Add client cert engine to SSL routines.
This commit is contained in:
parent
eafd6e5110
commit
368888bcb6
6 changed files with 56 additions and 4 deletions
3
CHANGES
3
CHANGES
|
@ -4,6 +4,9 @@
|
|||
|
||||
Changes between 0.9.8g and 0.9.9 [xx XXX xxxx]
|
||||
|
||||
*) Expand ENGINE to support engine supplied SSL client certificate functions.
|
||||
[Steve Henson]
|
||||
|
||||
*) Revamp of LHASH to provide stronger type-checking. Still to come:
|
||||
STACK, TXT_DB, bsearch, qsort.
|
||||
[Ben Laurie]
|
||||
|
|
|
@ -1096,8 +1096,7 @@ int dtls1_send_client_certificate(SSL *s)
|
|||
* ssl->rwstate=SSL_X509_LOOKUP; return(-1);
|
||||
* We then get retied later */
|
||||
i=0;
|
||||
if (s->ctx->client_cert_cb != NULL)
|
||||
i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
|
||||
i = ssl_do_client_cert_cb(s, &x509, &pkey);
|
||||
if (i < 0)
|
||||
{
|
||||
s->rwstate=SSL_X509_LOOKUP;
|
||||
|
|
|
@ -160,6 +160,9 @@
|
|||
#include <openssl/dh.h>
|
||||
#endif
|
||||
#include <openssl/bn.h>
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
|
||||
static const SSL_METHOD *ssl3_get_client_method(int ver);
|
||||
static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
|
||||
|
@ -2723,8 +2726,7 @@ int ssl3_send_client_certificate(SSL *s)
|
|||
* ssl->rwstate=SSL_X509_LOOKUP; return(-1);
|
||||
* We then get retied later */
|
||||
i=0;
|
||||
if (s->ctx->client_cert_cb != NULL)
|
||||
i=s->ctx->client_cert_cb(s,&(x509),&(pkey));
|
||||
i = ssl_do_client_cert_cb(s, &x509, &pkey);
|
||||
if (i < 0)
|
||||
{
|
||||
s->rwstate=SSL_X509_LOOKUP;
|
||||
|
@ -2948,3 +2950,21 @@ static int ssl3_check_finished(SSL *s)
|
|||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
|
||||
{
|
||||
int i = 0;
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (s->ctx->client_cert_engine)
|
||||
{
|
||||
i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
|
||||
SSL_get_client_CA_list(s),
|
||||
px509, ppkey, NULL, NULL);
|
||||
if (i != 0)
|
||||
return i;
|
||||
}
|
||||
#endif
|
||||
if (s->ctx->client_cert_cb)
|
||||
i = s->ctx->client_cert_cb(s,px509,ppkey);
|
||||
return i;
|
||||
}
|
||||
|
|
|
@ -798,6 +798,12 @@ struct ssl_ctx_st
|
|||
*/
|
||||
unsigned int max_send_fragment;
|
||||
|
||||
#ifndef OPENSSL_ENGINE
|
||||
/* Engine to pass requests for client certs to
|
||||
*/
|
||||
ENGINE *client_cert_engine;
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
/* TLS extensions servername callback */
|
||||
int (*tlsext_servername_callback)(SSL*, int *, void *);
|
||||
|
@ -879,6 +885,7 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
|
|||
void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
|
||||
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
|
||||
int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
|
||||
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
|
||||
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len));
|
||||
void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len));
|
||||
|
||||
|
|
|
@ -927,6 +927,7 @@ int ssl3_get_cert_status(SSL *s);
|
|||
int ssl3_get_server_done(SSL *s);
|
||||
int ssl3_send_client_verify(SSL *s);
|
||||
int ssl3_send_client_certificate(SSL *s);
|
||||
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
|
||||
int ssl3_send_client_key_exchange(SSL *s);
|
||||
int ssl3_get_key_exchange(SSL *s);
|
||||
int ssl3_get_server_certificate(SSL *s);
|
||||
|
|
|
@ -138,6 +138,9 @@
|
|||
#include <stdio.h>
|
||||
#include <openssl/lhash.h>
|
||||
#include <openssl/rand.h>
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
#include <openssl/engine.h>
|
||||
#endif
|
||||
#include "ssl_locl.h"
|
||||
|
||||
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
|
||||
|
@ -998,6 +1001,25 @@ int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509 , EVP_PK
|
|||
return ctx->client_cert_cb;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
|
||||
{
|
||||
if (!ENGINE_init(e))
|
||||
{
|
||||
SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, ERR_R_ENGINE_LIB);
|
||||
return 0;
|
||||
}
|
||||
if(!ENGINE_get_ssl_client_cert_function(e))
|
||||
{
|
||||
SSLerr(SSL_F_SSL_CTX_SET_CLIENT_CERT_ENGINE, SSL_R_NO_CLIENT_CERT_METHOD);
|
||||
ENGINE_finish(e);
|
||||
return 0;
|
||||
}
|
||||
ctx->client_cert_engine = e;
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
|
||||
void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
|
||||
int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue