf97453 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -216,7 +216,7 @@ void Delete(T *t) {
// may be C structs which require a |BORINGSSL_MAKE_DELETER| registration.
namespace internal {
template <typename T>
-struct DeleterImpl<T, typename std::enable_if<T::kAllowUniquePtr>::type> {
+struct DeleterImpl<T, std::enable_if_t<T::kAllowUniquePtr>> {
static void Free(T *t) { Delete(t); }
};
} // namespace internal
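Review bot: `std::enable_if_t` in the `DeleterImpl` partial specialization is a C++14 alias, so this header no longer compiles for anyone still passing -std=c++11, and the failure will show up as a template error rather than a clear message. The commit message's C++14 Update-Note covers the requirement; since the hunk does not show the includes, check that `<type_traits>` is included directly in this header rather than picked up transitively.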
@@ -2056,6 +2056,11 @@ struct SSL_HANDSHAKE {
uint8_t grease_seed[ssl_grease_last_index + 1] = {0};
};
+// kMaxTickets is the maximum number of tickets to send immediately after the
+// handshake. We use a one-byte ticket nonce, and there is no point in sending
+// so many tickets.
+constexpr size_t kMaxTickets = 16;
+
UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl);
// ssl_check_message_type checks if |msg| has type |type|. If so it returns
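Review bot: the comment on `kMaxTickets` gives two reasons without connecting either to the value: a one-byte ticket nonce allows up to 256 distinct nonces, while the cap is 16, so the nonce width is only an upper bound and 16 is a policy choice. Say that explicitly, and consider a `static_assert` that `kMaxTickets` stays within what a one-byte nonce can represent, so the two cannot drift apart if either is changed later.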
@@ -3416,6 +3421,11 @@ struct ssl_ctx_st {
// and is further constrainted by |SSL_OP_NO_*|.
uint16_t conf_min_version = 0;
+ // num_tickets is the number of tickets to send immediately after the TLS 1.3
+ // handshake. TLS 1.3 recommends single-use tickets so, by default, issue two
+ /// in case the client makes several connections before getting a renewal.
+ uint8_t num_tickets = 2;
+
// quic_method is the method table corresponding to the QUIC hooks.
const SSL_QUIC_METHOD *quic_method = nullptr;
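Review bot: `num_tickets` is a `uint8_t`, so it can hold values up to 255, but nothing in this hunk ties it to the `kMaxTickets` cap of 16 introduced earlier in the same diff; any clamping would have to happen in the setter, which is not shown here. State the invariant in the field comment (for example, that the value never exceeds `kMaxTickets`) so a reader of the struct does not have to find the setter to learn the real range. The third comment line also starts with `///` instead of `//`, which looks like a typo.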