Support setting per-connection SCT list
Right now the only way to set an SCT list is the per-context function
SSL_CTX_set_signed_cert_timestamp_list. However this assumes that all the
SSLs generated from a SSL_CTX share the same SCT list, which is wrong.
In order to avoid memory duplication in case SSL_CTX has its own list, a
CRYPTO_BUFFER is used for both SSL_CTX and SSL.
Change-Id: Id20e6f128c33cf3e5bff1be390645441be6518c6
Reviewed-on: https://boringssl-review.googlesource.com/13642
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 01aa3e8..e34636e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -904,6 +904,14 @@
const uint8_t *list,
size_t list_len);
+/* SSL_set_signed_cert_timestamp_list sets the list of signed certificate
+ * timestamps that is sent to clients that request is. The same format as the
+ * one used for |SSL_CTX_set_signed_cert_timestamp_list| applies. The caller
+ * retains ownership of |list|. */
+OPENSSL_EXPORT int SSL_set_signed_cert_timestamp_list(SSL *ctx,
+ const uint8_t *list,
+ size_t list_len);
+
/* SSL_CTX_set_ocsp_response sets the OCSP response that is sent to clients
* which request it. It returns one on success and zero on error. The caller
* retains ownership of |response|. */
@@ -4050,8 +4058,7 @@
EVP_PKEY *tlsext_channel_id_private;
/* Signed certificate timestamp list to be sent to the client, if requested */
- uint8_t *signed_cert_timestamp_list;
- size_t signed_cert_timestamp_list_length;
+ CRYPTO_BUFFER *signed_cert_timestamp_list;
/* OCSP response to be sent to the client, if requested. */
CRYPTO_BUFFER *ocsp_response;
