authorDavid Benjamin <davidben@chromium.org>2014-11-02 23:06:42 -0500
committerAdam Langley <agl@google.com>2014-11-10 23:59:47 +0000
commit688d8dfe48bb5510ad6390add0d676729dce8397 (patch)
treef2e7c8bf969b53f1cf87b638786d58424f723310 /include
parente1b20a013633754378439f041a72c498d29ed413 (diff)
Remove psk_identity_hint from SSL_SESSION.
There's not much point in retaining the identity hint in the SSL_SESSION. This avoids the complexity around setting psk_identity hint on either the SSL or the SSL_SESSION. Introduce a peer_psk_identity_hint for the client to store the one received from the server. This changes the semantics of SSL_get_psk_identity_hint; it now only returns the value configured for the server. The client learns the hint through the callback. This is compatible with the one use of this API in conscrypt (it pulls the hint back out to pass to a callback). Change-Id: I6d9131636b47f13ac5800b4451436a057021054a Reviewed-on: https://boringssl-review.googlesource.com/2213 Reviewed-by: Adam Langley <agl@google.com>
Diffstat (limited to 'include')
-rw-r--r--include/openssl/ssl.h10
-rw-r--r--include/openssl/ssl3.h4
2 files changed, 10 insertions, 4 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index a08b412..ab6e7f4 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -377,7 +377,6 @@ struct ssl_session_st
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- char *psk_identity_hint;
char *psk_identity;
/* Used to indicate that session resumption is not allowed.
* Applications can also set this bit for a new session via
@@ -917,7 +916,10 @@ struct ssl_ctx_st
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
+ /* Server-only: psk_identity_hint is the default identity hint to send
+ * in PSK-based key exchanges. */
char *psk_identity_hint;
+
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len, unsigned char *psk,
unsigned int max_psk_len);
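Review bot: The new comment on `psk_identity_hint` in `ssl_ctx_st` says when the hint is used but not what NULL means or who owns the string, and the matching comment in the `ssl_st` hunk below has the same gap. It also does not say how the per-connection value relates to this default; presumably the `SSL` copies it when it is created, but nothing in these headers shows that. I would write something like `/* Server-only: psk_identity_hint is the default identity hint to send in PSK-based key exchanges, or NULL to send none. Copied into each new SSL. */`, adjusted to whatever the implementation actually does. `ssl_ctx_st` starts and ends outside the hunk.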
@@ -1305,10 +1307,10 @@ struct ssl_st
void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
- /* PSK identity hint is stored here only to enable setting a hint on an SSL object before an
- * SSL_SESSION is associated with it. Once an SSL_SESSION is associated with this SSL object,
- * the psk_identity_hint from the session takes precedence over this one. */
+ /* Server-only: psk_identity_hint is the identity hint to send in
+ * PSK-based key exchanges. */
char *psk_identity_hint;
+
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len, unsigned char *psk,
unsigned int max_psk_len);
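Review bot: The replaced comment in `ssl_st` dropped the old precedence rule, but nothing in the header now tells a client that this field no longer reflects what the server sent. The commit message says `SSL_get_psk_identity_hint` now returns only the locally configured value, so a client that reads it back will not see the peer's hint. The declaration is not in this diff, so I would add a comment there along the lines of `/* Returns the hint configured on |ssl| for sending as a server; a client receives the server's hint only through psk_client_callback. */`. `ssl_st` starts and ends outside the hunk.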
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 668b74f..5083167 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -492,6 +492,10 @@ typedef struct ssl3_state_st
* doesn't matter if the session that's being resumed didn't
* use it to create the master secret initially. */
char extended_master_secret;
+
+ /* Client-only: peer_psk_identity_hint is the psk_identity_hint
+ * sent by the server when using a PSK key exchange. */
+ char *peer_psk_identity_hint;
} tmp;
/* Connection binding to prevent renegotiation attacks */
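Review bot: The comment on `peer_psk_identity_hint` at the end of `tmp` does not say that the value is peer-controlled, nor who frees it. Because it is stored as a plain `char *`, a hint with an embedded NUL would be silently truncated when read as a C string. The code that fills it (not in this diff, which is limited to `include`) should therefore reject such hints and bound the length, presumably against `PSK_MAX_IDENTITY_LEN`. Once ownership is confirmed I would extend the comment to `/* Client-only: peer_psk_identity_hint is the NUL-terminated psk_identity_hint sent by the server, or NULL if none was sent. Untrusted input; freed with the handshake state. */`. `ssl3_state_st` starts and ends outside the hunk.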