Add SSL[_CTX]_get_compliance_policy

It turns out to be useful for tests to be able to read this value back.

Change-Id: Icf21144c230dc59f7548b7f75749509c8b646b4a
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/74508
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ac492cc..c6db0e8 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -5698,11 +5698,20 @@
 OPENSSL_EXPORT int SSL_CTX_set_compliance_policy(
     SSL_CTX *ctx, enum ssl_compliance_policy_t policy);
 
+// SSL_CTX_get_compliance_policy returns the compliance policy configured on
+// |ctx|.
+OPENSSL_EXPORT enum ssl_compliance_policy_t SSL_CTX_get_compliance_policy(
+    const SSL_CTX *ctx);
+
 // SSL_set_compliance_policy acts the same as |SSL_CTX_set_compliance_policy|,
 // but only configures a single |SSL*|.
 OPENSSL_EXPORT int SSL_set_compliance_policy(
     SSL *ssl, enum ssl_compliance_policy_t policy);
 
+// SSL_get_compliance_policy returns the compliance policy configured on
+// |ssl|.
+OPENSSL_EXPORT enum ssl_compliance_policy_t SSL_get_compliance_policy(
+    const SSL *ssl);
 
 // Nodejs compatibility section (hidden).
 //
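Review bot: The comments on the two new getters should state what the returned value actually reflects, because it is weaker than "the compliance policy configured on |ctx|" suggests: in ssl_lib.cc each `Configure` assigns the field first and only then calls the version/cipher setters whose result the setter returns, so after a `SSL_CTX_set_compliance_policy` call that returned 0 the getter still reports the requested policy, and nothing visible here re-validates the value against later calls such as `SSL_CTX_set_min_proto_version` or `SSL_CTX_set_strict_cipher_list`. Suggest wording along the lines of `// SSL_CTX_get_compliance_policy returns the policy most recently passed to |SSL_CTX_set_compliance_policy| (|ssl_compliance_policy_none| if never set). It reports the last request, not whether |ctx|'s current configuration still satisfies that policy.`, with the same note on `SSL_get_compliance_policy`. A caller using the getter as an audit or assertion hook should not read a non-none value as proof that the connection is compliant.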
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index afc99be..c963224 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -263,14 +263,14 @@
                                 ? ssl->config->aes_hw_override_value
                                 : EVP_has_aes_hardware();
     const bssl::Span<const uint16_t> ciphers =
-        ssl->config->tls13_cipher_policy == ssl_compliance_policy_cnsa_202407
+        ssl->config->compliance_policy == ssl_compliance_policy_cnsa_202407
             ? bssl::Span<const uint16_t>(kCiphersCNSA)
             : (has_aes_hw ? bssl::Span<const uint16_t>(kCiphersAESHardware)
                           : bssl::Span<const uint16_t>(kCiphersNoAESHardware));
 
     for (auto cipher : ciphers) {
       if (!ssl_add_tls13_cipher(&child, cipher,
-                                ssl->config->tls13_cipher_policy)) {
+                                ssl->config->compliance_policy)) {
         return false;
       }
     }
diff --git a/ssl/internal.h b/ssl/internal.h
index 7c91643..e3bd3b6 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -3717,9 +3717,9 @@
   // structure for the client to use when negotiating ECH.
   Array<uint8_t> client_ech_config_list;
 
-  // tls13_cipher_policy limits the set of ciphers that can be selected when
+  // compliance_policy limits the set of ciphers that can be selected when
   // negotiating a TLS 1.3 connection.
-  enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none;
+  enum ssl_compliance_policy_t compliance_policy = ssl_compliance_policy_none;
 
   // verify_mode is a bitmask of |SSL_VERIFY_*| values.
   uint8_t verify_mode = SSL_VERIFY_NONE;
@@ -4371,9 +4371,9 @@
   int (*legacy_ocsp_callback)(SSL *ssl, void *arg) = nullptr;
   void *legacy_ocsp_callback_arg = nullptr;
 
-  // tls13_cipher_policy limits the set of ciphers that can be selected when
+  // compliance_policy limits the set of ciphers that can be selected when
   // negotiating a TLS 1.3 connection.
-  enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none;
+  enum ssl_compliance_policy_t compliance_policy = ssl_compliance_policy_none;
 
   // verify_sigalgs, if not empty, is the set of signature algorithms
   // accepted from the peer in decreasing order of preference.
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index d601695..4ede3ad 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -646,7 +646,7 @@
   ssl->config->permute_extensions = ctx->permute_extensions;
   ssl->config->aes_hw_override = ctx->aes_hw_override;
   ssl->config->aes_hw_override_value = ctx->aes_hw_override_value;
-  ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy;
+  ssl->config->compliance_policy = ctx->compliance_policy;
 
   if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) ||
       !ssl->config->alpn_client_proto_list.CopyFrom(
@@ -3297,7 +3297,7 @@
     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
 
 static int Configure(SSL_CTX *ctx) {
-  ctx->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
+  ctx->compliance_policy = ssl_compliance_policy_fips_202205;
 
   return
       // Section 3.1:
@@ -3320,7 +3320,7 @@
 }
 
 static int Configure(SSL *ssl) {
-  ssl->config->tls13_cipher_policy = ssl_compliance_policy_fips_202205;
+  ssl->config->compliance_policy = ssl_compliance_policy_fips_202205;
 
   // See |Configure(SSL_CTX)|, above, for reasoning.
   return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
@@ -3354,7 +3354,7 @@
     "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
 
 static int Configure(SSL_CTX *ctx) {
-  ctx->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
+  ctx->compliance_policy = ssl_compliance_policy_wpa3_192_202304;
 
   return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) &&
          SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) &&
@@ -3367,7 +3367,7 @@
 }
 
 static int Configure(SSL *ssl) {
-  ssl->config->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304;
+  ssl->config->compliance_policy = ssl_compliance_policy_wpa3_192_202304;
 
   return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) &&
          SSL_set_max_proto_version(ssl, TLS1_3_VERSION) &&
@@ -3384,12 +3384,12 @@
 namespace cnsa202407 {
 
 static int Configure(SSL_CTX *ctx) {
-  ctx->tls13_cipher_policy = ssl_compliance_policy_cnsa_202407;
+  ctx->compliance_policy = ssl_compliance_policy_cnsa_202407;
   return 1;
 }
 
 static int Configure(SSL *ssl) {
-  ssl->config->tls13_cipher_policy = ssl_compliance_policy_cnsa_202407;
+  ssl->config->compliance_policy = ssl_compliance_policy_cnsa_202407;
   return 1;
 }
 
@@ -3409,6 +3409,10 @@
   }
 }
 
+enum ssl_compliance_policy_t SSL_CTX_get_compliance_policy(const SSL_CTX *ctx) {
+  return ctx->compliance_policy;
+}
+
 int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) {
   switch (policy) {
     case ssl_compliance_policy_fips_202205:
@@ -3421,3 +3425,7 @@
       return 0;
   }
 }
+
+enum ssl_compliance_policy_t SSL_get_compliance_policy(const SSL *ssl) {
+  return ssl->config->compliance_policy;
+}
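Review bot: `SSL_get_compliance_policy` dereferences `ssl->config` with no null check. In BoringSSL the per-connection `SSL_CONFIG` is released after the handshake when handshake-config shedding is enabled (not visible in this diff, so please confirm), in which case calling this getter on an established connection is a null dereference; the `SSL_CTX` variant added above has no such issue because the field lives on the context itself. Suggest guarding it the way accessors that read `ssl->config` elsewhere do, `if (!ssl->config) { return ssl_compliance_policy_none; }` ahead of the return, or, if a post-handshake call is meant to be unsupported, saying so in the header comment.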
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 540e115..cf072a7 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -9843,5 +9843,23 @@
       ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_READ_TIMEOUT_EXPIRED));
 }
 
+TEST(SSLTest, SetGetCompliancePolicy) {
+  bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+  EXPECT_EQ(SSL_CTX_get_compliance_policy(ctx.get()),
+            ssl_compliance_policy_none);
+
+  bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
+  EXPECT_EQ(SSL_get_compliance_policy(ssl.get()), ssl_compliance_policy_none);
+
+  for (const auto policy : {ssl_compliance_policy_fips_202205,      //
+                            ssl_compliance_policy_wpa3_192_202304,  //
+                            ssl_compliance_policy_cnsa_202407}) {
+    SSL_CTX_set_compliance_policy(ctx.get(), policy);
+    EXPECT_EQ(SSL_CTX_get_compliance_policy(ctx.get()), policy);
+    SSL_set_compliance_policy(ssl.get(), policy);
+    EXPECT_EQ(SSL_get_compliance_policy(ssl.get()), policy);
+  }
+}
+
 }  // namespace
 BSSL_NAMESPACE_END
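Review bot: The loop in `SetGetCompliancePolicy` discards the return values of `SSL_CTX_set_compliance_policy` and `SSL_set_compliance_policy`, and since each `Configure` assigns the field before the remaining version/cipher steps run, a setter that fails partway would still satisfy the `EXPECT_EQ` that follows; use `ASSERT_TRUE(SSL_CTX_set_compliance_policy(ctx.get(), policy));` and `ASSERT_TRUE(SSL_set_compliance_policy(ssl.get(), policy));` instead. The test also never exercises inheritance from the context: the only `SSL` is created before any policy is set on `ctx`, so the copy in `SSL_new` (`ssl->config->compliance_policy = ctx->compliance_policy`) is not covered; creating a second `SSL` inside the loop after the ctx setter and checking `SSL_get_compliance_policy` on it equals `policy` would close that gap. Asserting `ctx` and `ssl` are non-null after the `_new` calls would also avoid a null dereference masquerading as a test failure.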
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index 40877db..f8f2250 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -212,7 +212,7 @@
       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
       !ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(cipher),
-                                     ssl->config->tls13_cipher_policy)) {
+                                     ssl->config->compliance_policy)) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
     return ssl_hs_error;
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 2d984d7..afc75d8 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -121,7 +121,7 @@
                                  ssl->config->aes_hw_override
                                      ? ssl->config->aes_hw_override_value
                                      : EVP_has_aes_hardware(),
-                                 version, ssl->config->tls13_cipher_policy);
+                                 version, ssl->config->compliance_policy);
 }
 
 static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {