From e97be718044fd9a296f05f13e3ad91427b212b7c Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 13 Aug 2018 15:53:42 +0100 Subject: [PATCH] Add support for SSL_CTX_set_post_handshake_auth() We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX equivalent. Reviewed-by: Tim Hudson (Merged from https://github.com/openssl/openssl/pull/6938) --- doc/man3/SSL_CTX_set_verify.pod | 16 +++++++++------- include/openssl/ssl.h | 1 + ssl/ssl_lib.c | 6 ++++++ ssl/ssl_locl.h | 3 +++ test/sslapitest.c | 3 +-- util/libssl.num | 1 + 6 files changed, 21 insertions(+), 9 deletions(-) diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod index 173f006eb6..c192f9af6f 100644 --- a/doc/man3/SSL_CTX_set_verify.pod +++ b/doc/man3/SSL_CTX_set_verify.pod @@ -7,7 +7,8 @@ SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth, SSL_verify_cb, SSL_verify_client_post_handshake, -SSL_set_post_handshake_auth +SSL_set_post_handshake_auth, +SSL_CTX_set_post_handshake_auth - set peer certificate verification parameters =head1 SYNOPSIS @@ -24,6 +25,7 @@ SSL_set_post_handshake_auth void SSL_set_verify_depth(SSL *ssl, int depth); int SSL_verify_client_post_handshake(SSL *ssl); + void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val); void SSL_set_post_handshake_auth(SSL *ssl, int val); =head1 DESCRIPTION 
@@ -48,12 +50,12 @@ verification that shall be allowed for B. SSL_set_verify_depth() sets the maximum B for the certificate chain verification that shall be allowed for B. -SSL_set_post_handshake_auth() enables the Post-Handshake Authentication -extension to be added to the ClientHello such that post-handshake authentication -can be requested by the server. If B is 0 then the extension is not sent, -otherwise it is. By default the extension is not sent. A certificate callback -will need to be set via SSL_CTX_set_client_cert_cb() if no certificate is -provided at initialization. +SSL_CTX_set_post_handshake_auth() and SSL_set_post_handshake_auth() enable the +Post-Handshake Authentication extension to be added to the ClientHello such that +post-handshake authentication can be requested by the server. If B is 0 +then the extension is not sent, otherwise it is. By default the extension is not +sent. A certificate callback will need to be set via +SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization. SSL_verify_client_post_handshake() causes a CertificateRequest message to be sent by a server on the given B connection. The SSL_VERIFY_PEER flag must diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index b61119cc18..eb689c1c36 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1898,6 +1898,7 @@ int SSL_renegotiate_abbreviated(SSL *s); __owur int SSL_renegotiate_pending(SSL *s); int SSL_shutdown(SSL *s); __owur int SSL_verify_client_post_handshake(SSL *s); +void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val); void SSL_set_post_handshake_auth(SSL *s, int val); __owur const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 89570fbe3a..7e8093bcfd 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -702,6 +702,7 @@ SSL *SSL_new(SSL_CTX *ctx) s->max_early_data = ctx->max_early_data; s->recv_max_early_data = ctx->recv_max_early_data; s->num_tickets = ctx->num_tickets; + s->pha_enabled = ctx->pha_enabled; /* Shallow copy of the ciphersuites stack */ s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); @@ -5455,6 +5456,11 @@ int SSL_stateless(SSL *s) return -1; } +void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val) +{ + ctx->pha_enabled = val; +} + void SSL_set_post_handshake_auth(SSL *ssl, int val) { ssl->pha_enabled = val; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 0d98110480..362ae1cbe5 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1063,6 +1063,9 @@ struct ssl_ctx_st { /* Callback to determine if early_data is acceptable or not */ SSL_allow_early_data_cb_fn allow_early_data_cb; void *allow_early_data_cb_data; + + /* Do we advertise Post-handshake auth support? */ + int pha_enabled; }; struct ssl_st { diff --git a/test/sslapitest.c b/test/sslapitest.c index 81761f2f65..d21b39d84c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -4331,13 +4331,12 @@ static int test_pha_key_update(void) || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION))) goto end; + SSL_CTX_set_post_handshake_auth(cctx, 1); if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL))) goto end; - SSL_set_post_handshake_auth(clientssl, 1); - if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) goto end; diff --git a/util/libssl.num b/util/libssl.num index 521637f098..3c31d7cc95 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -496,3 +496,4 @@ SSL_set_recv_max_early_data 496 1_1_1 EXIST::FUNCTION: SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION: SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION: SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION: +SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION: -- 2.25.1
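Review bot: SSL_CTX_set_post_handshake_auth() is a plain unlocked write to `ctx->pha_enabled`, and the SSL_new() hunk above copies that field once, at object creation, so a caller needs to know that the value must be set before SSL_new() and that changing it afterwards does not affect SSL objects already created from the ctx (a concurrent set while another thread runs SSL_new() on the same ctx is an unsynchronised read/write, as for the neighbouring max_early_data and num_tickets copies). That is consistent with how the sibling fields are handled, but nothing in the new function says so, and the pod hunk only documents the effect on the ClientHello. I would add above the new definition: `/* Copied into each SSL at SSL_new(); has no effect on SSL objects already created from ctx. */`. SSL_new() begins and ends outside the first hunk.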
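Review bot: The new `int pha_enabled;` in struct ssl_ctx_st carries the comment "Do we advertise Post-handshake auth support?", but in the visible hunks ctx->pha_enabled is read only in SSL_new(), where it seeds the per-SSL field that SSL_set_post_handshake_auth() already writes; the ctx field is therefore an initial value rather than a flag consulted on its own, and the comment should say so to keep a later reader from checking the ctx copy at extension-construction time. Suggested wording: `/* Initial value of pha_enabled for SSL objects created from this ctx */`. struct ssl_ctx_st starts before this hunk.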
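Review bot: The sslapitest.c hunk swaps the per-connection `SSL_set_post_handshake_auth(clientssl, 1)` for `SSL_CTX_set_post_handshake_auth(cctx, 1)`, so test_pha_key_update now exercises only the ctx-inheritance path and, if this was the only call site in the test file, the per-SSL setter loses its coverage; I cannot see the rest of the file to confirm. Keeping both paths under test would be cheap: run the existing body once with the ctx call and once with the per-SSL call, and add a variant that sets `SSL_CTX_set_post_handshake_auth(cctx, 1)` then `SSL_set_post_handshake_auth(clientssl, 0)` before connecting, expecting the server-side post-handshake request to fail, which pins down that the per-SSL value overrides the ctx default rather than being OR-ed with it. Since this patch adds no getter, the test is the only place that behaviour can be checked. test_pha_key_update() continues past the hunk in both directions.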