generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Backport more ENGINE SSL client auth code to 0.9.8.

Browse Source
This commit is contained in:
Dr. Stephen Henson
2008-06-04 18:35:27 +00:00
parent aa03989791
commit 4aefb1dd98
6 changed files with 60 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ssl/d1_clnt.c
View File

@@ -1095,8 +1095,7 @@ int dtls1_send_client_certificate(SSL *s)
* ssl->rwstate=SSL_X509_LOOKUP; return(-1); * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
* We then get retied later */ * We then get retied later */
i=0; i=0;
if (s->ctx->client_cert_cb != NULL) i = ssl_do_client_cert_cb(s, &x509, &pkey);
i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
if (i < 0) if (i < 0)
{ {
s->rwstate=SSL_X509_LOOKUP; s->rwstate=SSL_X509_LOOKUP;

24
ssl/s3_clnt.c
View File

@@ -134,6 +134,9 @@
#include <openssl/dh.h> #include <openssl/dh.h>
#endif #endif
#include <openssl/bn.h> #include <openssl/bn.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
static SSL_METHOD *ssl3_get_client_method(int ver); static SSL_METHOD *ssl3_get_client_method(int ver);
static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b); static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
@@ -2448,8 +2451,7 @@ int ssl3_send_client_certificate(SSL *s)
* ssl->rwstate=SSL_X509_LOOKUP; return(-1); * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
* We then get retied later */ * We then get retied later */
i=0; i=0;
if (s->ctx->client_cert_cb != NULL) i = ssl_do_client_cert_cb(s, &x509, &pkey);
i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
if (i < 0) if (i < 0)
{ {
s->rwstate=SSL_X509_LOOKUP; s->rwstate=SSL_X509_LOOKUP;
@@ -2716,3 +2718,21 @@ static int ssl3_check_finished(SSL *s)
return 1; return 1;
} }
#endif #endif
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{
int i = 0;
#ifndef OPENSSL_NO_ENGINE
if (s->ctx->client_cert_engine)
{
i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
SSL_get_client_CA_list(s),
px509, ppkey, NULL, NULL, NULL);
if (i != 0)
return i;
}
#endif
if (s->ctx->client_cert_cb)
i = s->ctx->client_cert_cb(s,px509,ppkey);
return i;
}

11
ssl/ssl.h
View File

@@ -757,6 +757,12 @@ struct ssl_ctx_st
int quiet_shutdown; int quiet_shutdown;
#ifndef OPENSSL_ENGINE
/* Engine to pass requests for client certs to
*/
ENGINE *client_cert_engine;
#endif
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
/* TLS extensions servername callback */ /* TLS extensions servername callback */
int (*tlsext_servername_callback)(SSL*, int *, void *); int (*tlsext_servername_callback)(SSL*, int *, void *);
@@ -826,6 +832,9 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val); void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
#ifndef OPENSSL_NO_ENGINE
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
#endif
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)); void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)); void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
@@ -1752,6 +1761,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168 #define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY 168
#define SSL_F_SSL_CTX_NEW 169 #define SSL_F_SSL_CTX_NEW 169
#define SSL_F_SSL_CTX_SET_CIPHER_LIST 269 #define SSL_F_SSL_CTX_SET_CIPHER_LIST 269
#define SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE 278
#define SSL_F_SSL_CTX_SET_PURPOSE 226 #define SSL_F_SSL_CTX_SET_PURPOSE 226
#define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219
#define SSL_F_SSL_CTX_SET_SSL_VERSION 170 #define SSL_F_SSL_CTX_SET_SSL_VERSION 170
@@ -1932,6 +1942,7 @@ void ERR_load_SSL_strings(void);
#define SSL_R_NO_CIPHERS_SPECIFIED 183 #define SSL_R_NO_CIPHERS_SPECIFIED 183
#define SSL_R_NO_CIPHER_LIST 184 #define SSL_R_NO_CIPHER_LIST 184
#define SSL_R_NO_CIPHER_MATCH 185 #define SSL_R_NO_CIPHER_MATCH 185
#define SSL_R_NO_CLIENT_CERT_METHOD 317
#define SSL_R_NO_CLIENT_CERT_RECEIVED 186 #define SSL_R_NO_CLIENT_CERT_RECEIVED 186
#define SSL_R_NO_COMPRESSION_SPECIFIED 187 #define SSL_R_NO_COMPRESSION_SPECIFIED 187
#define SSL_R_NO_METHOD_SPECIFIED 188 #define SSL_R_NO_METHOD_SPECIFIED 188

4
ssl/ssl_err.c
View File

@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */ /* ssl/ssl_err.c */
/* ==================================================================== /* ====================================================================
* Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -191,6 +191,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"}, {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
{ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"}, {ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
{ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_CIPHER_LIST), "SSL_CTX_set_cipher_list"},
{ERR_FUNC(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE), "SSL_CTX_SET_CLIENT_CERT_ENGINE"},
{ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_PURPOSE), "SSL_CTX_set_purpose"},
{ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"},
{ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"},
@@ -374,6 +375,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
{ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"}, {ERR_REASON(SSL_R_NO_CIPHERS_SPECIFIED) ,"no ciphers specified"},
{ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"}, {ERR_REASON(SSL_R_NO_CIPHER_LIST) ,"no cipher list"},
{ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"}, {ERR_REASON(SSL_R_NO_CIPHER_MATCH) ,"no cipher match"},
{ERR_REASON(SSL_R_NO_CLIENT_CERT_METHOD) ,"no client cert method"},
{ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"}, {ERR_REASON(SSL_R_NO_CLIENT_CERT_RECEIVED),"no client cert received"},
{ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"}, {ERR_REASON(SSL_R_NO_COMPRESSION_SPECIFIED),"no compression specified"},
{ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"}, {ERR_REASON(SSL_R_NO_METHOD_SPECIFIED) ,"no method specified"},

1
ssl/ssl_locl.h
View File

@@ -874,6 +874,7 @@ int ssl3_get_new_session_ticket(SSL *s);
int ssl3_get_cert_status(SSL *s); int ssl3_get_cert_status(SSL *s);
int ssl3_get_server_done(SSL *s); int ssl3_get_server_done(SSL *s);
int ssl3_send_client_verify(SSL *s); int ssl3_send_client_verify(SSL *s);
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
int ssl3_send_client_certificate(SSL *s); int ssl3_send_client_certificate(SSL *s);
int ssl3_send_client_key_exchange(SSL *s); int ssl3_send_client_key_exchange(SSL *s);
int ssl3_get_key_exchange(SSL *s); int ssl3_get_key_exchange(SSL *s);

22
ssl/ssl_sess.c
View File

@@ -59,6 +59,9 @@
#include <stdio.h> #include <stdio.h>
#include <openssl/lhash.h> #include <openssl/lhash.h>
#include <openssl/rand.h> #include <openssl/rand.h>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include "ssl_locl.h" #include "ssl_locl.h"
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -870,6 +873,25 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK
return ctx->client_cert_cb; return ctx->client_cert_cb;
} }
#ifndef OPENSSL_NO_ENGINE
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
{
if (!ENGINE_init(e))
{
SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
return 0;
}
if(!ENGINE_get_ssl_client_cert_function(e))
{
SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
ENGINE_finish(e);
return 0;
}
ctx->client_cert_engine = e;
return 1;
}
#endif
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
{ {