[openssl-commits] [openssl] master update

Viktor Dukhovni viktor at openssl.org
Thu Apr 7 18:41:50 UTC 2016


The branch master has been updated
       via  a4ccf06808422400a6a0673b452d388e95a455fd (commit)
       via  43341433a88a6a2cd38c35359f48653e809b10cd (commit)
       via  c636c1c470fd2b4b0cb546e6ee85971375e42ec1 (commit)
      from  6afef8b1fb679df7d6a8606d713192c9907b1890 (commit)


- Log -----------------------------------------------------------------
commit a4ccf06808422400a6a0673b452d388e95a455fd
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Thu Apr 7 14:19:16 2016 -0400

    make update
    
    Signed-off-by: Rob Percival <robpercival at google.com>
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit 43341433a88a6a2cd38c35359f48653e809b10cd
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Thu Apr 7 14:17:37 2016 -0400

    Suppress CT callback as appropriate
    
    Suppress CT callbacks with aNULL or PSK ciphersuites that involve
    no certificates.  Ditto when the certificate chain is validated via
    DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
    when the chain is fails verification.
    
    Move and consolidate CT callbacks from libcrypto to libssl.  We
    also simplify the interface to SSL_{,CTX_}_enable_ct() which can
    specify either a permissive mode that just collects information or
    a strict mode that requires at least one valid SCT or else asks to
    abort the connection.
    
    Simplified SCT processing and options in s_client(1) which now has
    just a simple pair of "-noct" vs. "-ct" options, the latter enables
    the permissive callback so that we can complete the handshake and
    report all relevant information.  When printing SCTs, print the
    validation status if set and not valid.
    
    Signed-off-by: Rob Percival <robpercival at google.com>
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit c636c1c470fd2b4b0cb546e6ee85971375e42ec1
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date:   Sat Apr 2 16:47:48 2016 -0400

    Fix client verify mode to check SSL_VERIFY_PEER
    
    The original check for != SSL_VERIFY_NONE can give surprising results
    when flags SSL_VERIFY_PEER is not set, but other flags are.  Note
    that SSL_VERIFY_NONE (0) is not a flag bit, it is rather the absense
    of all other flag bits.
    
    Signed-off-by: Rob Percival <robpercival at google.com>
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 apps/s_client.c                                |  67 +++++++-----
 crypto/ct/ct_err.c                             |   3 -
 crypto/ct/ct_oct.c                             |  12 ++-
 crypto/ct/ct_prn.c                             |  23 ++++-
 crypto/ct/ct_sct.c                             |  33 +++++-
 crypto/ct/ct_vfy.c                             |  59 -----------
 doc/apps/s_client.pod                          |  14 ++-
 doc/ssl/SSL_CTX_set_ct_validation_callback.pod | 113 ++++++++++++++------
 doc/ssl/SSL_CTX_set_ctlog_list_file.pod        |   2 +-
 doc/ssl/SSL_CTX_set_verify.pod                 |  15 +--
 include/openssl/ct.h                           |  22 +---
 include/openssl/ssl.h                          |  60 ++++++++---
 ssl/ssl_err.c                                  |  14 +--
 ssl/ssl_lib.c                                  | 138 +++++++++++++++++++------
 ssl/ssl_locl.h                                 |   4 +-
 ssl/statem/statem_clnt.c                       |   5 +-
 ssl/t1_ext.c                                   |  15 +--
 test/ct_test.c                                 |  22 ++--
 test/recipes/80-test_ssl_old.t                 |  27 ++---
 test/ssltest_old.c                             |  14 ++-
 util/libcrypto.num                             |   3 +-
 util/libssl.num                                |   6 +-
 22 files changed, 402 insertions(+), 269 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index b180dbc..b2f10c8 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -666,7 +666,7 @@ typedef enum OPTION_choice {
     OPT_S_ENUM,
     OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN,
 #ifndef OPENSSL_NO_CT
-    OPT_NOCT, OPT_REQUESTCT, OPT_REQUIRECT, OPT_CTLOG_FILE,
+    OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
 #endif
     OPT_DANE_TLSA_RRDATA
 } OPTION_CHOICE;
@@ -831,9 +831,8 @@ OPTIONS s_client_options[] = {
      "Specify engine to be used for client certificate operations"},
 #endif
 #ifndef OPENSSL_NO_CT
+    {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
     {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
-    {"requestct", OPT_REQUESTCT, '-', "Request SCTs (enables OCSP stapling)"},
-    {"requirect", OPT_REQUIRECT, '-', "Require at least 1 SCT (enables OCSP stapling)"},
     {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
 #endif
     {NULL}
@@ -935,7 +934,7 @@ int s_client_main(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_CT
     char *ctlog_file = NULL;
-    ct_validation_cb ct_validation = NULL;
+    int ct_validation = 0;
 #endif
     int min_version = 0, max_version = 0;
 
@@ -1335,13 +1334,10 @@ int s_client_main(int argc, char **argv)
             break;
 #ifndef OPENSSL_NO_CT
         case OPT_NOCT:
-            ct_validation = NULL;
+            ct_validation = 0;
             break;
-        case OPT_REQUESTCT:
-            ct_validation = CT_verify_no_bad_scts;
-            break;
-        case OPT_REQUIRECT:
-            ct_validation = CT_verify_at_least_one_good_sct;
+        case OPT_CT:
+            ct_validation = 1;
             break;
         case OPT_CTLOG_FILE:
             ctlog_file = opt_arg();
@@ -1684,13 +1680,15 @@ int s_client_main(int argc, char **argv)
         SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
 
 #ifndef OPENSSL_NO_CT
-    if (!SSL_CTX_set_ct_validation_callback(ctx, ct_validation, NULL)) {
+    /* Enable SCT processing, without early connection termination */
+    if (ct_validation &&
+        !SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) {
         ERR_print_errors(bio_err);
         goto end;
     }
 
     if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
-        if (ct_validation != NULL) {
+        if (ct_validation) {
             ERR_print_errors(bio_err);
             goto end;
         }
@@ -2570,7 +2568,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 #endif
     unsigned char *exportedkeymat;
 #ifndef OPENSSL_NO_CT
-    const STACK_OF(SCT) *scts;
     const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
 #endif
 
@@ -2626,21 +2623,35 @@ static void print_stuff(BIO *bio, SSL *s, int full)
         ssl_print_tmp_key(bio, s);
 
 #ifndef OPENSSL_NO_CT
-        scts = SSL_get0_peer_scts(s);
-        BIO_printf(bio, "---\nSCTs present (%i)\n",
-                   scts != NULL ? sk_SCT_num(scts) : 0);
-
-        if (SSL_get_ct_validation_callback(s) == NULL) {
-          BIO_printf(bio, "Warning: CT validation is disabled, so not all "
-                     "SCTs may be displayed. Re-run with \"-requestct\".\n");
-        }
-
-        if (scts != NULL && sk_SCT_num(scts) > 0) {
-            const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
-
-            BIO_printf(bio, "---\n");
-            SCT_LIST_print(scts, bio, 0, "\n---\n", log_store);
-            BIO_printf(bio, "\n");
+        /*
+         * When the SSL session is anonymous, or resumed via an abbreviated
+         * handshake, no SCTs are provided as part of the handshake.  While in
+         * a resumed session SCTs may be present in the session's certificate,
+         * no callbacks are invoked to revalidate these, and in any case that
+         * set of SCTs may be incomplete.  Thus it makes little sense to
+         * attempt to display SCTs from a resumed session's certificate, and of
+         * course none are associated with an anonymous peer.
+         */
+        if (peer != NULL && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) {
+            const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s);
+            int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
+
+            BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count);
+            if (sct_count > 0) {
+                const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
+
+                BIO_printf(bio, "---\n");
+                for (i = 0; i < sct_count; ++i) {
+                    SCT *sct = sk_SCT_value(scts, i);
+
+                    BIO_printf(bio, "SCT validation status: %s\n",
+                               SCT_validation_status_string(sct));
+                    SCT_print(sct, bio, 0, log_store);
+                    if (i < sct_count - 1)
+                        BIO_printf(bio, "\n---\n");
+                }
+                BIO_printf(bio, "\n");
+            }
         }
 #endif
 
diff --git a/crypto/ct/ct_err.c b/crypto/ct/ct_err.c
index 9d4548c..1754395 100644
--- a/crypto/ct/ct_err.c
+++ b/crypto/ct/ct_err.c
@@ -91,9 +91,6 @@ static ERR_STRING_DATA CT_str_functs[] = {
     {ERR_FUNC(CT_F_CT_POLICY_EVAL_CTX_SET0_LOG_STORE),
      "CT_POLICY_EVAL_CTX_set0_log_store"},
     {ERR_FUNC(CT_F_CT_V1_LOG_ID_FROM_PKEY), "ct_v1_log_id_from_pkey"},
-    {ERR_FUNC(CT_F_CT_VERIFY_AT_LEAST_ONE_GOOD_SCT),
-     "CT_verify_at_least_one_good_sct"},
-    {ERR_FUNC(CT_F_CT_VERIFY_NO_BAD_SCTS), "CT_verify_no_bad_scts"},
     {ERR_FUNC(CT_F_D2I_SCT_LIST), "d2i_SCT_LIST"},
     {ERR_FUNC(CT_F_I2D_SCT_LIST), "i2d_SCT_LIST"},
     {ERR_FUNC(CT_F_I2O_SCT), "i2o_SCT"},
diff --git a/crypto/ct/ct_oct.c b/crypto/ct/ct_oct.c
index 620edab..ece353b 100644
--- a/crypto/ct/ct_oct.c
+++ b/crypto/ct/ct_oct.c
@@ -135,10 +135,14 @@ SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
     if (sct->version == SCT_VERSION_V1) {
         int sig_len;
         size_t len2;
-        /*
-         * Fixed-length header: struct { (1 byte) Version sct_version; (32
-         * bytes) log_id id; (8 bytes) uint64 timestamp; (2 bytes + ?)
-         * CtExtensions extensions;
+        /*-
+         * Fixed-length header:
+         *   struct {
+         *     Version sct_version;     (1 byte)
+         *     log_id id;               (32 bytes)
+         *     uint64 timestamp;        (8 bytes)
+         *     CtExtensions extensions; (2 bytes + ?)
+         *   }
          */
         if (len < 43) {
             CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
diff --git a/crypto/ct/ct_prn.c b/crypto/ct/ct_prn.c
index 0d9d019..5004ae0 100644
--- a/crypto/ct/ct_prn.c
+++ b/crypto/ct/ct_prn.c
@@ -96,6 +96,26 @@ static void timestamp_print(uint64_t timestamp, BIO *out)
     ASN1_GENERALIZEDTIME_free(gen);
 }
 
+const char *SCT_validation_status_string(const SCT *sct)
+{
+
+    switch (SCT_get_validation_status(sct)) {
+    case SCT_VALIDATION_STATUS_NOT_SET:
+        return "not set";
+    case SCT_VALIDATION_STATUS_UNKNOWN_VERSION:
+        return "unknown version";
+    case SCT_VALIDATION_STATUS_UNKNOWN_LOG:
+        return "unknown log";
+    case SCT_VALIDATION_STATUS_UNVERIFIED:
+        return "unverified";
+    case SCT_VALIDATION_STATUS_INVALID:
+        return "invalid";
+    case SCT_VALIDATION_STATUS_VALID:
+        return "valid";
+    }
+    return "unknown status";
+}
+
 void SCT_print(const SCT *sct, BIO *out, int indent,
                const CTLOG_STORE *log_store)
 {
@@ -143,9 +163,10 @@ void SCT_print(const SCT *sct, BIO *out, int indent,
 void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent,
                     const char *separator, const CTLOG_STORE *log_store)
 {
+    int sct_count = sk_SCT_num(sct_list);
     int i;
 
-    for (i = 0; i < sk_SCT_num(sct_list); ++i) {
+    for (i = 0; i < sct_count; ++i) {
         SCT *sct = sk_SCT_value(sct_list, i);
 
         SCT_print(sct, out, indent, log_store);
diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c
index 9eefa0c..1fc7456 100644
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -334,17 +334,22 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
     X509_PUBKEY *pub = NULL, *log_pkey = NULL;
     const CTLOG *log;
 
+    /*
+     * With an unrecognized SCT version we don't know what such an SCT means,
+     * let alone validate one.  So we return validation failure (0).
+     */
     if (sct->version != SCT_VERSION_V1) {
         sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_VERSION;
-        goto end;
+        return 0;
     }
 
     log = CTLOG_STORE_get0_log_by_id(ctx->log_store,
                                      sct->log_id, sct->log_id_len);
 
+    /* Similarly, an SCT from an unknown log also cannot be validated. */
     if (log == NULL) {
         sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_LOG;
-        goto end;
+        return 0;
     }
 
     sctx = SCT_CTX_new();
@@ -372,10 +377,28 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
             goto err;
     }
 
+    /*
+     * XXX: Potential for optimization.  This repeats some idempotent heavy
+     * lifting on the certificate for each candidate SCT, and appears to not
+     * use any information in the SCT itself, only the certificate is
+     * processed.  So it may make more sense to to do this just once, perhaps
+     * associated with the shared (by all SCTs) policy eval ctx.
+     *
+     * XXX: Failure here is global (SCT independent) and represents either an
+     * issue with the certificate (e.g. duplicate extensions) or an out of
+     * memory condition.  When the certificate is incompatible with CT, we just
+     * mark the SCTs invalid, rather than report a failure to determine the
+     * validation status.  That way, callbacks that want to do "soft" SCT
+     * processing will not abort handshakes with false positive internal
+     * errors.  Since the function does not distinguish between certificate
+     * issues (peer's fault) and internal problems (out fault) the safe thing
+     * to do is to report a validation failure and let the callback or
+     * application decide what to do.
+     */
     if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
-        goto err;
-
-    sct->validation_status = SCT_verify(sctx, sct) == 1 ?
+        sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
+    else
+        sct->validation_status = SCT_verify(sctx, sct) == 1 ?
             SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;
 
 end:
diff --git a/crypto/ct/ct_vfy.c b/crypto/ct/ct_vfy.c
index 9895231..71c0361 100644
--- a/crypto/ct/ct_vfy.c
+++ b/crypto/ct/ct_vfy.c
@@ -71,65 +71,6 @@ typedef enum sct_signature_type_t {
     SIGNATURE_TYPE_TREE_HASH
 } SCT_SIGNATURE_TYPE;
 
-int CT_verify_no_bad_scts(const CT_POLICY_EVAL_CTX *ctx,
-                          const STACK_OF(SCT) *scts, void *arg)
-{
-    int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
-    int i;
-
-    for (i = 0; i < sct_count; ++i) {
-        SCT *sct = sk_SCT_value(scts, i);
-
-        switch (SCT_get_validation_status(sct)) {
-            case SCT_VALIDATION_STATUS_INVALID:
-                return 0;
-            case SCT_VALIDATION_STATUS_NOT_SET:
-                CTerr(CT_F_CT_VERIFY_NO_BAD_SCTS,
-                      CT_R_SCT_VALIDATION_STATUS_NOT_SET);
-                return -1;
-            default:
-                /* Ignore other validation statuses. */
-                break;
-        }
-    }
-
-    return 1;
-}
-
-int CT_verify_at_least_one_good_sct(const CT_POLICY_EVAL_CTX *ctx,
-                                    const STACK_OF(SCT) *scts, void *arg)
-{
-    int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
-    int valid_scts = 0;
-    int i;
-
-    for (i = 0; i < sct_count; ++i) {
-        SCT *sct = sk_SCT_value(scts, i);
-
-        switch (SCT_get_validation_status(sct)) {
-            case SCT_VALIDATION_STATUS_VALID:
-                ++valid_scts;
-                break;
-            case SCT_VALIDATION_STATUS_INVALID:
-                return 0;
-            case SCT_VALIDATION_STATUS_NOT_SET:
-                CTerr(CT_F_CT_VERIFY_AT_LEAST_ONE_GOOD_SCT,
-                      CT_R_SCT_VALIDATION_STATUS_NOT_SET);
-                return -1;
-            default:
-                /* Ignore other validation statuses. */
-                break;
-        }
-    }
-
-    if (valid_scts == 0) {
-        CTerr(CT_F_CT_VERIFY_AT_LEAST_ONE_GOOD_SCT, CT_R_NOT_ENOUGH_SCTS);
-        return 0;
-    }
-
-    return 1;
-}
-
 /*
  * Update encoding for SCT signature verification/generation to supplied
  * EVP_MD_CTX.
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 881fbcf..e06af14 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -95,7 +95,7 @@ B<openssl> B<s_client>
 [B<-serverinfo types>]
 [B<-status>]
 [B<-nextprotoneg protocols>]
-[B<-noct|requestct|requirect>]
+[B<-ct|noct>]
 [B<-ctlogfile>]
 
 =head1 DESCRIPTION
@@ -464,14 +464,12 @@ Empty list of protocols is treated specially and will cause the client to
 advertise support for the TLS extension but disconnect just after
 receiving ServerHello with a list of server supported protocols.
 
-=item B<-noct|requestct|requirect>
+=item B<-ct|noct>
 
-Use one of these three options to control whether Certificate Transparency (CT)
-is disabled (-noct), enabled but not enforced (-requestct), or enabled and
-enforced (-requirect). If CT is enabled, signed certificate timestamps (SCTs)
-will be requested from the server and invalid SCTs will cause the connection to
-be aborted. If CT is enforced, at least one valid SCT from a recognised CT log
-(see B<-ctlogfile>) will be required or the connection will be aborted.
+Use one of these two options to control whether Certificate Transparency (CT)
+is enabled (B<-ct>) or disabled (B<-noct>).
+If CT is enabled, signed certificate timestamps (SCTs) will be requested from
+the server and reported at handshake completion.
 
 Enabling CT also enables OCSP stapling, as this is one possible delivery method
 for SCTs.
diff --git a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
index 167a044..ec51c75 100644
--- a/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
+++ b/doc/ssl/SSL_CTX_set_ct_validation_callback.pod
@@ -2,39 +2,92 @@
 
 =head1 NAME
 
+SSL_ct_enable, SSL_CTX_ct_enable, SSL_ct_disable, SSL_CTX_ct_disable,
 SSL_set_ct_validation_callback, SSL_CTX_set_ct_validation_callback,
-SSL_get_ct_validation_callback, SSL_CTX_get_ct_validation_callback -
+SSL_ct_is_enabled, SSL_CTX_ct_is_enabled -
 control Certificate Transparency policy
 
 =head1 SYNOPSIS
 
  #include <openssl/ssl.h>
 
- int SSL_set_ct_validation_callback(SSL *s, ct_validation_cb callback, void *arg);
- int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ct_validation_cb callback, void *arg);
- ct_validation_cb SSL_get_ct_validation_callback(const SSL *s);
- ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx);
+ int SSL_ct_enable(SSL *s, int validation_mode);
+ int SSL_CTX_ct_enable(SSL_CTX *ctx, int validation_mode);
+ int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
+                                    void *arg);
+ int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
+                                        ssl_ct_validation_cb callback,
+                                        void *arg);
+ void SSL_ct_disable(SSL *s);
+ void SSL_CTX_ct_disable(SSL_CTX *ctx);
+ int SSL_ct_is_enabled(const SSL *s);
+ int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
 
 =head1 DESCRIPTION
 
-SSL_set_ct_validation_callback() and SSL_CTX_set_ct_validation_callback() set
-the function that is called when Certificate Transparency validation needs to
-occur. It is the responsibility of this function to examine the signed
-certificate timestamps (SCTs) that are passed to it and determine whether they
-are sufficient to allow the connection to continue. If they are, the function
-must return 1, otherwise it must return 0.
-
-An arbitrary piece of user data, B<arg>, can be passed in when setting the
-callback. This will be passed to the callback whenever it is invoked. Ownership
-of this userdata remains with the caller.
+SSL_ct_enable() and SSL_CTX_ct_enable() enable the processing of signed
+certificate timestamps (SCTs) either for a given SSL connection or for all
+connections that share the given SSL context, respectively.
+This is accomplished by setting a built-in CT validation callback.
+The behaviour of the callback is determined by the B<validation_mode> argument,
+which can be either of B<SSL_CT_VALIDATION_PERMISSIVE> or
+B<SSL_CT_VALIDATION_STRICT> as described below.
+
+If B<validation_mode> is equal to B<SSL_CT_VALIDATION_PERMISSIVE>, then the
+handshake continues regardless of the validation status of any SCTs.
+The application can inspect the validation status of the SCTs at handshake
+completion.
+Note that with session resumption there will not be any SCTs presented during
+the handshake.
+Therefore, in applications that delay SCT policy enforcement until after
+handshake completion, SCT checks should only be performed when the session is
+not reused.
+See L<SSL_session_reused(3)>.
+
+If B<validation_mode> is equal to B<SSL_CT_VALIDATION_STRICT>, then in a full
+TLS handshake with the verification mode set to B<SSL_VERIFY_PEER>, if the peer
+presents no valid SCTs the handshake will be aborted.
+See L<SSL_set_verify(3)>.
+
+SSL_set_ct_validation_callback() and SSL_CTX_set_ct_validation_callback()
+register a custom callback that may implement a different policy than either of
+the above.
+This callback can examine the peer's SCTs and determine whether they are
+sufficient to allow the connection to continue.
+The TLS handshake is aborted if the verification mode is not B<SSL_VERIFY_NONE>
+and the callback returns a non-positive result.
+
+An arbitrary callback context argument, B<arg>, can be passed in when setting
+the callback.
+This will be passed to the callback whenever it is invoked.
+Ownership of this context remains with the caller.
 
 If no callback is set, SCTs will not be requested and Certificate Transparency
 validation will not occur.
 
+No callback will be invoked when the peer presents no certificate, e.g. by
+employing an anonymous (aNULL) ciphersuite.
+In that case the handshake continues as it would had no callback been
+requested.
+Callbacks are also not invoked when the peer certificate chain is invalid or
+validated via DANE-TA(2) or DANE-EE(3) TLSA records which use a private X.509
+PKI, or no X.509 PKI at all, respectively.
+Clients that require SCTs are expected to not have enabled any aNULL ciphers
+nor to have specified server verification via DANE-TA(2) or DANE-EE(3) TLSA
+records.
+
+SSL_ct_disable() and SSL_CTX_ct_disable() turn off CT processing, whether
+enabled via the built-in or the custom callbacks, by setting a NULL callback.
+These may be implemented as macros.
+
+SSL_ct_is_enabled() and SSL_CTX_ct_is_enabled() return 1 if CT processing is
+enabled via either SSL_ct_enable() or a non-null custom callback, and 0
+otherwise.
+
 =head1 NOTES
 
-If a callback is set, OCSP stapling will be enabled. This is because one
-possible source of SCTs is the OCSP response from a server.
+When SCT processing is enabled, OCSP stapling will be enabled. This is because
+one possible source of SCTs is the OCSP response from a server.
 
 =head1 RESTRICTIONS
 
@@ -42,24 +95,26 @@ Certificate Transparency validation cannot be enabled and so a callback cannot
 be set if a custom client extension handler has been registered to handle SCT
 extensions (B<TLSEXT_TYPE_signed_certificate_timestamp>).
 
-If an SCT callback is enabled, a handshake may fail if the peer does
-not provide a certificate, which can happen when using opportunistic
-encryption with anonymous (B<aNULL>) cipher-suites enabled on both ends.
-SCTs should only be used when the application requires an authenticated
-connection, and wishes to perform additional validation on that identity.
-
 =head1 RETURN VALUES
 
-SSL_CTX_set_ct_validation_callback() and SSL_set_ct_validation_callback()
-return 1 if the B<callback> is successfully set. They return 0 if an error
-occurs, e.g. a custom client extension handler has been setup to handle SCTs.
+SSL_ct_enable(), SSL_CTX_ct_enable(), SSL_CTX_set_ct_validation_callback() and
+SSL_set_ct_validation_callback() return 1 if the B<callback> is successfully
+set.
+They return 0 if an error occurs, e.g. a custom client extension handler has
+been setup to handle SCTs.
+
+SSL_ct_disable() and SSL_CTX_ct_disable() do not return a result.
 
-SSL_CTX_get_ct_validation_callback() and SSL_get_ct_validation_callback()
-return the current callback, or NULL if no callback is set.
+SSL_CTX_ct_is_enabled() and SSL_ct_is_enabled() return a 1 if a non-null CT
+validation callback is set, or 0 if no callback (or equivalently a NULL
+callback) is set.
 
 =head1 SEE ALSO
 
 L<ssl(3)>,
-L<ct_validation_cb(3)>
+L<SSL_session_reused(3)>,
+L<SSL_set_verify(3)>,
+L<SSL_CTX_set_verify(3)>,
+L<ssl_ct_validation_cb(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
index 9ef15ad..9e5798f 100644
--- a/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
+++ b/doc/ssl/SSL_CTX_set_ctlog_list_file.pod
@@ -49,6 +49,6 @@ the case of an error, the log list may have been partially loaded.
 =head1 SEE ALSO
 
 L<ssl(3)>,
-L<ct_validation_cb(3)>
+L<ssl_ct_validation_cb(3)>
 
 =cut
diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod
index 5da4166..d60bb6a 100644
--- a/doc/ssl/SSL_CTX_set_verify.pod
+++ b/doc/ssl/SSL_CTX_set_verify.pod
@@ -89,8 +89,7 @@ B<Client mode:> ignored
 
 =back
 
-Exactly one of the B<mode> flags SSL_VERIFY_NONE and SSL_VERIFY_PEER must be
-set at any time.
+If the B<mode> is SSL_VERIFY_NONE none of the other flags may be set.
 
 The actual verification procedure is performed either using the built-in
 verification procedure or using another application provided verification
@@ -146,18 +145,6 @@ Its return value is identical to B<preverify_ok>, so that any verification
 failure will lead to a termination of the TLS/SSL handshake with an
 alert message, if SSL_VERIFY_PEER is set.
 
-=head1 BUGS
-
-In client mode, it is not checked whether the SSL_VERIFY_PEER flag
-is set, but whether SSL_VERIFY_NONE is not set. This can lead to
-unexpected behaviour, if the SSL_VERIFY_PEER and SSL_VERIFY_NONE are not
-used as required (exactly one must be set at any time).
-
-The certificate verification depth set with SSL[_CTX]_verify_depth()
-stops the verification at a certain depth. The error message produced
-will be that of an incomplete certificate chain and not
-X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected.
-
 =head1 RETURN VALUES
 
 The SSL*_set_verify*() functions do not provide diagnostic information.
diff --git a/include/openssl/ct.h b/include/openssl/ct.h
index 0da3125..f12ca92 100644
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@@ -130,21 +130,6 @@ const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *c
 void CT_POLICY_EVAL_CTX_set0_log_store(CT_POLICY_EVAL_CTX *ctx,
                                        CTLOG_STORE *log_store);
 
-/*
- * A callback for verifying that the received SCTs are sufficient.
- * Expected to return 1 if they are sufficient, otherwise 0.
- * May return a negative integer if an error occurs.
- * A connection should be aborted if the SCTs are deemed insufficient.
- */
-typedef int(*ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
-                               const STACK_OF(SCT) *scts, void *arg);
-/* Returns 0 if there are invalid SCTs */
-int CT_verify_no_bad_scts(const CT_POLICY_EVAL_CTX *ctx,
-                          const STACK_OF(SCT) *scts, void *arg);
-/* Returns 0 if there are invalid SCTS or fewer than one valid SCT */
-int CT_verify_at_least_one_good_sct(const CT_POLICY_EVAL_CTX *ctx,
-                                    const STACK_OF(SCT) *scts, void *arg);
-
 /*****************
  * SCT functions *
  *****************/
@@ -299,6 +284,11 @@ sct_source_t SCT_get_source(const SCT *sct);
 __owur int SCT_set_source(SCT *sct, sct_source_t source);
 
 /*
+ * Returns a text string describing the validation status of |sct|.
+ */
+const char *SCT_validation_status_string(const SCT *sct);
+
+/*
  * Pretty-prints an |sct| to |out|.
  * It will be indented by the number of spaces specified by |indent|.
  * If |logs| is not NULL, it will be used to lookup the CT log that the SCT came
@@ -554,8 +544,6 @@ void ERR_load_CT_strings(void);
 # define CT_F_CT_POLICY_EVAL_CTX_SET0_ISSUER              135
 # define CT_F_CT_POLICY_EVAL_CTX_SET0_LOG_STORE           136
 # define CT_F_CT_V1_LOG_ID_FROM_PKEY                      125
-# define CT_F_CT_VERIFY_AT_LEAST_ONE_GOOD_SCT             137
-# define CT_F_CT_VERIFY_NO_BAD_SCTS                       138
 # define CT_F_D2I_SCT_LIST                                105
 # define CT_F_I2D_SCT_LIST                                106
 # define CT_F_I2O_SCT                                     107
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ea47cb3..ae9d8f2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1899,6 +1899,15 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client);
 # ifndef OPENSSL_NO_CT
 
 /*
+ * A callback for verifying that the received SCTs are sufficient.
+ * Expected to return 1 if they are sufficient, otherwise 0.
+ * May return a negative integer if an error occurs.
+ * A connection should be aborted if the SCTs are deemed insufficient.
+ */
+typedef int(*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
+                                   const STACK_OF(SCT) *scts, void *arg);
+
+/*
  * Sets a |callback| that is invoked upon receipt of ServerHelloDone to validate
  * the received SCTs.
  * If the callback returns a non-positive result, the connection is terminated.
@@ -1910,18 +1919,42 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client);
  * NOTE: A side-effect of setting a CT callback is that an OCSP stapled response
  *       will be requested.
  */
-__owur int SSL_set_ct_validation_callback(SSL *s,
-                                          ct_validation_cb callback,
-                                          void *arg);
-__owur int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
-                                              ct_validation_cb callback,
-                                              void *arg);
+int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
+                                   void *arg);
+int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
+                                       ssl_ct_validation_cb callback,
+                                       void *arg);
+#define SSL_disable_ct(s) \
+        ((void) SSL_set_validation_callback((s), NULL, NULL))
+#define SSL_CTX_disable_ct(ctx) \
+        ((void) SSL_CTX_set_validation_callback((ctx), NULL, NULL))
+
+/*
+ * The validation type enumerates the available behaviours of the built-in SSL
+ * CT validation callback selected via SSL_enable_ct() and SSL_CTX_enable_ct().
+ * The underlying callback is a static function in libssl.
+ */
+enum {
+    SSL_CT_VALIDATION_PERMISSIVE = 0,
+    SSL_CT_VALIDATION_STRICT
+};
+
+/*
+ * Enable CT by setting up a callback that implements one of the built-in
+ * validation variants.  The SSL_CT_VALIDATION_PERMISSIVE variant always
+ * continues the handshake, the application can make appropriate decisions at
+ * handshake completion.  The SSL_CT_VALIDATION_STRICT variant requires at
+ * least one valid SCT, or else handshake termination will be requested.  The
+ * handshake may continue anyway if SSL_VERIFY_NONE is in effect.
+ */
+int SSL_enable_ct(SSL *s, int validation_mode);
+int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode);
+
 /*
- * Gets the callback being used to validate SCTs.
- * This will return NULL if SCTs are neither being requested nor validated.
+ * Report whether a non-NULL callback is enabled.
  */
-__owur ct_validation_cb SSL_get_ct_validation_callback(const SSL *s);
-__owur ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx);
+int SSL_ct_is_enabled(const SSL *s);
+int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
 
 /* Gets the SCTs received from a connection */
 const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);
@@ -2073,6 +2106,7 @@ void ERR_load_SSL_strings(void);
 /* Function codes. */
 # define SSL_F_CHECK_SUITEB_CIPHER_LIST                   331
 # define SSL_F_CT_MOVE_SCTS                               345
+# define SSL_F_CT_STRICT                                  349
 # define SSL_F_D2I_SSL_SESSION                            103
 # define SSL_F_DANE_CTX_ENABLE                            347
 # define SSL_F_DANE_MTYPE_SET                             393
@@ -2155,7 +2189,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_CREATE_CIPHER_LIST                     166
 # define SSL_F_SSL_CTRL                                   232
 # define SSL_F_SSL_CTX_CHECK_PRIVATE_KEY                  168
-# define SSL_F_SSL_CTX_GET_CT_VALIDATION_CALLBACK         349
+# define SSL_F_SSL_CTX_ENABLE_CT                          398
 # define SSL_F_SSL_CTX_MAKE_PROFILES                      309
 # define SSL_F_SSL_CTX_NEW                                169
 # define SSL_F_SSL_CTX_SET_ALPN_PROTOS                    343
@@ -2181,8 +2215,8 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_DANE_ENABLE                            395
 # define SSL_F_SSL_DO_CONFIG                              391
 # define SSL_F_SSL_DO_HANDSHAKE                           180
+# define SSL_F_SSL_ENABLE_CT                              402
 # define SSL_F_SSL_GET0_PEER_SCTS                         397
-# define SSL_F_SSL_GET_CT_VALIDATION_CALLBACK             398
 # define SSL_F_SSL_GET_NEW_SESSION                        181
 # define SSL_F_SSL_GET_PREV_SESSION                       217
 # define SSL_F_SSL_GET_SERVER_CERT_INDEX                  322
@@ -2405,6 +2439,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_INVALID_COMMAND                            280
 # define SSL_R_INVALID_COMPRESSION_ALGORITHM              341
 # define SSL_R_INVALID_CONFIGURATION_NAME                 113
+# define SSL_R_INVALID_CT_VALIDATION_TYPE                 212
 # define SSL_R_INVALID_NULL_CMD_NAME                      385
 # define SSL_R_INVALID_PURPOSE                            278
 # define SSL_R_INVALID_SEQUENCE_NUMBER                    402
@@ -2453,6 +2488,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_NO_SHARED_CIPHER                           193
 # define SSL_R_NO_SHARED_SIGATURE_ALGORITHMS              376
 # define SSL_R_NO_SRTP_PROFILES                           359
+# define SSL_R_NO_VALID_SCTS                              216
 # define SSL_R_NO_VERIFY_CALLBACK                         194
 # define SSL_R_NO_VERIFY_COOKIE_CALLBACK                  403
 # define SSL_R_NULL_SSL_CTX                               195
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index d0cadc6..df98c76 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -70,7 +70,8 @@
 
 static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST), "check_suiteb_cipher_list"},
-    {ERR_FUNC(SSL_F_CT_MOVE_SCTS), "CT_move_scts"},
+    {ERR_FUNC(SSL_F_CT_MOVE_SCTS), "ct_move_scts"},
+    {ERR_FUNC(SSL_F_CT_STRICT), "ct_strict"},
     {ERR_FUNC(SSL_F_D2I_SSL_SESSION), "d2i_SSL_SESSION"},
     {ERR_FUNC(SSL_F_DANE_CTX_ENABLE), "dane_ctx_enable"},
     {ERR_FUNC(SSL_F_DANE_MTYPE_SET), "dane_mtype_set"},
@@ -170,8 +171,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_CREATE_CIPHER_LIST), "ssl_create_cipher_list"},
     {ERR_FUNC(SSL_F_SSL_CTRL), "SSL_ctrl"},
     {ERR_FUNC(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY), "SSL_CTX_check_private_key"},
-    {ERR_FUNC(SSL_F_SSL_CTX_GET_CT_VALIDATION_CALLBACK),
-     "SSL_CTX_get_ct_validation_callback"},
+    {ERR_FUNC(SSL_F_SSL_CTX_ENABLE_CT), "SSL_CTX_enable_ct"},
     {ERR_FUNC(SSL_F_SSL_CTX_MAKE_PROFILES), "ssl_ctx_make_profiles"},
     {ERR_FUNC(SSL_F_SSL_CTX_NEW), "SSL_CTX_new"},
     {ERR_FUNC(SSL_F_SSL_CTX_SET_ALPN_PROTOS), "SSL_CTX_set_alpn_protos"},
@@ -208,9 +208,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_DANE_ENABLE), "SSL_dane_enable"},
     {ERR_FUNC(SSL_F_SSL_DO_CONFIG), "ssl_do_config"},
     {ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
+    {ERR_FUNC(SSL_F_SSL_ENABLE_CT), "SSL_enable_ct"},
     {ERR_FUNC(SSL_F_SSL_GET0_PEER_SCTS), "SSL_get0_peer_scts"},
-    {ERR_FUNC(SSL_F_SSL_GET_CT_VALIDATION_CALLBACK),
-     "SSL_get_ct_validation_callback"},
     {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "ssl_get_new_session"},
     {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "ssl_get_prev_session"},
     {ERR_FUNC(SSL_F_SSL_GET_SERVER_CERT_INDEX), "ssl_get_server_cert_index"},
@@ -280,7 +279,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
     {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
     {ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
-    {ERR_FUNC(SSL_F_SSL_VALIDATE_CT), "SSL_validate_ct"},
+    {ERR_FUNC(SSL_F_SSL_VALIDATE_CT), "ssl_validate_ct"},
     {ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "ssl_verify_cert_chain"},
     {ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
     {ERR_FUNC(SSL_F_STATE_MACHINE), "state_machine"},
@@ -502,6 +501,8 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
      "invalid compression algorithm"},
     {ERR_REASON(SSL_R_INVALID_CONFIGURATION_NAME),
      "invalid configuration name"},
+    {ERR_REASON(SSL_R_INVALID_CT_VALIDATION_TYPE),
+     "invalid ct validation type"},
     {ERR_REASON(SSL_R_INVALID_NULL_CMD_NAME), "invalid null cmd name"},
     {ERR_REASON(SSL_R_INVALID_PURPOSE), "invalid purpose"},
     {ERR_REASON(SSL_R_INVALID_SEQUENCE_NUMBER), "invalid sequence number"},
@@ -555,6 +556,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
     {ERR_REASON(SSL_R_NO_SHARED_SIGATURE_ALGORITHMS),
      "no shared sigature algorithms"},
     {ERR_REASON(SSL_R_NO_SRTP_PROFILES), "no srtp profiles"},
+    {ERR_REASON(SSL_R_NO_VALID_SCTS), "no valid scts"},
     {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK), "no verify callback"},
     {ERR_REASON(SSL_R_NO_VERIFY_COOKIE_CALLBACK), "no verify cookie callback"},
     {ERR_REASON(SSL_R_NULL_SSL_CTX), "null ssl ctx"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 6875f38..5a6e6a7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -4039,10 +4039,32 @@ err:
     return NULL;
 }
 
-int SSL_set_ct_validation_callback(SSL *s, ct_validation_cb callback, void *arg)
+static int ct_permissive(const CT_POLICY_EVAL_CTX *ctx,
+                         const STACK_OF(SCT) *scts, void *unused_arg)
 {
-    int ret = 0;
+    return 1;
+}
+
+static int ct_strict(const CT_POLICY_EVAL_CTX *ctx,
+                     const STACK_OF(SCT) *scts, void *unused_arg)
+{
+    int count = scts != NULL ? sk_SCT_num(scts) : 0;
+    int i;
 
+    for (i = 0; i < count; ++i) {
+        SCT *sct = sk_SCT_value(scts, i);
+        int status = SCT_get_validation_status(sct);
+
+        if (status == SCT_VALIDATION_STATUS_VALID)
+            return 1;
+    }
+    SSLerr(SSL_F_CT_STRICT, SSL_R_NO_VALID_SCTS);
+    return 0;
+}
+
+int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
+                                   void *arg)
+{
     /*
      * Since code exists that uses the custom extension handler for CT, look
      * for this and throw an error if they have already registered to use CT.
@@ -4051,28 +4073,25 @@ int SSL_set_ct_validation_callback(SSL *s, ct_validation_cb callback, void *arg)
             TLSEXT_TYPE_signed_certificate_timestamp)) {
         SSLerr(SSL_F_SSL_SET_CT_VALIDATION_CALLBACK,
                SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
-        goto err;
+        return 0;
     }
 
-    s->ct_validation_callback = callback;
-    s->ct_validation_callback_arg = arg;
-
     if (callback != NULL) {
         /* If we are validating CT, then we MUST accept SCTs served via OCSP */
         if (!SSL_set_tlsext_status_type(s, TLSEXT_STATUSTYPE_ocsp))
-            goto err;
+            return 0;
     }
 
-    ret = 1;
-err:
-    return ret;
+    s->ct_validation_callback = callback;
+    s->ct_validation_callback_arg = arg;
+
+    return 1;
 }
 
-int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ct_validation_cb callback,
+int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
+                                       ssl_ct_validation_cb callback,
                                        void *arg)
 {
-    int ret = 0;
-
     /*
      * Since code exists that uses the custom extension handler for CT, look for
      * this and throw an error if they have already registered to use CT.
@@ -4081,59 +4100,90 @@ int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ct_validation_cb callback,
             TLSEXT_TYPE_signed_certificate_timestamp)) {
         SSLerr(SSL_F_SSL_CTX_SET_CT_VALIDATION_CALLBACK,
                SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED);
-        goto err;
+        return 0;
     }
 
     ctx->ct_validation_callback = callback;
     ctx->ct_validation_callback_arg = arg;
-    ret = 1;
-err:
-    return ret;
+    return 1;
 }
 
-ct_validation_cb SSL_get_ct_validation_callback(const SSL *s)
+int SSL_ct_is_enabled(const SSL *s)
 {
-    return s->ct_validation_callback;
+    return s->ct_validation_callback != NULL;
 }
 
-ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx)
+int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx)
 {
-    return ctx->ct_validation_callback;
+    return ctx->ct_validation_callback != NULL;
 }
 
 int ssl_validate_ct(SSL *s)
 {
     int ret = 0;
     X509 *cert = s->session != NULL ? s->session->peer : NULL;
-    X509 *issuer = NULL;
+    X509 *issuer;
+    struct dane_st *dane = &s->dane;
     CT_POLICY_EVAL_CTX *ctx = NULL;
     const STACK_OF(SCT) *scts;
 
-    /* If no callback is set, attempt no validation - just return success */
-    if (s->ct_validation_callback == NULL)
+    /*
+     * If no callback is set, the peer is anonymous, or its chain is invalid,
+     * skip SCT validation - just return success.  Applications that continue
+     * handshakes without certificates, with unverified chains, or pinned leaf
+     * certificates are outside the scope of the WebPKI and CT.
+     *
+     * The above exclusions notwithstanding the vast majority of peers will
+     * have rather ordinary certificate chains validated by typical
+     * applications that perform certificate verification and therefore will
+     * process SCTs when enabled.
+     */
+    if (s->ct_validation_callback == NULL || cert == NULL ||
+        s->verify_result != X509_V_OK ||
+        s->verified_chain == NULL ||
+        sk_X509_num(s->verified_chain) <= 1)
         return 1;
 
-    if (cert == NULL) {
-        SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_NO_CERTIFICATE_ASSIGNED);
-        goto end;
+    /*
+     * CT not applicable for chains validated via DANE-TA(2) or DANE-EE(3)
+     * trust-anchors.  See https://tools.ietf.org/html/rfc7671#section-4.2
+     */
+    if (DANETLS_ENABLED(dane) && dane->mtlsa != NULL) {
+        switch (dane->mtlsa->usage) {
+        case DANETLS_USAGE_DANE_TA:
+        case DANETLS_USAGE_DANE_EE:
+            return 1;
+        }
     }
 
-    if (s->verified_chain != NULL && sk_X509_num(s->verified_chain) > 1)
-        issuer = sk_X509_value(s->verified_chain, 1);
-
     ctx = CT_POLICY_EVAL_CTX_new();
     if (ctx == NULL) {
         SSLerr(SSL_F_SSL_VALIDATE_CT, ERR_R_MALLOC_FAILURE);
         goto end;
     }
 
+    issuer = sk_X509_value(s->verified_chain, 1);
     CT_POLICY_EVAL_CTX_set0_cert(ctx, cert);
     CT_POLICY_EVAL_CTX_set0_issuer(ctx, issuer);
     CT_POLICY_EVAL_CTX_set0_log_store(ctx, s->ctx->ctlog_store);
 
     scts = SSL_get0_peer_scts(s);
 
-    if (SCT_LIST_validate(scts, ctx) != 1) {
+    /*
+     * This function returns success (> 0) only when all the SCTs are valid, 0
+     * when some are invalid, and < 0 on various internal errors (out of
+     * memory, etc.).  Having some, or even all, invalid SCTs is not sufficient
+     * reason to abort the handshake, that decision is up to the callback.
+     * Therefore, we error out only in the unexpected case that the return
+     * value is negative.
+     *
+     * XXX: One might well argue that the return value of this function is an
+     * unforunate design choice.  Its job is only to determine the validation
+     * status of each of the provided SCTs.  So long as it correctly separates
+     * the wheat from the chaff it should return success.  Failure in this case
+     * ought to correspond to an inability to carry out its duties.
+     */
+    if (SCT_LIST_validate(scts, ctx) < 0) {
         SSLerr(SSL_F_SSL_VALIDATE_CT, SSL_R_SCT_VERIFICATION_FAILED);
         goto end;
     }
@@ -4147,6 +4197,32 @@ end:
     return ret;
 }
 
+int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode)
+{
+    switch (validation_mode) {
+    default:
+        SSLerr(SSL_F_SSL_CTX_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE);
+        return 0;
+    case SSL_CT_VALIDATION_PERMISSIVE:
+        return SSL_CTX_set_ct_validation_callback(ctx, ct_permissive, NULL);
+    case SSL_CT_VALIDATION_STRICT:
+        return SSL_CTX_set_ct_validation_callback(ctx, ct_strict, NULL);
+    }
+}
+
+int SSL_enable_ct(SSL *s, int validation_mode)
+{
+    switch (validation_mode) {
+    default:
+        SSLerr(SSL_F_SSL_ENABLE_CT, SSL_R_INVALID_CT_VALIDATION_TYPE);
+        return 0;
+    case SSL_CT_VALIDATION_PERMISSIVE:
+        return SSL_set_ct_validation_callback(s, ct_permissive, NULL);
+    case SSL_CT_VALIDATION_STRICT:
+        return SSL_set_ct_validation_callback(s, ct_strict, NULL);
+    }
+}
+
 int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx)
 {
     return CTLOG_STORE_load_default_file(ctx->ctlog_store);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4a2b52d..8c8876c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -816,7 +816,7 @@ struct ssl_ctx_st {
     * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
     * If they are not, the connection should be aborted.
     */
-    ct_validation_cb ct_validation_callback;
+    ssl_ct_validation_cb ct_validation_callback;
     void *ct_validation_callback_arg;
 #  endif
 
@@ -1123,7 +1123,7 @@ struct ssl_st {
     * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
     * If they are not, the connection should be aborted.
     */
-    ct_validation_cb ct_validation_callback;
+    ssl_ct_validation_cb ct_validation_callback;
     /* User-supplied argument tha tis passed to the ct_validation_callback */
     void *ct_validation_callback_arg;
     /*
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 4806e67..fe1cde6 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1334,7 +1334,7 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
     }
 
     i = ssl_verify_cert_chain(s, sk);
-    if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
+    if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
         al = ssl_verify_alarm_type(s->verify_result);
         SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
                SSL_R_CERTIFICATE_VERIFY_FAILED);
@@ -2067,7 +2067,8 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
 
 #ifndef OPENSSL_NO_CT
     if (s->ct_validation_callback != NULL) {
-        if (!ssl_validate_ct(s)) {
+        /* Note we validate the SCTs whether or not we abort on error */
+        if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
             return MSG_PROCESS_ERROR;
         }
diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index 7940cfc..e993397 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -260,12 +260,6 @@ int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
                                   custom_ext_parse_cb parse_cb,
                                   void *parse_arg)
 {
-    int ret = custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb,
-                                  free_cb, add_arg, parse_cb, parse_arg);
-
-    if (ret != 1)
-        goto end;
-
 #ifndef OPENSSL_NO_CT
     /*
      * We don't want applications registering callbacks for SCT extensions
@@ -273,12 +267,11 @@ int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
      * these two things may not play well together.
      */
     if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp &&
-        SSL_CTX_get_ct_validation_callback(ctx) != NULL) {
-        ret = 0;
-    }
+        SSL_CTX_ct_is_enabled(ctx))
+        return 0;
 #endif
-end:
-    return ret;
+    return custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb,
+                               free_cb, add_arg, parse_cb, parse_arg);
 }
 
 int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
diff --git a/test/ct_test.c b/test/ct_test.c
index 5446f9d..bdd5b84 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -402,6 +402,17 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
             goto end;
         }
 
+        if (fixture.test_validity && cert != NULL) {
+            int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
+            if (is_sct_validated < 0) {
+                fprintf(stderr, "Error validating SCT\n");
+                goto end;
+            } else if (!is_sct_validated) {
+                fprintf(stderr, "SCT failed verification\n");
+                goto end;
+            }
+        }
+
         if (fixture.sct_text_file
             && compare_sct_printout(sct, expected_sct_text)) {
                 goto end;
@@ -413,17 +424,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
             fprintf(stderr, "Failed to encode SCT into TLS format correctly\n");
             goto end;
         }
-
-        if (fixture.test_validity && cert != NULL) {
-            int is_sct_validated = SCT_validate(sct, ct_policy_ctx);
-            if (is_sct_validated < 0) {
-                fprintf(stderr, "Error validating SCT\n");
-                goto end;
-            } else if (!is_sct_validated) {
-                fprintf(stderr, "SCT failed verification\n");
-                goto end;
-            }
-        }
     }
     success = 1;
 
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 855e7c6..13fcfbe 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -811,20 +811,21 @@ sub testssl {
 	plan tests => 3;
 
       SKIP: {
-	  skip "Certificate Transparency is not supported by this OpenSSL build", 3
-	      if $no_ct;
-	  skip "TLSv1.0 is not supported by this OpenSSL build", 3
-	      if $no_tls1;
-
-    $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-noct"])));
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requestct"])));
-	  # No SCTs provided, so this should fail.
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-requirect",
-	               "-should_negotiate", "fail-client"])));
-	}
+        skip "Certificate Transparency is not supported by this OpenSSL build", 3
+            if $no_ct;
+        skip "TLSv1.0 is not supported by this OpenSSL build", 3
+            if $no_tls1;
+
+        $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");
+        my @ca = qw(-CAfile certCA.ss);
+        ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-noct"])));
+        # No SCTs provided, so this should fail.
+        ok(run(test([@ssltest, @ca, "-bio_pair", "-tls1", "-ct",
+                     "-should_negotiate", "fail-client"])));
+        # No SCTs provided, unverified chains still succeed.
+        ok(run(test([@ssltest, "-bio_pair", "-tls1", "-ct"])));
+        }
     };
-
 }
 
 sub testsslproxy {
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 8018b3b..e3f8d77 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -1113,7 +1113,7 @@ int main(int argc, char *argv[])
      * Disable CT validation by default, because it will interfere with
      * anything using custom extension handlers to deal with SCT extensions.
      */
-    ct_validation_cb ct_validation = NULL;
+    int ct_validation = 0;
 #endif
     SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
     STACK_OF(OPENSSL_STRING) *conf_args = NULL;
@@ -1300,13 +1300,10 @@ int main(int argc, char *argv[])
         }
 #ifndef OPENSSL_NO_CT
         else if (strcmp(*argv, "-noct") == 0) {
-            ct_validation = NULL;
+            ct_validation = 0;
         }
-        else if (strcmp(*argv, "-requestct") == 0) {
-            ct_validation = CT_verify_no_bad_scts;
-        }
-        else if (strcmp(*argv, "-requirect") == 0) {
-            ct_validation = CT_verify_at_least_one_good_sct;
+        else if (strcmp(*argv, "-ct") == 0) {
+            ct_validation = 1;
         }
 #endif
 #ifndef OPENSSL_NO_COMP
@@ -1633,7 +1630,8 @@ int main(int argc, char *argv[])
     }
 
 #ifndef OPENSSL_NO_CT
-    if (!SSL_CTX_set_ct_validation_callback(c_ctx, ct_validation, NULL)) {
+    if (ct_validation &&
+        !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
         ERR_print_errors(bio_err);
         goto end;
     }
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 5cbdfcc..2d4c0e6 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -238,7 +238,6 @@ EVP_PKEY_meth_set_decrypt               233	1_1_0	EXIST::FUNCTION:
 EVP_rc2_ecb                             234	1_1_0	EXIST::FUNCTION:RC2
 i2b_PublicKey_bio                       235	1_1_0	EXIST::FUNCTION:
 d2i_ASN1_SET_ANY                        236	1_1_0	EXIST::FUNCTION:
-CT_verify_no_bad_scts                   237	1_1_0	EXIST::FUNCTION:CT
 ASN1_item_i2d                           238	1_1_0	EXIST::FUNCTION:
 OCSP_copy_nonce                         239	1_1_0	EXIST::FUNCTION:
 OBJ_txt2nid                             240	1_1_0	EXIST::FUNCTION:
@@ -716,7 +715,6 @@ OPENSSL_isservice                       697	1_1_0	EXIST::FUNCTION:
 DH_compute_key                          698	1_1_0	EXIST::FUNCTION:DH
 TS_RESP_CTX_set_signer_key              699	1_1_0	EXIST::FUNCTION:TS
 i2d_DSAPrivateKey_bio                   700	1_1_0	EXIST::FUNCTION:DSA
-CT_verify_at_least_one_good_sct         701	1_1_0	EXIST::FUNCTION:CT
 ASN1_item_d2i                           702	1_1_0	EXIST::FUNCTION:
 BIO_int_ctrl                            703	1_1_0	EXIST::FUNCTION:
 CMS_ReceiptRequest_it                   704	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:CMS
@@ -1240,6 +1238,7 @@ OBJ_obj2nid                             1202	1_1_0	EXIST::FUNCTION:
 PKCS12_SAFEBAG_free                     1203	1_1_0	EXIST::FUNCTION:
 EVP_cast5_cfb64                         1204	1_1_0	EXIST::FUNCTION:CAST
 OPENSSL_uni2asc                         1205	1_1_0	EXIST::FUNCTION:
+SCT_validation_status_string            1206	1_1_0	EXIST::FUNCTION:CT
 PKCS7_add_attribute                     1207	1_1_0	EXIST::FUNCTION:
 ENGINE_register_DSA                     1208	1_1_0	EXIST::FUNCTION:ENGINE
 lh_node_stats                           1209	1_1_0	EXIST::FUNCTION:STDIO
diff --git a/util/libssl.num b/util/libssl.num
index 8b2155e..950ca03 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -377,10 +377,10 @@ SSL_CTX_set_ctlog_list_file             376	1_1_0	EXIST::FUNCTION:CT
 SSL_set_ct_validation_callback          377	1_1_0	EXIST::FUNCTION:CT
 SSL_CTX_set_default_ctlog_list_file     378	1_1_0	EXIST::FUNCTION:CT
 SSL_CTX_has_client_custom_ext           379	1_1_0	EXIST::FUNCTION:
-SSL_get_ct_validation_callback          380	1_1_0	EXIST::FUNCTION:CT
+SSL_ct_is_enabled                       380	1_1_0	EXIST::FUNCTION:CT
 SSL_get0_peer_scts                      381	1_1_0	EXIST::FUNCTION:CT
 SSL_CTX_set_ct_validation_callback      382	1_1_0	EXIST::FUNCTION:CT
-SSL_CTX_get_ct_validation_callback      383	1_1_0	EXIST::FUNCTION:CT
+SSL_CTX_ct_is_enabled                   383	1_1_0	EXIST::FUNCTION:CT
 SSL_set_default_read_buffer_len         384	1_1_0	EXIST::FUNCTION:
 SSL_CTX_set_default_read_buffer_len     385	1_1_0	EXIST::FUNCTION:
 SSL_has_pending                         386	1_1_0	EXIST::FUNCTION:
@@ -390,3 +390,5 @@ SSL_CIPHER_is_aead                      389	1_1_0	EXIST::FUNCTION:
 SSL_SESSION_up_ref                      390	1_1_0	EXIST::FUNCTION:
 SSL_CTX_set0_ctlog_store                391	1_1_0	EXIST::FUNCTION:CT
 SSL_CTX_get0_ctlog_store                392	1_1_0	EXIST::FUNCTION:CT
+SSL_enable_ct                           393	1_1_0	EXIST::FUNCTION:CT
+SSL_CTX_enable_ct                       394	1_1_0	EXIST::FUNCTION:CT


More information about the openssl-commits mailing list