author | Rob Percival <robpercival@google.com> | 2016-03-03 16:19:23 +0000 |
committer | Rich Salz <rsalz@openssl.org> | 2016-03-04 10:50:10 -0500 |
commit | ed29e82adeea9d2ee89aeadf5646d4d1350a6855 (patch) | |
tree | ce8d5a9b580ad20efb4ebe51a20900e1e4c95c2d /ssl/t1_lib.c | |
parent | ddb4c0477af623fcad3e6709640729e82693a4c9 (diff) |
Adds CT validation to SSL connections
Disabled by default, but can be enabled by setting the
ct_validation_callback on an SSL or SSL_CTX.
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r-- | ssl/t1_lib.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f068a2008a..70c47c8e65 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -120,6 +120,9 @@
 # include <openssl/bn.h>
 #endif
 #include "ssl_locl.h"
+#ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+#endif
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
 const unsigned char *sess_id, int sesslen,
@@ -1450,6 +1453,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
 s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
 s2n(0, ret);
 #endif
+#ifndef OPENSSL_NO_CT
+ if (s->ct_validation_callback != NULL) {
+ s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
+ s2n(0, ret);
+ }
+#endif
 s2n(TLSEXT_TYPE_extended_master_secret, ret);
 s2n(0, ret);
@@ -2414,6 +2423,30 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET *pkt, int *al)
 /* Set flag to expect CertificateStatus message */
 s->tlsext_status_expected = 1;
 }
+#ifndef OPENSSL_NO_CT
+ /*
+ * Only take it if we asked for it - i.e if there is no CT validation
+ * callback set, then a custom extension MAY be processing it, so we
+ * need to let control continue to flow to that.
+ */
+ else if (type == TLSEXT_TYPE_signed_certificate_timestamp &&
+ s->ct_validation_callback != NULL) {
+ /* Simply copy it off for later processing */
+ if (s->tlsext_scts != NULL) {
+ OPENSSL_free(s->tlsext_scts);
+ s->tlsext_scts = NULL;
+ }
+ s->tlsext_scts_len = size;
+ if (size > 0) {
+ s->tlsext_scts = OPENSSL_malloc(size);
+ if (s->tlsext_scts == NULL) {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ memcpy(s->tlsext_scts, data, size);
+ }
+ }
+#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
 else if (type == TLSEXT_TYPE_next_proto_neg &&
 s->s3->tmp.finish_md_len == 0) {
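Review bot: In the third hunk (ssl_scan_serverhello_tlsext) `s->tlsext_scts_len = size;` is assigned before OPENSSL_malloc, so on the allocation-failure path the SSL object is left with a non-zero `tlsext_scts_len` and a NULL `tlsext_scts`; any later reader that trusts the length field to describe the buffer could dereference NULL. Reset the length when the old buffer is dropped and record it only once the copy has succeeded: `s->tlsext_scts_len = 0;` inside the free block, and move `s->tlsext_scts_len = size;` to after the `memcpy`. The `if (s->tlsext_scts != NULL)` guard around OPENSSL_free is redundant since freeing NULL is a no-op, and the `s->tlsext_scts = NULL;` can then stand on its own. ssl_scan_serverhello_tlsext begins and ends outside the hunk, so it is not visible here whether the function already rejects a duplicate SCT extension before reaching this branch.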