Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
(cherry picked from commit 36086186a9)
Conflicts:
Configure
apps/s_client.c
apps/s_server.c
ssl/ssl.h
ssl/ssl3.h
ssl/ssltest.c
This commit is contained in:
Scott Deboy
137
apps/s_client.c
137
apps/s_client.c
@@ -203,7 +203,6 @@ static int c_debug=0;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
static int c_tlsextdebug=0;
|
||||
static int c_status_req=0;
|
||||
static int c_proof_debug=0;
|
||||
#endif
|
||||
static int c_msg=0;
|
||||
static int c_showcerts=0;
|
||||
@@ -215,7 +214,8 @@ static void sc_usage(void);
|
||||
static void print_stuff(BIO *berr,SSL *con,int full);
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
static int ocsp_resp_cb(SSL *s, void *arg);
|
||||
static int audit_proof_cb(SSL *s, void *arg);
|
||||
static int c_auth = 0;
|
||||
static int c_auth_require_reneg = 0;
|
||||
#endif
|
||||
static BIO *bio_c_out=NULL;
|
||||
static BIO *bio_c_msg=NULL;
|
||||
@@ -223,6 +223,35 @@ static int c_quiet=0;
|
||||
static int c_ign_eof=0;
|
||||
static int c_brief=0;
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
|
||||
static const unsigned char *most_recent_supplemental_data;
|
||||
static size_t most_recent_supplemental_data_length;
|
||||
|
||||
static int server_provided_server_authz = 0;
|
||||
static int server_provided_client_authz = 0;
|
||||
|
||||
static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
|
||||
|
||||
static int suppdata_cb(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char *in,
|
||||
unsigned short inlen, int *al,
|
||||
void *arg);
|
||||
|
||||
static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char **out,
|
||||
unsigned short *outlen, void *arg);
|
||||
|
||||
static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
|
||||
const unsigned char **out, unsigned short *outlen,
|
||||
void *arg);
|
||||
|
||||
static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
|
||||
const unsigned char *in,
|
||||
unsigned short inlen, int *al,
|
||||
void *arg);
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
/* Default PSK identity and key */
|
||||
static char *psk_identity="Client_identity";
|
||||
@@ -365,15 +394,14 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
|
||||
BIO_printf(bio_err," -status - request certificate status from server\n");
|
||||
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
||||
BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n");
|
||||
BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
|
||||
BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
|
||||
BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
|
||||
#endif
|
||||
# ifndef OPENSSL_NO_NEXTPROTONEG
|
||||
BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
|
||||
# endif
|
||||
BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
|
||||
#endif
|
||||
#endif
|
||||
BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
||||
BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
|
||||
BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
|
||||
@@ -822,8 +850,10 @@ static char *jpake_secret = NULL;
|
||||
c_tlsextdebug=1;
|
||||
else if (strcmp(*argv,"-status") == 0)
|
||||
c_status_req=1;
|
||||
else if (strcmp(*argv,"-proof_debug") == 0)
|
||||
c_proof_debug=1;
|
||||
else if (strcmp(*argv,"-auth") == 0)
|
||||
c_auth = 1;
|
||||
else if (strcmp(*argv,"-auth_require_reneg") == 0)
|
||||
c_auth_require_reneg = 1;
|
||||
#endif
|
||||
#ifdef WATT32
|
||||
else if (strcmp(*argv,"-wdebug") == 0)
|
||||
@@ -1397,9 +1427,12 @@ bad:
|
||||
}
|
||||
|
||||
#endif
|
||||
if (c_proof_debug)
|
||||
SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
|
||||
audit_proof_cb);
|
||||
if (c_auth)
|
||||
{
|
||||
SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
|
||||
SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
|
||||
SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
|
||||
}
|
||||
#endif
|
||||
|
||||
con=SSL_new(ctx);
|
||||
@@ -2392,26 +2425,76 @@ static int ocsp_resp_cb(SSL *s, void *arg)
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int audit_proof_cb(SSL *s, void *arg)
|
||||
static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
|
||||
const unsigned char *in,
|
||||
unsigned short inlen, int *al,
|
||||
void *arg)
|
||||
{
|
||||
const unsigned char *proof;
|
||||
size_t proof_len;
|
||||
size_t i;
|
||||
SSL_SESSION *sess = SSL_get_session(s);
|
||||
|
||||
proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
|
||||
&proof_len);
|
||||
if (proof != NULL)
|
||||
if (TLSEXT_TYPE_server_authz == ext_type)
|
||||
{
|
||||
BIO_printf(bio_c_out, "Audit proof: ");
|
||||
for (i = 0; i < proof_len; ++i)
|
||||
BIO_printf(bio_c_out, "%02X", proof[i]);
|
||||
BIO_printf(bio_c_out, "\n");
|
||||
server_provided_server_authz = (memchr(in,
|
||||
TLSEXT_AUTHZDATAFORMAT_dtcp,
|
||||
inlen) != NULL);
|
||||
}
|
||||
else
|
||||
|
||||
if (TLSEXT_TYPE_client_authz == ext_type)
|
||||
{
|
||||
BIO_printf(bio_c_out, "No audit proof found.\n");
|
||||
server_provided_client_authz = (memchr(in,
|
||||
TLSEXT_AUTHZDATAFORMAT_dtcp,
|
||||
inlen) != NULL);
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
|
||||
const unsigned char **out, unsigned short *outlen,
|
||||
void *arg)
|
||||
{
|
||||
if (c_auth)
|
||||
{
|
||||
if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
|
||||
{
|
||||
*out = auth_ext_data;
|
||||
*outlen = 1;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
//no auth extension to send
|
||||
return -1;
|
||||
}
|
||||
|
||||
static int suppdata_cb(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char *in,
|
||||
unsigned short inlen, int *al,
|
||||
void *arg)
|
||||
{
|
||||
if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
|
||||
{
|
||||
most_recent_supplemental_data = in;
|
||||
most_recent_supplemental_data_length = inlen;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char **out,
|
||||
unsigned short *outlen, void *arg)
|
||||
{
|
||||
unsigned char *result;
|
||||
if (c_auth && server_provided_client_authz && server_provided_server_authz)
|
||||
{
|
||||
if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
|
||||
{
|
||||
result = OPENSSL_malloc(10);
|
||||
memcpy(result, "5432154321", 10);
|
||||
*out = result;
|
||||
*outlen = 10;
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
//no supplemental data to send
|
||||
return -1;
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user