Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API Tests exercising the new supplemental data registration and callback api can be found in ssltest.c. Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
This commit is contained in:
Scott Deboy
123
ssl/ssl.h
123
ssl/ssl.h
@@ -433,6 +433,58 @@ typedef struct {
|
||||
custom_srv_ext_second_cb_fn fn2;
|
||||
void *arg;
|
||||
} custom_srv_ext_record;
|
||||
|
||||
/* Callbacks and structures for handling Supplemental Data:
|
||||
* srv_supp_data_first_cb_fn - server sends Supplemental Data
|
||||
* srv_supp_data_second_cb_fn - server receives Supplemental Data
|
||||
* cli_supp_data_first_cb_fn - client receives Supplemental Data
|
||||
* cli_supp_data_second_cb_fn - client sends Supplemental Data
|
||||
*
|
||||
* All these functions return nonzero on success. Zero will terminate
|
||||
* the handshake (and return a specific TLS Fatal alert, if the function
|
||||
* declaration has an "al" parameter). -1 for the "sending" functions
|
||||
* will result in no supplemental data entry being added to the
|
||||
* supplemental data message for the provided supplemental data type.
|
||||
*
|
||||
* "supp_data_type" is a Supplemental Data Type from 0-65535.
|
||||
* "in" is a pointer to TLS "supplemental_data_entry" being provided to the cb.
|
||||
* "out" is used by the callback to return a pointer to "supplemental data"
|
||||
* which OpenSSL will later copy into the TLS handshake. The contents
|
||||
* of this buffer should not be changed until the handshake is complete.
|
||||
* "inlen" and "outlen" are Supplemental Data lengths from 0-65535.
|
||||
* "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a
|
||||
* fatal TLS alert, if the callback returns zero.
|
||||
*/
|
||||
typedef int (*srv_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char **out,
|
||||
unsigned short *outlen, void *arg);
|
||||
typedef int (*srv_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char *in,
|
||||
unsigned short inlen, int *al,
|
||||
void *arg);
|
||||
|
||||
typedef int (*cli_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char *in,
|
||||
unsigned short inlen, int *al,
|
||||
void *arg);
|
||||
typedef int (*cli_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
|
||||
const unsigned char **out,
|
||||
unsigned short *outlen, void *arg);
|
||||
|
||||
typedef struct {
|
||||
unsigned short supp_data_type;
|
||||
srv_supp_data_first_cb_fn fn1;
|
||||
srv_supp_data_second_cb_fn fn2;
|
||||
void *arg;
|
||||
} srv_supp_data_record;
|
||||
|
||||
typedef struct {
|
||||
unsigned short supp_data_type;
|
||||
cli_supp_data_first_cb_fn fn1;
|
||||
cli_supp_data_second_cb_fn fn2;
|
||||
void *arg;
|
||||
} cli_supp_data_record;
|
||||
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SSL_INTERN
|
||||
@@ -596,13 +648,6 @@ struct ssl_session_st
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
char *srp_username;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
/* Used by client: the proof for this session.
|
||||
* We store it outside the sess_cert structure, since the proof
|
||||
* is received before the certificate. */
|
||||
unsigned char *audit_proof;
|
||||
size_t audit_proof_length;
|
||||
#endif
|
||||
};
|
||||
|
||||
@@ -1138,14 +1183,17 @@ struct ssl_ctx_st
|
||||
size_t tlsext_ellipticcurvelist_length;
|
||||
unsigned char *tlsext_ellipticcurvelist;
|
||||
# endif /* OPENSSL_NO_EC */
|
||||
int (*tlsext_authz_server_audit_proof_cb)(SSL *s, void *arg);
|
||||
void *tlsext_authz_server_audit_proof_cb_arg;
|
||||
|
||||
/* Arrays containing the callbacks for custom TLS Extensions. */
|
||||
custom_cli_ext_record *custom_cli_ext_records;
|
||||
size_t custom_cli_ext_records_count;
|
||||
custom_srv_ext_record *custom_srv_ext_records;
|
||||
size_t custom_srv_ext_records_count;
|
||||
|
||||
/* Arrays containing the callbacks for Supplemental Data. */
|
||||
cli_supp_data_record *cli_supp_data_records;
|
||||
size_t cli_supp_data_records_count;
|
||||
srv_supp_data_record *srv_supp_data_records;
|
||||
size_t srv_supp_data_records_count;
|
||||
};
|
||||
|
||||
#endif
|
||||
@@ -1291,6 +1339,31 @@ int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
|
||||
int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
|
||||
custom_srv_ext_first_cb_fn fn1,
|
||||
custom_srv_ext_second_cb_fn fn2, void *arg);
|
||||
|
||||
/* Register callbacks to handle Supplemental Data as client or server.
|
||||
*
|
||||
* For SSL_CTX_set_srv_supp_data, a NULL srv_supp_data_first_cb_fn results in no supplemental data
|
||||
* being sent by the server for that TLS extension.
|
||||
* A NULL srv_supp_data_second_cb_fn results in no supplemental data
|
||||
* being received by the server for that TLS extension.
|
||||
*
|
||||
* For SSL_CTX_set_cli_supp_data, a NULL cli_supp_data_first_cb_fn results in no supplemental data
|
||||
* being received by the client for that TLS extension.
|
||||
* A NULL cli_supp_data_second_cb_fn results in no supplemental data
|
||||
* being sent by the client for that TLS extension.
|
||||
*
|
||||
* Returns nonzero on success. You cannot register twice for the same supp_data_type.
|
||||
*/
|
||||
int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
|
||||
unsigned short supp_data_type,
|
||||
srv_supp_data_first_cb_fn fn1,
|
||||
srv_supp_data_second_cb_fn fn2, void *arg);
|
||||
|
||||
int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
|
||||
unsigned short supp_data_type,
|
||||
cli_supp_data_first_cb_fn fn1,
|
||||
cli_supp_data_second_cb_fn fn2, void *arg);
|
||||
|
||||
#endif
|
||||
|
||||
#define SSL_NOTHING 1
|
||||
@@ -1812,9 +1885,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
|
||||
#define SSL_CTRL_GET_TLS_EXT_HEARTBEAT_PENDING 86
|
||||
#define SSL_CTRL_SET_TLS_EXT_HEARTBEAT_NO_REQUESTS 87
|
||||
#endif
|
||||
/* Callback for verifying audit proofs (client only) */
|
||||
#define SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB 95
|
||||
#define SSL_CTRL_SET_TLSEXT_AUTHZ_SERVER_AUDIT_PROOF_CB_ARG 96
|
||||
#endif /* OPENSSL_NO_TLSEXT */
|
||||
|
||||
#define DTLS_CTRL_GET_TIMEOUT 73
|
||||
@@ -2052,17 +2122,6 @@ int SSL_use_certificate(SSL *ssl, X509 *x);
|
||||
int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
/* Set authz data for the current active cert. */
|
||||
int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz, size_t authz_length);
|
||||
int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length);
|
||||
/* Get the authz of type 'type' associated with the current active cert. */
|
||||
const unsigned char *SSL_CTX_get_authz_data(SSL_CTX *ctx, unsigned char type,
|
||||
size_t *data_length);
|
||||
#ifndef OPENSSL_NO_STDIO
|
||||
int SSL_CTX_use_authz_file(SSL_CTX *ctx, const char *file);
|
||||
int SSL_use_authz_file(SSL *ssl, const char *file);
|
||||
#endif
|
||||
|
||||
/* Set serverinfo data for the current active cert. */
|
||||
int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
|
||||
size_t serverinfo_length);
|
||||
@@ -2116,10 +2175,6 @@ int SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
|
||||
#ifndef OPENSSL_NO_BIO
|
||||
int SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
unsigned char *SSL_SESSION_get_tlsext_authz_server_audit_proof(SSL_SESSION *s,
|
||||
size_t *proof_length);
|
||||
#endif
|
||||
void SSL_SESSION_free(SSL_SESSION *ses);
|
||||
int i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
|
||||
int SSL_set_session(SSL *to, SSL_SESSION *session);
|
||||
@@ -2454,8 +2509,6 @@ void ERR_load_SSL_strings(void);
|
||||
/* Error codes for the SSL functions. */
|
||||
|
||||
/* Function codes. */
|
||||
#define SSL_F_AUTHZ_FIND_DATA 330
|
||||
#define SSL_F_AUTHZ_VALIDATE 323
|
||||
#define SSL_F_CHECK_SUITEB_CIPHER_LIST 335
|
||||
#define SSL_F_CLIENT_CERTIFICATE 100
|
||||
#define SSL_F_CLIENT_FINISHED 167
|
||||
@@ -2499,7 +2552,6 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_GET_SERVER_HELLO 109
|
||||
#define SSL_F_GET_SERVER_VERIFY 110
|
||||
#define SSL_F_I2D_SSL_SESSION 111
|
||||
#define SSL_F_READ_AUTHZ 329
|
||||
#define SSL_F_READ_N 112
|
||||
#define SSL_F_REQUEST_CERTIFICATE 113
|
||||
#define SSL_F_SERVER_FINISH 239
|
||||
@@ -2605,7 +2657,6 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
|
||||
#define SSL_F_SSL_CTX_SET_SSL_VERSION 170
|
||||
#define SSL_F_SSL_CTX_SET_TRUST 229
|
||||
#define SSL_F_SSL_CTX_USE_AUTHZ 324
|
||||
#define SSL_F_SSL_CTX_USE_CERTIFICATE 171
|
||||
#define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172
|
||||
#define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220
|
||||
@@ -2646,7 +2697,6 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL_SESSION_PRINT_FP 190
|
||||
#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
|
||||
#define SSL_F_SSL_SESS_CERT_NEW 225
|
||||
#define SSL_F_SSL_SET_AUTHZ 325
|
||||
#define SSL_F_SSL_SET_CERT 191
|
||||
#define SSL_F_SSL_SET_CIPHER_LIST 271
|
||||
#define SSL_F_SSL_SET_FD 192
|
||||
@@ -2663,7 +2713,6 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243
|
||||
#define SSL_F_SSL_UNDEFINED_FUNCTION 197
|
||||
#define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244
|
||||
#define SSL_F_SSL_USE_AUTHZ 328
|
||||
#define SSL_F_SSL_USE_CERTIFICATE 198
|
||||
#define SSL_F_SSL_USE_CERTIFICATE_ASN1 199
|
||||
#define SSL_F_SSL_USE_CERTIFICATE_FILE 200
|
||||
@@ -2683,18 +2732,19 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_F_TLS1_ENC 210
|
||||
#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314
|
||||
#define SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA 326
|
||||
#define SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA 336
|
||||
#define SSL_F_TLS1_HEARTBEAT 315
|
||||
#define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275
|
||||
#define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276
|
||||
#define SSL_F_TLS1_PRF 284
|
||||
#define SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA 327
|
||||
#define SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA 333
|
||||
#define SSL_F_TLS1_SETUP_KEY_BLOCK 211
|
||||
#define SSL_F_WRITE_PENDING 212
|
||||
|
||||
/* Reason codes. */
|
||||
#define SSL_R_APP_DATA_IN_HANDSHAKE 100
|
||||
#define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
|
||||
#define SSL_R_AUTHZ_DATA_TOO_LARGE 375
|
||||
#define SSL_R_BAD_ALERT_RECORD 101
|
||||
#define SSL_R_BAD_AUTHENTICATION_TYPE 102
|
||||
#define SSL_R_BAD_CHANGE_CIPHER_SPEC 103
|
||||
@@ -2786,8 +2836,6 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_ILLEGAL_PADDING 283
|
||||
#define SSL_R_ILLEGAL_SUITEB_DIGEST 380
|
||||
#define SSL_R_INCONSISTENT_COMPRESSION 340
|
||||
#define SSL_R_INVALID_AUDIT_PROOF 371
|
||||
#define SSL_R_INVALID_AUTHZ_DATA 374
|
||||
#define SSL_R_INVALID_CHALLENGE_LENGTH 158
|
||||
#define SSL_R_INVALID_COMMAND 280
|
||||
#define SSL_R_INVALID_COMPRESSION_ALGORITHM 341
|
||||
@@ -2975,7 +3023,6 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_UNEXPECTED_RECORD 245
|
||||
#define SSL_R_UNINITIALIZED 276
|
||||
#define SSL_R_UNKNOWN_ALERT_TYPE 246
|
||||
#define SSL_R_UNKNOWN_AUTHZ_DATA_TYPE 372
|
||||
#define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247
|
||||
#define SSL_R_UNKNOWN_CIPHER_RETURNED 248
|
||||
#define SSL_R_UNKNOWN_CIPHER_TYPE 249
|
||||
|
||||
Reference in New Issue
Block a user