Commit 36086186 authored by Scott Deboy's avatar Scott Deboy Committed by Ben Laurie

Add callbacks supporting generation and retrieval of supplemental data...

Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback API can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
parent cda01d55
+4 −0
@@ -4,6 +4,10 @@

 Changes between 1.0.x and 1.1.0  [xx XXX xxxx]

  *) Add callbacks supporting generation and retrieval of supplemental
     data entries.
     [Scott Deboy <sdeboy@apache.org>, Trevor Perrin and Ben Laurie]

  *) Add EVP support for key wrapping algorithms, to avoid problems with
     existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
     the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
+1 −0
@@ -593,6 +593,7 @@ my %table=(
"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin64-x86_64-cc","cc:-arch x86_64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
# iPhoneOS/iOS
+0 −4
@@ -156,10 +156,6 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
					STACK_OF(X509) *chain, int build_chain);
# ifndef OPENSSL_NO_TLSEXT
int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                           unsigned char *authz, size_t authz_length);
# endif
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_curves(BIO *out, SSL *s, int noshared);
+3 −0
@@ -876,6 +876,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
				case 16:
					str_details1 = ", ClientKeyExchange";
					break;
				case 23:
					str_details1 = ", SupplementalData";
					break;
				case 20:
					str_details1 = ", Finished";
					break;
+109 −26
@@ -203,7 +203,6 @@ static int c_debug=0;
#ifndef OPENSSL_NO_TLSEXT
static int c_tlsextdebug=0;
static int c_status_req=0;
static int c_proof_debug=0;
#endif
static int c_msg=0;
static int c_showcerts=0;
@@ -215,7 +214,8 @@ static void sc_usage(void);
static void print_stuff(BIO *berr,SSL *con,int full);
#ifndef OPENSSL_NO_TLSEXT
static int ocsp_resp_cb(SSL *s, void *arg);
static int audit_proof_cb(SSL *s, void *arg);
static int c_auth = 0;
static int c_auth_require_reneg = 0;
#endif
static BIO *bio_c_out=NULL;
static BIO *bio_c_msg=NULL;
@@ -223,6 +223,35 @@ static int c_quiet=0;
static int c_ign_eof=0;
static int c_brief=0;

#ifndef OPENSSL_NO_TLSEXT

static const unsigned char *most_recent_supplemental_data;
static size_t most_recent_supplemental_data_length;

static int server_provided_server_authz = 0;
static int server_provided_client_authz = 0;

static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};

static int suppdata_cb(SSL *s, unsigned short supp_data_type,
		       const unsigned char *in,
		       unsigned short inlen, int *al,
		       void *arg);

static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
				     const unsigned char **out,
				     unsigned short *outlen, void *arg);

static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
				    const unsigned char **out, unsigned short *outlen,
				    void *arg);

static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
			   const unsigned char *in,
			   unsigned short inlen, int *al,
			   void *arg);
#endif

#ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */
static char *psk_identity="Client_identity";
@@ -362,14 +391,13 @@ static void sc_usage(void)
	BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
	BIO_printf(bio_err," -status           - request certificate status from server\n");
	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
	BIO_printf(bio_err," -proof_debug      - request an audit proof and print its hex dump\n");
	BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
	BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
	BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
# ifndef OPENSSL_NO_NEXTPROTONEG
	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
	BIO_printf(bio_err," -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
# endif
#ifndef OPENSSL_NO_TLSEXT
	BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
#endif
#endif
	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
	BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
@@ -823,8 +851,10 @@ static char *jpake_secret = NULL;
			c_tlsextdebug=1;
		else if	(strcmp(*argv,"-status") == 0)
			c_status_req=1;
		else if	(strcmp(*argv,"-proof_debug") == 0)
			c_proof_debug=1;
		else if	(strcmp(*argv,"-auth") == 0)
			c_auth = 1;
		else if	(strcmp(*argv,"-auth_require_reneg") == 0)
			c_auth_require_reneg = 1;
#endif
#ifdef WATT32
		else if (strcmp(*argv,"-wdebug") == 0)
@@ -1399,9 +1429,12 @@ bad:
		}

#endif
	if (c_proof_debug)
		SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx,
							       audit_proof_cb);
	if (c_auth)
		{
		SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
		SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
		SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
		}
#endif

	con=SSL_new(ctx);
@@ -2395,26 +2428,76 @@ static int ocsp_resp_cb(SSL *s, void *arg)
	return 1;
	}

static int audit_proof_cb(SSL *s, void *arg)
static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
			   const unsigned char *in,
			   unsigned short inlen, int *al,
			   void *arg)
	{
	const unsigned char *proof;
	size_t proof_len;
	size_t i;
	SSL_SESSION *sess = SSL_get_session(s);
	if (TLSEXT_TYPE_server_authz == ext_type)
		{
		server_provided_server_authz = (memchr(in,
		TLSEXT_AUTHZDATAFORMAT_dtcp,
		inlen) != NULL);
		}

	proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
								&proof_len);
	if (proof != NULL)
	if (TLSEXT_TYPE_client_authz == ext_type)
		{
		BIO_printf(bio_c_out, "Audit proof: ");
		for (i = 0; i < proof_len; ++i)
			BIO_printf(bio_c_out, "%02X", proof[i]);
		BIO_printf(bio_c_out, "\n");
		server_provided_client_authz = (memchr(in,
		TLSEXT_AUTHZDATAFORMAT_dtcp,
		inlen) != NULL);
		}
	else

	return 1;
	}

static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
				    const unsigned char **out, unsigned short *outlen,
				    void *arg)
	{
	if (c_auth)
		{
		if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
			{
			*out = auth_ext_data;
			*outlen = 1;
			return 1;
			}
		}
	//no auth extension to send
	return -1;
	}

static int suppdata_cb(SSL *s, unsigned short supp_data_type,
		       const unsigned char *in,
		       unsigned short inlen, int *al,
		       void *arg)
	{
		BIO_printf(bio_c_out, "No audit proof found.\n");
	if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
		{
		most_recent_supplemental_data = in;
		most_recent_supplemental_data_length = inlen;
		}
	return 1;
	}

static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
				     const unsigned char **out,
				     unsigned short *outlen, void *arg)
	{
	unsigned char *result;
	if (c_auth && server_provided_client_authz && server_provided_server_authz)
		{
		if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
			{
			result = OPENSSL_malloc(10);
			memcpy(result, "5432154321", 10);
			*out = result;
			*outlen = 10;
			return 1;
			}
		}
	//no supplemental data to send
	return -1;
	}

#endif
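Review bot: In auth_suppdata_generate_cb the result of `OPENSSL_malloc(10)` is passed straight to `memcpy` with no NULL check, so an allocation failure becomes a NULL write inside the handshake callback. Add a guard before the copy, for example `if (result == NULL) return -1;` (or whichever return value the supplemental-data API treats as a hard error; this page only shows 1 and -1 being returned). Nothing visible here frees that buffer after it is handed out through `*out`, so unless the library takes ownership it leaks once per handshake; serving the bytes from a static array, as `auth_ext_data` does for the extension, would avoid both problems. Separately, suppdata_cb keeps the raw `in` pointer in the file-scope `most_recent_supplemental_data`; the page does not show that buffer outliving the callback, so any later reader should work from a copy rather than the saved pointer.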