author | Trevor <trevp@trevp.net> | 2013-05-12 18:55:27 -0700 |
---|---|---|
committer | Ben Laurie <ben@links.org> | 2013-07-03 11:53:30 +0100 |
commit | e27711cfddb15b3bd0c42c804d37ea0f33a3e4e5 (patch) | |
tree | 80076d131dbb4be7039da0dc20b96d1654e9610c /apps | |
parent | 28c08222c058eb3106fa559df05a8a822cc159de (diff) |
Trying cherrypick:
Add support for arbitrary TLS extensions.
Contributed by Trevor Perrin.
Conflicts:
CHANGES
ssl/ssl.h
ssl/ssltest.c
test/testssl
Fix compilation due to #endif.
Cherrypicking more stuff.
Cleanup of custom extension stuff.
serverinfo rejects non-empty extensions.
Omit extension if no relevant serverinfo data.
Improve error-handling in serverinfo callback.
Cosmetic cleanups.
s_client documentation.
s_server documentation.
SSL_CTX_serverinfo documentation.
Cleaup -1 and NULL callback handling for custom extensions, add tests.
Cleanup ssl_rsa.c serverinfo code.
Whitespace cleanup.
Improve comments in ssl.h for serverinfo.
Whitespace.
Cosmetic cleanup.
Reject non-zero-len serverinfo extensions.
Whitespace.
Make it build.
Conflicts:
test/testssl
Diffstat (limited to 'apps')
-rw-r--r-- | apps/s_client.c | 62 | ||||
-rw-r--r-- | apps/s_server.c | 15 |
2 files changed, 77 insertions, 0 deletions
diff --git a/apps/s_client.c b/apps/s_client.c
index ad88c3770b..e08534b44d 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -364,6 +364,9 @@ static void sc_usage(void)
 # ifndef OPENSSL_NO_NEXTPROTONEG
 BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
+#ifndef OPENSSL_NO_TLSEXT
+ BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
+#endif
 #endif
 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
@@ -541,6 +544,26 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, con
 return SSL_TLSEXT_ERR_OK;
 }
 # endif /* ndef OPENSSL_NO_NEXTPROTONEG */
+
+static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
+ const unsigned char* in, unsigned short inlen,
+ int* al, void* arg)
+ {
+ char pem_name[100];
+ unsigned char ext_buf[4 + 65536];
+
+ /* Reconstruct the type/len fields prior to extension data */
+ ext_buf[0] = ext_type >> 8;
+ ext_buf[1] = ext_type & 0xFF;
+ ext_buf[2] = inlen >> 8;
+ ext_buf[3] = inlen & 0xFF;
+ memcpy(ext_buf+4, in, inlen);
+
+ BIO_snprintf(pem_name, sizeof(pem_name), "SERVER_INFO %d", ext_type);
+ PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
+ return 1;
+ }
+
 #endif
 enum
@@ -613,6 +636,9 @@ int MAIN(int argc, char **argv)
 # ifndef OPENSSL_NO_NEXTPROTONEG
 const char *next_proto_neg_in = NULL;
 # endif
+# define MAX_SI_TYPES 100
+ unsigned short serverinfo_types[MAX_SI_TYPES];
+ int serverinfo_types_count = 0;
 #endif
 char *sess_in = NULL;
 char *sess_out = NULL;
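Review bot: In serverinfo_cli_cb (hunk @@ -541) the result of `PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen)` is discarded and the callback then unconditionally returns 1, so a failed write of the received extension is reported to the library as success and the user never sees that the dump is missing. Check it, e.g. `if (!PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen)) return 0;`, setting `*al` first if the callback contract uses it to choose the alert (that contract is not visible in this diff). The `memcpy(ext_buf+4, in, inlen)` is bounded by the `unsigned short` length so the 4 + 65536 byte buffer cannot overflow, but if the library may pass `in == NULL` for an empty extension the zero-length memcpy is still undefined behaviour; guarding it with `if (inlen) memcpy(ext_buf+4, in, inlen);` costs nothing. The 64 KiB automatic array is also worth a comment such as `/* ext_buf sized for the largest possible extension body (inlen is 16-bit) */` so a later reader does not mistake it for an arbitrary limit.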
@@ -949,6 +975,29 @@ static char *jpake_secret = NULL;
 next_proto_neg_in = *(++argv);
 }
 # endif
+ else if (strcmp(*argv,"-serverinfo") == 0)
+ {
+ char *c;
+ int start = 0;
+ int len;
+
+ if (--argc < 1) goto bad;
+ c = *(++argv);
+ serverinfo_types_count = 0;
+ len = strlen(c);
+ for (i = 0; i <= len; ++i)
+ {
+ if (i == len || c[i] == ',')
+ {
+ serverinfo_types[serverinfo_types_count]
+ = atoi(c+start);
+ serverinfo_types_count++;
+ start = i+1;
+ }
+ if (serverinfo_types_count == MAX_SI_TYPES)
+ break;
+ }
+ }
 #endif
 #ifdef FIONBIO
 else if (strcmp(*argv,"-nbio") == 0)
@@ -1242,6 +1291,19 @@ bad:
 if (next_proto.data)
 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+ if (serverinfo_types_count)
+ {
+ for (i = 0; i < serverinfo_types_count; i++)
+ {
+ SSL_CTX_set_custom_cli_ext(ctx,
+ serverinfo_types[i],
+ NULL,
+ serverinfo_cli_cb,
+ NULL);
+ }
+ }
+#endif
 if (state)
 SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
 #if 0
diff --git a/apps/s_server.c b/apps/s_server.c
index 9acc374c01..6bd3ac7a84 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -311,6 +311,8 @@ static int cert_chain = 0;
 #ifndef OPENSSL_NO_TLSEXT
 static BIO *authz_in = NULL;
 static const char *s_authz_file = NULL;
+static BIO *serverinfo_in = NULL;
+static const char *s_serverinfo_file = NULL;
 #endif
 #ifndef OPENSSL_NO_PSK
@@ -471,6 +473,9 @@ static void sv_usage(void)
 BIO_printf(bio_err," -cert arg - certificate file to use\n");
 BIO_printf(bio_err," (default is %s)\n",TEST_CERT);
 BIO_printf(bio_err," -authz arg - binary authz file for certificate\n");
+#ifndef OPENSSL_NO_TLSEXT
+ BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n");
+#endif
 BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \
 " The CRL(s) are appended to the certificate file\n");
 BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
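Review bot: The `-serverinfo` parser (hunk @@ -949) stores `atoi(c+start)` straight into an `unsigned short` slot, so a non-numeric field, a negative number or a value above 65535 is silently truncated and an empty field such as `1,,2` becomes type 0; the client then offers an extension type the user did not ask for, with no diagnostic. Parse with strtol and reject out-of-range input through the existing `bad:` path, e.g. `long v = strtol(c+start, &end, 10); if (end == c+start || (*end != ',' && *end != '\0') || v < 0 || v > 0xFFFF) goto bad; serverinfo_types[serverinfo_types_count++] = (unsigned short)v;` with `char *end;` declared beside `c`. Storing `strlen(c)` in an `int` is harmless for a command-line argument but `size_t` would match the library type. The loop index `i` and the `bad:` label are assumed to exist in MAIN, whose body starts and ends outside this hunk.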
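Review bot: The registration loop in hunk @@ -1242 ignores the return value of `SSL_CTX_set_custom_cli_ext`, so if the library refuses a registration (for instance the same type listed twice on the command line, assuming duplicates are rejected as they are for other extension tables) the client continues without that extension and without telling the user, which makes a test run look like a negative result from the server. Check the result and fail loudly, e.g. `if (!SSL_CTX_set_custom_cli_ext(ctx, serverinfo_types[i], NULL, serverinfo_cli_cb, NULL)) { BIO_printf(bio_err, "Failed to register serverinfo extension type %d\n", serverinfo_types[i]); goto end; }`, jumping to MAIN's cleanup label as the other setup failures in this file do (the label is not visible in this hunk). The enclosing MAIN starts and ends outside the hunk.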
@@ -1065,6 +1070,11 @@ int MAIN(int argc, char *argv[])
 if (--argc < 1) goto bad;
 s_authz_file = *(++argv);
 }
+ else if (strcmp(*argv,"-serverinfo") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_serverinfo_file = *(++argv);
+ }
 #endif
 else if (strcmp(*argv,"-certform") == 0)
 {
@@ -1796,6 +1806,9 @@ bad:
 #ifndef OPENSSL_NO_TLSEXT
 if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file))
 goto end;
+ if (s_serverinfo_file != NULL
+ && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file))
+ goto end;
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain))
@@ -1963,6 +1976,8 @@ end:
 EVP_PKEY_free(s_key2);
 if (authz_in != NULL)
 BIO_free(authz_in);
+ if (serverinfo_in != NULL)
+ BIO_free(serverinfo_in);
 #endif
 ssl_excert_free(exc);
 if (ssl_args) |
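Review bot: `serverinfo_in` is declared in hunk @@ -311 and freed in hunk @@ -1963, but no hunk in this diff ever assigns it: the `-serverinfo` option is carried entirely by `s_serverinfo_file` and handed to `SSL_CTX_use_serverinfo_file` in hunk @@ -1796. Unless a part of the patch outside this listing opens that BIO, the static and its `BIO_free` are dead code copied from the `authz_in` pattern and should be removed, so a reader does not look for a second code path that loads serverinfo data. In hunk @@ -1796, `goto end` on a `SSL_CTX_use_serverinfo_file` failure leaves the user with no explanation of why the PEM file was rejected if the `end:` block does not drain the error queue (not visible here); adding `ERR_print_errors(bio_err);` before the `goto end;` makes a malformed or mismatched serverinfo file diagnosable. The enclosing MAIN starts and ends outside these hunks.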