Add SSL_(CTX_)set_tls_channel_id_enabled.

This allows a consumer to disable Channel ID (for instance, it may be enabled on the SSL_CTX and later disabled on the SSL) without reaching into the SSL struct directly. Deprecate the old APIs in favor of these. BUG=6 Change-Id: I193bf94bc1f537e1a81602a39fc2b9a73f44c73b Reviewed-on: https://boringssl-review.googlesource.com/12623 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-12-06 17:43:58 -05:00 · 2016-12-06 17:43:58 -05:00 · eebd3c88ac
commit eebd3c88ac
parent 8db920ad5d
4 changed files with 27 additions and 14 deletions
--- a/fuzz/server.cc
+++ b/fuzz/server.cc
@ -269,7 +269,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
  SSL_set_bio(server, in, out);
  SSL_set_accept_state(server);
  SSL_set_max_version(server, TLS1_3_VERSION);
-  SSL_enable_tls_channel_id(server);
+  SSL_set_tls_channel_id_enabled(server, 1);

  // Enable ciphers that are off by default.
  SSL_set_cipher_list(server, "ALL:kCECPQ1:NULL-SHA");
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -2511,15 +2511,14 @@ OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len,
 *
 * See draft-balfanz-tls-channelid-01. */

-/* SSL_CTX_enable_tls_channel_id either configures a TLS server to accept TLS
- * Channel IDs from clients, or configures a client to send TLS Channel IDs to
- * a server. It returns one. */
-OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
+/* SSL_CTX_set_tls_channel_id_enabled configures whether connections associated
+ * with |ctx| should enable Channel ID. */
+OPENSSL_EXPORT void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx,
+                                                       int enabled);

-/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS
- * Channel IDs from clients, or configures a client to send TLS Channel IDs to
- * server. It returns one. */
-OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
+/* SSL_set_tls_channel_id_enabled configures whether |ssl| should enable Channel
+ * ID. */
+OPENSSL_EXPORT void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled);

 /* SSL_CTX_set1_tls_channel_id configures a TLS client to send a TLS Channel ID
 * to compatible servers. |private_key| must be a P-256 EC key. It returns one
@ -3637,6 +3636,12 @@ OPENSSL_EXPORT int SSL_set_min_version(SSL *ssl, uint16_t version);
 /* SSL_set_max_version calls |SSL_set_max_proto_version|. */
 OPENSSL_EXPORT int SSL_set_max_version(SSL *ssl, uint16_t version);

+/* SSL_CTX_enable_tls_channel_id calls |SSL_CTX_set_tls_channel_id_enabled|. */
+OPENSSL_EXPORT int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx);
+
+/* SSL_enable_tls_channel_id calls |SSL_set_tls_channel_id_enabled|. */
+OPENSSL_EXPORT int SSL_enable_tls_channel_id(SSL *ssl);
+

 /* Private structures.
 *
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -1937,13 +1937,21 @@ void SSL_get0_alpn_selected(const SSL *ssl, const uint8_t **out_data,
 }


+void SSL_CTX_set_tls_channel_id_enabled(SSL_CTX *ctx, int enabled) {
+  ctx->tlsext_channel_id_enabled = !!enabled;
+}
+
 int SSL_CTX_enable_tls_channel_id(SSL_CTX *ctx) {
-  ctx->tlsext_channel_id_enabled = 1;
+  SSL_CTX_set_tls_channel_id_enabled(ctx, 1);
  return 1;
 }

+void SSL_set_tls_channel_id_enabled(SSL *ssl, int enabled) {
+  ssl->tlsext_channel_id_enabled = !!enabled;
+}
+
 int SSL_enable_tls_channel_id(SSL *ssl) {
-  ssl->tlsext_channel_id_enabled = 1;
+  SSL_set_tls_channel_id_enabled(ssl, 1);
  return 1;
 }

--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@ -981,7 +981,7 @@ static bssl::UniquePtr<SSL_CTX> SetupCtx(const TestConfig *config) {
    SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), AlpnSelectCallback, NULL);
  }

-  SSL_CTX_enable_tls_channel_id(ssl_ctx.get());
+  SSL_CTX_set_tls_channel_id_enabled(ssl_ctx.get(), 1);
  SSL_CTX_set_channel_id_cb(ssl_ctx.get(), ChannelIdCallback);

  SSL_CTX_set_current_time_cb(ssl_ctx.get(), CurrentTimeCallback);
@ -1520,10 +1520,10 @@ static bool DoExchange(bssl::UniquePtr<SSL_SESSION> *out_session,
  }
  if (!config->expected_channel_id.empty() ||
      config->enable_channel_id) {
-    SSL_enable_tls_channel_id(ssl.get());
+    SSL_set_tls_channel_id_enabled(ssl.get(), 1);
  }
  if (!config->send_channel_id.empty()) {
-    SSL_enable_tls_channel_id(ssl.get());
+    SSL_set_tls_channel_id_enabled(ssl.get(), 1);
    if (!config->async) {
      // The async case will be supplied by |ChannelIdCallback|.
      bssl::UniquePtr<EVP_PKEY> pkey = LoadPrivateKey(config->send_channel_id);