diff --git a/CHANGES b/CHANGES index 4236f8600e..bf37e58999 100644 --- a/CHANGES +++ b/CHANGES @@ -60,10 +60,6 @@ [Steve Henson] - *) Add callbacks supporting generation and retrieval of supplemental - data entries. - [Scott Deboy , Trevor Perrin and Ben Laurie] - *) Add EVP support for key wrapping algorithms, to avoid problems with existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap @@ -528,9 +524,6 @@ *) Support for linux-x32, ILP32 environment in x86_64 framework. [Andy Polyakov] - *) RFC 5878 (TLS Authorization Extensions) support. - [Emilia Kasper, Adam Langley, Ben Laurie (Google)] - *) Experimental multi-implementation support for FIPS capable OpenSSL. When in FIPS mode the approved implementations are used as normal, when not in FIPS mode the internal unapproved versions are used instead. diff --git a/apps/s_cb.c b/apps/s_cb.c index 787c2a7073..cf34e00a4c 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -881,9 +881,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * case 20: str_details1 = ", Finished"; break; - case 23: - str_details1 = ", SupplementalData"; - break; } } } diff --git a/apps/s_client.c b/apps/s_client.c index 2155b055cc..9f8e2b8e94 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -214,8 +214,6 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); -static int c_auth = 0; -static int c_auth_require_reneg = 0; #endif static BIO *bio_c_out=NULL; static BIO *bio_c_msg=NULL; @@ -223,37 +221,6 @@ static int c_quiet=0; static int c_ign_eof=0; static int c_brief=0; -#ifndef OPENSSL_NO_TLSEXT - -static unsigned char *generated_supp_data = NULL; - -static const unsigned char *most_recent_supplemental_data = NULL; -static size_t most_recent_supplemental_data_length = 0; - -static int server_provided_server_authz = 0; -static int server_provided_client_authz = 0; - -static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp}; - -static int suppdata_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - -static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg); - -static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - int *al, void *arg); - -static int authz_tlsext_cb(SSL *s, unsigned short ext_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); -#endif - #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ static char *psk_identity="Client_identity"; @@ -396,8 +363,6 @@ static void sc_usage(void) BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n"); - BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n"); - BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n"); # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif @@ -863,10 +828,6 @@ static char *jpake_secret = NULL; c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) c_status_req=1; - else if (strcmp(*argv,"-auth") == 0) - c_auth = 1; - else if (strcmp(*argv,"-auth_require_reneg") == 0) - c_auth_require_reneg = 1; #endif #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) @@ -1453,12 +1414,6 @@ bad: } #endif - if (c_auth) - { - SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err); - SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err); - SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err); - } #endif con=SSL_new(ctx); @@ -1807,12 +1762,6 @@ SSL_set_tlsext_status_ids(con, ids); "CONNECTION ESTABLISHED\n"); print_ssl_summary(bio_err, con); } - /*handshake is complete - free the generated supp data allocated in the callback */ - if (generated_supp_data) - { - OPENSSL_free(generated_supp_data); - generated_supp_data = NULL; - } print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; @@ -2463,74 +2412,4 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; } -static int authz_tlsext_cb(SSL *s, unsigned short ext_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (TLSEXT_TYPE_server_authz == ext_type) - server_provided_server_authz - = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL); - - if (TLSEXT_TYPE_client_authz == ext_type) - server_provided_client_authz - = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL); - - return 1; - } - -static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - int *al, void *arg) - { - if (c_auth) - { - /*if auth_require_reneg flag is set, only send extensions if - renegotiation has occurred */ - if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s))) - { - *out = auth_ext_data; - *outlen = 1; - return 1; - } - } - /* no auth extension to send */ - return -1; - } - -static int suppdata_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data) - { - most_recent_supplemental_data = in; - most_recent_supplemental_data_length = inlen; - } - return 1; - } - -static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg) - { - if (c_auth && server_provided_client_authz && server_provided_server_authz) - { - /*if auth_require_reneg flag is set, only send supplemental data if - renegotiation has occurred */ - if (!c_auth_require_reneg - || (c_auth_require_reneg && SSL_num_renegotiations(s))) - { - generated_supp_data = OPENSSL_malloc(10); - memcpy(generated_supp_data, "5432154321", 10); - *out = generated_supp_data; - *outlen = 10; - return 1; - } - } - /* no supplemental data to send */ - return -1; - } - #endif diff --git a/apps/s_server.c b/apps/s_server.c index 6dabdf4f40..a2fa469f06 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -224,20 +224,6 @@ static DH *load_dh_param(const char *dhfile); static void s_server_init(void); #endif -#ifndef OPENSSL_NO_TLSEXT - -static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp}; - -static unsigned char *generated_supp_data = NULL; - -static const unsigned char *most_recent_supplemental_data = NULL; -static size_t most_recent_supplemental_data_length = 0; - -static int client_provided_server_authz = 0; -static int client_provided_client_authz = 0; - -#endif - /* static int load_CA(SSL_CTX *ctx, char *file);*/ #undef BUFSIZZ @@ -302,29 +288,9 @@ static int cert_chain = 0; #endif #ifndef OPENSSL_NO_TLSEXT -static int suppdata_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - -static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg); - -static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - int *al, void *arg); - -static int authz_tlsext_cb(SSL *s, unsigned short ext_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; -static int c_auth = 0; -static int c_auth_require_reneg = 0; #endif #ifndef OPENSSL_NO_PSK @@ -490,8 +456,6 @@ static void sv_usage(void) BIO_printf(bio_err," -naccept arg - terminate after 'arg' connections\n"); #ifndef OPENSSL_NO_TLSEXT BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n"); - BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n"); - BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n"); #endif BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ @@ -1178,15 +1142,7 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_serverinfo_file = *(++argv); } - else if (strcmp(*argv,"-auth") == 0) - { - c_auth = 1; - } #endif - else if (strcmp(*argv,"-auth_require_reneg") == 0) - { - c_auth_require_reneg = 1; - } else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; @@ -1997,12 +1953,6 @@ bad: ERR_print_errors(bio_err); goto end; } - if (c_auth) - { - SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); - SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); - SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err); - } #endif #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain)) @@ -2722,12 +2672,6 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); } #endif - /*handshake is complete - free the generated supp data allocated in the callback */ - if (generated_supp_data) - { - OPENSSL_free(generated_supp_data); - generated_supp_data = NULL; - } if (i <= 0) { @@ -3615,77 +3559,3 @@ static void free_sessions(void) } first = NULL; } - -#ifndef OPENSSL_NO_TLSEXT -static int authz_tlsext_cb(SSL *s, unsigned short ext_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (TLSEXT_TYPE_server_authz == ext_type) - client_provided_server_authz - = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL; - - if (TLSEXT_TYPE_client_authz == ext_type) - client_provided_client_authz - = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL; - - return 1; - } - -static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - int *al, void *arg) - { - if (c_auth && client_provided_client_authz && client_provided_server_authz) - { - /*if auth_require_reneg flag is set, only send extensions if - renegotiation has occurred */ - if (!c_auth_require_reneg - || (c_auth_require_reneg && SSL_num_renegotiations(s))) - { - *out = auth_ext_data; - *outlen = 1; - return 1; - } - } - /* no auth extension to send */ - return -1; - } - -static int suppdata_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data) - { - most_recent_supplemental_data = in; - most_recent_supplemental_data_length = inlen; - } - return 1; - } - -static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg) - { - if (c_auth && client_provided_client_authz && client_provided_server_authz) - { - /*if auth_require_reneg flag is set, only send supplemental data if - renegotiation has occurred */ - if (!c_auth_require_reneg - || (c_auth_require_reneg && SSL_num_renegotiations(s))) - { - generated_supp_data = OPENSSL_malloc(10); - memcpy(generated_supp_data, "1234512345", 10); - *out = generated_supp_data; - *outlen = 10; - return 1; - } - } - /* no supplemental data to send */ - return -1; - } -#endif - diff --git a/crypto/symhacks.h b/crypto/symhacks.h index 036b9c8b81..41da483051 100644 --- a/crypto/symhacks.h +++ b/crypto/symhacks.h @@ -210,15 +210,6 @@ #undef SSL_set_not_resumable_session_callback #define SSL_set_not_resumable_session_callback SSL_set_not_resumbl_sess_cb -#undef tls1_send_server_supplemental_data -#define tls1_send_server_supplemental_data tls1_send_server_suppl_data -#undef tls1_send_client_supplemental_data -#define tls1_send_client_supplemental_data tls1_send_client_suppl_data -#undef tls1_get_server_supplemental_data -#define tls1_get_server_supplemental_data tls1_get_server_suppl_data -#undef tls1_get_client_supplemental_data -#define tls1_get_client_supplemental_data tls1_get_client_suppl_data - /* Hack some long ENGINE names */ #undef ENGINE_get_default_BN_mod_exp_crt #define ENGINE_get_default_BN_mod_exp_crt ENGINE_get_def_BN_mod_exp_crt diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod index e5fe26b190..f4155c4064 100644 --- a/doc/apps/s_client.pod +++ b/doc/apps/s_client.pod @@ -76,8 +76,6 @@ B B [B<-sess_in filename>] [B<-rand file(s)>] [B<-serverinfo types>] -[B<-auth>] -[B<-auth_require_reneg>] =head1 DESCRIPTION @@ -329,15 +327,6 @@ a list of comma-separated TLS Extension Types (numbers between 0 and The server's response (if any) will be encoded and displayed as a PEM file. -=item B<-auth> - -send RFC 5878 client and server authorization extensions in the Client Hello as well as -supplemental data if the server also sent the authorization extensions in the Server Hello. - -=item B<-auth_require_reneg> - -only send RFC 5878 client and server authorization extensions during renegotiation. - =back =head1 CONNECTED COMMANDS diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod index 9d4633cf7c..a8e5278230 100644 --- a/doc/apps/s_server.pod +++ b/doc/apps/s_server.pod @@ -83,8 +83,6 @@ B B [B<-id_prefix arg>] [B<-rand file(s)>] [B<-serverinfo file>] -[B<-auth>] -[B<-auth_require_reneg>] [B<-no_resumption_on_reneg>] =head1 DESCRIPTION @@ -362,19 +360,9 @@ followed by "length" bytes of extension data). If the client sends an empty TLS ClientHello extension matching the type, the corresponding ServerHello extension will be returned. -=item B<-auth> - -send RFC 5878 client and server authorization extensions in the Client Hello as well as -supplemental data if the server also sent the authorization extensions in the Server Hello. - -=item B<-auth_require_reneg> - -only send RFC 5878 client and server authorization extensions during renegotiation. - =item B<-no_resumption_on_reneg> -set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. Required in order to receive supplemental data -during renegotiation if auth and auth_require_reneg are set. +set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag. =back diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index e32fbbff4f..0865485bcf 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -370,8 +370,6 @@ static int ssl23_client_hello(SSL *s) #endif if (s->ctx->custom_cli_ext_records_count != 0) ssl2_compat = 0; - if (s->ctx->cli_supp_data_records_count != 0) - ssl2_compat = 0; } #endif diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index d009400891..9a94de00d8 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -318,26 +318,11 @@ int ssl3_connect(SSL *s) } s->init_num=0; break; -#ifndef OPENSSL_NO_TLSEXT - case SSL3_ST_CR_SUPPLEMENTAL_DATA_A: - case SSL3_ST_CR_SUPPLEMENTAL_DATA_B: - ret = tls1_get_server_supplemental_data(s); - if (ret <= 0) goto end; - s->state=SSL3_ST_CR_CERT_A; - s->init_num = 0; - break; -#endif case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: #ifndef OPENSSL_NO_TLSEXT ret=ssl3_check_finished(s); if (ret <= 0) goto end; - if (ret == 3) - { - s->state=SSL3_ST_CR_SUPPLEMENTAL_DATA_A; - s->init_num=0; - break; - } if (ret == 2) { s->hit = 1; @@ -416,14 +401,10 @@ int ssl3_connect(SSL *s) } } #endif -#ifndef OPENSSL_NO_TLSEXT - s->state=SSL3_ST_CW_SUPPLEMENTAL_DATA_A; -#else if (s->s3->tmp.cert_req) s->state=SSL3_ST_CW_CERT_A; else s->state=SSL3_ST_CW_KEY_EXCH_A; -#endif s->init_num=0; break; @@ -530,19 +511,6 @@ int ssl3_connect(SSL *s) break; #endif -#ifndef OPENSSL_NO_TLSEXT - case SSL3_ST_CW_SUPPLEMENTAL_DATA_A: - case SSL3_ST_CW_SUPPLEMENTAL_DATA_B: - ret = tls1_send_client_supplemental_data(s, &skip); - if (ret <= 0) goto end; - if (s->s3->tmp.cert_req) - s->state=SSL3_ST_CW_CERT_A; - else - s->state=SSL3_ST_CW_KEY_EXCH_A; - s->init_num=0; - break; -#endif - case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: ret=ssl3_send_finished(s, @@ -3611,10 +3579,11 @@ int ssl3_check_finished(SSL *s) int ok; long n; - /* Read the message to see if it is supplemental data, - * regardless if there is a session ticket this function is - * called when we really expect a Certificate message, so - * permit appropriate message length */ + /* If we have no ticket it cannot be a resumed session. */ + if (!s->session->tlsext_tick) + return 1; + /* this function is called when we really expect a Certificate + * message, so permit appropriate message length */ n=s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, @@ -3624,11 +3593,6 @@ int ssl3_check_finished(SSL *s) if (!ok) return((int)n); s->s3->tmp.reuse_message = 1; - if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA) - return 3; - /* If we have no ticket it cannot be a resumed session. */ - if (!s->session->tlsext_tick) - return 1; if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) return 2; @@ -3654,155 +3618,3 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) i = s->ctx->client_cert_cb(s,px509,ppkey); return i; } - -#ifndef OPENSSL_NO_TLSEXT -int tls1_send_client_supplemental_data(SSL *s, int *skip) - { - int al = 0; - if (s->ctx->cli_supp_data_records_count) - { - unsigned char *p = NULL; - unsigned char *size_loc = NULL; - cli_supp_data_record *record = NULL; - size_t length = 0; - size_t i = 0; - - for (i = 0; i < s->ctx->cli_supp_data_records_count; i++) - { - const unsigned char *out = NULL; - unsigned short outlen = 0; - int cb_retval = 0; - record = &s->ctx->cli_supp_data_records[i]; - - /* NULL callback or -1 omits supp data entry*/ - if (!record->fn2) - continue; - cb_retval = record->fn2(s, record->supp_data_type, - &out, &outlen, &al, - record->arg); - if (cb_retval == -1) - continue; /* skip this supp data entry */ - if (cb_retval == 0) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - goto f_err; - } - if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - /* if first entry, write handshake message type */ - if (length == 0) - { - if (!BUF_MEM_grow_clean(s->init_buf, 4)) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - p = (unsigned char *)s->init_buf->data; - *(p++) = SSL3_MT_SUPPLEMENTAL_DATA; - /* update message length when all - * callbacks complete */ - size_loc = p; - /* skip over handshake length field (3 - * bytes) and supp_data length field - * (3 bytes) */ - p += 3 + 3; - length += 1 +3 +3; - } - if (!BUF_MEM_grow(s->init_buf, outlen + 4)) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - s2n(record->supp_data_type, p); - s2n(outlen, p); - memcpy(p, out, outlen); - length += (outlen + 4); - p += outlen; - } - if (length > 0) - { - /* write handshake length */ - l2n3(length - 4, size_loc); - /* supp_data length */ - l2n3(length - 7, size_loc); - s->state = SSL3_ST_CW_SUPPLEMENTAL_DATA_B; - s->init_num = length; - s->init_off = 0; - return ssl3_do_write(s, SSL3_RT_HANDSHAKE); - } - } - - /* no supp data message sent */ - *skip = 1; - s->init_num = 0; - s->init_off = 0; - return 1; - - f_err: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return 0; - } - -int tls1_get_server_supplemental_data(SSL *s) - { - int al = 0; - int ok; - long n; - const unsigned char *p, *d; - unsigned short supp_data_entry_type = 0; - unsigned short supp_data_entry_len = 0; - unsigned long supp_data_len = 0; - size_t i; - int cb_retval = 0; - - n=s->method->ssl_get_message(s, - SSL3_ST_CR_SUPPLEMENTAL_DATA_A, - SSL3_ST_CR_SUPPLEMENTAL_DATA_B, - SSL3_MT_SUPPLEMENTAL_DATA, - /* use default limit */ - TLSEXT_MAXLEN_supplemental_data, - &ok); - - if (!ok) return((int)n); - - p = (unsigned char *)s->init_msg; - d = p; - /* The message cannot be empty */ - if (n < 3) - { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH); - goto f_err; - } - n2l3(p, supp_data_len); - while (p < d+supp_data_len) - { - n2s(p, supp_data_entry_type); - n2s(p, supp_data_entry_len); - /* if there is a callback for this supp data type, send it */ - for (i=0; i < s->ctx->cli_supp_data_records_count; i++) - { - if (s->ctx->cli_supp_data_records[i].supp_data_type == supp_data_entry_type && - s->ctx->cli_supp_data_records[i].fn1) - { - cb_retval = s->ctx->cli_supp_data_records[i].fn1(s, supp_data_entry_type, p, - supp_data_entry_len, &al, - s->ctx->cli_supp_data_records[i].arg); - if (cb_retval == 0) - { - SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB); - goto f_err; - } - } - } - p += supp_data_entry_len; - } - return 1; -f_err: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; - } -#endif diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 4941aca60f..00fa6793e9 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -409,25 +409,10 @@ int ssl3_accept(SSL *s) s->state=SSL3_ST_SW_CHANGE_A; #endif else -#ifndef OPENSSL_NO_TLSEXT - s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_A; -#else - s->state = SSL3_ST_SW_CERT_A; -#endif + s->state = SSL3_ST_SW_CERT_A; s->init_num = 0; break; -#ifndef OPENSSL_NO_TLSEXT - case SSL3_ST_SW_SUPPLEMENTAL_DATA_A: - case SSL3_ST_SW_SUPPLEMENTAL_DATA_B: - ret = tls1_send_server_supplemental_data(s, &skip); - if (ret <= 0) goto end; - - s->state = SSL3_ST_SW_CERT_A; - s->init_num = 0; - break; -#endif - case SSL3_ST_SW_CERT_A: case SSL3_ST_SW_CERT_B: /* Check if it is anon DH or anon ECDH, */ @@ -596,16 +581,7 @@ int ssl3_accept(SSL *s) s->state=s->s3->tmp.next_state; break; -#ifndef OPENSSL_NO_TLSEXT - case SSL3_ST_SR_SUPPLEMENTAL_DATA_A: - case SSL3_ST_SR_SUPPLEMENTAL_DATA_B: - ret=tls1_get_client_supplemental_data(s); - if (ret <= 0) goto end; - s->s3->tmp.next_state=SSL3_ST_SR_CERT_A; - s->state=SSL3_ST_SW_FLUSH; - s->init_num=0; - break; -#endif + case SSL3_ST_SR_CERT_A: case SSL3_ST_SR_CERT_B: /* Check for second client hello (MS SGC) */ @@ -614,10 +590,6 @@ int ssl3_accept(SSL *s) goto end; if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; -#ifndef OPENSSL_NO_TLSEXT - else if (ret == 3) - s->state = SSL3_ST_SR_SUPPLEMENTAL_DATA_A; -#endif else { if (s->s3->tmp.cert_request) { @@ -913,10 +885,6 @@ int ssl3_check_client_hello(SSL *s) &ok); if (!ok) return((int)n); s->s3->tmp.reuse_message = 1; -#ifndef OPENSSL_NO_TLSEXT - if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA) - return 3; -#endif if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO) { /* We only allow the client to restart the handshake once per @@ -3755,156 +3723,4 @@ int ssl3_get_next_proto(SSL *s) } # endif -int tls1_send_server_supplemental_data(SSL *s, int *skip) - { - int al = 0; - if (s->ctx->srv_supp_data_records_count) - { - unsigned char *p = NULL; - unsigned char *size_loc = NULL; - srv_supp_data_record *record = NULL; - size_t length = 0; - size_t i = 0; - - for (i = 0; i < s->ctx->srv_supp_data_records_count; i++) - { - const unsigned char *out = NULL; - unsigned short outlen = 0; - int cb_retval = 0; - record = &s->ctx->srv_supp_data_records[i]; - - /* NULL callback or -1 omits supp data entry */ - if (!record->fn1) - continue; - cb_retval = record->fn1(s, record->supp_data_type, - &out, &outlen, &al, record->arg); - if (cb_retval == -1) - continue; /* skip this supp data entry */ - if (cb_retval == 0) - { - SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - goto f_err; - } - if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length) - { - SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - /* write supp data entry... - * if first entry, write handshake message type - * jump back to write length at end */ - if (length == 0) - { - /* 1 byte message type + 3 bytes for - * message length */ - if (!BUF_MEM_grow_clean(s->init_buf, 4)) - { - SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - p = (unsigned char *)s->init_buf->data; - *(p++) = SSL3_MT_SUPPLEMENTAL_DATA; - /* hold on to length field to update later */ - size_loc = p; - /* skip over handshake length field (3 - * bytes) and supp_data length field - * (3 bytes) */ - p += 3 + 3; - length += 1 +3 +3; - } - /* 2 byte supp data type + 2 byte length + outlen */ - if (!BUF_MEM_grow(s->init_buf, outlen + 4)) - { - SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - s2n(record->supp_data_type, p); - s2n(outlen, p); - memcpy(p, out, outlen); - /* update length to supp data type (2 bytes) + - * supp data length (2 bytes) + supp data */ - length += (outlen + 4); - p += outlen; - } - if (length > 0) - { - /* write handshake length */ - l2n3(length - 4, size_loc); - /* supp_data length */ - l2n3(length - 7, size_loc); - s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_B; - s->init_num = length; - s->init_off = 0; - - return ssl3_do_write(s, SSL3_RT_HANDSHAKE); - } - } - - /* no supp data message sent */ - *skip = 1; - s->init_num = 0; - s->init_off = 0; - return 1; -f_err: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return 0; - } - -int tls1_get_client_supplemental_data(SSL *s) - { - int al = 0; - int cb_retval = 0; - int ok; - long n; - const unsigned char *p, *d; - unsigned short supp_data_entry_type = 0; - unsigned short supp_data_entry_len = 0; - unsigned long supp_data_len = 0; - size_t i = 0; - - n=s->method->ssl_get_message(s, - SSL3_ST_SR_SUPPLEMENTAL_DATA_A, - SSL3_ST_SR_SUPPLEMENTAL_DATA_B, - SSL3_MT_SUPPLEMENTAL_DATA, - /* use default limit */ - TLSEXT_MAXLEN_supplemental_data, - &ok); - - if (!ok) return((int)n); - - p = (unsigned char *)s->init_msg; - d = p; - - /* The message cannot be empty */ - if (n < 3) - { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH); - goto f_err; - } - n2l3(p, supp_data_len); - while (pctx->srv_supp_data_records_count; i++) - { - if (s->ctx->srv_supp_data_records[i].supp_data_type == supp_data_entry_type && s->ctx->srv_supp_data_records[i].fn2) - { - cb_retval = s->ctx->srv_supp_data_records[i].fn2(s, supp_data_entry_type, p, supp_data_entry_len, &al, s->ctx->srv_supp_data_records[i].arg); - if (cb_retval == 0) - { - SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB); - goto f_err; - } - } - } - p+=supp_data_entry_len; - } - return 1; -f_err: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; - } #endif diff --git a/ssl/ssl.h b/ssl/ssl.h index b7b101ff0a..c434b86a54 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -439,57 +439,6 @@ typedef struct { void *arg; } custom_srv_ext_record; -/* Callbacks and structures for handling Supplemental Data: - * srv_supp_data_first_cb_fn - server sends Supplemental Data - * srv_supp_data_second_cb_fn - server receives Supplemental Data - * cli_supp_data_first_cb_fn - client receives Supplemental Data - * cli_supp_data_second_cb_fn - client sends Supplemental Data - * - * All these functions return nonzero on success. Zero will terminate - * the handshake (and return a specific TLS Fatal alert, if the function - * declaration has an "al" parameter). -1 for the "sending" functions - * will result in no supplemental data entry being added to the - * supplemental data message for the provided supplemental data type. - * - * "supp_data_type" is a Supplemental Data Type from 0-65535. - * "in" is a pointer to TLS "supplemental_data_entry" being provided to the cb. - * "out" is used by the callback to return a pointer to "supplemental data" - * which OpenSSL will later copy into the TLS handshake. The contents - * of this buffer should not be changed until the handshake is complete. - * "inlen" and "outlen" are Supplemental Data lengths from 0-65535. - * "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a - * fatal TLS alert, if the callback returns zero. - */ -typedef int (*srv_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg); -typedef int (*srv_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - -typedef int (*cli_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); -typedef int (*cli_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg); - -typedef struct { - unsigned short supp_data_type; - srv_supp_data_first_cb_fn fn1; - srv_supp_data_second_cb_fn fn2; - void *arg; -} srv_supp_data_record; - -typedef struct { - unsigned short supp_data_type; - cli_supp_data_first_cb_fn fn1; - cli_supp_data_second_cb_fn fn2; - void *arg; -} cli_supp_data_record; - #endif #ifndef OPENSSL_NO_SSL_INTERN @@ -1216,12 +1165,6 @@ struct ssl_ctx_st size_t custom_cli_ext_records_count; custom_srv_ext_record *custom_srv_ext_records; size_t custom_srv_ext_records_count; - - /* Arrays containing the callbacks for Supplemental Data. */ - cli_supp_data_record *cli_supp_data_records; - size_t cli_supp_data_records_count; - srv_supp_data_record *srv_supp_data_records; - size_t srv_supp_data_records_count; }; #endif @@ -1369,30 +1312,6 @@ int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type, custom_srv_ext_first_cb_fn fn1, custom_srv_ext_second_cb_fn fn2, void *arg); -/* Register callbacks to handle Supplemental Data as client or server. - * - * For SSL_CTX_set_srv_supp_data, a NULL srv_supp_data_first_cb_fn results in no supplemental data - * being sent by the server for that TLS extension. - * A NULL srv_supp_data_second_cb_fn results in no supplemental data - * being received by the server for that TLS extension. - * - * For SSL_CTX_set_cli_supp_data, a NULL cli_supp_data_first_cb_fn results in no supplemental data - * being received by the client for that TLS extension. - * A NULL cli_supp_data_second_cb_fn results in no supplemental data - * being sent by the client for that TLS extension. - * - * Returns nonzero on success. You cannot register twice for the same supp_data_type. - */ -int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx, - unsigned short supp_data_type, - srv_supp_data_first_cb_fn fn1, - srv_supp_data_second_cb_fn fn2, void *arg); - -int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx, - unsigned short supp_data_type, - cli_supp_data_first_cb_fn fn1, - cli_supp_data_second_cb_fn fn2, void *arg); - #endif #define SSL_NOTHING 1 @@ -2660,8 +2579,6 @@ void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ /* Function codes. */ -#define SSL_F_AUTHZ_FIND_DATA 330 -#define SSL_F_AUTHZ_VALIDATE 323 #define SSL_F_CHECK_SUITEB_CIPHER_LIST 331 #define SSL_F_CLIENT_CERTIFICATE 100 #define SSL_F_CLIENT_FINISHED 167 @@ -2705,7 +2622,6 @@ void ERR_load_SSL_strings(void); #define SSL_F_GET_SERVER_HELLO 109 #define SSL_F_GET_SERVER_VERIFY 110 #define SSL_F_I2D_SSL_SESSION 111 -#define SSL_F_READ_AUTHZ 329 #define SSL_F_READ_N 112 #define SSL_F_REQUEST_CERTIFICATE 113 #define SSL_F_SERVER_FINISH 239 @@ -2813,7 +2729,6 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT 219 #define SSL_F_SSL_CTX_SET_SSL_VERSION 170 #define SSL_F_SSL_CTX_SET_TRUST 229 -#define SSL_F_SSL_CTX_USE_AUTHZ 324 #define SSL_F_SSL_CTX_USE_CERTIFICATE 171 #define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220 @@ -2855,7 +2770,6 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_SESSION_PRINT_FP 190 #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 #define SSL_F_SSL_SESS_CERT_NEW 225 -#define SSL_F_SSL_SET_AUTHZ 325 #define SSL_F_SSL_SET_CERT 191 #define SSL_F_SSL_SET_CIPHER_LIST 271 #define SSL_F_SSL_SET_FD 192 @@ -2872,7 +2786,6 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_UNDEFINED_CONST_FUNCTION 243 #define SSL_F_SSL_UNDEFINED_FUNCTION 197 #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION 244 -#define SSL_F_SSL_USE_AUTHZ 328 #define SSL_F_SSL_USE_CERTIFICATE 198 #define SSL_F_SSL_USE_CERTIFICATE_ASN1 199 #define SSL_F_SSL_USE_CERTIFICATE_FILE 200 @@ -2891,21 +2804,16 @@ void ERR_load_SSL_strings(void); #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 #define SSL_F_TLS1_ENC 210 #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 314 -#define SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA 335 -#define SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA 326 #define SSL_F_TLS1_HEARTBEAT 315 #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275 #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT 276 #define SSL_F_TLS1_PRF 284 -#define SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA 338 -#define SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA 327 #define SSL_F_TLS1_SETUP_KEY_BLOCK 211 #define SSL_F_WRITE_PENDING 212 /* Reason codes. */ #define SSL_R_APP_DATA_IN_HANDSHAKE 100 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272 -#define SSL_R_AUTHZ_DATA_TOO_LARGE 375 #define SSL_R_BAD_ALERT_RECORD 101 #define SSL_R_BAD_AUTHENTICATION_TYPE 102 #define SSL_R_BAD_CHANGE_CIPHER_SPEC 103 @@ -3003,7 +2911,6 @@ void ERR_load_SSL_strings(void); #define SSL_R_ILLEGAL_SUITEB_DIGEST 380 #define SSL_R_INCONSISTENT_COMPRESSION 340 #define SSL_R_INVALID_AUDIT_PROOF 371 -#define SSL_R_INVALID_AUTHZ_DATA 374 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_COMPRESSION_ALGORITHM 341 @@ -3195,7 +3102,6 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNEXPECTED_RECORD 245 #define SSL_R_UNINITIALIZED 276 #define SSL_R_UNKNOWN_ALERT_TYPE 246 -#define SSL_R_UNKNOWN_AUTHZ_DATA_TYPE 372 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE 247 #define SSL_R_UNKNOWN_CIPHER_RETURNED 248 #define SSL_R_UNKNOWN_CIPHER_TYPE 249 @@ -3207,7 +3113,6 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE 253 #define SSL_R_UNKNOWN_SSL_VERSION 254 #define SSL_R_UNKNOWN_STATE 255 -#define SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE 373 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED 338 #define SSL_R_UNSUPPORTED_CIPHER 256 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM 257 diff --git a/ssl/ssl3.h b/ssl/ssl3.h index f9b10cf9a0..d3167cf575 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -637,10 +637,6 @@ typedef struct ssl3_state_st #define SSL3_ST_CR_CERT_REQ_B (0x151|SSL_ST_CONNECT) #define SSL3_ST_CR_SRVR_DONE_A (0x160|SSL_ST_CONNECT) #define SSL3_ST_CR_SRVR_DONE_B (0x161|SSL_ST_CONNECT) -#ifndef OPENSSL_NO_TLSEXT -#define SSL3_ST_CR_SUPPLEMENTAL_DATA_A (0x212|SSL_ST_CONNECT) -#define SSL3_ST_CR_SUPPLEMENTAL_DATA_B (0x213|SSL_ST_CONNECT) -#endif /* write to server */ #define SSL3_ST_CW_CERT_A (0x170|SSL_ST_CONNECT) #define SSL3_ST_CW_CERT_B (0x171|SSL_ST_CONNECT) @@ -656,10 +652,6 @@ typedef struct ssl3_state_st #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) #endif -#ifndef OPENSSL_NO_TLSEXT -#define SSL3_ST_CW_SUPPLEMENTAL_DATA_A (0x222|SSL_ST_CONNECT) -#define SSL3_ST_CW_SUPPLEMENTAL_DATA_B (0x223|SSL_ST_CONNECT) -#endif #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) /* read from server */ @@ -685,10 +677,6 @@ typedef struct ssl3_state_st #define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT) #define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT) #define SSL3_ST_SR_CLNT_HELLO_D (0x115|SSL_ST_ACCEPT) -#ifndef OPENSSL_NO_TLSEXT -#define SSL3_ST_SR_SUPPLEMENTAL_DATA_A (0x212|SSL_ST_ACCEPT) -#define SSL3_ST_SR_SUPPLEMENTAL_DATA_B (0x213|SSL_ST_ACCEPT) -#endif /* write to client */ #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT) #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT) @@ -729,10 +717,6 @@ typedef struct ssl3_state_st #define SSL3_ST_SW_SESSION_TICKET_B (0x1F1|SSL_ST_ACCEPT) #define SSL3_ST_SW_CERT_STATUS_A (0x200|SSL_ST_ACCEPT) #define SSL3_ST_SW_CERT_STATUS_B (0x201|SSL_ST_ACCEPT) -#ifndef OPENSSL_NO_TLSEXT -#define SSL3_ST_SW_SUPPLEMENTAL_DATA_A (0x222|SSL_ST_ACCEPT) -#define SSL3_ST_SW_SUPPLEMENTAL_DATA_B (0x223|SSL_ST_ACCEPT) -#endif #define SSL3_MT_HELLO_REQUEST 0 #define SSL3_MT_CLIENT_HELLO 1 @@ -746,9 +730,6 @@ typedef struct ssl3_state_st #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 -#ifndef OPENSSL_NO_TLSEXT -#define SSL3_MT_SUPPLEMENTAL_DATA 23 -#endif #ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_MT_NEXT_PROTO 67 #endif diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index db3f56617d..258d408f54 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -70,8 +70,6 @@ static ERR_STRING_DATA SSL_str_functs[]= { -{ERR_FUNC(SSL_F_AUTHZ_FIND_DATA), "AUTHZ_FIND_DATA"}, -{ERR_FUNC(SSL_F_AUTHZ_VALIDATE), "AUTHZ_VALIDATE"}, {ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST), "CHECK_SUITEB_CIPHER_LIST"}, {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE), "CLIENT_CERTIFICATE"}, {ERR_FUNC(SSL_F_CLIENT_FINISHED), "CLIENT_FINISHED"}, @@ -115,7 +113,6 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_GET_SERVER_HELLO), "GET_SERVER_HELLO"}, {ERR_FUNC(SSL_F_GET_SERVER_VERIFY), "GET_SERVER_VERIFY"}, {ERR_FUNC(SSL_F_I2D_SSL_SESSION), "i2d_SSL_SESSION"}, -{ERR_FUNC(SSL_F_READ_AUTHZ), "READ_AUTHZ"}, {ERR_FUNC(SSL_F_READ_N), "READ_N"}, {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE), "REQUEST_CERTIFICATE"}, {ERR_FUNC(SSL_F_SERVER_FINISH), "SERVER_FINISH"}, @@ -223,7 +220,6 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT), "SSL_CTX_set_session_id_context"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION), "SSL_CTX_set_ssl_version"}, {ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST), "SSL_CTX_set_trust"}, -{ERR_FUNC(SSL_F_SSL_CTX_USE_AUTHZ), "SSL_CTX_USE_AUTHZ"}, {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"}, {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"}, {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE), "SSL_CTX_use_certificate_chain_file"}, @@ -265,7 +261,6 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"}, {ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW), "ssl_sess_cert_new"}, -{ERR_FUNC(SSL_F_SSL_SET_AUTHZ), "SSL_SET_AUTHZ"}, {ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"}, {ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST), "SSL_set_cipher_list"}, {ERR_FUNC(SSL_F_SSL_SET_FD), "SSL_set_fd"}, @@ -282,7 +277,6 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "ssl_undefined_const_function"}, {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION), "ssl_undefined_function"}, {ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION), "ssl_undefined_void_function"}, -{ERR_FUNC(SSL_F_SSL_USE_AUTHZ), "SSL_USE_AUTHZ"}, {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"}, {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"}, {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"}, @@ -301,14 +295,10 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT), "TLS1_CHECK_SERVERHELLO_TLSEXT"}, {ERR_FUNC(SSL_F_TLS1_ENC), "tls1_enc"}, {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL), "tls1_export_keying_material"}, -{ERR_FUNC(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA), "tls1_get_client_supplemental_data"}, -{ERR_FUNC(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA), "tls1_get_server_supplemental_data"}, {ERR_FUNC(SSL_F_TLS1_HEARTBEAT), "tls1_heartbeat"}, {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT), "TLS1_PREPARE_CLIENTHELLO_TLSEXT"}, {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT), "TLS1_PREPARE_SERVERHELLO_TLSEXT"}, {ERR_FUNC(SSL_F_TLS1_PRF), "tls1_prf"}, -{ERR_FUNC(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA), "tls1_send_client_supplemental_data"}, -{ERR_FUNC(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA), "tls1_send_server_supplemental_data"}, {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"}, {ERR_FUNC(SSL_F_WRITE_PENDING), "WRITE_PENDING"}, {0,NULL} @@ -318,7 +308,6 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"}, {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"}, -{ERR_REASON(SSL_R_AUTHZ_DATA_TOO_LARGE) ,"authz data too large"}, {ERR_REASON(SSL_R_BAD_ALERT_RECORD) ,"bad alert record"}, {ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"}, {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"}, @@ -416,7 +405,6 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_ILLEGAL_SUITEB_DIGEST) ,"illegal Suite B digest"}, {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"}, {ERR_REASON(SSL_R_INVALID_AUDIT_PROOF) ,"invalid audit proof"}, -{ERR_REASON(SSL_R_INVALID_AUTHZ_DATA) ,"invalid authz data"}, {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"}, @@ -608,7 +596,6 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_UNEXPECTED_RECORD) ,"unexpected record"}, {ERR_REASON(SSL_R_UNINITIALIZED) ,"uninitialized"}, {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) ,"unknown alert type"}, -{ERR_REASON(SSL_R_UNKNOWN_AUTHZ_DATA_TYPE),"unknown authz data type"}, {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"}, {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"}, {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE) ,"unknown cipher type"}, @@ -620,7 +607,6 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"}, {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION) ,"unknown ssl version"}, {ERR_REASON(SSL_R_UNKNOWN_STATE) ,"unknown state"}, -{ERR_REASON(SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE),"unknown supplemental data type"}, {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"}, {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 4720680769..9f4040d701 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1879,65 +1879,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, *len = ssl->s3->alpn_selected_len; } -int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx, - unsigned short supp_data_type, - cli_supp_data_first_cb_fn fn1, - cli_supp_data_second_cb_fn fn2, void* arg) - { - size_t i; - cli_supp_data_record* record; - - /* Check for duplicates */ - for (i=0; i < ctx->cli_supp_data_records_count; i++) - if (supp_data_type == ctx->cli_supp_data_records[i].supp_data_type) - return 0; - - ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records, - (ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record)); - if (!ctx->cli_supp_data_records) - { - ctx->cli_supp_data_records_count = 0; - return 0; - } - ctx->cli_supp_data_records_count++; - record = &ctx->cli_supp_data_records[ctx->cli_supp_data_records_count - 1]; - record->supp_data_type = supp_data_type; - record->fn1 = fn1; - record->fn2 = fn2; - record->arg = arg; - return 1; - } - -int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx, - unsigned short supp_data_type, - srv_supp_data_first_cb_fn fn1, - srv_supp_data_second_cb_fn fn2, void* arg) - { - size_t i; - srv_supp_data_record* record; - - /* Check for duplicates */ - for (i=0; i < ctx->srv_supp_data_records_count; i++) - if (supp_data_type == ctx->srv_supp_data_records[i].supp_data_type) - return 0; - - ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records, - (ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record)); - if (!ctx->srv_supp_data_records) - { - ctx->srv_supp_data_records_count = 0; - return 0; - } - ctx->srv_supp_data_records_count++; - record = &ctx->srv_supp_data_records[ctx->srv_supp_data_records_count - 1]; - record->supp_data_type = supp_data_type; - record->fn1 = fn1; - record->fn2 = fn2; - record->arg = arg; - - return 1; - } - #endif /* !OPENSSL_NO_TLSEXT */ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, @@ -2141,10 +2082,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->custom_cli_ext_records_count = 0; ret->custom_srv_ext_records = NULL; ret->custom_srv_ext_records_count = 0; - ret->cli_supp_data_records = NULL; - ret->cli_supp_data_records_count = 0; - ret->srv_supp_data_records = NULL; - ret->srv_supp_data_records_count = 0; #ifndef OPENSSL_NO_BUF_FREELISTS ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT; ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST)); @@ -2286,8 +2223,6 @@ void SSL_CTX_free(SSL_CTX *a) #ifndef OPENSSL_NO_TLSEXT OPENSSL_free(a->custom_cli_ext_records); OPENSSL_free(a->custom_srv_ext_records); - OPENSSL_free(a->cli_supp_data_records); - OPENSSL_free(a->srv_supp_data_records); #endif #ifndef OPENSSL_NO_ENGINE if (a->client_cert_engine) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 0b48c735ae..651b837f54 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1292,13 +1292,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); -/* server only */ -int tls1_send_server_supplemental_data(SSL *s, int *skip); -int tls1_get_client_supplemental_data(SSL *s); -/* client only */ -int tls1_send_client_supplemental_data(SSL *s, int *skip); -int tls1_get_server_supplemental_data(SSL *s); - #ifndef OPENSSL_NO_HEARTBEATS int tls1_heartbeat(SSL *s); int dtls1_heartbeat(SSL *s); diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index b09cc7d287..c5a15ce548 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -210,14 +210,6 @@ case SSL3_ST_SR_KEY_EXCH_A: str="SSLv3 read client key exchange A"; break; case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break; case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break; case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break; -case SSL3_ST_CW_SUPPLEMENTAL_DATA_A: str="SSLv3 client write supplemental data A"; break; -case SSL3_ST_CW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break; -case SSL3_ST_SW_SUPPLEMENTAL_DATA_A: str="SSLv3 server write supplemental data A"; break; -case SSL3_ST_SW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break; -case SSL3_ST_CR_SUPPLEMENTAL_DATA_A: str="SSLv3 client read supplemental data A"; break; -case SSL3_ST_CR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break; -case SSL3_ST_SR_SUPPLEMENTAL_DATA_A: str="SSLv3 server read supplemental data A"; break; -case SSL3_ST_SR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break; #endif /* SSLv2/v3 compatibility states */ diff --git a/ssl/ssltest.c b/ssl/ssltest.c index cf889c7e49..efcd6686b8 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -521,16 +521,6 @@ int custom_ext = 0; /* This set based on extension callbacks */ int custom_ext_error = 0; -/* Not IETF assigned supplemental data types */ -#define CUSTOM_SUPP_DATA_TYPE_0 100 -#define CUSTOM_SUPP_DATA_TYPE_1 101 -#define CUSTOM_SUPP_DATA_TYPE_2 102 - -const char supp_data_0_string[] = "00000"; - -int suppdata = 0; -int suppdata_error = 0; - static int serverinfo_cli_cb(SSL* s, unsigned short ext_type, const unsigned char* in, unsigned short inlen, int* al, void* arg) @@ -733,110 +723,6 @@ static int custom_ext_3_srv_second_cb(SSL *s, unsigned short ext_type, return 1; /* Send "defg" */ } -static int supp_data_0_srv_first_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg) - { - *out = (const unsigned char*)supp_data_0_string; - *outlen = strlen(supp_data_0_string); - if (arg != s) - suppdata_error = 1; - return 1; - } - -static int supp_data_0_srv_second_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0) - suppdata_error = 1; - if (inlen != strlen(supp_data_0_string)) - suppdata_error = 1; - if (memcmp(in, supp_data_0_string, inlen) != 0) - suppdata_error = 1; - if (arg != s) - suppdata_error = 1; - return 1; - } - -static int supp_data_1_srv_first_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg) - { - return -1; - } - -static int supp_data_1_srv_second_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - suppdata_error = 1; - return 1; - } - -static int supp_data_2_srv_second_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - suppdata_error = 1; - return 1; - } - -static int supp_data_0_cli_first_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0) - suppdata_error = 1; - if (inlen != strlen(supp_data_0_string)) - suppdata_error = 1; - if (memcmp(in, supp_data_0_string, inlen) != 0) - suppdata_error = 1; - if (arg != s) - suppdata_error = 1; - return 1; - } - -static int supp_data_0_cli_second_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg) - { - *out = (const unsigned char*)supp_data_0_string; - *outlen = strlen(supp_data_0_string); - if (arg != s) - suppdata_error = 1; - return 1; - } - -static int supp_data_1_cli_first_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - suppdata_error = 1; - return 1; - } - -static int supp_data_1_cli_second_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg) - { - return -1; - } - -static int supp_data_2_cli_first_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - suppdata_error = 1; - return 1; - } - static char *cipher=NULL; static int verbose=0; static int debug=0; @@ -923,7 +809,6 @@ static void sv_usage(void) fprintf(stderr," -alpn_client - have client side offer ALPN\n"); fprintf(stderr," -alpn_server - have server side offer ALPN\n"); fprintf(stderr," -alpn_expected - the ALPN protocol that should be negotiated\n"); - fprintf(stderr, "-suppdata - exercise supplemental data callbacks\n"); } static void print_details(SSL *c_ssl, const char *prefix) @@ -1368,10 +1253,6 @@ int main(int argc, char *argv[]) if (--argc < 1) goto bad; alpn_expected = *(++argv); } - else if (strcmp(*argv,"-suppdata") == 0) - { - suppdata = 1; - } else { fprintf(stderr,"unknown option %s\n",*argv); @@ -1766,40 +1647,6 @@ bad: c_ssl=SSL_new(c_ctx); s_ssl=SSL_new(s_ctx); - if (suppdata) - { - /* TEST CASES */ - /* client and server both send and receive, verify - * additional arg passed back */ - SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_0, - supp_data_0_srv_first_cb, - supp_data_0_srv_second_cb, s_ssl); - SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_0, - supp_data_0_cli_first_cb, - supp_data_0_cli_second_cb, c_ssl); - - /* -1 response from sending server/client doesn't - * receive, -1 response from sending client/server - * doesn't receive */ - SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_1, - supp_data_1_srv_first_cb, - supp_data_1_srv_second_cb, NULL); - SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_1, - supp_data_1_cli_first_cb, - supp_data_1_cli_second_cb, NULL); - - /* null sending server/client doesn't receive, null - sending client/server doesn't receive */ - SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_2, - /*supp_data_2_srv_first_cb*/NULL, - supp_data_2_srv_second_cb, NULL); - SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_2, - supp_data_2_cli_first_cb, - /*supp_data_2_cli_second_cb*/NULL, - NULL); - - /* alerts set to non-zero and zero return values not tested */ - } #ifndef OPENSSL_NO_KRB5 if (c_ssl && c_ssl->kssl_ctx) { @@ -2586,11 +2433,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) goto err; } #endif - if (suppdata_error < 0) - { - ret = 1; - goto err; - } if (verify_serverinfo() < 0) { ret = 1; diff --git a/ssl/tls1.h b/ssl/tls1.h index 013aa4a2da..3499584bc3 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -211,11 +211,9 @@ extern "C" { #define TLSEXT_TYPE_status_request 5 /* ExtensionType values from RFC4681 */ #define TLSEXT_TYPE_user_mapping 6 - /* ExtensionType values from RFC5878 */ #define TLSEXT_TYPE_client_authz 7 #define TLSEXT_TYPE_server_authz 8 - /* ExtensionType values from RFC6091 */ #define TLSEXT_TYPE_cert_type 9 @@ -312,17 +310,6 @@ extern "C" { #define TLSEXT_MAXLEN_host_name 255 -/* From RFC 5878 */ -#define TLSEXT_SUPPLEMENTALDATATYPE_authz_data 16386 - -/* DTCP Authorization Type - * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#authorization-data-rules - * http://tools.ietf.org/id/draft-dthakore-tls-authz-04.txt - */ -#define TLSEXT_AUTHZDATAFORMAT_dtcp 66 - -#define TLSEXT_MAXLEN_supplemental_data 1024*16 /* Let's limit to 16k */ - const char *SSL_get_servername(const SSL *s, const int type); int SSL_get_servername_type(const SSL *s); /* SSL_export_keying_material exports a value derived from the master secret,