Move the PQ-experiment signal to SSL_CTX. In the case where I need it, it's easier for it to be on the context rather than on each connection. Change-Id: I5da2929ae6825d6b3151ccabb813cb8ad16416a1 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36746 Commit-Queue: Adam Langley <agl@google.com> Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 690a388..9285b3f 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -3044,7 +3044,7 @@ // signaling bit. These functions should not be used without explicit permission // from BoringSSL-team. -OPENSSL_EXPORT int SSL_enable_pq_experiment_signal(SSL *ssl); +OPENSSL_EXPORT void SSL_CTX_enable_pq_experiment_signal(SSL_CTX *ctx); OPENSSL_EXPORT int SSL_pq_experiment_signal_seen(const SSL *ssl);
diff --git a/ssl/internal.h b/ssl/internal.h index 2598058..85b8112 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -2588,11 +2588,6 @@ // jdk11_workaround is whether to disable TLS 1.3 for JDK 11 clients, as a // workaround for https://bugs.openjdk.java.net/browse/JDK-8211806. bool jdk11_workaround : 1; - - // pq_experiment_signal indicates that an empty extension should be sent - // (for clients) or echoed (for servers) to indicate participation in an - // experiment of post-quantum key exchanges. - bool pq_experiment_signal : 1; }; // From RFC 8446, used in determining PSK modes. @@ -3193,6 +3188,11 @@ // If enable_early_data is true, early data can be sent and accepted. bool enable_early_data : 1; + // pq_experiment_signal indicates that an empty extension should be sent + // (for clients) or echoed (for servers) to indicate participation in an + // experiment of post-quantum key exchanges. + bool pq_experiment_signal : 1; + private: ~ssl_ctx_st(); friend void SSL_CTX_free(SSL_CTX *);
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index 45ed62f..00ee7da 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc
@@ -569,7 +569,8 @@ false_start_allowed_without_alpn(false), ignore_tls13_downgrade(false), handoff(false), - enable_early_data(false) { + enable_early_data(false), + pq_experiment_signal(false) { CRYPTO_MUTEX_init(&lock); CRYPTO_new_ex_data(&ex_data); } @@ -734,8 +735,7 @@ handoff(false), shed_handshake_config(false), ignore_tls13_downgrade(false), - jdk11_workaround(false), - pq_experiment_signal(false) { + jdk11_workaround(false) { assert(ssl); } @@ -1246,12 +1246,8 @@ return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert); } -int SSL_enable_pq_experiment_signal(SSL *ssl) { - if (!ssl->config) { - return 0; - } - ssl->config->pq_experiment_signal = true; - return 1; +void SSL_CTX_enable_pq_experiment_signal(SSL_CTX *ctx) { + ctx->pq_experiment_signal = true; } int SSL_pq_experiment_signal_seen(const SSL *ssl) {
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc index c05e2c6..88685c8 100644 --- a/ssl/t1_lib.cc +++ b/ssl/t1_lib.cc
@@ -2894,7 +2894,7 @@ static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) { - if (hs->config->pq_experiment_signal && + if (hs->ssl->ctx->pq_experiment_signal && (!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) || !CBB_add_u16(out, 0))) { return false; @@ -2910,7 +2910,7 @@ return true; } - if (!hs->config->pq_experiment_signal || CBS_len(contents) != 0) { + if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) { return false; } @@ -2929,7 +2929,7 @@ return false; } - if (hs->ssl->config->pq_experiment_signal) { + if (hs->ssl->ctx->pq_experiment_signal) { hs->ssl->s3->pq_experiment_signal_seen = true; }
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc index 8de81f5..19f94ba 100644 --- a/ssl/test/test_config.cc +++ b/ssl/test/test_config.cc
@@ -1346,6 +1346,10 @@ SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE); } + if (enable_pq_experiment_signal) { + SSL_CTX_enable_pq_experiment_signal(ssl_ctx.get()); + } + return ssl_ctx; } @@ -1716,11 +1720,5 @@ } } - if (enable_pq_experiment_signal && - !SSL_enable_pq_experiment_signal(ssl.get())) { - fprintf(stderr, "SSL_enable_pq_experiment_signal failed.\n"); - return nullptr; - } - return ssl; }