author | Ben Laurie <ben@openssl.org> | 2012-05-30 10:10:58 +0000 |
---|---|---|
committer | Ben Laurie <ben@openssl.org> | 2012-05-30 10:10:58 +0000 |
commit | a9e1c50bb09a110d4774e6710f9322344684fa2d (patch) | |
tree | e030d9ea1f33d1c7d310e8ceba621e77e59b988b /apps | |
parent | 03c1d9f99d95e19d4940aae8587808924cab486a (diff) |
RFC 5878 support.
Diffstat (limited to 'apps')
-rw-r--r-- | apps/s_apps.h | 4 | ||||
-rw-r--r-- | apps/s_cb.c | 26 | ||||
-rw-r--r-- | apps/s_client.c | 30 | ||||
-rw-r--r-- | apps/s_server.c | 51 |
4 files changed, 97 insertions, 14 deletions
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 5de65329a9..4effcd21d7 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -156,6 +156,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
 int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 STACK_OF(X509) *chain);
+# ifndef OPENSSL_NO_TLSEXT
+int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+ unsigned char *authz, size_t authz_length);
+# endif
 int ssl_print_sigalgs(BIO *out, SSL *s);
 int ssl_print_curves(BIO *out, SSL *s);
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index b21a4283df..c07066b6b6 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -237,8 +237,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 /* If we are using DSA, we can copy the parameters from
 * the private key */
-
-
+
+
 /* Now we know that a key and cert have been set against
 * the SSL context */
 if (!SSL_CTX_check_private_key(ctx))
@@ -251,9 +251,9 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 }
 int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
- STACK_OF(X509) *chain)
+ STACK_OF(X509) *chain)
 {
- if (cert == NULL)
+ if (cert == NULL)
 return 1;
 if (SSL_CTX_use_certificate(ctx,cert) <= 0)
 {
@@ -261,16 +261,16 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 ERR_print_errors(bio_err);
 return 0;
 }
- if (SSL_CTX_use_PrivateKey(ctx,key) <= 0)
- {
- BIO_printf(bio_err,"error setting private key\n");
- ERR_print_errors(bio_err);
- return 0;
- }
-
- /* Now we know that a key and cert have been set against
- * the SSL context */
+ if (SSL_CTX_use_PrivateKey(ctx,key) <= 0)
+ {
+ BIO_printf(bio_err,"error setting private key\n");
+ ERR_print_errors(bio_err);
+ return 0;
+ }
+
+ /* Now we know that a key and cert have been set against
+ * the SSL context */
 if (!SSL_CTX_check_private_key(ctx))
 {
 BIO_printf(bio_err,"Private key does not match the certificate public key\n");
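Review bot: The s_apps.h hunk declares `set_cert_key_and_authz`, but no definition of it appears anywhere in this commit — the three s_cb.c hunks only change indentation (2+2, 4 and 9+9 lines, which accounts for all 26 lines in the diffstat) and s_server.c calls `SSL_CTX_use_authz` directly — so the prototype is dead until a definition lands elsewhere. If it is kept, the buffer parameter should be `const unsigned char *authz, size_t authz_length`, since a caller passing a read-only blob has no reason to grant write access. A one-line comment above the declaration saying where the definition lives (or that it is forthcoming) would spare the next reader the search.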
diff --git a/apps/s_client.c b/apps/s_client.c
index 16f1ac37db..8cbb46e540 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -202,6 +202,7 @@ static int c_debug=0;
 #ifndef OPENSSL_NO_TLSEXT
 static int c_tlsextdebug=0;
 static int c_status_req=0;
+static int c_proof_debug=0;
 #endif
 static int c_msg=0;
 static int c_showcerts=0;
@@ -213,6 +214,7 @@ static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL *s, void *arg);
+static int audit_proof_cb(SSL *s, void *arg);
 #endif
 static BIO *bio_c_out=NULL;
 static int c_quiet=0;
@@ -357,6 +359,7 @@ static void sc_usage(void)
 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
 BIO_printf(bio_err," -status - request certificate status from server\n");
 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
+ BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n");
 # ifndef OPENSSL_NO_NEXTPROTONEG
 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
@@ -731,6 +734,8 @@ int MAIN(int argc, char **argv)
 c_tlsextdebug=1;
 else if (strcmp(*argv,"-status") == 0)
 c_status_req=1;
+ else if (strcmp(*argv,"-proof_debug") == 0)
+ c_proof_debug=1;
 #endif
 #ifdef WATT32
 else if (strcmp(*argv,"-wdebug") == 0)
@@ -1212,6 +1217,9 @@ bad:
 }
 #endif
+ if (c_proof_debug)
+ SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
+ audit_proof_cb);
 #endif
 con=SSL_new(ctx);
@@ -2147,4 +2155,26 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 return 1;
 }
+static int audit_proof_cb(SSL *s, void *arg)
+ {
+ const unsigned char *proof;
+ size_t proof_len;
+ size_t i;
+ SSL_SESSION *sess = SSL_get_session(s);
+
+ proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
+ &proof_len);
+ if (proof != NULL)
+ {
+ BIO_printf(bio_c_out, "Audit proof: ");
+ for (i = 0; i < proof_len; ++i)
+ BIO_printf(bio_c_out, "%02X", proof[i]);
+ BIO_printf(bio_c_out, "\n");
+ }
+ else
+ {
+ BIO_printf(bio_c_out, "No audit proof found.\n");
+ }
+ return 1;
+ }
 #endif
diff --git a/apps/s_server.c b/apps/s_server.c
index bb791e08e7..762757bf00 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -313,6 +313,12 @@ static long socket_mtu;
 static int cert_chain = 0;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+static BIO *authz_in = NULL;
+static const char *s_authz_file = NULL;
+static unsigned char *authz = NULL;
+static size_t authz_length;
+#endif
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity="Client_identity";
@@ -473,6 +479,7 @@ static void sv_usage(void)
 BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n");
 BIO_printf(bio_err," -cert arg - certificate file to use\n");
 BIO_printf(bio_err," (default is %s)\n",TEST_CERT);
+ BIO_printf(bio_err," -authz arg - binary authz file for certificate\n");
 BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \
 " The CRL(s) are appended to the certificate file\n");
 BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
@@ -1044,6 +1051,13 @@ int MAIN(int argc, char *argv[])
 if (--argc < 1) goto bad;
 s_cert_file= *(++argv);
 }
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-authz") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_authz_file = *(++argv);
+ }
+#endif
 else if (strcmp(*argv,"-certform") == 0)
 {
 if (--argc < 1) goto bad;
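Review bot: In audit_proof_cb the `SSL_SESSION *sess` returned by `SSL_get_session(s)` is handed straight to `SSL_SESSION_get_tlsext_authz_server_audit_proof` with no NULL check; unless that accessor is documented to tolerate a NULL session, a guard before the lookup, `if (sess == NULL) return 1;`, keeps this debug-only path from dereferencing NULL when no session has been established. The callback always returns 1 and only prints the proof, so nothing about the proof's validity is ever checked here — that is fine for a `-proof_debug` switch but deserves a header comment such as `/* Debug aid: hex-dump the server's audit proof to bio_c_out; never rejects the handshake. */`. The `arg` parameter is unused; `(void)arg;` would silence -Wunused-parameter builds. The hunk's surrounding `#ifndef OPENSSL_NO_TLSEXT` block opens outside the hunk.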
@@ -1490,7 +1504,34 @@ bad:
 next_proto.data = NULL;
 }
 # endif
-#endif
+ if (s_authz_file != NULL)
+ {
+ /* Allow authzs up to 64KB bytes. */
+ static const size_t authz_limit = 65536;
+
+ authz_in = BIO_new(BIO_s_file_internal());
+ if (authz_in == NULL)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (BIO_read_filename(authz_in, s_authz_file) <= 0)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ authz = OPENSSL_malloc(authz_limit);
+ authz_length = BIO_read(authz_in, authz, authz_limit);
+ if (authz_length == authz_limit || authz_length <= 0)
+ {
+ BIO_printf(bio_err, "authz too large\n");
+ goto end;
+ }
+ BIO_free(authz_in);
+ authz_in = NULL;
+ }
+#endif /* OPENSSL_NO_TLSEXT */
 }
@@ -1790,6 +1831,10 @@ bad:
 if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
 goto end;
 #ifndef OPENSSL_NO_TLSEXT
+ if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length))
+ goto end;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
 if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
 goto end;
 #endif
@@ -1983,6 +2028,10 @@ end:
 X509_free(s_cert2);
 if (s_key2)
 EVP_PKEY_free(s_key2);
+ if (authz != NULL)
+ OPENSSL_free(authz);
+ if (authz_in != NULL)
+ BIO_free(authz_in);
 #endif
 if (bio_s_out != NULL)
 {
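Review bot: `authz_length = BIO_read(authz_in, authz, authz_limit);` stores an `int` result into the `size_t authz_length` declared in the earlier s_server.c hunk, so the `authz_length <= 0` test in the next line only catches 0 and a -1 read error wraps to SIZE_MAX, slips past both comparisons, and is later passed as the length to `SSL_CTX_use_authz(ctx, authz, authz_length)` in the @@ -1790 hunk. The `OPENSSL_malloc(authz_limit)` result on the line before is also used without a NULL check. Reading into a local `int` and converting only after the range check fixes both the error path and the misleading "authz too large" message on an empty or unreadable file; the adjacent `#endif` / `#ifndef OPENSSL_NO_TLSEXT` pair in the @@ -1790 hunk can be collapsed into one block at the same time.
```c
		/* Allow authzs up to 64KB bytes. */
		static const size_t authz_limit = 65536;
		int n;
		/* … unchanged: BIO_new / BIO_read_filename and their error paths … */
		authz = OPENSSL_malloc(authz_limit);
		if (authz == NULL)
			{
			BIO_printf(bio_err, "out of memory\n");
			goto end;
			}
		/* Keep BIO_read()'s int result: a -1 error must not be
		 * widened into a huge size_t length. */
		n = BIO_read(authz_in, authz, authz_limit);
		if (n <= 0 || (size_t)n >= authz_limit)
			{
			BIO_printf(bio_err, "authz unreadable, empty or too large\n");
			goto end;
			}
		authz_length = (size_t)n;
		/* … unchanged: BIO_free(authz_in); authz_in = NULL; … */
```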