Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)

Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API Tests exercising the new supplemental data registration and callback api can be found in ssltest.c. Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation. (cherry picked from commit 36086186a9b90cdad0d2cd0a598a10f03f8f4bcc) Conflicts: Configure apps/s_client.c apps/s_server.c ssl/ssl.h ssl/ssl3.h ssl/ssltest.c
author: Scott Deboy <sdeboy@secondstryke.com> 2013-06-18 14:34:38 -0700
committer: Scott Deboy <sdeboy@secondstryke.com> 2014-02-08 16:12:15 -0800
commit: 038bec784e528ce273169f178c35991fbc3bea92 (patch)
tree: be8a71c2c534db29ea7ee31f1207be9b976b0698 /ssl/ssltest.c
parent: f407eec799f1f5d271b809875f016f680935567b (diff)
1 files changed, 140 insertions, 1 deletions
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index c126eb627b..3755e06905 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -446,6 +446,16 @@ int custom_ext = 0;
 /* This set based on extension callbacks */
 int custom_ext_error = 0;
 
+/*Not IETF assigned supplemental data types*/
+#define CUSTOM_SUPP_DATA_TYPE_0 100
+#define CUSTOM_SUPP_DATA_TYPE_1 101
+#define CUSTOM_SUPP_DATA_TYPE_2 102
+
+const char supp_data_0_string[] = "00000";
+
+int suppdata = 0;
+int suppdata_error = 0;
+
 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
 			     const unsigned char* in, unsigned short inlen, 
 			     int* al, void* arg)
@@ -651,6 +661,109 @@ static int custom_ext_3_srv_second_cb(SSL *s, unsigned short ext_type,
 	return 1; /* Send "defg" */
 	}
 
+static int supp_data_0_srv_first_cb(SSL *s, unsigned short supp_data_type,
+				    const unsigned char **out,
+				    unsigned short *outlen, void *arg)
+	{
+	*out = (const unsigned char*)supp_data_0_string;
+	*outlen = strlen(supp_data_0_string);
+	if (arg != s)
+		suppdata_error = 1;
+	return 1;
+	}
+
+static int supp_data_0_srv_second_cb(SSL *s, unsigned short supp_data_type,
+				     const unsigned char *in,
+				     unsigned short inlen, int *al,
+				     void *arg)
+	{
+	if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
+		suppdata_error = 1;
+	if (inlen != strlen(supp_data_0_string))
+		suppdata_error = 1;
+	if (memcmp(in, supp_data_0_string, inlen) != 0)
+		suppdata_error = 1;
+	if (arg != s)
+		suppdata_error = 1;
+	return 1;
+	}
+
+static int supp_data_1_srv_first_cb(SSL *s, unsigned short supp_data_type,
+				    const unsigned char **out,
+				    unsigned short *outlen, void *arg)
+	{
+	return -1;
+	}
+
+static int supp_data_1_srv_second_cb(SSL *s, unsigned short supp_data_type,
+				     const unsigned char *in,
+				     unsigned short inlen, int *al,
+				     void *arg)
+	{
+	suppdata_error = 1;
+	return 1;
+	}
+
+static int supp_data_2_srv_second_cb(SSL *s, unsigned short supp_data_type,
+				     const unsigned char *in,
+				     unsigned short inlen, int *al,
+				     void *arg)
+	{
+	suppdata_error = 1;
+	return 1;
+	}
+
+static int supp_data_0_cli_first_cb(SSL *s, unsigned short supp_data_type,
+				    const unsigned char *in,
+				    unsigned short inlen, int *al,
+				    void *arg)
+	{
+	if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
+		suppdata_error = 1;
+	if (inlen != strlen(supp_data_0_string))
+		suppdata_error = 1;
+	if (memcmp(in, supp_data_0_string, inlen) != 0)
+		suppdata_error = 1;
+	if (arg != s)
+		suppdata_error = 1;
+	return 1;
+	}
+
+static int supp_data_0_cli_second_cb(SSL *s, unsigned short supp_data_type,
+				     const unsigned char **out,
+				     unsigned short *outlen, void *arg)
+	{
+	*out = (const unsigned char*)supp_data_0_string;
+	*outlen = strlen(supp_data_0_string);
+	if (arg != s)
+		suppdata_error = 1;
+	return 1;
+	}
+
+static int supp_data_1_cli_first_cb(SSL *s, unsigned short supp_data_type,
+				    const unsigned char *in,
+				    unsigned short inlen, int *al,
+				    void *arg)
+	{
+	suppdata_error = 1;
+	return 1;
+	}
+
+static int supp_data_1_cli_second_cb(SSL *s, unsigned short supp_data_type,
+				     const unsigned char **out,
+				     unsigned short *outlen, void *arg)
+	{
+	return -1;
+	}
+
+static int supp_data_2_cli_first_cb(SSL *s, unsigned short supp_data_type,
+				    const unsigned char *in,
+				    unsigned short inlen, int *al,
+				    void *arg)
+	{
+	suppdata_error = 1;
+	return 1;
+	}
 
 static char *cipher=NULL;
 static int verbose=0;
@@ -738,6 +851,7 @@ static void sv_usage(void)
 	fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
 	fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
 	fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
+	fprintf(stderr, "-suppdata - exercise supplemental data callbacks\n");
 	}
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -1241,6 +1355,10 @@ int main(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			alpn_expected = *(++argv);
 			}
+		else if (strcmp(*argv,"-suppdata") == 0)
+			{
+			suppdata = 1;
+			}
 		else
 			{
 			fprintf(stderr,"unknown option %s\n",*argv);
@@ -1647,6 +1765,23 @@ bad:
 	c_ssl=SSL_new(c_ctx);
 	s_ssl=SSL_new(s_ctx);
 
+	if (suppdata)
+		{
+		//TEST CASES
+		//client and server both send and receive, verify additional arg passed back
+		SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_0, supp_data_0_srv_first_cb, supp_data_0_srv_second_cb, s_ssl);
+		SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_0, supp_data_0_cli_first_cb, supp_data_0_cli_second_cb, c_ssl);
+
+		//-1 response from sending server/client doesn't receive, -1 response from sending client/server doesn't receive
+		SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_1, supp_data_1_srv_first_cb, supp_data_1_srv_second_cb, NULL);
+		SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_1, supp_data_1_cli_first_cb, supp_data_1_cli_second_cb, NULL);
+
+		//null sending server/client doesn't receive, null sending client/server doesn't receive
+		SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_2, /*supp_data_2_srv_first_cb*/NULL, supp_data_2_srv_second_cb, NULL);
+		SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_2, supp_data_2_cli_first_cb, /*supp_data_2_cli_second_cb*/NULL, NULL);
+
+		//alerts set to non-zero and zero return values not tested
+		}
 #ifndef OPENSSL_NO_KRB5
 	if (c_ssl  &&  c_ssl->kssl_ctx)
                 {
@@ -2411,7 +2546,11 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 
 	if (verbose)
 		print_details(c_ssl, "DONE: ");
-
+	if (suppdata_error < 0)
+		{
+		ret = 1;
+		goto err;
+		}
 	if (verify_serverinfo() < 0)
 		{
 		ret = 1;
author	Scott Deboy <sdeboy@secondstryke.com>	2013-06-18 14:34:38 -0700
committer	Scott Deboy <sdeboy@secondstryke.com>	2014-02-08 16:12:15 -0800
commit	038bec784e528ce273169f178c35991fbc3bea92 (patch)
tree	be8a71c2c534db29ea7ee31f1207be9b976b0698 /ssl/ssltest.c
parent	f407eec799f1f5d271b809875f016f680935567b (diff)