Add an API to record use of delegated credential
Change-Id: Ie964dee5ff9f8c6d43208dd1d3947d9b427ea27d
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36424
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 4586bdb..34b354c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3100,6 +3100,10 @@
SSL *ssl, CRYPTO_BUFFER *dc, EVP_PKEY *pkey,
const SSL_PRIVATE_KEY_METHOD *key_method);
+// SSL_delegated_credential_used returns one if a delegated credential was used
+// and zero otherwise.
+OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl);
+
// QUIC integration.
//
diff --git a/ssl/internal.h b/ssl/internal.h
index c7f6a5e..f03271e 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2221,6 +2221,10 @@
// session_reused indicates whether a session was resumed.
bool session_reused : 1;
+ // delegated_credential_used is whether we presented a delegated credential to
+ // the peer.
+ bool delegated_credential_used : 1;
+
bool send_connection_binding : 1;
// In a client, this means that the server supported Channel ID and that a
diff --git a/ssl/s3_lib.cc b/ssl/s3_lib.cc
index 0e0770c..b6d905d 100644
--- a/ssl/s3_lib.cc
+++ b/ssl/s3_lib.cc
@@ -172,6 +172,7 @@
has_message(false),
initial_handshake_complete(false),
session_reused(false),
+ delegated_credential_used(false),
send_connection_binding(false),
channel_id_valid(false),
key_update_pending(false),
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
index 54df38f..b565a35 100644
--- a/ssl/ssl_cert.cc
+++ b/ssl/ssl_cert.cc
@@ -1010,3 +1010,7 @@
return cert_set_dc(ssl->config->cert.get(), dc, pkey, key_method);
}
+
+int SSL_delegated_credential_used(const SSL *ssl) {
+ return ssl->s3->delegated_credential_used;
+}
diff --git a/ssl/test/bssl_shim.cc b/ssl/test/bssl_shim.cc
index 89b4ba5..98da2ec 100644
--- a/ssl/test/bssl_shim.cc
+++ b/ssl/test/bssl_shim.cc
@@ -665,6 +665,13 @@
return false;
}
+ if (config->expect_delegated_credential_used !=
+ !!SSL_delegated_credential_used(ssl)) {
+ fprintf(stderr,
+ "Got %s delegated credential usage, but wanted opposite. \n",
+ SSL_delegated_credential_used(ssl) ? "" : "no");
+ return false;
+ }
return true;
}
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 7dd0def..ee09faf 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -15480,6 +15480,7 @@
},
flags: []string{
"-delegated-credential", ecdsaFlagValue,
+ "-expect-delegated-credential-used",
},
})
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 4a25b1a..98e0440 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -148,6 +148,8 @@
{"-server-preference", &TestConfig::server_preference},
{"-export-traffic-secrets", &TestConfig::export_traffic_secrets},
{"-key-update", &TestConfig::key_update},
+ {"-expect-delegated-credential-used",
+ &TestConfig::expect_delegated_credential_used},
};
const Flag<std::string> kStringFlags[] = {
diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h
index 195ffc9..fc2dded 100644
--- a/ssl/test/test_config.h
+++ b/ssl/test/test_config.h
@@ -173,6 +173,7 @@
bool server_preference = false;
bool export_traffic_secrets = false;
bool key_update = false;
+ bool expect_delegated_credential_used = false;
std::string delegated_credential;
std::string expect_early_data_reason;
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index bd0bb4f..2a290f4 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -497,6 +497,7 @@
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
+ ssl->s3->delegated_credential_used = true;
}
for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain.get()); i++) {
