diff options
author | David Benjamin <davidben@google.com> | 2023-05-26 22:03:30 -0400 |
---|---|---|
committer | Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-05-31 15:24:16 +0000 |
commit | 6cf98208371e5c2c8b9d34ce3b8c452ea90e2963 (patch) | |
tree | 7538382943080ee97ab515110e38bc084fe081fe /fuzz/ssl_ctx_api.cc | |
parent | 335523a2c456e7444297ed0786e65771839931c3 (diff) | |
download | boringssl-6cf98208371e5c2c8b9d34ce3b8c452ea90e2963.zip boringssl-6cf98208371e5c2c8b9d34ce3b8c452ea90e2963.tar.gz boringssl-6cf98208371e5c2c8b9d34ce3b8c452ea90e2963.tar.bz2 |
Align NIDs vs group IDs in TLS group APIs
Right now we use NIDs to configure the group list, but group IDs (the
TLS codepoints) to return the negotiated group. The NIDs come from
OpenSSL, while the group ID was original our API. OpenSSL has since
added SSL_get_negotiated_group, but we don't implement it.
To add Kyber to QUIC, we'll need to add an API for configuring groups to
QUICHE. Carrying over our inconsistency into QUICHE's public API would
be unfortunate, so let's use this as the time to align things.
We could either align with OpenSSL and say NIDs are now the group
representation at the public API, or we could add a parallel group ID
API. (Or we could make a whole new SSL_NAMED_GROUP object to pattern
after SSL_CIPHER, which isn't wrong, but is even more new APIs.)
Aligning with OpenSSL would be fewer APIs, but NIDs aren't a great
representation. The numbers are ad-hoc and even diverge a bit between
OpenSSL and BoringSSL. The TLS codepoints are better to export out to
callers. Also QUICHE has exported the negotiated group using the
codepoints, so the natural solution would be to use codepoints on input
too.
Thus, this CL adds SSL_CTX_set1_group_ids and SSL_set1_group_ids. It
also rearranges the API docs slightly to put the group ID ones first,
and leaves a little note about the NID representation before introducing
those.
While I'm here, I've added SSL_get_negotiated_group. NGINX seems to use
it when available, so we may as well fill in that unnecessary
compatibility hole.
Bug: chromium:1442377
Change-Id: I47ca8ae52c274133f28da9893aed7fc70f942bf8
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60208
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'fuzz/ssl_ctx_api.cc')
-rw-r--r-- | fuzz/ssl_ctx_api.cc | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/fuzz/ssl_ctx_api.cc b/fuzz/ssl_ctx_api.cc index f7c1f73..bbf7c71 100644 --- a/fuzz/ssl_ctx_api.cc +++ b/fuzz/ssl_ctx_api.cc @@ -417,6 +417,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { SSL_CTX_set1_groups(ctx, groups.data(), groups.size()); }, [](SSL_CTX *ctx, CBS *cbs) { + std::vector<uint16_t> groups; + if (!GetVector(&groups, cbs)) { + return; + } + SSL_CTX_set1_group_ids(ctx, groups.data(), groups.size()); + }, + [](SSL_CTX *ctx, CBS *cbs) { std::string groups; if (!GetString(&groups, cbs)) { return; |