[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue Jun 7 16:07:50 UTC 2016
The branch master has been updated
via 8f09ba471c256020f8147c421e32b4d5fc162960 (commit)
via 243583408c033c9f41e8a1b6f07b6b37d4da030c (commit)
via 30b967651c1d01562087d65a28707678125d731a (commit)
via 93a9d5975ea1761247e44ee697d991aa88919c96 (commit)
via 4300aaf3512167c6759ba1feedcbb28e4ba8413a (commit)
from 56989dcd0e208dcad204e85367a20fab2a45e2f8 (commit)
- Log -----------------------------------------------------------------
commit 8f09ba471c256020f8147c421e32b4d5fc162960
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jun 7 16:35:38 2016 +0100
Add an SSL get/set test
We just do the getters/setters for tlsext_status_type. This could be extended
for others in the future.
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 243583408c033c9f41e8a1b6f07b6b37d4da030c
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jun 7 14:33:07 2016 +0100
Add documentation for the newly added SSL_get_tlsext_status_type()
And also for SSL_CTX_get_tlsext_status_type()
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 30b967651c1d01562087d65a28707678125d731a
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jun 7 15:14:14 2016 +0100
Add SSL_CTX_get_tlsext_status_type()
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 93a9d5975ea1761247e44ee697d991aa88919c96
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jun 7 15:13:40 2016 +0100
Return the value of tlsext_status_type in the return not arg
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 4300aaf3512167c6759ba1feedcbb28e4ba8413a
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date: Wed May 11 00:48:49 2016 +0100
Add SSL_get_tlsext_status_type() method
The tlsext_status_type field in SSL is used by e.g. OpenResty to determine
if the client requested the certificate status, but SSL is now opaque.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
doc/ssl/SSL_CTX_set_tlsext_status_cb.pod | 36 +++++++--
include/openssl/ssl.h | 1 +
include/openssl/tls1.h | 6 ++
ssl/s3_lib.c | 7 ++
test/build.info | 6 +-
test/getsettest.c | 90 ++++++++++++++++++++++
.../{70-test_clienthello.t => 90-test_getset.t} | 6 +-
7 files changed, 142 insertions(+), 10 deletions(-)
create mode 100644 test/getsettest.c
copy test/recipes/{70-test_clienthello.t => 90-test_getset.t} (74%)
diff --git a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
index b403394..5c58b23 100644
--- a/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
+++ b/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
@@ -2,10 +2,15 @@
=head1 NAME
-SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg,
-SSL_CTX_set_tlsext_status_type, SSL_set_tlsext_status_type,
-SSL_get_tlsext_status_ocsp_resp, SSL_set_tlsext_status_ocsp_resp - OCSP
-Certificate Status Request functions
+SSL_CTX_set_tlsext_status_cb,
+SSL_CTX_set_tlsext_status_arg,
+SSL_CTX_set_tlsext_status_type,
+SSL_CTX_get_tlsext_status_type,
+SSL_set_tlsext_status_type,
+SSL_get_tlsext_status_type,
+SSL_get_tlsext_status_ocsp_resp,
+SSL_set_tlsext_status_ocsp_resp
+- OCSP Certificate Status Request functions
=head1 SYNOPSIS
@@ -16,8 +21,10 @@ Certificate Status Request functions
long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg);
long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type);
+ long SSL_CTX_get_tlsext_status_type(SSL_CTX *ctx);
long SSL_set_tlsext_status_type(SSL *s, int type);
+ long SSL_get_tlsext_status_type(SSL *s);
long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);
@@ -30,7 +37,9 @@ SSL_CTX_set_tlsext_status_type() function prior to the creation of any SSL
objects. Alternatively an application can call the SSL_set_tlsext_status_type()
function on an individual SSL object prior to the start of the handshake.
Currently the only supported type is B<TLSEXT_STATUSTYPE_ocsp>. This value
-should be passed in the B<type> argument.
+should be passed in the B<type> argument. Calling
+SSL_CTX_get_tlsext_status_type() will return the type B<TLSEXT_STATUSTYPE_ocsp>
+previously set via SSL_CTX_set_tlsext_status_type() or -1 if not set.
The client should additionally provide a callback function to decide what to do
with the returned OCSP response by calling SSL_CTX_set_tlsext_status_cb(). The
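Review bot: the added sentence "Calling SSL_CTX_get_tlsext_status_type() will return the type B<TLSEXT_STATUSTYPE_ocsp> previously set via SSL_CTX_set_tlsext_status_type() or -1 if not set" promises a value the implementation does not enforce: SSL_CTX_set_tlsext_status_type() stores whatever B<type> it is handed, so the getter returns that stored value, which is TLSEXT_STATUSTYPE_ocsp only if the caller obeyed the "only supported type" sentence above it. Either have the setter reject other types, or reword this to "returns the value previously set via SSL_CTX_set_tlsext_status_type(), or -1 if none has been set", which is also how the RETURN VALUES section of this patch phrases it.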
@@ -40,6 +49,13 @@ previously set via a call to SSL_CTX_set_tlsext_status_arg(). Note that the
callback will not be called in the event of a handshake where session resumption
occurs (because there are no Certificates exchanged in such a handshake).
+On the client side SSL_get_tlsext_status_type() can be used to determine whether
+the client has previously called SSL_set_tlsext_status_type(). It will return
+B<TLSEXT_STATUSTYPE_ocsp> if it has been called or -1 otherwise. On the server
+side SSL_get_tlsext_status_type() can be used to determine whether the client
+requested OCSP stapling. If the client requested it then this function will
+return B<TLSEXT_STATUSTYPE_ocsp>, or -1 otherwise.
+
The response returned by the server can be obtained via a call to
SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point
to the OCSP response data and the return value will be the length of that data.
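Review bot: the new paragraph says that on the server side SSL_get_tlsext_status_type() returns B<TLSEXT_STATUSTYPE_ocsp> "if the client requested OCSP stapling", but not when that information becomes available. The server only learns of the request while processing the ClientHello, so a call made earlier in the lifetime of an accepting SSL object (for example straight after SSL_new()) returns -1 whatever the client is about to send. Suggest adding a sentence that the server-side value is meaningful only once the ClientHello has been processed, e.g. from a callback invoked during the handshake or after SSL_accept() has returned.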
@@ -73,12 +89,20 @@ SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(),
SSL_CTX_set_tlsext_status_type(), SSL_set_tlsext_status_type() and
SSL_set_tlsext_status_ocsp_resp() return 0 on error or 1 on success.
+SSL_CTX_get_tlsext_status_type() returns the value previously set by
+SSL_CTX_set_tlsext_status_type(), or -1 if not set.
+
SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data
or -1 if there is no OCSP response data.
+SSL_get_tlsext_status_type() returns B<TLSEXT_STATUSTYPE_ocsp> on the client
+side if SSL_set_tlsext_status_type() was previously called, or on the server
+side if the client requested OCSP stapling. Otherwise -1 is returned.
+
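Review bot: the two added RETURN VALUES paragraphs describe the same stored field differently: SSL_CTX_get_tlsext_status_type() "returns the value previously set", while SSL_get_tlsext_status_type() "returns B<TLSEXT_STATUSTYPE_ocsp>". Both ctrl cases in this patch return the raw stored type, so the wording should match. The paragraphs also omit that an SSL object created from an SSL_CTX on which SSL_CTX_set_tlsext_status_type() was called inherits that type, so SSL_get_tlsext_status_type() reports it without a further SSL_set_tlsext_status_type() call; the new test relies on exactly that behaviour, so it is worth documenting here.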
=head1 HISTORY
-SSL_CTX_set_tlsext_status_type() was added in OpenSSL 1.1.0.
+SSL_get_tlsext_status_type(), SSL_CTX_get_tlsext_status_type() and
+SSL_CTX_set_tlsext_status_type() were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 9989b7e..2c897c4 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1133,6 +1133,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
# define SSL_CTRL_SET_MAX_PROTO_VERSION 124
# define SSL_CTRL_SET_SPLIT_SEND_FRAGMENT 125
# define SSL_CTRL_SET_MAX_PIPELINES 126
+# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE 127
# define SSL_CERT_SET_FIRST 1
# define SSL_CERT_SET_NEXT 2
# define SSL_CERT_SET_SERVER 3
diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 0537828..11ad8e5 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -252,6 +252,9 @@ SSL_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_CB,(void (*)(void))cb)
# define SSL_set_tlsext_debug_arg(ssl, arg) \
SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_DEBUG_ARG,0, (void *)arg)
+# define SSL_get_tlsext_status_type(ssl) \
+SSL_ctrl(ssl,SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE,0, NULL)
+
# define SSL_set_tlsext_status_type(ssl, type) \
SSL_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE,type, NULL)
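Review bot: like the existing SSL_set_tlsext_status_type() directly below it, the new SSL_get_tlsext_status_type() is a macro over SSL_ctrl() rather than an exported function, so there is no symbol for a consumer that does not go through the C preprocessor; such a caller has to issue SSL_ctrl(ssl, SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE, 0, NULL) itself. Given that the motivation in the commit message is that SSL is now opaque to external projects, a note to that effect in the documentation, or a real function, may be worth considering.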
@@ -298,6 +301,9 @@ SSL_CTX_ctrl(ssl,SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG,0, (void *)arg)
#define SSL_CTX_set_tlsext_status_type(ssl, type) \
SSL_CTX_ctrl(ssl, SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE, type, NULL)
+#define SSL_CTX_get_tlsext_status_type(ssl) \
+ SSL_CTX_ctrl(ssl, SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE, 0, NULL)
+
# define SSL_CTX_set_tlsext_ticket_key_cb(ssl, cb) \
SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index de7f1c0..44dac24 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2971,6 +2971,10 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = 1;
break;
+ case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
+ ret = s->tlsext_status_type;
+ break;
+
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
s->tlsext_status_type = larg;
ret = 1;
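Review bot: the new SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE case returns s->tlsext_status_type as-is, while the SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE case directly beneath it still does `s->tlsext_status_type = larg;` with no validation (and silently narrows a long into an int). The documentation in this patch says the getter yields TLSEXT_STATUSTYPE_ocsp or -1, which only holds if the setter refuses anything else. Suggest `if (larg != TLSEXT_STATUSTYPE_ocsp) return 0;` at the top of the SET case, consistent with its documented 0-on-error return, so the GET case can never hand back an unrecognised type.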
@@ -3325,6 +3329,9 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
return 1;
}
+ case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
+ return ctx->tlsext_status_type;
+
case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
ctx->tlsext_status_type = larg;
break;
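Review bot: this case returns ctx->tlsext_status_type, and both the documentation and the new test treat -1 as the "not set" value. That initial value has to come from SSL_CTX_new() (and be copied into the SSL in SSL_new()), neither of which this patch touches; please confirm the field is explicitly initialised to -1 there and not simply zero-filled, because 0 is not distinguishable from a legitimately stored type in this code and the documented contract would break silently. The SET case here has the same unvalidated `ctx->tlsext_status_type = larg;` assignment as the SSL-level one above.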
diff --git a/test/build.info b/test/build.info
index 95afbe3..c74d717 100644
--- a/test/build.info
+++ b/test/build.info
@@ -17,7 +17,7 @@ IF[{- !$disabled{tests} -}]
packettest asynctest secmemtest srptest memleaktest \
dtlsv1listentest ct_test threadstest afalgtest d2i_test \
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
- bioprinttest
+ bioprinttest getsettest
SOURCE[aborttest]=aborttest.c
INCLUDE[aborttest]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
@@ -280,4 +280,8 @@ IF[{- !$disabled{tests} -}]
_____
}
-}
+
+ SOURCE[getsettest]=getsettest.c
+ INCLUDE[getsettest]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+ DEPEND[getsettest]=../libcrypto ../libssl
ENDIF
diff --git a/test/getsettest.c b/test/getsettest.c
new file mode 100644
index 0000000..97d1b35
--- /dev/null
+++ b/test/getsettest.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/opensslconf.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/ssl.h>
+
+
+int main(int argc, char *argv[])
+{
+ SSL_CTX *ctx = NULL;
+ SSL *con = NULL;
+ BIO *err;
+ int testresult = 0;
+
+ err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+ CRYPTO_set_mem_debug(1);
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+ /* Test tlsext_status_type */
+ ctx = SSL_CTX_new(TLS_method());
+
+ if (SSL_CTX_get_tlsext_status_type(ctx) != -1) {
+ printf("Unexpected initial value for "
+ "SSL_CTX_get_tlsext_status_type()\n");
+ goto end;
+ }
+
+ con = SSL_new(ctx);
+
+ if (SSL_get_tlsext_status_type(con) != -1) {
+ printf("Unexpected initial value for SSL_get_tlsext_status_type()\n");
+ goto end;
+ }
+
+ if (!SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp)) {
+ printf("Unexpected fail for SSL_set_tlsext_status_type()\n");
+ goto end;
+ }
+
+ if (SSL_get_tlsext_status_type(con) != TLSEXT_STATUSTYPE_ocsp) {
+ printf("Unexpected result for SSL_get_tlsext_status_type()\n");
+ goto end;
+ }
+
+ SSL_free(con);
+ con = NULL;
+
+ if (!SSL_CTX_set_tlsext_status_type(ctx, TLSEXT_STATUSTYPE_ocsp)) {
+ printf("Unexpected fail for SSL_CTX_set_tlsext_status_type()\n");
+ goto end;
+ }
+
+ if (SSL_CTX_get_tlsext_status_type(ctx) != TLSEXT_STATUSTYPE_ocsp) {
+ printf("Unexpected result for SSL_CTX_get_tlsext_status_type()\n");
+ goto end;
+ }
+
+ con = SSL_new(ctx);
+
+ if (SSL_get_tlsext_status_type(con) != TLSEXT_STATUSTYPE_ocsp) {
+ printf("Unexpected result for SSL_get_tlsext_status_type() (test 2)\n");
+ goto end;
+ }
+
+ testresult = 1;
+
+ end:
+ SSL_free(con);
+ SSL_CTX_free(ctx);
+
+#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+ if (CRYPTO_mem_leaks(err) <= 0)
+ testresult = 0;
+#endif
+ BIO_free(err);
+
+ if (testresult)
+ printf("PASS\n");
+
+ return testresult?0:1;
+}
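Review bot: `ctx = SSL_CTX_new(TLS_method());` and both `con = SSL_new(ctx);` calls are used without a NULL check, so an allocation failure becomes a NULL dereference inside SSL_CTX_ctrl()/SSL_ctrl() rather than a reported test failure; a `if (ctx == NULL) goto end;` style check after each, as the other tests do, fixes that (BIO_new_fp() is likewise unchecked). The test also only exercises the client/CTX side of the new getters; the server-side behaviour this patch documents, the getter reflecting a status_request in the ClientHello, is the use case the commit message cites and is not covered, which would need a handshake between two SSL objects over a BIO pair. Minor: failure messages go to stdout via printf() while the err BIO built for CRYPTO_mem_leaks() wraps stderr; using one stream keeps the output ordering readable.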
diff --git a/test/recipes/70-test_clienthello.t b/test/recipes/90-test_getset.t
similarity index 74%
copy from test/recipes/70-test_clienthello.t
copy to test/recipes/90-test_getset.t
index ef0868f..3e245c1 100644
--- a/test/recipes/70-test_clienthello.t
+++ b/test/recipes/90-test_getset.t
@@ -1,5 +1,5 @@
#! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -10,11 +10,11 @@
use OpenSSL::Test;
use OpenSSL::Test::Utils;
-setup("test_clienthello");
+setup("test_getset");
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
plan tests => 1;
-ok(run(test(["clienthellotest"])), "running clienthellotest");
+ok(run(test(["getsettest"])), "running getsettest");