Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)

Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

1 files changed, 66 insertions, 19 deletions

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 9f00400654..0b2d5ffd95 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1840,6 +1840,66 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
 	else
 		*len = ssl->s3->alpn_selected_len;
 	}
+
+int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
+			      unsigned short supp_data_type,
+			      cli_supp_data_first_cb_fn fn1,
+			      cli_supp_data_second_cb_fn fn2, void* arg)
+	{
+	size_t i;
+	cli_supp_data_record* record;
+
+	/* Check for duplicates */
+	for (i=0; i < ctx->cli_supp_data_records_count; i++)
+		if (supp_data_type == ctx->cli_supp_data_records[i].supp_data_type)
+			return 0;
+
+	ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records,
+	(ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record));
+	if (!ctx->cli_supp_data_records)
+		{
+		ctx->cli_supp_data_records_count = 0;
+		return 0;
+		}
+	ctx->cli_supp_data_records_count++;
+	record = &ctx->cli_supp_data_records[ctx->cli_supp_data_records_count - 1];
+	record->supp_data_type = supp_data_type;
+	record->fn1 = fn1;
+	record->fn2 = fn2;
+	record->arg = arg;
+	return 1;
+	}
+
+int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
+			      unsigned short supp_data_type,
+			      srv_supp_data_first_cb_fn fn1,
+			      srv_supp_data_second_cb_fn fn2, void* arg)
+	{
+	size_t i;
+	srv_supp_data_record* record;
+
+	/* Check for duplicates */
+	for (i=0; i < ctx->srv_supp_data_records_count; i++)
+		if (supp_data_type == ctx->srv_supp_data_records[i].supp_data_type)
+			return 0;
+
+	ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records,
+	(ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record));
+	if (!ctx->srv_supp_data_records)
+		{
+		ctx->srv_supp_data_records_count = 0;
+		return 0;
+		}
+	ctx->srv_supp_data_records_count++;
+	record = &ctx->srv_supp_data_records[ctx->srv_supp_data_records_count - 1];
+	record->supp_data_type = supp_data_type;
+	record->fn1 = fn1;
+	record->fn2 = fn2;
+	record->arg = arg;
+
+	return 1;
+	}
+
 #endif /* !OPENSSL_NO_TLSEXT */
 
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -2043,6 +2103,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 	ret->custom_cli_ext_records_count = 0;
 	ret->custom_srv_ext_records = NULL;
 	ret->custom_srv_ext_records_count = 0;
+	ret->cli_supp_data_records = NULL;
+	ret->cli_supp_data_records_count = 0;
+	ret->srv_supp_data_records = NULL;
+	ret->srv_supp_data_records_count = 0;
 #ifndef OPENSSL_NO_BUF_FREELISTS
 	ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
 	ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -2184,6 +2248,8 @@ void SSL_CTX_free(SSL_CTX *a)
 #ifndef OPENSSL_NO_TLSEXT
 	OPENSSL_free(a->custom_cli_ext_records);
 	OPENSSL_free(a->custom_srv_ext_records);
+	OPENSSL_free(a->cli_supp_data_records);
+	OPENSSL_free(a->srv_supp_data_records);
 #endif
 #ifndef OPENSSL_NO_ENGINE
 	if (a->client_cert_engine)
@@ -2621,25 +2687,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
 	}
 
 #ifndef OPENSSL_NO_TLSEXT
-unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length)
-	{
-	CERT *c;
-	int i;
-
-	c = s->cert;
-	i = ssl_get_server_cert_index(s);
-
-	if (i == -1)
-		return NULL;
-
-	*authz_length = 0;
-	if (c->pkeys[i].authz == NULL)
-		return(NULL);
-	*authz_length = c->pkeys[i].authz_length;
-
-	return c->pkeys[i].authz;
-	}
-
 int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
 				   size_t *serverinfo_length)
 	{