Commit ecf4d660 authored by Dr. Stephen Henson

Custom extension revision.



Use the same structure for client and server custom extensions.

Add utility functions in new file t1_ext.c.
Use new utility functions to handle custom server and client extensions
and remove a lot of code duplication.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
parent 879bde12
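--- a/PATH_NOT_SHOWN_ON_PAGE_file1
+++ b/PATH_NOT_SHOWN_ON_PAGE_file1
@@ -24,7 +24,7 @@ LIBSRC= \
 	s2_meth.c   s2_srvr.c s2_clnt.c  s2_lib.c  s2_enc.c s2_pkt.c \
 	s3_meth.c   s3_srvr.c s3_clnt.c  s3_lib.c  s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
 	s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c          s23_pkt.c \
-	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c \
+	t1_meth.c   t1_srvr.c t1_clnt.c  t1_lib.c  t1_enc.c t1_ext.c \
 	d1_meth.c   d1_srvr.c d1_clnt.c  d1_lib.c  d1_pkt.c \
 	d1_both.c d1_enc.c d1_srtp.c \
 	ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
@@ -35,7 +35,7 @@ LIBOBJ= \
 	s2_meth.o  s2_srvr.o  s2_clnt.o  s2_lib.o  s2_enc.o s2_pkt.o \
 	s3_meth.o  s3_srvr.o  s3_clnt.o  s3_lib.o  s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
 	s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o          s23_pkt.o \
-	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o \
+	t1_meth.o   t1_srvr.o t1_clnt.o  t1_lib.o  t1_enc.o t1_ext.o \
 	d1_meth.o   d1_srvr.o d1_clnt.o  d1_lib.o  d1_pkt.o \
 	d1_both.o d1_enc.o d1_srtp.o\
 	ssl_lib.o ssl_err2.o ssl_cert.o ssl_sess.o \
@@ -997,6 +997,26 @@ t1_enc.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 t1_enc.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 t1_enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
 t1_enc.o: t1_enc.c
+t1_ext.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+t1_ext.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+t1_ext.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
+t1_ext.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
+t1_ext.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
+t1_ext.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
+t1_ext.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+t1_ext.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+t1_ext.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+t1_ext.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+t1_ext.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+t1_ext.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+t1_ext.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
+t1_ext.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+t1_ext.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+t1_ext.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+t1_ext.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+t1_ext.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+t1_ext.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h ssl_locl.h
+t1_ext.o: t1_ext.c
 t1_lib.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 t1_lib.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 t1_lib.o: ../include/openssl/comp.h ../include/openssl/conf.h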
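--- a/PATH_NOT_SHOWN_ON_PAGE_file2
+++ b/PATH_NOT_SHOWN_ON_PAGE_file2
@@ -368,7 +368,7 @@ static int ssl23_client_hello(SSL *s)
 		if (s->ctx->tlsext_opaque_prf_input_callback != 0 || s->tlsext_opaque_prf_input != NULL)
 			ssl2_compat = 0;
 #endif
-		if (s->cert->custom_cli_ext_records_count != 0)
+		if (s->cert->cli_ext.meths_count != 0)
 			ssl2_compat = 0;
 		}
 #endif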
+10 −10
@@ -409,21 +409,21 @@ typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, S
 *   "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a 
 *     fatal TLS alert, if the callback returns zero.
 */
typedef int (*custom_cli_ext_first_cb_fn)(SSL *s, unsigned short ext_type,

typedef int (*custom_ext_add_cb)(SSL *s, unsigned short ext_type,
					  const unsigned char **out,
					  unsigned short *outlen, int *al, void *arg);
typedef int (*custom_cli_ext_second_cb_fn)(SSL *s, unsigned short ext_type,
					   const unsigned char *in,
					   unsigned short inlen, int *al,
					  unsigned short *outlen, int *al,
					   void *arg);

typedef int (*custom_srv_ext_first_cb_fn)(SSL *s, unsigned short ext_type,
typedef int (*custom_ext_parse_cb)(SSL *s, unsigned short ext_type,
					   const unsigned char *in,
					   unsigned short inlen, int *al,
					   void *arg);
typedef int (*custom_srv_ext_second_cb_fn)(SSL *s, unsigned short ext_type,
					   const unsigned char **out,
					   unsigned short *outlen, int *al, void *arg);

typedef custom_ext_add_cb custom_cli_ext_first_cb_fn;
typedef custom_ext_parse_cb custom_cli_ext_second_cb_fn;
typedef custom_ext_add_cb custom_srv_ext_second_cb_fn;
typedef custom_ext_parse_cb custom_srv_ext_first_cb_fn;

#endif

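Review bot: The four alias typedefs at the end of the hunk make `custom_cli_ext_first_cb_fn` an add callback but `custom_srv_ext_first_cb_fn` a parse callback, so "first"/"second" no longer means the same thing on the client and server side, and nothing in the header says so; the only documentation left is the tail of the old comment above `custom_ext_add_cb`, which still describes the old names. I would add a comment on each new typedef, e.g. `/* Supplies the body of extension ext_type to send via *out/*outlen */` on `custom_ext_add_cb` and `/* Receives the peer's extension body as in/inlen */` on `custom_ext_parse_cb`, and one line on the alias group saying which callback each legacy name maps to so callers do not register a parser where a supplier is expected. The visible comment says that returning zero makes the value in `*al` a fatal alert; stating once that this applies to both callbacks would keep that contract from being lost with the old typedef names. My reading that "first" means the callback that runs earlier in the handshake for that side is inferred from the aliases and should be confirmed before it is written down.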
+8 −26
@@ -424,24 +424,10 @@ CERT *ssl_cert_dup(CERT *cert)
	ret->sec_ex = cert->sec_ex;

#ifndef OPENSSL_NO_TLSEXT
	if (cert->custom_cli_ext_records_count)
		{
		ret->custom_cli_ext_records = BUF_memdup(cert->custom_cli_ext_records, sizeof(custom_cli_ext_record) * cert->custom_cli_ext_records_count);
		if (ret->custom_cli_ext_records == NULL)
	if (!custom_exts_copy(&ret->cli_ext, &cert->cli_ext))
		goto err;
		ret->custom_cli_ext_records_count =
					cert->custom_cli_ext_records_count;
		}

	if (cert->custom_srv_ext_records_count)
		{
		ret->custom_srv_ext_records = BUF_memdup(cert->custom_srv_ext_records, sizeof(custom_srv_ext_record) * cert->custom_srv_ext_records_count);
		if (ret->custom_srv_ext_records == NULL)
	if (!custom_exts_copy(&ret->srv_ext, &cert->srv_ext))
		goto err;
		ret->custom_srv_ext_records_count =
					cert->custom_srv_ext_records_count;
		}

#endif

	return(ret);
@@ -463,10 +449,8 @@ err:
#endif

#ifndef OPENSSL_NO_TLSEXT
	if (ret->custom_cli_ext_records)
		OPENSSL_free(ret->custom_cli_ext_records);
	if (ret->custom_srv_ext_records)
		OPENSSL_free(ret->custom_srv_ext_records);
	custom_exts_free(&ret->cli_ext);
	custom_exts_free(&ret->srv_ext);
#endif

	ssl_cert_clear_certs(ret);
@@ -560,10 +544,8 @@ void ssl_cert_free(CERT *c)
	if (c->ciphers_raw)
		OPENSSL_free(c->ciphers_raw);
#ifndef OPENSSL_NO_TLSEXT
	if (c->custom_cli_ext_records)
		OPENSSL_free(c->custom_cli_ext_records);
	if (c->custom_srv_ext_records)
		OPENSSL_free(c->custom_srv_ext_records);
	custom_exts_free(&c->cli_ext);
	custom_exts_free(&c->srv_ext);
#endif
	OPENSSL_free(c);
	}
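Review bot: The error path in the second hunk calls `custom_exts_free(&ret->cli_ext)` and `custom_exts_free(&ret->srv_ext)` unconditionally, which is only safe if both structures were zero-initialised before the `custom_exts_copy` calls in the first hunk and if `custom_exts_copy` leaves its destination freeable when it fails part-way; neither is visible here, since the allocation of `ret` is above the hunk and the helper lives in the new t1_ext.c. The old code guarded each free with a NULL check and only assigned the record count after a successful memdup, so that responsibility now moves into the helper. A comment above the two copies, `/* custom_exts_free() on the err path relies on ret->cli_ext/srv_ext starting zeroed and on custom_exts_copy() leaving a failed copy in a freeable state */`, would record the contract; better still, document it on `custom_exts_copy` itself. ssl_cert_dup begins before the first hunk.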
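--- a/PATH_NOT_SHOWN_ON_PAGE_file5
+++ b/PATH_NOT_SHOWN_ON_PAGE_file5
@@ -1751,76 +1751,6 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned
 	}
 # endif
 
-static int cert_set_custom_cli_ext(CERT *cert, unsigned short ext_type,
-			       custom_cli_ext_first_cb_fn fn1, 
-			       custom_cli_ext_second_cb_fn fn2, void* arg)
-	{
-	size_t i;
-	custom_cli_ext_record* record;
-
-	/* Check for duplicates */
-	for (i=0; i < cert->custom_cli_ext_records_count; i++)
-		if (ext_type == cert->custom_cli_ext_records[i].ext_type)
-			return 0;
-
-	cert->custom_cli_ext_records = OPENSSL_realloc(cert->custom_cli_ext_records,
-						      (cert->custom_cli_ext_records_count + 1) * 
-						      sizeof(custom_cli_ext_record));
-	if (!cert->custom_cli_ext_records) {
-		cert->custom_cli_ext_records_count = 0;
-		return 0;
-	}
-	cert->custom_cli_ext_records_count++;
-	record = &cert->custom_cli_ext_records[cert->custom_cli_ext_records_count - 1];
-	record->ext_type = ext_type;
-	record->fn1 = fn1;
-	record->fn2 = fn2;
-	record->arg = arg;
-	return 1;
-	}
-
-static int cert_set_custom_srv_ext(CERT *cert, unsigned short ext_type,
-			       custom_srv_ext_first_cb_fn fn1, 
-			       custom_srv_ext_second_cb_fn fn2, void* arg)
-	{
-	size_t i;
-	custom_srv_ext_record* record;
-
-	/* Check for duplicates */	
-	for (i=0; i < cert->custom_srv_ext_records_count; i++)
-		if (ext_type == cert->custom_srv_ext_records[i].ext_type)
-			return 0;
-
-	cert->custom_srv_ext_records = OPENSSL_realloc(cert->custom_srv_ext_records,
-						      (cert->custom_srv_ext_records_count + 1) * 
-						      sizeof(custom_srv_ext_record));
-	if (!cert->custom_srv_ext_records) {
-		cert->custom_srv_ext_records_count = 0;
-		return 0;
-	}
-	cert->custom_srv_ext_records_count++;
-	record = &cert->custom_srv_ext_records[cert->custom_srv_ext_records_count - 1];
-	record->ext_type = ext_type;
-	record->fn1 = fn1;
-	record->fn2 = fn2;
-	record->arg = arg;
-	return 1;
-	}
- 
-int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
-			       custom_cli_ext_first_cb_fn fn1, 
-			       custom_cli_ext_second_cb_fn fn2, void *arg)
-	{
-	return cert_set_custom_cli_ext(ctx->cert, ext_type, fn1, fn2,arg);
-	}
-
-int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
-			       custom_srv_ext_first_cb_fn fn1, 
-			       custom_srv_ext_second_cb_fn fn2, void *arg)
-	{
-	return cert_set_custom_srv_ext(ctx->cert, ext_type, fn1, fn2,arg);
-	}
-
 /* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
  * |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
  * length-prefixed strings).
@@ -3645,7 +3575,6 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
 	return ctx->cert->sec_ex;
 	}
 
-
 #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16)
 #include "../crypto/bio/bss_file.c"
 #endif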