author | Rob Percival <robpercival@google.com> | 2016-03-03 16:19:23 +0000 |
committer | Rich Salz <rsalz@openssl.org> | 2016-03-04 10:50:10 -0500 |
commit | ed29e82adeea9d2ee89aeadf5646d4d1350a6855 (patch) | |
tree | ce8d5a9b580ad20efb4ebe51a20900e1e4c95c2d /ssl/ssl_locl.h | |
parent | ddb4c0477af623fcad3e6709640729e82693a4c9 (diff) |
Adds CT validation to SSL connections
Disabled by default, but can be enabled by setting the
ct_validation_callback on an SSL or SSL_CTX.
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl/ssl_locl.h')
-rw-r--r-- | ssl/ssl_locl.h | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4fc079baed..ca928e7d5d 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -164,7 +164,9 @@
 # include <openssl/ssl.h>
 # include <openssl/async.h>
 # include <openssl/symhacks.h>
-
+# ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+# endif
 #include "record/record.h"
 #include "statem/statem.h"
 #include "packet_locl.h"
@@ -815,6 +817,16 @@ struct ssl_ctx_st {
 int quiet_shutdown;
+# ifndef OPENSSL_NO_CT
+ CTLOG_STORE *ctlog_store; /* CT Log Store */
+ /*
+ * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+ * If they are not, the connection should be aborted.
+ */
+ ct_validation_cb ct_validation_callback;
+ void *ct_validation_callback_arg;
+# endif
+
 /*
 * Maximum amount of data to send in one fragment. actual record size can
 * be more than this due to padding and MAC overheads.
@@ -1088,6 +1100,26 @@ struct ssl_st {
 /* certificate status request info */
 /* Status type or -1 if no status type */
 int tlsext_status_type;
+# ifndef OPENSSL_NO_CT
+ /*
+ * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
+ * If they are not, the connection should be aborted.
+ */
+ ct_validation_cb ct_validation_callback;
+ /* User-supplied argument tha tis passed to the ct_validation_callback */
+ void *ct_validation_callback_arg;
+ /*
+ * Consolidated stack of SCTs from all sources.
+ * Lazily populated by CT_get_peer_scts(SSL*)
+ */
+ STACK_OF(SCT) *scts;
+ /* Raw extension data, if seen */
+ unsigned char *tlsext_scts;
+ /* Length of raw extension data, if seen */
+ uint16_t tlsext_scts_len;
+ /* Have we attempted to find/parse SCTs yet? */
+ int scts_parsed;
+# endif
 /* Expect OCSP CertificateStatus message */
 int tlsext_status_expected;
 /* OCSP status request only */
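Review bot: `ctlog_store` in `ssl_ctx_st` is introduced with only `/* CT Log Store */`, which leaves the ownership question open — whether the SSL_CTX frees the CTLOG_STORE or merely borrows a caller-owned one — and `ct_validation_callback_arg` carries no comment here although its counterpart in `ssl_st` (the next hunk) does. The free and copy paths live outside this header, so the contract belongs on the declaration, e.g. `/* CT log store used when validating SCTs; owned by the SSL_CTX (confirm against SSL_CTX_free) */` and `/* Opaque argument handed to ct_validation_callback */`. Since the commit message says validation is disabled by default, stating that at the field would help too, e.g. `/* NULL means no CT validation is performed */`. The enclosing struct ssl_ctx_st starts and ends outside the hunk.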
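Review bot: Typo in the comment on `ct_validation_callback_arg` in `ssl_st`: `/* User-supplied argument tha tis passed to the ct_validation_callback */` should read `/* User-supplied argument that is passed to the ct_validation_callback */`. The cached fields `scts`, `tlsext_scts`, `tlsext_scts_len` and `scts_parsed` document when they are populated but not when they are invalidated; a reader needs to know that `scts_parsed` and the cached stack are reset whenever a new handshake supplies a new peer chain (renegotiation, SSL_clear), otherwise a stale `scts` result could be consulted against a different certificate. I'd add a line at `scts_parsed`, e.g. `/* Must be reset, together with scts, whenever the peer chain changes */`, and say who frees `tlsext_scts` and `scts` (presumably the SSL in its free path — confirm). The enclosing struct ssl_st starts and ends outside the hunk.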
@@ -2037,6 +2069,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, int idx);
 void tls1_set_cert_validity(SSL *s);
+#ifndef OPENSSL_NO_CT
+__owur int SSL_validate_ct(SSL *s);
+#endif
+
 # ifndef OPENSSL_NO_DH
 __owur DH *ssl_get_auto_dh(SSL *s);
 # endif
|
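Review bot: `SSL_validate_ct` is declared in the internal header with the `SSL_` prefix this header otherwise leaves to the public API, while the neighbouring internal prototypes use lowercase `ssl_` (`ssl_get_auto_dh` in the same hunk); unless it is exported from ssl.h, `ssl_validate_ct` would follow the file's convention. The guard is written `#ifndef OPENSSL_NO_CT` next to the `# ifndef OPENSSL_NO_DH` form used on the adjacent lines. Because the return is marked `__owur`, the prototype should say what the caller has to check, e.g. `/* Returns 1 if the peer's SCTs satisfy ct_validation_callback, 0 otherwise (caller is expected to abort the handshake) -- confirm against the definition */`; the definition is outside this header.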