Add |SSL_set_retain_only_sha256_of_client_certs|.

Previously the option to retain only the SHA-256 hash of client
certificates could only be set at the |SSL_CTX| level. This change makes
|SSL| objects inherit the setting from the |SSL_CTX|, but allows it to
be overridden on a per-|SSL| basis.

Change-Id: Id435934af3d425d5f008d2f3b9751d1d0884ee55
Reviewed-on: https://boringssl-review.googlesource.com/12182
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 6d7ae2f..e39fa89 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3116,6 +3116,14 @@
  * NULL if one has not been negotiated yet or there is no pending handshake. */
 OPENSSL_EXPORT const SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl);
 
+/* SSL_set_retain_only_sha256_of_client_certs, on a server, sets whether only
+ * the SHA-256 hash of peer's certificate should be saved in memory and in the
+ * session. This can save memory, ticket size and session cache space. If
+ * enabled, |SSL_get_peer_certificate| will return NULL after the handshake
+ * completes. See the |peer_sha256| field of |SSL_SESSION| for the hash. */
+OPENSSL_EXPORT void SSL_set_retain_only_sha256_of_client_certs(SSL *ssl,
+                                                               int enable);
+
 /* SSL_CTX_set_retain_only_sha256_of_client_certs, on a server, sets whether
  * only the SHA-256 hash of peer's certificate should be saved in memory and in
  * the session. This can save memory, ticket size and session cache space. If
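Review bot: The new comment on SSL_set_retain_only_sha256_of_client_certs does not say how the per-|SSL| value relates to the |SSL_CTX| one, although the commit description states that an |SSL| inherits the context's setting and may override it; a reader of the header alone cannot tell whether calling the |SSL_CTX| variant later affects existing |SSL| objects. I would append to the comment something like `The initial value is inherited from the |SSL_CTX|; this function overrides it for this connection only.`, adjusting the wording to when the inheritance actually happens, which is not visible in this diff. The same gap applies to the new retain_only_sha256_of_client_certs field comment in the second hunk (the enclosing struct begins outside that hunk), which could note that the bit is initialised from the context's field of the same name.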
@@ -4200,6 +4208,11 @@
    * we'll advertise support. */
   unsigned tlsext_channel_id_enabled:1;
 
+  /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
+   * hash of the peer's certificate and then discard it to save memory and
+   * session space. Only effective on the server side. */
+  unsigned retain_only_sha256_of_client_certs:1;
+
   /* TODO(agl): remove once node.js not longer references this. */
   int tlsext_status_type;
 };