Add SSL[_CTX]_get_compliance_policy It turns out to be useful for tests to be able to read this value back. Change-Id: Icf21144c230dc59f7548b7f75749509c8b646b4a Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/74508 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com> Auto-Submit: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index ac492cc..c6db0e8 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h
@@ -5698,11 +5698,20 @@ OPENSSL_EXPORT int SSL_CTX_set_compliance_policy( SSL_CTX *ctx, enum ssl_compliance_policy_t policy); +// SSL_CTX_get_compliance_policy returns the compliance policy configured on +// |ctx|. +OPENSSL_EXPORT enum ssl_compliance_policy_t SSL_CTX_get_compliance_policy( + const SSL_CTX *ctx); + // SSL_set_compliance_policy acts the same as |SSL_CTX_set_compliance_policy|, // but only configures a single |SSL*|. OPENSSL_EXPORT int SSL_set_compliance_policy( SSL *ssl, enum ssl_compliance_policy_t policy); +// SSL_get_compliance_policy returns the compliance policy configured on +// |ssl|. +OPENSSL_EXPORT enum ssl_compliance_policy_t SSL_get_compliance_policy( + const SSL *ssl); // Nodejs compatibility section (hidden). //
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc index afc99be..c963224 100644 --- a/ssl/handshake_client.cc +++ b/ssl/handshake_client.cc
@@ -263,14 +263,14 @@ ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware(); const bssl::Span<const uint16_t> ciphers = - ssl->config->tls13_cipher_policy == ssl_compliance_policy_cnsa_202407 + ssl->config->compliance_policy == ssl_compliance_policy_cnsa_202407 ? bssl::Span<const uint16_t>(kCiphersCNSA) : (has_aes_hw ? bssl::Span<const uint16_t>(kCiphersAESHardware) : bssl::Span<const uint16_t>(kCiphersNoAESHardware)); for (auto cipher : ciphers) { if (!ssl_add_tls13_cipher(&child, cipher, - ssl->config->tls13_cipher_policy)) { + ssl->config->compliance_policy)) { return false; } }
diff --git a/ssl/internal.h b/ssl/internal.h index 7c91643..e3bd3b6 100644 --- a/ssl/internal.h +++ b/ssl/internal.h
@@ -3717,9 +3717,9 @@ // structure for the client to use when negotiating ECH. Array<uint8_t> client_ech_config_list; - // tls13_cipher_policy limits the set of ciphers that can be selected when + // compliance_policy limits the set of ciphers that can be selected when // negotiating a TLS 1.3 connection. - enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none; + enum ssl_compliance_policy_t compliance_policy = ssl_compliance_policy_none; // verify_mode is a bitmask of |SSL_VERIFY_*| values. uint8_t verify_mode = SSL_VERIFY_NONE; @@ -4371,9 +4371,9 @@ int (*legacy_ocsp_callback)(SSL *ssl, void *arg) = nullptr; void *legacy_ocsp_callback_arg = nullptr; - // tls13_cipher_policy limits the set of ciphers that can be selected when + // compliance_policy limits the set of ciphers that can be selected when // negotiating a TLS 1.3 connection. - enum ssl_compliance_policy_t tls13_cipher_policy = ssl_compliance_policy_none; + enum ssl_compliance_policy_t compliance_policy = ssl_compliance_policy_none; // verify_sigalgs, if not empty, is the set of signature algorithms // accepted from the peer in decreasing order of preference.
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index d601695..4ede3ad 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc
@@ -646,7 +646,7 @@ ssl->config->permute_extensions = ctx->permute_extensions; ssl->config->aes_hw_override = ctx->aes_hw_override; ssl->config->aes_hw_override_value = ctx->aes_hw_override_value; - ssl->config->tls13_cipher_policy = ctx->tls13_cipher_policy; + ssl->config->compliance_policy = ctx->compliance_policy; if (!ssl->config->supported_group_list.CopyFrom(ctx->supported_group_list) || !ssl->config->alpn_client_proto_list.CopyFrom( @@ -3297,7 +3297,7 @@ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; static int Configure(SSL_CTX *ctx) { - ctx->tls13_cipher_policy = ssl_compliance_policy_fips_202205; + ctx->compliance_policy = ssl_compliance_policy_fips_202205; return // Section 3.1: @@ -3320,7 +3320,7 @@ } static int Configure(SSL *ssl) { - ssl->config->tls13_cipher_policy = ssl_compliance_policy_fips_202205; + ssl->config->compliance_policy = ssl_compliance_policy_fips_202205; // See |Configure(SSL_CTX)|, above, for reasoning. return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && @@ -3354,7 +3354,7 @@ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"; static int Configure(SSL_CTX *ctx) { - ctx->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304; + ctx->compliance_policy = ssl_compliance_policy_wpa3_192_202304; return SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) && SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION) && @@ -3367,7 +3367,7 @@ } static int Configure(SSL *ssl) { - ssl->config->tls13_cipher_policy = ssl_compliance_policy_wpa3_192_202304; + ssl->config->compliance_policy = ssl_compliance_policy_wpa3_192_202304; return SSL_set_min_proto_version(ssl, TLS1_2_VERSION) && SSL_set_max_proto_version(ssl, TLS1_3_VERSION) && @@ -3384,12 +3384,12 @@ namespace cnsa202407 { static int Configure(SSL_CTX *ctx) { - ctx->tls13_cipher_policy = ssl_compliance_policy_cnsa_202407; + ctx->compliance_policy = ssl_compliance_policy_cnsa_202407; return 1; } static int Configure(SSL *ssl) { - ssl->config->tls13_cipher_policy = ssl_compliance_policy_cnsa_202407; + ssl->config->compliance_policy = ssl_compliance_policy_cnsa_202407; return 1; } @@ -3409,6 +3409,10 @@ } } +enum ssl_compliance_policy_t SSL_CTX_get_compliance_policy(const SSL_CTX *ctx) { + return ctx->compliance_policy; +} + int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) { switch (policy) { case ssl_compliance_policy_fips_202205: @@ -3421,3 +3425,7 @@ return 0; } } + +enum ssl_compliance_policy_t SSL_get_compliance_policy(const SSL *ssl) { + return ssl->config->compliance_policy; +}
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index 540e115..cf072a7 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc
@@ -9843,5 +9843,23 @@ ErrorEquals(ERR_get_error(), ERR_LIB_SSL, SSL_R_READ_TIMEOUT_EXPIRED)); } +TEST(SSLTest, SetGetCompliancePolicy) { + bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method())); + EXPECT_EQ(SSL_CTX_get_compliance_policy(ctx.get()), + ssl_compliance_policy_none); + + bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get())); + EXPECT_EQ(SSL_get_compliance_policy(ssl.get()), ssl_compliance_policy_none); + + for (const auto policy : {ssl_compliance_policy_fips_202205, // + ssl_compliance_policy_wpa3_192_202304, // + ssl_compliance_policy_cnsa_202407}) { + SSL_CTX_set_compliance_policy(ctx.get(), policy); + EXPECT_EQ(SSL_CTX_get_compliance_policy(ctx.get()), policy); + SSL_set_compliance_policy(ssl.get(), policy); + EXPECT_EQ(SSL_get_compliance_policy(ssl.get()), policy); + } +} + } // namespace BSSL_NAMESPACE_END
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc index 40877db..f8f2250 100644 --- a/ssl/tls13_client.cc +++ b/ssl/tls13_client.cc
@@ -212,7 +212,7 @@ SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) || SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) || !ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(cipher), - ssl->config->tls13_cipher_policy)) { + ssl->config->compliance_policy)) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error;
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc index 2d984d7..afc75d8 100644 --- a/ssl/tls13_server.cc +++ b/ssl/tls13_server.cc
@@ -121,7 +121,7 @@ ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware(), - version, ssl->config->tls13_cipher_policy); + version, ssl->config->compliance_policy); } static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {