generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)

Browse Source 
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
This commit is contained in:
Scott Deboy
2013-06-18 14:34:38 -07:00
committed by Ben Laurie
parent cda01d55ba
commit 36086186a9
25 changed files with 920 additions and 810 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
ssl/ssl_lib.c
View File

@@ -1840,6 +1840,66 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
else
*len = ssl->s3->alpn_selected_len;
}
int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
unsigned short supp_data_type,
cli_supp_data_first_cb_fn fn1,
cli_supp_data_second_cb_fn fn2, void* arg)
{
size_t i;
cli_supp_data_record* record;
/* Check for duplicates */
for (i=0; i < ctx->cli_supp_data_records_count; i++)
if (supp_data_type == ctx->cli_supp_data_records[i].supp_data_type)
return 0;
ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records,
(ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record));
if (!ctx->cli_supp_data_records)
{
ctx->cli_supp_data_records_count = 0;
return 0;
}
ctx->cli_supp_data_records_count++;
record = &ctx->cli_supp_data_records[ctx->cli_supp_data_records_count - 1];
record->supp_data_type = supp_data_type;
record->fn1 = fn1;
record->fn2 = fn2;
record->arg = arg;
return 1;
}
int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
unsigned short supp_data_type,
srv_supp_data_first_cb_fn fn1,
srv_supp_data_second_cb_fn fn2, void* arg)
{
size_t i;
srv_supp_data_record* record;
/* Check for duplicates */
for (i=0; i < ctx->srv_supp_data_records_count; i++)
if (supp_data_type == ctx->srv_supp_data_records[i].supp_data_type)
return 0;
ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records,
(ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record));
if (!ctx->srv_supp_data_records)
{
ctx->srv_supp_data_records_count = 0;
return 0;
}
ctx->srv_supp_data_records_count++;
record = &ctx->srv_supp_data_records[ctx->srv_supp_data_records_count - 1];
record->supp_data_type = supp_data_type;
record->fn1 = fn1;
record->fn2 = fn2;
record->arg = arg;
return 1;
}
#endif /* !OPENSSL_NO_TLSEXT */
int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -2043,6 +2103,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->custom_cli_ext_records_count = 0;
ret->custom_srv_ext_records = NULL;
ret->custom_srv_ext_records_count = 0;
ret->cli_supp_data_records = NULL;
ret->cli_supp_data_records_count = 0;
ret->srv_supp_data_records = NULL;
ret->srv_supp_data_records_count = 0;
#ifndef OPENSSL_NO_BUF_FREELISTS
ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -2184,6 +2248,8 @@ void SSL_CTX_free(SSL_CTX *a)
#ifndef OPENSSL_NO_TLSEXT
OPENSSL_free(a->custom_cli_ext_records);
OPENSSL_free(a->custom_srv_ext_records);
OPENSSL_free(a->cli_supp_data_records);
OPENSSL_free(a->srv_supp_data_records);
#endif
#ifndef OPENSSL_NO_ENGINE
if (a->client_cert_engine)
@@ -2621,25 +2687,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
}
#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length)
{
CERT *c;
int i;
c = s->cert;
i = ssl_get_server_cert_index(s);
if (i == -1)
return NULL;
*authz_length = 0;
if (c->pkeys[i].authz == NULL)
return(NULL);
*authz_length = c->pkeys[i].authz_length;
return c->pkeys[i].authz;
}
int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
size_t *serverinfo_length)
{