Commit e97be718 authored by Matt Caswell's avatar Matt Caswell

Add support for SSL_CTX_set_post_handshake_auth()



We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
parent 32097b33
+9 −7
@@ -7,7 +7,8 @@ SSL_CTX_set_verify, SSL_set_verify,
SSL_CTX_set_verify_depth, SSL_set_verify_depth,
SSL_verify_cb,
SSL_verify_client_post_handshake,
SSL_set_post_handshake_auth
SSL_set_post_handshake_auth,
SSL_CTX_set_post_handshake_auth
- set peer certificate verification parameters

=head1 SYNOPSIS
@@ -24,6 +25,7 @@ SSL_set_post_handshake_auth
 void SSL_set_verify_depth(SSL *ssl, int depth);

 int SSL_verify_client_post_handshake(SSL *ssl);
 void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
 void SSL_set_post_handshake_auth(SSL *ssl, int val);

=head1 DESCRIPTION
@@ -48,12 +50,12 @@ verification that shall be allowed for B<ctx>.
SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain
verification that shall be allowed for B<ssl>.

SSL_set_post_handshake_auth() enables the Post-Handshake Authentication
extension to be added to the ClientHello such that post-handshake authentication
can be requested by the server. If B<val> is 0 then the extension is not sent,
otherwise it is. By default the extension is not sent. A certificate callback
will need to be set via SSL_CTX_set_client_cert_cb() if no certificate is
provided at initialization.
SSL_CTX_set_post_handshake_auth() and SSL_set_post_handshake_auth() enable the
Post-Handshake Authentication extension to be added to the ClientHello such that
post-handshake authentication can be requested by the server. If B<val> is 0
then the extension is not sent, otherwise it is. By default the extension is not
sent. A certificate callback will need to be set via
SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization.

SSL_verify_client_post_handshake() causes a CertificateRequest message to be
sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must
+1 −0
@@ -1898,6 +1898,7 @@ int SSL_renegotiate_abbreviated(SSL *s);
__owur int SSL_renegotiate_pending(SSL *s);
int SSL_shutdown(SSL *s);
__owur int SSL_verify_client_post_handshake(SSL *s);
void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
void SSL_set_post_handshake_auth(SSL *s, int val);

__owur const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx);
+6 −0
@@ -702,6 +702,7 @@ SSL *SSL_new(SSL_CTX *ctx)
    s->max_early_data = ctx->max_early_data;
    s->recv_max_early_data = ctx->recv_max_early_data;
    s->num_tickets = ctx->num_tickets;
    s->pha_enabled = ctx->pha_enabled;

    /* Shallow copy of the ciphersuites stack */
    s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);
@@ -5455,6 +5456,11 @@ int SSL_stateless(SSL *s)
    return -1;
}

void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
{
    ctx->pha_enabled = val;
}

void SSL_set_post_handshake_auth(SSL *ssl, int val)
{
    ssl->pha_enabled = val;
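Review bot: SSL_CTX_set_post_handshake_auth() at the end of this hunk stores `val` into `ctx->pha_enabled` verbatim, while the manual page documents the parameter as a 0/non-zero switch; if any reader of `pha_enabled` compares it against 1 rather than testing for non-zero (not visible here), a caller passing e.g. 2 would silently get the extension omitted. Normalizing at the setter, `ctx->pha_enabled = (val != 0);`, makes the stored value match the documented contract regardless of how it is consumed; the pre-existing SSL_set_post_handshake_auth() below has the same shape and would benefit from the same treatment. The new function also has no comment; a one-liner such as `/* Advertise Post-Handshake Authentication in ClientHello for SSL objects created from ctx; copied into each SSL in SSL_new(). */` would tie it to the copy added in the first hunk. SSL_set_post_handshake_auth()'s closing brace lies outside the hunk.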
+3 −0
@@ -1063,6 +1063,9 @@ struct ssl_ctx_st {
    /* Callback to determine if early_data is acceptable or not */
    SSL_allow_early_data_cb_fn allow_early_data_cb;
    void *allow_early_data_cb_data;

    /* Do we advertise Post-handshake auth support? */
    int pha_enabled;
};

struct ssl_st {
+1 −2
@@ -4331,13 +4331,12 @@ static int test_pha_key_update(void)
        || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
        goto end;

    SSL_CTX_set_post_handshake_auth(cctx, 1);

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
                                      NULL, NULL)))
        goto end;

    SSL_set_post_handshake_auth(clientssl, 1);

    if (!TEST_true(create_ssl_connection(serverssl, clientssl,
                                         SSL_ERROR_NONE)))
        goto end;
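Review bot: Replacing the per-connection SSL_set_post_handshake_auth(clientssl, 1) call with SSL_CTX_set_post_handshake_auth(cctx, 1) means this test now exercises only the SSL_CTX setter plus the inheritance in SSL_new(), and the SSL-level setter is no longer covered by test_pha_key_update(). Since the two paths write the same field but through different objects, it would be worth keeping the SSL-level path under test as well, e.g. leaving the context at its default and calling `SSL_set_post_handshake_auth(clientssl, 1);` after create_ssl_objects() in a second variant, or asserting that the inherited value can be overridden per connection. test_pha_key_update() starts and ends outside the hunk, so I cannot see whether a sibling test already covers this.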