Add APIs to query authentication properties of SSL_SESSIONs.
This is so Chromium can verify the session before offering it, rather
than doing it after the handshake (at which point it's too late to punt
the session) as we do today. This should, in turn, allow us to finally
verify certificates off a callback and order it correctly relative to
CertificateRequest in TLS 1.3.
(It will also order "correctly" in TLS 1.2, but this is useless. TLS 1.2
does not bind the CertificateRequest to the certificate at the point the
client needs to act on it.)
Bug: chromium:347402
Change-Id: I0daac2868c97b820aead6c3a7e4dc30d8ba44dc4
Reviewed-on: https://boringssl-review.googlesource.com/28405
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Steven Valdez <svaldez@google.com>
diff --git a/ssl/ssl_session.cc b/ssl/ssl_session.cc
index d8f3bbd..e31df68 100644
--- a/ssl/ssl_session.cc
+++ b/ssl/ssl_session.cc
@@ -922,6 +922,29 @@
return session->certs;
}
+void SSL_SESSION_get0_signed_cert_timestamp_list(const SSL_SESSION *session,
+ const uint8_t **out,
+ size_t *out_len) {
+ if (session->signed_cert_timestamp_list) {
+ *out = CRYPTO_BUFFER_data(session->signed_cert_timestamp_list);
+ *out_len = CRYPTO_BUFFER_len(session->signed_cert_timestamp_list);
+ } else {
+ *out = nullptr;
+ *out_len = 0;
+ }
+}
+
+void SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session,
+ const uint8_t **out, size_t *out_len) {
+ if (session->ocsp_response) {
+ *out = CRYPTO_BUFFER_data(session->ocsp_response);
+ *out_len = CRYPTO_BUFFER_len(session->ocsp_response);
+ } else {
+ *out = nullptr;
+ *out_len = 0;
+ }
+}
+
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
size_t max_out) {
// TODO(davidben): Fix master_key_length's type and remove these casts.
