From c2807582fd86fa68d7b0c2675f25a38530719608 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Tue, 28 Apr 2015 00:19:50 -0400
Subject: [PATCH] Promote channel ID macros to proper functions.
BUG=404754
Change-Id: I002d4602720e207f92a985d90f0d58e89562affa
Reviewed-on: https://boringssl-review.googlesource.com/4569
Reviewed-by: Adam Langley
---
 crypto/err/ssl.errordata | 2 +
 include/openssl/ssl.h | 55 +++++++++++++++------------
 ssl/s3_lib.c | 80 +++++++++++++++++++++-------------------
 3 files changed, 77 insertions(+), 60 deletions(-)
diff --git a/crypto/err/ssl.errordata b/crypto/err/ssl.errordata
index 767d0787..7dbe199f 100644
--- a/crypto/err/ssl.errordata
+++ b/crypto/err/ssl.errordata
@@ -1,5 +1,6 @@
 SSL,function,100,SSL_CTX_check_private_key
 SSL,function,101,SSL_CTX_new
+SSL,function,272,SSL_CTX_set1_tls_channel_id
 SSL,function,102,SSL_CTX_set_cipher_list
 SSL,function,103,SSL_CTX_set_cipher_list_tls11
 SSL,function,104,SSL_CTX_set_session_id_context
@@ -32,6 +33,7 @@ SSL,function,128,SSL_new
 SSL,function,129,SSL_peek
 SSL,function,130,SSL_read
 SSL,function,131,SSL_renegotiate
+SSL,function,273,SSL_set1_tls_channel_id
 SSL,function,132,SSL_set_cipher_list
 SSL,function,133,SSL_set_fd
 SSL,function,134,SSL_set_rfd
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 14fa04d2..9edc859e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1024,11 +1024,6 @@ OPENSSL_EXPORT LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
  * session cache. */
 OPENSSL_EXPORT size_t SSL_CTX_sess_number(const SSL_CTX *ctx);
-/* SSL_CTX_enable_tls_channel_id configures a TLS server to accept TLS client
- * IDs from clients. Returns 1 on success. */
-#define SSL_CTX_enable_tls_channel_id(ctx) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_CHANNEL_ID, 0, NULL)
-
 OPENSSL_EXPORT void SSL_CTX_sess_set_new_cb(
 SSL_CTX *ctx, int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess));
 OPENSSL_EXPORT int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
@@ -1610,10 +1605,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_CTRL_GET_CHAIN_CERTS 115
 #define SSL_CTRL_SELECT_CURRENT_CERT 116
-#define SSL_CTRL_CHANNEL_ID 117
-#define SSL_CTRL_GET_CHANNEL_ID 118
-#define SSL_CTRL_SET_CHANNEL_ID 119
-
 /* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
  * timeout in progress, it sets |*out| to the time remaining and returns one.
  * Otherwise, it returns zero.
@@ -1672,26 +1663,34 @@ OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key);
  * recommended.) */
 OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);
+/* SSL_CTX_enable_tls_channel_id either configures a TLS server to accept TLS
+ * client IDs from clients, or configures a client to send TLS client IDs to
+ * a server. It returns one. */
+OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
+
 /* SSL_enable_tls_channel_id either configures a TLS server to accept TLS
  * client IDs from clients, or configure a client to send TLS client IDs to
- * server. Returns 1 on success. */
-#define SSL_enable_tls_channel_id(s) SSL_ctrl(s, SSL_CTRL_CHANNEL_ID, 0, NULL)
+ * server. It returns one. */
+OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
+
+/* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
+ * to compatible servers. |private_key| must be a P-256 EC key. It returns one
+ * on success and zero on error. */
+OPENSSL_EXPORT int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx,
+ EVP_PKEY *private_key);
 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
- * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
- * success. */
-#define SSL_set1_tls_channel_id(s, private_key) \
- SSL_ctrl(s, SSL_CTRL_SET_CHANNEL_ID, 0, (void *)private_key)
-#define SSL_CTX_set1_tls_channel_id(ctx, private_key) \
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_CHANNEL_ID, 0, (void *)private_key)
+ * compatible servers. |private_key| must be a P-256 EC key. It returns one on
+ * success and zero on error. */
+OPENSSL_EXPORT int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key);
 /* SSL_get_tls_channel_id gets the client's TLS Channel ID from a server SSL*
- * and copies up to the first |channel_id_len| bytes into |channel_id|. The
- * Channel ID consists of the client's P-256 public key as an (x,y) pair where
- * each is a 32-byte, big-endian field element. Returns 0 if the client didn't
- * offer a Channel ID and the length of the complete Channel ID otherwise. */
-#define SSL_get_tls_channel_id(ctx, channel_id, channel_id_len) \
- SSL_ctrl(ctx, SSL_CTRL_GET_CHANNEL_ID, channel_id_len, (void *)channel_id)
+ * and copies up to the first |max_out| bytes into |out|. The Channel ID
+ * consists of the client's P-256 public key as an (x,y) pair where each is a
+ * 32-byte, big-endian field element. It returns 0 if the client didn't offer a
+ * Channel ID and the length of the complete Channel ID otherwise. */
+OPENSSL_EXPORT size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out,
+ size_t max_out);
 #define SSL_CTX_add_extra_chain_cert(ctx, x509) \
 SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509)
@@ -2422,6 +2421,9 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_CTRL_GET_RI_SUPPORT doesnt_exist
 #define SSL_CTRL_CLEAR_OPTIONS doesnt_exist
 #define SSL_CTRL_CLEAR_MODE doesnt_exist
+#define SSL_CTRL_CHANNEL_ID doesnt_exist
+#define SSL_CTRL_GET_CHANNEL_ID doesnt_exist
+#define SSL_CTRL_SET_CHANNEL_ID doesnt_exist
 #define SSL_CTX_need_tmp_RSA SSL_CTX_need_tmp_RSA
 #define SSL_need_tmp_RSA SSL_need_tmp_RSA
@@ -2469,6 +2471,11 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_clear_options SSL_clear_options
 #define SSL_CTX_clear_mode SSL_CTX_clear_mode
 #define SSL_clear_mode SSL_clear_mode
+#define SSL_CTX_enable_tls_channel_id SSL_CTX_enable_tls_channel_id
+#define SSL_enable_tls_channel_id SSL_enable_tls_channel_id
+#define SSL_set1_tls_channel_id SSL_set1_tls_channel_id
+#define SSL_CTX_set1_tls_channel_id SSL_CTX_set1_tls_channel_id
+#define SSL_get_tls_channel_id SSL_get_tls_channel_id
 #if defined(__cplusplus)
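Review bot: The new SSL_CTX_set1_tls_channel_id and SSL_set1_tls_channel_id comments in the @@ -1672 hunk do not say what happens to |private_key|; the s3_lib.c hunk of this commit stores an EVP_PKEY_dup of it and frees any previously set key, so the caller keeps its own pointer and remains responsible for it. I would append to both comments ` * The caller retains ownership of |private_key|; the object keeps its own duplicate and releases any key set earlier.` The "must be a P-256 EC key" wording is also stronger than what the implementation checks (EC key type and a 256-bit size), so the comment should not be read as a curve-identity guarantee unless the implementation is tightened to match.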
@@ -2666,6 +2673,8 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_F_SSL_CTX_set_tmp_ecdh 269
 #define SSL_F_SSL_set_tmp_dh 270
 #define SSL_F_SSL_set_tmp_ecdh 271
+#define SSL_F_SSL_CTX_set1_tls_channel_id 272
+#define SSL_F_SSL_set1_tls_channel_id 273
 #define SSL_R_APP_DATA_IN_HANDSHAKE 100
 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
 #define SSL_R_BAD_ALERT 102
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 63ceba86..fc3a3a6f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -643,6 +643,49 @@ int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
 return 1;
 }
+int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
+ ctx->tlsext_channel_id_enabled = 1;
+ return 1;
+}
+
+int SSL_enable_tls_channel_id(SSL *ssl) {
+ ssl->tlsext_channel_id_enabled = 1;
+ return 1;
+}
+
+int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
+ ctx->tlsext_channel_id_enabled = 1;
+ if (EVP_PKEY_id(private_key) != EVP_PKEY_EC ||
+ EVP_PKEY_bits(private_key) != 256) {
+ OPENSSL_PUT_ERROR(SSL, SSL_CTX_set1_tls_channel_id,
+ SSL_R_CHANNEL_ID_NOT_P256);
+ return 0;
+ }
+ EVP_PKEY_free(ctx->tlsext_channel_id_private);
+ ctx->tlsext_channel_id_private = EVP_PKEY_dup(private_key);
+ return 1;
+}
+
+int SSL_set1_tls_channel_id(SSL *ssl, EVP_PKEY *private_key) {
+ ssl->tlsext_channel_id_enabled = 1;
+ if (EVP_PKEY_id(private_key) != EVP_PKEY_EC ||
+ EVP_PKEY_bits(private_key) != 256) {
+ OPENSSL_PUT_ERROR(SSL, SSL_set1_tls_channel_id, SSL_R_CHANNEL_ID_NOT_P256);
+ return 0;
+ }
+ EVP_PKEY_free(ssl->tlsext_channel_id_private);
+ ssl->tlsext_channel_id_private = EVP_PKEY_dup(private_key);
+ return 1;
+}
+
+size_t SSL_get_tls_channel_id(SSL *ssl, uint8_t *out, size_t max_out) {
+ if (!ssl->s3->tlsext_channel_id_valid) {
+ return 0;
+ }
+ memcpy(out, ssl->s3->tlsext_channel_id, (max_out < 64) ? max_out : 64);
+ return 64;
+}
+
 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
 int ret = 0;
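Review bot: The P-256 requirement stated in the header is only approximated in SSL_CTX_set1_tls_channel_id and SSL_set1_tls_channel_id: `EVP_PKEY_id(private_key) != EVP_PKEY_EC || EVP_PKEY_bits(private_key) != 256` admits any EC key with a 256-bit size, not only NID_X9_62_prime256v1, and the same test is written out twice. A static helper that compares the key's curve name would make the check match the documented contract and remove the duplication, leaving each function with `if (!ssl_is_channel_id_key(private_key)) {` in front of the existing OPENSSL_PUT_ERROR. Both functions also set tlsext_channel_id_enabled before validating, so a rejected key leaves Channel ID enabled with no key set; that ordering is carried over from the removed ctrl cases, so it is worth confirming it is intended. The result of EVP_PKEY_dup is stored unchecked; if it can return NULL in this tree, the assignment should be tested before returning one. ssl3_ctrl, whose opening lines close this hunk, continues beyond it.
```c
/* ssl_is_channel_id_key returns one if |key| is an EC key on P-256 and zero
 * otherwise. */
static int ssl_is_channel_id_key(EVP_PKEY *key) {
  if (EVP_PKEY_id(key) != EVP_PKEY_EC) {
    return 0;
  }
  EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(key);
  return ec_key != NULL &&
         EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key)) ==
             NID_X9_62_prime256v1;
}

int SSL_CTX_set1_tls_channel_id(SSL_CTX *ctx, EVP_PKEY *private_key) {
  ctx->tlsext_channel_id_enabled = 1;
  if (!ssl_is_channel_id_key(private_key)) {
    OPENSSL_PUT_ERROR(SSL, SSL_CTX_set1_tls_channel_id,
                      SSL_R_CHANNEL_ID_NOT_P256);
    return 0;
  }
  /* … unchanged: EVP_PKEY_free, EVP_PKEY_dup, return 1 … */
}

/* … SSL_set1_tls_channel_id: same replacement of the id/bits test … */
```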
@@ -786,29 +829,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
 return (int)s->s3->tmp.peer_ecpointformatlist_length;
 }
- case SSL_CTRL_CHANNEL_ID:
- s->tlsext_channel_id_enabled = 1;
- ret = 1;
- break;
-
- case SSL_CTRL_SET_CHANNEL_ID:
- s->tlsext_channel_id_enabled = 1;
- if (EVP_PKEY_bits(parg) != 256) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
- break;
- }
- EVP_PKEY_free(s->tlsext_channel_id_private);
- s->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);
- ret = 1;
- break;
-
- case SSL_CTRL_GET_CHANNEL_ID:
- if (!s->s3->tlsext_channel_id_valid) {
- break;
- }
- memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
- return 64;
 default:
 break;
 }
@@ -914,20 +934,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
 case SSL_CTRL_SELECT_CURRENT_CERT:
 return ssl_cert_select_current(ctx->cert, (X509 *)parg);
- case SSL_CTRL_CHANNEL_ID:
- ctx->tlsext_channel_id_enabled = 1;
- return 1;
-
- case SSL_CTRL_SET_CHANNEL_ID:
- ctx->tlsext_channel_id_enabled = 1;
- if (EVP_PKEY_bits(parg) != 256) {
- OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, SSL_R_CHANNEL_ID_NOT_P256);
- break;
- }
- EVP_PKEY_free(ctx->tlsext_channel_id_private);
- ctx->tlsext_channel_id_private = EVP_PKEY_dup((EVP_PKEY *)parg);
- break;
-
 default:
 return 0;
 }