From 36086186a9b90cdad0d2cd0a598a10f03f8f4bcc Mon Sep 17 00:00:00 2001 From: Scott Deboy Date: Tue, 18 Jun 2013 14:34:38 -0700 Subject: Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions) Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API Tests exercising the new supplemental data registration and callback api can be found in ssltest.c. Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation. --- ssl/ssl_rsa.c | 233 +++------------------------------------------------------- 1 file changed, 9 insertions(+), 224 deletions(-) (limited to 'ssl/ssl_rsa.c') diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index 2837624ae9..41878776ec 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -66,10 +66,6 @@ static int ssl_set_cert(CERT *c, X509 *x509); static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey); -#ifndef OPENSSL_NO_TLSEXT -static int ssl_set_authz(CERT *c, unsigned char *authz, - size_t authz_length); -#endif int SSL_use_certificate(SSL *ssl, X509 *x) { if (x == NULL) @@ -463,6 +459,15 @@ static int ssl_set_cert(CERT *c, X509 *x) X509_free(c->pkeys[i].x509); CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509); c->pkeys[i].x509=x; +#ifndef OPENSSL_NO_TLSEXT + /* Free the old serverinfo data, if it exists. */ + if (c->pkeys[i].serverinfo != NULL) + { + OPENSSL_free(c->pkeys[i].serverinfo); + c->pkeys[i].serverinfo = NULL; + c->pkeys[i].serverinfo_length = 0; + } +#endif c->key= &(c->pkeys[i]); c->valid=0; @@ -802,50 +807,6 @@ end: #endif #ifndef OPENSSL_NO_TLSEXT -/* authz_validate returns true iff authz is well formed, i.e. that it meets the - * wire format as documented in the CERT_PKEY structure and that there are no - * duplicate entries. */ -static char authz_validate(const unsigned char *authz, size_t length) - { - unsigned char types_seen_bitmap[32]; - - if (!authz) - return 1; - - memset(types_seen_bitmap, 0, sizeof(types_seen_bitmap)); - - for (;;) - { - unsigned char type, byte, bit; - unsigned short len; - - if (!length) - return 1; - - type = *(authz++); - length--; - - byte = type / 8; - bit = type & 7; - if (types_seen_bitmap[byte] & (1 << bit)) - return 0; - types_seen_bitmap[byte] |= (1 << bit); - - if (length < 2) - return 0; - len = ((unsigned short) authz[0]) << 8 | - ((unsigned short) authz[1]); - authz += 2; - length -= 2; - - if (length < len) - return 0; - - authz += len; - length -= len; - } - } - static int serverinfo_find_extension(const unsigned char *serverinfo, size_t serverinfo_length, unsigned short extension_type, @@ -978,83 +939,6 @@ static int serverinfo_process_buffer(const unsigned char *serverinfo, } } -static const unsigned char *authz_find_data(const unsigned char *authz, - size_t authz_length, - unsigned char data_type, - size_t *data_length) - { - if (authz == NULL) return NULL; - if (!authz_validate(authz, authz_length)) - { - SSLerr(SSL_F_AUTHZ_FIND_DATA,SSL_R_INVALID_AUTHZ_DATA); - return NULL; - } - - for (;;) - { - unsigned char type; - unsigned short len; - if (!authz_length) - return NULL; - - type = *(authz++); - authz_length--; - - /* We've validated the authz data, so we don't have to - * check again that we have enough bytes left. */ - len = ((unsigned short) authz[0]) << 8 | - ((unsigned short) authz[1]); - authz += 2; - authz_length -= 2; - if (type == data_type) - { - *data_length = len; - return authz; - } - authz += len; - authz_length -= len; - } - /* No match */ - return NULL; - } - -static int ssl_set_authz(CERT *c, unsigned char *authz, size_t authz_length) - { - CERT_PKEY *current_key = c->key; - if (current_key == NULL) - return 0; - if (!authz_validate(authz, authz_length)) - { - SSLerr(SSL_F_SSL_SET_AUTHZ,SSL_R_INVALID_AUTHZ_DATA); - return(0); - } - current_key->authz = OPENSSL_realloc(current_key->authz, authz_length); - if (current_key->authz == NULL) - { - SSLerr(SSL_F_SSL_SET_AUTHZ,ERR_R_MALLOC_FAILURE); - return 0; - } - current_key->authz_length = authz_length; - memcpy(current_key->authz, authz, authz_length); - return 1; - } - -int SSL_CTX_use_authz(SSL_CTX *ctx, unsigned char *authz, - size_t authz_length) - { - if (authz == NULL) - { - SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - if (!ssl_cert_inst(&ctx->cert)) - { - SSLerr(SSL_F_SSL_CTX_USE_AUTHZ,ERR_R_MALLOC_FAILURE); - return 0; - } - return ssl_set_authz(ctx->cert, authz, authz_length); - } - int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, size_t serverinfo_length) { @@ -1098,106 +982,7 @@ int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, return 1; } -int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length) - { - if (authz == NULL) - { - SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - if (!ssl_cert_inst(&ssl->cert)) - { - SSLerr(SSL_F_SSL_USE_AUTHZ,ERR_R_MALLOC_FAILURE); - return 0; - } - return ssl_set_authz(ssl->cert, authz, authz_length); - } - -const unsigned char *SSL_CTX_get_authz_data(SSL_CTX *ctx, unsigned char type, - size_t *data_length) - { - CERT_PKEY *current_key; - - if (ctx->cert == NULL) - return NULL; - current_key = ctx->cert->key; - if (current_key->authz == NULL) - return NULL; - return authz_find_data(current_key->authz, - current_key->authz_length, type, data_length); - } - #ifndef OPENSSL_NO_STDIO -/* read_authz returns a newly allocated buffer with authz data */ -static unsigned char *read_authz(const char *file, size_t *authz_length) - { - BIO *authz_in = NULL; - unsigned char *authz = NULL; - /* Allow authzs up to 64KB. */ - static const size_t authz_limit = 65536; - size_t read_length; - unsigned char *ret = NULL; - - authz_in = BIO_new(BIO_s_file_internal()); - if (authz_in == NULL) - { - SSLerr(SSL_F_READ_AUTHZ,ERR_R_BUF_LIB); - goto end; - } - - if (BIO_read_filename(authz_in,file) <= 0) - { - SSLerr(SSL_F_READ_AUTHZ,ERR_R_SYS_LIB); - goto end; - } - - authz = OPENSSL_malloc(authz_limit); - read_length = BIO_read(authz_in, authz, authz_limit); - if (read_length == authz_limit || read_length <= 0) - { - SSLerr(SSL_F_READ_AUTHZ,SSL_R_AUTHZ_DATA_TOO_LARGE); - OPENSSL_free(authz); - goto end; - } - *authz_length = read_length; - ret = authz; -end: - if (authz_in != NULL) BIO_free(authz_in); - return ret; - } - -int SSL_CTX_use_authz_file(SSL_CTX *ctx, const char *file) - { - unsigned char *authz = NULL; - size_t authz_length = 0; - int ret; - - authz = read_authz(file, &authz_length); - if (authz == NULL) - return 0; - - ret = SSL_CTX_use_authz(ctx, authz, authz_length); - /* SSL_CTX_use_authz makes a local copy of the authz. */ - OPENSSL_free(authz); - return ret; - } - -int SSL_use_authz_file(SSL *ssl, const char *file) - { - unsigned char *authz = NULL; - size_t authz_length = 0; - int ret; - - authz = read_authz(file, &authz_length); - if (authz == NULL) - return 0; - - ret = SSL_use_authz(ssl, authz, authz_length); - /* SSL_use_authz makes a local copy of the authz. */ - OPENSSL_free(authz); - return ret; - } - int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file) { unsigned char *serverinfo = NULL; -- cgit v1.2.3