Add SSL_(CTX_)set_tls_channel_id_enabled.
This allows a consumer to disable Channel ID (for instance, it may be enabled on the SSL_CTX and later disabled on the SSL) without reaching into the SSL struct directly. Deprecate the old APIs in favor of these. BUG=6 Change-Id: I193bf94bc1f537e1a81602a39fc2b9a73f44c73b Reviewed-on: https://boringssl-review.googlesource.com/12623 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
parent
8db920ad5d
commit
eebd3c88ac
@ -269,7 +269,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
|
|||||||
SSL_set_bio(server, in, out);
|
SSL_set_bio(server, in, out);
|
||||||
SSL_set_accept_state(server);
|
SSL_set_accept_state(server);
|
||||||
SSL_set_max_version(server, TLS1_3_VERSION);
|
SSL_set_max_version(server, TLS1_3_VERSION);
|
||||||
SSL_enable_tls_channel_id(server);
|
SSL_set_tls_channel_id_enabled(server, 1);
|
||||||
|
|
||||||
// Enable ciphers that are off by default.
|
// Enable ciphers that are off by default.
|
||||||
SSL_set_cipher_list(server, "ALL:kCECPQ1:NULL-SHA");
|
SSL_set_cipher_list(server, "ALL:kCECPQ1:NULL-SHA");
|
||||||
|
@ -2511,15 +2511,14 @@ OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
|
|||||||
*
|
*
|
||||||
* See draft-balfanz-tls-channelid-01. */
|
* See draft-balfanz-tls-channelid-01. */
|
||||||
|
|
||||||
/* SSL_CTX_enable_tls_channel_id either configures a TLS server to accept TLS
|
/* SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
|
||||||
* Channel IDs from clients, or configures a client to send TLS Channel IDs to
|
* with |ctx| should enable Channel ID. */
|
||||||
* a server. It returns one. */
|
OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,
|
||||||
OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
|
int enabled);
|
||||||
|
|
||||||
/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS
|
/* SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
|
||||||
* Channel IDs from clients, or configures a client to send TLS Channel IDs to
|
* ID. */
|
||||||
* server. It returns one. */
|
OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);
|
||||||
OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
|
|
||||||
|
|
||||||
/* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
|
/* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
|
||||||
* to compatible servers. |private_key| must be a P-256 EC key. It returns one
|
* to compatible servers. |private_key| must be a P-256 EC key. It returns one
|
||||||
@ -3637,6 +3636,12 @@ OPENSSL_EXPORT int SSL_set_min_version(SSL *ssl, uint16_t version);
|
|||||||
/* SSL_set_max_version calls |SSL_set_max_proto_version|. */
|
/* SSL_set_max_version calls |SSL_set_max_proto_version|. */
|
||||||
OPENSSL_EXPORT int SSL_set_max_version(SSL *ssl, uint16_t version);
|
OPENSSL_EXPORT int SSL_set_max_version(SSL *ssl, uint16_t version);
|
||||||
|
|
||||||
|
/* SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. */
|
||||||
|
OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
|
||||||
|
|
||||||
|
/* SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|. */
|
||||||
|
OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
|
||||||
|
|
||||||
|
|
||||||
/* Private structures.
|
/* Private structures.
|
||||||
*
|
*
|
||||||
|
@ -1937,13 +1937,21 @@ void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {
|
||||||
|
ctx->tlsext_channel_id_enabled = !!enabled;
|
||||||
|
}
|
||||||
|
|
||||||
int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
|
int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
|
||||||
ctx->tlsext_channel_id_enabled = 1;
|
SSL_CTX_set_tls_channel_id_enabled(ctx, 1);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {
|
||||||
|
ssl->tlsext_channel_id_enabled = !!enabled;
|
||||||
|
}
|
||||||
|
|
||||||
int SSL_enable_tls_channel_id(SSL *ssl) {
|
int SSL_enable_tls_channel_id(SSL *ssl) {
|
||||||
ssl->tlsext_channel_id_enabled = 1;
|
SSL_set_tls_channel_id_enabled(ssl, 1);
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -981,7 +981,7 @@ static bssl::UniquePtr<SSL_CTX> SetupCtx(const TestConfig *config) {
|
|||||||
SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
|
SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
SSL_CTX_enable_tls_channel_id(ssl_ctx.get());
|
SSL_CTX_set_tls_channel_id_enabled(ssl_ctx.get(), 1);
|
||||||
SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback);
|
SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback);
|
||||||
|
|
||||||
SSL_CTX_set_current_time_cb(ssl_ctx.get(), CurrentTimeCallback);
|
SSL_CTX_set_current_time_cb(ssl_ctx.get(), CurrentTimeCallback);
|
||||||
@ -1520,10 +1520,10 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session,
|
|||||||
}
|
}
|
||||||
if (!config->expected_channel_id.empty() ||
|
if (!config->expected_channel_id.empty() ||
|
||||||
config->enable_channel_id) {
|
config->enable_channel_id) {
|
||||||
SSL_enable_tls_channel_id(ssl.get());
|
SSL_set_tls_channel_id_enabled(ssl.get(), 1);
|
||||||
}
|
}
|
||||||
if (!config->send_channel_id.empty()) {
|
if (!config->send_channel_id.empty()) {
|
||||||
SSL_enable_tls_channel_id(ssl.get());
|
SSL_set_tls_channel_id_enabled(ssl.get(), 1);
|
||||||
if (!config->async) {
|
if (!config->async) {
|
||||||
// The async case will be supplied by |ChannelIdCallback|.
|
// The async case will be supplied by |ChannelIdCallback|.
|
||||||
bssl::UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(config->send_channel_id);
|
bssl::UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(config->send_channel_id);
|
||||||
|
Loading…
Reference in New Issue
Block a user