Add SSL_(CTX_)set_tls_channel_id_enabled.

This allows a consumer to disable Channel ID (for instance, it may be
enabled on the SSL_CTX and later disabled on the SSL) without reaching
into the SSL struct directly.

Deprecate the old APIs in favor of these.

BUG=6

Change-Id: I193bf94bc1f537e1a81602a39fc2b9a73f44c73b
Reviewed-on: https://boringssl-review.googlesource.com/12623
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-12-06 17:43:58 -05:00 committed by CQ bot account: commit-bot@chromium.org
parent 8db920ad5d
commit eebd3c88ac
4 changed files with 27 additions and 14 deletions

View File

@ -269,7 +269,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
SSL_set_bio(server, in, out); SSL_set_bio(server, in, out);
SSL_set_accept_state(server); SSL_set_accept_state(server);
SSL_set_max_version(server, TLS1_3_VERSION); SSL_set_max_version(server, TLS1_3_VERSION);
SSL_enable_tls_channel_id(server); SSL_set_tls_channel_id_enabled(server, 1);
// Enable ciphers that are off by default. // Enable ciphers that are off by default.
SSL_set_cipher_list(server, "ALL:kCECPQ1:NULL-SHA"); SSL_set_cipher_list(server, "ALL:kCECPQ1:NULL-SHA");

View File

@ -2511,15 +2511,14 @@ OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
* *
* See draft-balfanz-tls-channelid-01. */ * See draft-balfanz-tls-channelid-01. */
/* SSL_CTX_enable_tls_channel_id either configures a TLS server to accept TLS /* SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
* Channel IDs from clients, or configures a client to send TLS Channel IDs to * with |ctx| should enable Channel ID. */
* a server. It returns one. */ OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,
OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx); int enabled);
/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS /* SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
* Channel IDs from clients, or configures a client to send TLS Channel IDs to * ID. */
* server. It returns one. */ OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);
OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
/* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID /* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
* to compatible servers. |private_key| must be a P-256 EC key. It returns one * to compatible servers. |private_key| must be a P-256 EC key. It returns one
@ -3637,6 +3636,12 @@ OPENSSL_EXPORT int SSL_set_min_version(SSL *ssl, uint16_t version);
/* SSL_set_max_version calls |SSL_set_max_proto_version|. */ /* SSL_set_max_version calls |SSL_set_max_proto_version|. */
OPENSSL_EXPORT int SSL_set_max_version(SSL *ssl, uint16_t version); OPENSSL_EXPORT int SSL_set_max_version(SSL *ssl, uint16_t version);
/* SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. */
OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
/* SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|. */
OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
/* Private structures. /* Private structures.
* *

View File

@ -1937,13 +1937,21 @@ void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
} }
void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {
ctx->tlsext_channel_id_enabled = !!enabled;
}
int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) { int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
ctx->tlsext_channel_id_enabled = 1; SSL_CTX_set_tls_channel_id_enabled(ctx, 1);
return 1; return 1;
} }
void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {
ssl->tlsext_channel_id_enabled = !!enabled;
}
int SSL_enable_tls_channel_id(SSL *ssl) { int SSL_enable_tls_channel_id(SSL *ssl) {
ssl->tlsext_channel_id_enabled = 1; SSL_set_tls_channel_id_enabled(ssl, 1);
return 1; return 1;
} }

View File

@ -981,7 +981,7 @@ static bssl::UniquePtr<SSL_CTX> SetupCtx(const TestConfig *config) {
SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL); SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
} }
SSL_CTX_enable_tls_channel_id(ssl_ctx.get()); SSL_CTX_set_tls_channel_id_enabled(ssl_ctx.get(), 1);
SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback); SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback);
SSL_CTX_set_current_time_cb(ssl_ctx.get(), CurrentTimeCallback); SSL_CTX_set_current_time_cb(ssl_ctx.get(), CurrentTimeCallback);
@ -1520,10 +1520,10 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session,
} }
if (!config->expected_channel_id.empty() || if (!config->expected_channel_id.empty() ||
config->enable_channel_id) { config->enable_channel_id) {
SSL_enable_tls_channel_id(ssl.get()); SSL_set_tls_channel_id_enabled(ssl.get(), 1);
} }
if (!config->send_channel_id.empty()) { if (!config->send_channel_id.empty()) {
SSL_enable_tls_channel_id(ssl.get()); SSL_set_tls_channel_id_enabled(ssl.get(), 1);
if (!config->async) { if (!config->async) {
// The async case will be supplied by |ChannelIdCallback|. // The async case will be supplied by |ChannelIdCallback|.
bssl::UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(config->send_channel_id); bssl::UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(config->send_channel_id);