Move the PQ-experiment signal to SSL_CTX.
In the case where I need it, it's easier for it to be on the context
rather than on each connection.
Change-Id: I5da2929ae6825d6b3151ccabb813cb8ad16416a1
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36746
Commit-Queue: Adam Langley <agl@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 690a388..9285b3f 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3044,7 +3044,7 @@
// signaling bit. These functions should not be used without explicit permission
// from BoringSSL-team.
-OPENSSL_EXPORT int SSL_enable_pq_experiment_signal(SSL *ssl);
+OPENSSL_EXPORT void SSL_CTX_enable_pq_experiment_signal(SSL_CTX *ctx);
OPENSSL_EXPORT int SSL_pq_experiment_signal_seen(const SSL *ssl);
diff --git a/ssl/internal.h b/ssl/internal.h
index 2598058..85b8112 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2588,11 +2588,6 @@
// jdk11_workaround is whether to disable TLS 1.3 for JDK 11 clients, as a
// workaround for https://bugs.openjdk.java.net/browse/JDK-8211806.
bool jdk11_workaround : 1;
-
- // pq_experiment_signal indicates that an empty extension should be sent
- // (for clients) or echoed (for servers) to indicate participation in an
- // experiment of post-quantum key exchanges.
- bool pq_experiment_signal : 1;
};
// From RFC 8446, used in determining PSK modes.
@@ -3193,6 +3188,11 @@
// If enable_early_data is true, early data can be sent and accepted.
bool enable_early_data : 1;
+ // pq_experiment_signal indicates that an empty extension should be sent
+ // (for clients) or echoed (for servers) to indicate participation in an
+ // experiment of post-quantum key exchanges.
+ bool pq_experiment_signal : 1;
+
private:
~ssl_ctx_st();
friend void SSL_CTX_free(SSL_CTX *);
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index 45ed62f..00ee7da 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -569,7 +569,8 @@
false_start_allowed_without_alpn(false),
ignore_tls13_downgrade(false),
handoff(false),
- enable_early_data(false) {
+ enable_early_data(false),
+ pq_experiment_signal(false) {
CRYPTO_MUTEX_init(&lock);
CRYPTO_new_ex_data(&ex_data);
}
@@ -734,8 +735,7 @@
handoff(false),
shed_handshake_config(false),
ignore_tls13_downgrade(false),
- jdk11_workaround(false),
- pq_experiment_signal(false) {
+ jdk11_workaround(false) {
assert(ssl);
}
@@ -1246,12 +1246,8 @@
return ssl_send_alert_impl(ssl, SSL3_AL_FATAL, alert);
}
-int SSL_enable_pq_experiment_signal(SSL *ssl) {
- if (!ssl->config) {
- return 0;
- }
- ssl->config->pq_experiment_signal = true;
- return 1;
+void SSL_CTX_enable_pq_experiment_signal(SSL_CTX *ctx) {
+ ctx->pq_experiment_signal = true;
}
int SSL_pq_experiment_signal_seen(const SSL *ssl) {
diff --git a/ssl/t1_lib.cc b/ssl/t1_lib.cc
index c05e2c6..88685c8 100644
--- a/ssl/t1_lib.cc
+++ b/ssl/t1_lib.cc
@@ -2894,7 +2894,7 @@
static bool ext_pq_experiment_signal_add_clienthello(SSL_HANDSHAKE *hs,
CBB *out) {
- if (hs->config->pq_experiment_signal &&
+ if (hs->ssl->ctx->pq_experiment_signal &&
(!CBB_add_u16(out, TLSEXT_TYPE_pq_experiment_signal) ||
!CBB_add_u16(out, 0))) {
return false;
@@ -2910,7 +2910,7 @@
return true;
}
- if (!hs->config->pq_experiment_signal || CBS_len(contents) != 0) {
+ if (!hs->ssl->ctx->pq_experiment_signal || CBS_len(contents) != 0) {
return false;
}
@@ -2929,7 +2929,7 @@
return false;
}
- if (hs->ssl->config->pq_experiment_signal) {
+ if (hs->ssl->ctx->pq_experiment_signal) {
hs->ssl->s3->pq_experiment_signal_seen = true;
}
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 8de81f5..19f94ba 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
@@ -1346,6 +1346,10 @@
SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_CIPHER_SERVER_PREFERENCE);
}
+ if (enable_pq_experiment_signal) {
+ SSL_CTX_enable_pq_experiment_signal(ssl_ctx.get());
+ }
+
return ssl_ctx;
}
@@ -1716,11 +1720,5 @@
}
}
- if (enable_pq_experiment_signal &&
- !SSL_enable_pq_experiment_signal(ssl.get())) {
- fprintf(stderr, "SSL_enable_pq_experiment_signal failed.\n");
- return nullptr;
- }
-
return ssl;
}