Remove all RFC5878 code.

Remove RFC5878 code. It is no longer needed for CT and has numerous bugs

CHANGES

@@ -60,10 +60,6 @@
 
      [Steve Henson]
 
-  *) Add callbacks supporting generation and retrieval of supplemental
-     data entries.
-     [Scott Deboy <sdeboy@apache.org>, Trevor Perrin and Ben Laurie]
-
   *) Add EVP support for key wrapping algorithms, to avoid problems with
      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
@@ -528,9 +524,6 @@
   *) Support for linux-x32, ILP32 environment in x86_64 framework.
      [Andy Polyakov]
 
-  *) RFC 5878 (TLS Authorization Extensions) support.
-     [Emilia Kasper, Adam Langley, Ben Laurie (Google)]
-
   *) Experimental multi-implementation support for FIPS capable OpenSSL.
      When in FIPS mode the approved implementations are used as normal,
      when not in FIPS mode the internal unapproved versions are used instead.

apps/s_cb.c

@@ -881,9 +881,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 				case 20:
 					str_details1 = ", Finished";
 					break;
-				case 23:
-					str_details1 = ", SupplementalData";
-					break;
 					}
 				}
 			}

apps/s_client.c

@@ -214,8 +214,6 @@ static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL *s, void *arg);
-static int c_auth = 0;
-static int c_auth_require_reneg = 0;
 #endif
 static BIO *bio_c_out=NULL;
 static BIO *bio_c_msg=NULL;
@@ -223,37 +221,6 @@ static int c_quiet=0;
 static int c_ign_eof=0;
 static int c_brief=0;
 
-#ifndef OPENSSL_NO_TLSEXT
-
-static unsigned char *generated_supp_data = NULL;
-
-static const unsigned char *most_recent_supplemental_data = NULL;
-static size_t most_recent_supplemental_data_length = 0;
-
-static int server_provided_server_authz = 0;
-static int server_provided_client_authz = 0;
-
-static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-		       const unsigned char *in,
-		       unsigned short inlen, int *al,
-		       void *arg);
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char **out,
-				     unsigned short *outlen, int *al, void *arg);
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-				    const unsigned char **out, unsigned short *outlen,
-				    int *al, void *arg);
-
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-			   const unsigned char *in,
-			   unsigned short inlen, int *al,
-			   void *arg);
-#endif
-
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
 static char *psk_identity="Client_identity";
@@ -396,8 +363,6 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -status           - request certificate status from server\n");
 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
 	BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
-	BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
-	BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
@@ -863,10 +828,6 @@ static char *jpake_secret = NULL;
 			c_tlsextdebug=1;
 		else if	(strcmp(*argv,"-status") == 0)
 			c_status_req=1;
-		else if	(strcmp(*argv,"-auth") == 0)
-			c_auth = 1;
-		else if	(strcmp(*argv,"-auth_require_reneg") == 0)
-			c_auth_require_reneg = 1;
 #endif
 #ifdef WATT32
 		else if (strcmp(*argv,"-wdebug") == 0)
@@ -1453,12 +1414,6 @@ bad:
 		}
 
 #endif
-	if (c_auth)
-		{
-		SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
-		SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
-		SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
-		}
 #endif
 
 	con=SSL_new(ctx);
@@ -1807,12 +1762,6 @@ SSL_set_tlsext_status_ids(con, ids);
 						"CONNECTION ESTABLISHED\n");
 					print_ssl_summary(bio_err, con);
 					}
-				/*handshake is complete - free the generated supp data allocated in the callback */
-				if (generated_supp_data)
-					{
-					OPENSSL_free(generated_supp_data);
-					generated_supp_data = NULL;
-					}
 
 				print_stuff(bio_c_out,con,full_log);
 				if (full_log > 0) full_log--;
@@ -2463,74 +2412,4 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 	return 1;
 	}
 
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-			   const unsigned char *in,
-			   unsigned short inlen, int *al,
-			   void *arg)
-	{
-	if (TLSEXT_TYPE_server_authz == ext_type)
-		server_provided_server_authz
-		  = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
-
-	if (TLSEXT_TYPE_client_authz == ext_type)
-		server_provided_client_authz
-		  = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
-
-	return 1;
-	}
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-				    const unsigned char **out, unsigned short *outlen,
-				    int *al, void *arg)
-	{
-	if (c_auth)
-		{
-		/*if auth_require_reneg flag is set, only send extensions if
-		  renegotiation has occurred */
-		if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-			{
-			*out = auth_ext_data;
-			*outlen = 1;
-			return 1;
-			}
-		}
-	/* no auth extension to send */
-	return -1;
-	}
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-		       const unsigned char *in,
-		       unsigned short inlen, int *al,
-		       void *arg)
-	{
-	if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
-		{
-		most_recent_supplemental_data = in;
-		most_recent_supplemental_data_length = inlen;
-		}
-	return 1;
-	}
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char **out,
-				     unsigned short *outlen, int *al, void *arg)
-	{
-	if (c_auth && server_provided_client_authz && server_provided_server_authz)
-		{
-		/*if auth_require_reneg flag is set, only send supplemental data if
-		  renegotiation has occurred */
-		if (!c_auth_require_reneg
-		    || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-			{
-			generated_supp_data = OPENSSL_malloc(10);
-			memcpy(generated_supp_data, "5432154321", 10);
-			*out = generated_supp_data;
-			*outlen = 10;
-			return 1;
-			}
-		}
-	/* no supplemental data to send */
-	return -1;
-	}
-
 #endif

apps/s_server.c

@@ -224,20 +224,6 @@ static DH *load_dh_param(const char *dhfile);
 static void s_server_init(void);
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-
-static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
-
-static unsigned char *generated_supp_data = NULL;
-
-static const unsigned char *most_recent_supplemental_data = NULL;
-static size_t most_recent_supplemental_data_length = 0;
-
-static int client_provided_server_authz = 0;
-static int client_provided_client_authz = 0;
-
-#endif
-
 /* static int load_CA(SSL_CTX *ctx, char *file);*/
 
 #undef BUFSIZZ
@@ -302,29 +288,9 @@ static int cert_chain = 0;
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-		       const unsigned char *in,
-		       unsigned short inlen, int *al,
-		       void *arg);
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char **out,
-				     unsigned short *outlen, int *al, void *arg);
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-				    const unsigned char **out, unsigned short *outlen,
-				    int *al, void *arg);
-
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-			   const unsigned char *in,
-			   unsigned short inlen, int *al,
-			   void *arg);
-
 static BIO *serverinfo_in = NULL;
 static const char *s_serverinfo_file = NULL;
 
-static int c_auth = 0;
-static int c_auth_require_reneg = 0;
 #endif
 
 #ifndef OPENSSL_NO_PSK
@@ -490,8 +456,6 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -naccept arg  - terminate after 'arg' connections\n");
 #ifndef OPENSSL_NO_TLSEXT
 	BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n");
-	BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
-	BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
 #endif
     BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n");
 	BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
@@ -1178,15 +1142,7 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			s_serverinfo_file = *(++argv);
 			}
-		else if	(strcmp(*argv,"-auth") == 0)
-			{
-			c_auth = 1;
-			}
 #endif
-		else if	(strcmp(*argv,"-auth_require_reneg") == 0)
-			{
-			c_auth_require_reneg = 1;
-			}
 		else if	(strcmp(*argv,"-certform") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -1997,12 +1953,6 @@ bad:
 		ERR_print_errors(bio_err);
 		goto end;
 		}
-	if (c_auth)
-		{
-		SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
-		SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
-		SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err);
-		}
 #endif
 #ifndef OPENSSL_NO_TLSEXT
 	if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain))
@@ -2722,12 +2672,6 @@ static int init_ssl_connection(SSL *con)
 			i=SSL_accept(con);
 		}
 #endif
-	/*handshake is complete - free the generated supp data allocated in the callback */
-	if (generated_supp_data)
-		{
-        OPENSSL_free(generated_supp_data);
-		generated_supp_data = NULL;
-		}
 
 	if (i <= 0)
 		{
@@ -3615,77 +3559,3 @@ static void free_sessions(void)
 		}
 	first = NULL;
 	}
-
-#ifndef OPENSSL_NO_TLSEXT
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-			   const unsigned char *in,
-			   unsigned short inlen, int *al,
-			   void *arg)
-	{
-	if (TLSEXT_TYPE_server_authz == ext_type)
-		client_provided_server_authz
-		  = memchr(in,	TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
-	if (TLSEXT_TYPE_client_authz == ext_type)
-		client_provided_client_authz
-		  = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
-	return 1;
-	}
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-				    const unsigned char **out, unsigned short *outlen,
-				    int *al, void *arg)
-	{
-	if (c_auth && client_provided_client_authz && client_provided_server_authz)
-		{
-		/*if auth_require_reneg flag is set, only send extensions if
-		  renegotiation has occurred */
-		if (!c_auth_require_reneg
-		    || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-			{
-			*out = auth_ext_data;
-			*outlen = 1;
-			return 1;
-			}
-		}
-	/* no auth extension to send */
-	return -1;
-	}
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-		       const unsigned char *in,
-		       unsigned short inlen, int *al,
-		       void *arg)
-	{
-	if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
-		{
-		most_recent_supplemental_data = in;
-		most_recent_supplemental_data_length = inlen;
-		}
-	return 1;
-	}
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char **out,
-				     unsigned short *outlen, int *al, void *arg)
-	{
-	if (c_auth && client_provided_client_authz && client_provided_server_authz)
-		{
-		/*if auth_require_reneg flag is set, only send supplemental data if
-		  renegotiation has occurred */
-		if (!c_auth_require_reneg
-		    || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-			{
-			generated_supp_data = OPENSSL_malloc(10);
-			memcpy(generated_supp_data, "1234512345", 10);
-			*out = generated_supp_data;
-			*outlen = 10;
-			return 1;
-			}
-		}
-	/* no supplemental data to send */
-	return -1;
-	}
-#endif
-

crypto/symhacks.h

@@ -210,15 +210,6 @@
 #undef SSL_set_not_resumable_session_callback
 #define SSL_set_not_resumable_session_callback	SSL_set_not_resumbl_sess_cb
 
-#undef tls1_send_server_supplemental_data
-#define tls1_send_server_supplemental_data	tls1_send_server_suppl_data
-#undef tls1_send_client_supplemental_data
-#define tls1_send_client_supplemental_data	tls1_send_client_suppl_data
-#undef tls1_get_server_supplemental_data
-#define tls1_get_server_supplemental_data	tls1_get_server_suppl_data
-#undef tls1_get_client_supplemental_data
-#define tls1_get_client_supplemental_data	tls1_get_client_suppl_data
-
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
 #define ENGINE_get_default_BN_mod_exp_crt	ENGINE_get_def_BN_mod_exp_crt

doc/apps/s_client.pod

@@ -76,8 +76,6 @@ B<openssl> B<s_client>
 [B<-sess_in filename>]
 [B<-rand file(s)>]
 [B<-serverinfo types>]
-[B<-auth>]
-[B<-auth_require_reneg>]
 
 =head1 DESCRIPTION
 
@@ -329,15 +327,6 @@ a list of comma-separated TLS Extension Types (numbers between 0 and
 The server's response (if any) will be encoded and displayed as a PEM
 file.
 
-=item B<-auth>
-
-send RFC 5878 client and server authorization extensions in the Client Hello as well as
-supplemental data if the server also sent the authorization extensions in the Server Hello.
-
-=item B<-auth_require_reneg>
-
-only send RFC 5878 client and server authorization extensions during renegotiation.
-
 =back
 
 =head1 CONNECTED COMMANDS

doc/apps/s_server.pod

@@ -83,8 +83,6 @@ B<openssl> B<s_server>
 [B<-id_prefix arg>]
 [B<-rand file(s)>]
 [B<-serverinfo file>]
-[B<-auth>]
-[B<-auth_require_reneg>]
 [B<-no_resumption_on_reneg>]
 =head1 DESCRIPTION
 
@@ -362,19 +360,9 @@ followed by "length" bytes of extension data).  If the client sends
 an empty TLS ClientHello extension matching the type, the corresponding
 ServerHello extension will be returned.
 
-=item B<-auth>
-
-send RFC 5878 client and server authorization extensions in the Client Hello as well as
-supplemental data if the server also sent the authorization extensions in the Server Hello.
-
-=item B<-auth_require_reneg>
-
-only send RFC 5878 client and server authorization extensions during renegotiation.
-
 =item B<-no_resumption_on_reneg>
 
-set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.  Required in order to receive supplemental data
-during renegotiation if auth and auth_require_reneg are set.
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.
 
 =back
 

ssl/s23_clnt.c

@@ -370,8 +370,6 @@ static int ssl23_client_hello(SSL *s)
 #endif
 		if (s->ctx->custom_cli_ext_records_count != 0)
 			ssl2_compat = 0;
-		if (s->ctx->cli_supp_data_records_count != 0)
-			ssl2_compat = 0;
 		}
 #endif
 

ssl/s3_clnt.c

@@ -318,26 +318,11 @@ int ssl3_connect(SSL *s)
 				}
 			s->init_num=0;
 			break;
-#ifndef OPENSSL_NO_TLSEXT
-		case SSL3_ST_CR_SUPPLEMENTAL_DATA_A:
-		case SSL3_ST_CR_SUPPLEMENTAL_DATA_B:
-			ret = tls1_get_server_supplemental_data(s);
-			if (ret <= 0) goto end;
-			s->state=SSL3_ST_CR_CERT_A;
-			s->init_num = 0;
-			break;
-#endif
 		case SSL3_ST_CR_CERT_A:
 		case SSL3_ST_CR_CERT_B:
 #ifndef OPENSSL_NO_TLSEXT
 			ret=ssl3_check_finished(s);
 			if (ret <= 0) goto end;
-			if (ret == 3)
-				{
-				s->state=SSL3_ST_CR_SUPPLEMENTAL_DATA_A;
-				s->init_num=0;
-				break;
-				}
 			if (ret == 2)
 				{
 				s->hit = 1;
@@ -416,14 +401,10 @@ int ssl3_connect(SSL *s)
 					}
 				}
 #endif
-#ifndef OPENSSL_NO_TLSEXT
-			s->state=SSL3_ST_CW_SUPPLEMENTAL_DATA_A;
-#else
 			if (s->s3->tmp.cert_req)
 				s->state=SSL3_ST_CW_CERT_A;
 			else
 				s->state=SSL3_ST_CW_KEY_EXCH_A;
-#endif
 			s->init_num=0;
 
 			break;
@@ -530,19 +511,6 @@ int ssl3_connect(SSL *s)
 			break;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-		case SSL3_ST_CW_SUPPLEMENTAL_DATA_A:
-		case SSL3_ST_CW_SUPPLEMENTAL_DATA_B:
-			ret = tls1_send_client_supplemental_data(s, &skip);
-			if (ret <= 0) goto end;
-			if (s->s3->tmp.cert_req)
-				s->state=SSL3_ST_CW_CERT_A;
-			else
-				s->state=SSL3_ST_CW_KEY_EXCH_A;
-			s->init_num=0;
-			break;
-#endif
-
 		case SSL3_ST_CW_FINISHED_A:
 		case SSL3_ST_CW_FINISHED_B:
 			ret=ssl3_send_finished(s,
@@ -3611,10 +3579,11 @@ int ssl3_check_finished(SSL *s)
 	int ok;
 	long n;
 
-	/* Read the message to see if it is supplemental data,
-	 * regardless if there is a session ticket this function is
-	 * called when we really expect a Certificate message, so
-	 * permit appropriate message length */
+	/* If we have no ticket it cannot be a resumed session. */
+	if (!s->session->tlsext_tick)
+		return 1;
+	/* this function is called when we really expect a Certificate
+	 * message, so permit appropriate message length */
 	n=s->method->ssl_get_message(s,
 		SSL3_ST_CR_CERT_A,
 		SSL3_ST_CR_CERT_B,
@@ -3624,11 +3593,6 @@ int ssl3_check_finished(SSL *s)
 	if (!ok) return((int)n);
 	s->s3->tmp.reuse_message = 1;
 
-	if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA)
-		return 3;
-	/* If we have no ticket it cannot be a resumed session. */
-	if (!s->session->tlsext_tick)
-		return 1;
 	if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
 		|| (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
 		return 2;
@@ -3654,155 +3618,3 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
 		i = s->ctx->client_cert_cb(s,px509,ppkey);
 	return i;
 	}
-
-#ifndef OPENSSL_NO_TLSEXT
-int tls1_send_client_supplemental_data(SSL *s, int *skip)
-	{
-	int al = 0;
-	if (s->ctx->cli_supp_data_records_count)
-		{
-		unsigned char *p = NULL;
-		unsigned char *size_loc = NULL;
-		cli_supp_data_record *record = NULL;
-		size_t length = 0;
-		size_t i = 0;
-
-		for (i = 0; i < s->ctx->cli_supp_data_records_count; i++)
-			{
-			const unsigned char *out = NULL;
-			unsigned short outlen = 0;
-			int cb_retval = 0;
-			record = &s->ctx->cli_supp_data_records[i];
-
-			/* NULL callback or -1 omits supp data entry*/
-			if (!record->fn2)
-				continue;
-			cb_retval = record->fn2(s, record->supp_data_type,
-						&out, &outlen, &al,
-						record->arg);
-			if (cb_retval == -1)
-				continue; /* skip this supp data entry */
-			if (cb_retval == 0)
-				{
-				SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-				goto f_err;
-				}
-			if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length)
-				{
-				SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-				return 0;
-				}
-			/* if first entry, write handshake message type */
-			if (length == 0)
-				{
-				if (!BUF_MEM_grow_clean(s->init_buf, 4))
-					{
-					SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-					return 0;
-					}
-				p = (unsigned char *)s->init_buf->data;
-				*(p++) = SSL3_MT_SUPPLEMENTAL_DATA;
-				/* update message length when all
-				 * callbacks complete */
-				size_loc = p;
-				/* skip over handshake length field (3
-				 * bytes) and supp_data length field
-				 * (3 bytes) */
-				p += 3 + 3;
-				length += 1 +3 +3;
-				}
-			if (!BUF_MEM_grow(s->init_buf, outlen + 4))
-				{
-				SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-				return 0;
-				}
-			s2n(record->supp_data_type, p);
-			s2n(outlen, p);
-			memcpy(p, out, outlen);
-			length += (outlen + 4);
-			p += outlen;
-			}
-		if (length > 0)
-			{
-			/* write handshake length */
-			l2n3(length - 4, size_loc);
-			/* supp_data length */
-			l2n3(length - 7, size_loc);
-			s->state = SSL3_ST_CW_SUPPLEMENTAL_DATA_B;
-			s->init_num = length;
-			s->init_off = 0;
-			return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
-			}
-		}
-
-	/* no supp data message sent */
-	*skip = 1;
-	s->init_num = 0;
-	s->init_off = 0;
-	return 1;
-
-	f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
-	return 0;
-	}
-
-int tls1_get_server_supplemental_data(SSL *s)
-	{
-	int al = 0;
-	int ok;
-	long n;
-	const unsigned char *p, *d;
-	unsigned short supp_data_entry_type = 0;
-	unsigned short supp_data_entry_len = 0;
-	unsigned long supp_data_len = 0;
-	size_t i;
-	int cb_retval = 0;
-
-	n=s->method->ssl_get_message(s,
-				     SSL3_ST_CR_SUPPLEMENTAL_DATA_A,
-				     SSL3_ST_CR_SUPPLEMENTAL_DATA_B,
-				     SSL3_MT_SUPPLEMENTAL_DATA,
-				     /* use default limit */
-				     TLSEXT_MAXLEN_supplemental_data,
-				     &ok);
-
-	if (!ok) return((int)n);
-
-	p = (unsigned char *)s->init_msg;
-	d = p;
-	/* The message cannot be empty */
-	if (n < 3)
-		{
-		al = SSL_AD_DECODE_ERROR;
-		SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH);
-		goto f_err;
-		}
-	n2l3(p, supp_data_len);
-	while (p < d+supp_data_len)
-		{
-		n2s(p, supp_data_entry_type);
-		n2s(p, supp_data_entry_len);
-		/* if there is a callback for this supp data type, send it */
-		for (i=0; i < s->ctx->cli_supp_data_records_count; i++)
-			{
-			if (s->ctx->cli_supp_data_records[i].supp_data_type == supp_data_entry_type &&
-			    s->ctx->cli_supp_data_records[i].fn1)
-				{
-				cb_retval = s->ctx->cli_supp_data_records[i].fn1(s, supp_data_entry_type, p,
-										 supp_data_entry_len, &al,
-										 s->ctx->cli_supp_data_records[i].arg);
-				if (cb_retval == 0)
-					{
-					SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB);
-					goto f_err;
-					}
-				}
-			}
-		p += supp_data_entry_len;
-		}
-	return 1;
-f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
-	return -1;
-	}
-#endif

ssl/s3_srvr.c

@@ -409,24 +409,9 @@ int ssl3_accept(SSL *s)
 					s->state=SSL3_ST_SW_CHANGE_A;
 #endif
 			else
-#ifndef OPENSSL_NO_TLSEXT
-				s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_A;
-#else
-			s->state = SSL3_ST_SW_CERT_A;
-#endif
-			s->init_num = 0;
-			break;
-
-#ifndef OPENSSL_NO_TLSEXT
-		case SSL3_ST_SW_SUPPLEMENTAL_DATA_A:
-		case SSL3_ST_SW_SUPPLEMENTAL_DATA_B:
-			ret = tls1_send_server_supplemental_data(s, &skip);
-			if (ret <= 0) goto end;
-
-			s->state = SSL3_ST_SW_CERT_A;
+					s->state = SSL3_ST_SW_CERT_A;
 			s->init_num = 0;
 			break;
-#endif
 
 		case SSL3_ST_SW_CERT_A:
 		case SSL3_ST_SW_CERT_B:
@@ -596,16 +581,7 @@ int ssl3_accept(SSL *s)
 
 			s->state=s->s3->tmp.next_state;
 			break;
-#ifndef OPENSSL_NO_TLSEXT
-		case SSL3_ST_SR_SUPPLEMENTAL_DATA_A:
-		case SSL3_ST_SR_SUPPLEMENTAL_DATA_B:
-			ret=tls1_get_client_supplemental_data(s);
-			if (ret <= 0) goto end;
-			s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
-			s->state=SSL3_ST_SW_FLUSH;
-			s->init_num=0;
-			break;
-#endif
+
 		case SSL3_ST_SR_CERT_A:
 		case SSL3_ST_SR_CERT_B:
 			/* Check for second client hello (MS SGC) */
@@ -614,10 +590,6 @@ int ssl3_accept(SSL *s)
 				goto end;
 			if (ret == 2)
 				s->state = SSL3_ST_SR_CLNT_HELLO_C;
-#ifndef OPENSSL_NO_TLSEXT
-			else if (ret == 3)
-				s->state = SSL3_ST_SR_SUPPLEMENTAL_DATA_A;
-#endif
 			else {
 				if (s->s3->tmp.cert_request)
 					{
@@ -913,10 +885,6 @@ int ssl3_check_client_hello(SSL *s)
 		&ok);
 	if (!ok) return((int)n);
 	s->s3->tmp.reuse_message = 1;
-#ifndef OPENSSL_NO_TLSEXT
-	if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA)
-		return 3;
-#endif
 	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
 		{
 		/* We only allow the client to restart the handshake once per
@@ -3755,156 +3723,4 @@ int ssl3_get_next_proto(SSL *s)
 	}
 # endif
 
-int tls1_send_server_supplemental_data(SSL *s, int *skip)
-	{
-	int al = 0;
-	if (s->ctx->srv_supp_data_records_count)
-		{
-		unsigned char *p = NULL;
-		unsigned char *size_loc = NULL;
-		srv_supp_data_record *record = NULL;
-		size_t length = 0;
-		size_t i = 0;
-
-		for (i = 0; i < s->ctx->srv_supp_data_records_count; i++)
-			{
-			const unsigned char *out = NULL;
-			unsigned short outlen = 0;
-			int cb_retval = 0;
-			record = &s->ctx->srv_supp_data_records[i];
-
-			/* NULL callback or -1 omits supp data entry */
-			if (!record->fn1)
-				continue;
-			cb_retval = record->fn1(s, record->supp_data_type,
-						&out, &outlen, &al, record->arg);
-			if (cb_retval == -1)
-				continue; /* skip this supp data entry */
-			if (cb_retval == 0)
-				{
-				SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-				goto f_err;
-				}
-			if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length)
-				{
-				SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-				return 0;
-				}
-			/* write supp data entry...
-			 * if first entry, write handshake message type
-			 * jump back to write length at end */
-			if (length == 0)
-				{
-				/* 1 byte message type + 3 bytes for
-				 * message length */
-				if (!BUF_MEM_grow_clean(s->init_buf, 4))
-					{
-					SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-					return 0;
-					}
-				p = (unsigned char *)s->init_buf->data;
-				*(p++) = SSL3_MT_SUPPLEMENTAL_DATA;
-				/* hold on to length field to update later */
-				size_loc = p;
-				/* skip over handshake length field (3
-				 * bytes) and supp_data length field
-				 * (3 bytes) */
-				p += 3 + 3;
-				length += 1 +3 +3;
-				}
-			/* 2 byte supp data type + 2 byte length + outlen */
-			if (!BUF_MEM_grow(s->init_buf, outlen + 4))
-				{
-				SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-				return 0;
-				}
-			s2n(record->supp_data_type, p);
-			s2n(outlen, p);
-			memcpy(p, out, outlen);
-			/* update length to supp data type (2 bytes) +
-			 * supp data length (2 bytes) + supp data */
-			length += (outlen + 4);
-			p += outlen;
-			}
-		if (length > 0)
-			{
-			/* write handshake length */
-			l2n3(length - 4, size_loc);
-			/* supp_data length */
-			l2n3(length - 7, size_loc);
-			s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_B;
-			s->init_num = length;
-			s->init_off = 0;
-
-			return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
-			}
-		}
-
-	/* no supp data message sent */
-	*skip = 1;
-	s->init_num = 0;
-	s->init_off = 0;
-	return 1;
-f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
-	return 0;
-	}
-
-int tls1_get_client_supplemental_data(SSL *s)
-	{
-	int al = 0;
-	int cb_retval = 0;
-	int ok;
-	long n;
-	const unsigned char *p, *d;
-	unsigned short supp_data_entry_type = 0;
-	unsigned short supp_data_entry_len = 0;
-	unsigned long supp_data_len = 0;
-	size_t i = 0;
-
-	n=s->method->ssl_get_message(s,
-				     SSL3_ST_SR_SUPPLEMENTAL_DATA_A,
-				     SSL3_ST_SR_SUPPLEMENTAL_DATA_B,
-				     SSL3_MT_SUPPLEMENTAL_DATA,
-				     /* use default limit */
-				     TLSEXT_MAXLEN_supplemental_data,
-				     &ok);
-
-	if (!ok) return((int)n);
-
-	p = (unsigned char *)s->init_msg;
-	d = p;
-
-	/* The message cannot be empty */
-	if (n < 3)
-		{
-		al = SSL_AD_DECODE_ERROR;
-		SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH);
-		goto f_err;
-		}
-	n2l3(p, supp_data_len);
-	while (p<d+supp_data_len)
-		{
-		n2s(p, supp_data_entry_type);
-		n2s(p, supp_data_entry_len);
-		/* if there is a callback for this supp data type, send it */
-		for (i=0; i < s->ctx->srv_supp_data_records_count; i++)
-			{
-			if (s->ctx->srv_supp_data_records[i].supp_data_type == supp_data_entry_type && s->ctx->srv_supp_data_records[i].fn2)
-				{
-				cb_retval = s->ctx->srv_supp_data_records[i].fn2(s, supp_data_entry_type, p, supp_data_entry_len, &al, s->ctx->srv_supp_data_records[i].arg);
-				if (cb_retval == 0)
-					{
-					SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB);
-					goto f_err;
-					}
-				}
-			}
-		p+=supp_data_entry_len;
-		}
-	return 1;
-f_err:
-	ssl3_send_alert(s,SSL3_AL_FATAL,al);
-	return -1;
-	}
 #endif

ssl/ssl.h

@@ -439,57 +439,6 @@ typedef struct {
 	void *arg;
 } custom_srv_ext_record;
 
-/* Callbacks and structures for handling Supplemental Data:
- *   srv_supp_data_first_cb_fn  - server sends Supplemental Data
- *   srv_supp_data_second_cb_fn - server receives Supplemental Data
- *   cli_supp_data_first_cb_fn  - client receives Supplemental Data
- *   cli_supp_data_second_cb_fn - client sends Supplemental Data
- *
- *   All these functions return nonzero on success.  Zero will terminate
- *   the handshake (and return a specific TLS Fatal alert, if the function
- *   declaration has an "al" parameter).  -1 for the "sending" functions
- *   will result in no supplemental data entry being added to the
- *   supplemental data message for the provided supplemental data type.
- *
- *   "supp_data_type" is a Supplemental Data Type from 0-65535.
- *   "in" is a pointer to TLS "supplemental_data_entry" being provided to the cb.
- *   "out" is used by the callback to return a pointer to "supplemental data"
- *     which OpenSSL will later copy into the TLS handshake.  The contents
- *     of this buffer should not be changed until the handshake is complete.
- *   "inlen" and "outlen" are Supplemental Data lengths from 0-65535.
- *   "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a
- *     fatal TLS alert, if the callback returns zero.
- */
-typedef int (*srv_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
-					 const unsigned char **out,
-					 unsigned short *outlen, int *al, void *arg);
-typedef int (*srv_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
-					  const unsigned char *in,
-					  unsigned short inlen, int *al,
-					  void *arg);
-
-typedef int (*cli_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
-					 const unsigned char *in,
-					 unsigned short inlen, int *al,
-					 void *arg);
-typedef int (*cli_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
-					  const unsigned char **out,
-					  unsigned short *outlen, int *al, void *arg);
-
-typedef struct {
-	unsigned short supp_data_type;
-	srv_supp_data_first_cb_fn fn1;
-	srv_supp_data_second_cb_fn fn2;
-	void *arg;
-} srv_supp_data_record;
-
-typedef struct {
-	unsigned short supp_data_type;
-	cli_supp_data_first_cb_fn fn1;
-	cli_supp_data_second_cb_fn fn2;
-	void *arg;
-} cli_supp_data_record;
-
 #endif
 
 #ifndef OPENSSL_NO_SSL_INTERN
@@ -1216,12 +1165,6 @@ struct ssl_ctx_st
 	size_t custom_cli_ext_records_count;
 	custom_srv_ext_record *custom_srv_ext_records;
 	size_t custom_srv_ext_records_count;
-
- 	/* Arrays containing the callbacks for Supplemental Data. */
- 	cli_supp_data_record *cli_supp_data_records;
-	size_t cli_supp_data_records_count;
-	srv_supp_data_record *srv_supp_data_records;
-	size_t srv_supp_data_records_count;
 	};
 
 #endif
@@ -1369,30 +1312,6 @@ int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
 			       custom_srv_ext_first_cb_fn fn1, 
 			       custom_srv_ext_second_cb_fn fn2, void *arg);
 
-/* Register callbacks to handle Supplemental Data as client or server.
- *
- * For SSL_CTX_set_srv_supp_data, a NULL srv_supp_data_first_cb_fn results in no supplemental data
- * being sent by the server for that TLS extension.
- * A NULL srv_supp_data_second_cb_fn results in no supplemental data
- * being received by the server for that TLS extension.
- *
- * For SSL_CTX_set_cli_supp_data, a NULL cli_supp_data_first_cb_fn results in no supplemental data
- * being received by the client for that TLS extension.
- * A NULL cli_supp_data_second_cb_fn results in no supplemental data
- * being sent by the client for that TLS extension.
- *
- * Returns nonzero on success.  You cannot register twice for the same supp_data_type.
- */
-int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
-			      unsigned short supp_data_type,
-			      srv_supp_data_first_cb_fn fn1,
-			      srv_supp_data_second_cb_fn fn2, void *arg);
-
-int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
-			      unsigned short supp_data_type,
-			      cli_supp_data_first_cb_fn fn1,
-			      cli_supp_data_second_cb_fn fn2, void *arg);
-
 #endif
 
 #define SSL_NOTHING	1
@@ -2660,8 +2579,6 @@ void ERR_load_SSL_strings(void);
 /* Error codes for the SSL functions. */
 
 /* Function codes. */
-#define SSL_F_AUTHZ_FIND_DATA				 330
-#define SSL_F_AUTHZ_VALIDATE				 323
 #define SSL_F_CHECK_SUITEB_CIPHER_LIST			 331
 #define SSL_F_CLIENT_CERTIFICATE			 100
 #define SSL_F_CLIENT_FINISHED				 167
@@ -2705,7 +2622,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_GET_SERVER_HELLO				 109
 #define SSL_F_GET_SERVER_VERIFY				 110
 #define SSL_F_I2D_SSL_SESSION				 111
-#define SSL_F_READ_AUTHZ				 329
 #define SSL_F_READ_N					 112
 #define SSL_F_REQUEST_CERTIFICATE			 113
 #define SSL_F_SERVER_FINISH				 239
@@ -2813,7 +2729,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT		 219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION			 170
 #define SSL_F_SSL_CTX_SET_TRUST				 229
-#define SSL_F_SSL_CTX_USE_AUTHZ				 324
 #define SSL_F_SSL_CTX_USE_CERTIFICATE			 171
 #define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1		 172
 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE	 220
@@ -2855,7 +2770,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SESSION_PRINT_FP			 190
 #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT		 312
 #define SSL_F_SSL_SESS_CERT_NEW				 225
-#define SSL_F_SSL_SET_AUTHZ				 325
 #define SSL_F_SSL_SET_CERT				 191
 #define SSL_F_SSL_SET_CIPHER_LIST			 271
 #define SSL_F_SSL_SET_FD				 192
@@ -2872,7 +2786,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_UNDEFINED_CONST_FUNCTION		 243
 #define SSL_F_SSL_UNDEFINED_FUNCTION			 197
 #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION		 244
-#define SSL_F_SSL_USE_AUTHZ				 328
 #define SSL_F_SSL_USE_CERTIFICATE			 198
 #define SSL_F_SSL_USE_CERTIFICATE_ASN1			 199
 #define SSL_F_SSL_USE_CERTIFICATE_FILE			 200
@@ -2891,21 +2804,16 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT		 274
 #define SSL_F_TLS1_ENC					 210
 #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL		 314
-#define SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA		 335
-#define SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA		 326
 #define SSL_F_TLS1_HEARTBEAT				 315
 #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT		 275
 #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT		 276
 #define SSL_F_TLS1_PRF					 284
-#define SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA	 338
-#define SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA	 327
 #define SSL_F_TLS1_SETUP_KEY_BLOCK			 211
 #define SSL_F_WRITE_PENDING				 212
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE			 100
 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
-#define SSL_R_AUTHZ_DATA_TOO_LARGE			 375
 #define SSL_R_BAD_ALERT_RECORD				 101
 #define SSL_R_BAD_AUTHENTICATION_TYPE			 102
 #define SSL_R_BAD_CHANGE_CIPHER_SPEC			 103
@@ -3003,7 +2911,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_ILLEGAL_SUITEB_DIGEST			 380
 #define SSL_R_INCONSISTENT_COMPRESSION			 340
 #define SSL_R_INVALID_AUDIT_PROOF			 371
-#define SSL_R_INVALID_AUTHZ_DATA			 374
 #define SSL_R_INVALID_CHALLENGE_LENGTH			 158
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_COMPRESSION_ALGORITHM		 341
@@ -3195,7 +3102,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNEXPECTED_RECORD				 245
 #define SSL_R_UNINITIALIZED				 276
 #define SSL_R_UNKNOWN_ALERT_TYPE			 246
-#define SSL_R_UNKNOWN_AUTHZ_DATA_TYPE			 372
 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE			 247
 #define SSL_R_UNKNOWN_CIPHER_RETURNED			 248
 #define SSL_R_UNKNOWN_CIPHER_TYPE			 249
@@ -3207,7 +3113,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE			 253
 #define SSL_R_UNKNOWN_SSL_VERSION			 254
 #define SSL_R_UNKNOWN_STATE				 255
-#define SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE		 373
 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED	 338
 #define SSL_R_UNSUPPORTED_CIPHER			 256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM		 257

ssl/ssl3.h

@@ -637,10 +637,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CR_CERT_REQ_B		(0x151|SSL_ST_CONNECT)
 #define SSL3_ST_CR_SRVR_DONE_A		(0x160|SSL_ST_CONNECT)
 #define SSL3_ST_CR_SRVR_DONE_B		(0x161|SSL_ST_CONNECT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_CR_SUPPLEMENTAL_DATA_A	(0x212|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SUPPLEMENTAL_DATA_B  (0x213|SSL_ST_CONNECT)
-#endif
 /* write to server */
 #define SSL3_ST_CW_CERT_A		(0x170|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CERT_B		(0x171|SSL_ST_CONNECT)
@@ -656,10 +652,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_NEXT_PROTO_A		(0x200|SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_B		(0x201|SSL_ST_CONNECT)
 #endif
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_CW_SUPPLEMENTAL_DATA_A		(0x222|SSL_ST_CONNECT)
-#define SSL3_ST_CW_SUPPLEMENTAL_DATA_B		(0x223|SSL_ST_CONNECT)
-#endif
 #define SSL3_ST_CW_FINISHED_A		(0x1B0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_B		(0x1B1|SSL_ST_CONNECT)
 /* read from server */
@@ -685,10 +677,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CLNT_HELLO_B		(0x111|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_C		(0x112|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_D		(0x115|SSL_ST_ACCEPT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_SR_SUPPLEMENTAL_DATA_A		(0x212|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_SUPPLEMENTAL_DATA_B		(0x213|SSL_ST_ACCEPT)
-#endif
 /* write to client */
 #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
 #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
@@ -729,10 +717,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SW_SESSION_TICKET_B	(0x1F1|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_STATUS_A	(0x200|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_STATUS_B	(0x201|SSL_ST_ACCEPT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_SW_SUPPLEMENTAL_DATA_A	(0x222|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SUPPLEMENTAL_DATA_B	(0x223|SSL_ST_ACCEPT)
-#endif
 
 #define SSL3_MT_HELLO_REQUEST			0
 #define SSL3_MT_CLIENT_HELLO			1
@@ -746,9 +730,6 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE		16
 #define SSL3_MT_FINISHED			20
 #define SSL3_MT_CERTIFICATE_STATUS		22
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_MT_SUPPLEMENTAL_DATA		23
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_MT_NEXT_PROTO			67
 #endif

ssl/ssl_err.c

@@ -70,8 +70,6 @@
 
 static ERR_STRING_DATA SSL_str_functs[]=
 	{
-{ERR_FUNC(SSL_F_AUTHZ_FIND_DATA),	"AUTHZ_FIND_DATA"},
-{ERR_FUNC(SSL_F_AUTHZ_VALIDATE),	"AUTHZ_VALIDATE"},
 {ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),	"CHECK_SUITEB_CIPHER_LIST"},
 {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),	"CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_CLIENT_FINISHED),	"CLIENT_FINISHED"},
@@ -115,7 +113,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_GET_SERVER_HELLO),	"GET_SERVER_HELLO"},
 {ERR_FUNC(SSL_F_GET_SERVER_VERIFY),	"GET_SERVER_VERIFY"},
 {ERR_FUNC(SSL_F_I2D_SSL_SESSION),	"i2d_SSL_SESSION"},
-{ERR_FUNC(SSL_F_READ_AUTHZ),	"READ_AUTHZ"},
 {ERR_FUNC(SSL_F_READ_N),	"READ_N"},
 {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),	"REQUEST_CERTIFICATE"},
 {ERR_FUNC(SSL_F_SERVER_FINISH),	"SERVER_FINISH"},
@@ -223,7 +220,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),	"SSL_CTX_set_session_id_context"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),	"SSL_CTX_set_ssl_version"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST),	"SSL_CTX_set_trust"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_AUTHZ),	"SSL_CTX_USE_AUTHZ"},
 {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE),	"SSL_CTX_use_certificate"},
 {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1),	"SSL_CTX_use_certificate_ASN1"},
 {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),	"SSL_CTX_use_certificate_chain_file"},
@@ -265,7 +261,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP),	"SSL_SESSION_print_fp"},
 {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT),	"SSL_SESSION_set1_id_context"},
 {ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW),	"ssl_sess_cert_new"},
-{ERR_FUNC(SSL_F_SSL_SET_AUTHZ),	"SSL_SET_AUTHZ"},
 {ERR_FUNC(SSL_F_SSL_SET_CERT),	"SSL_SET_CERT"},
 {ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST),	"SSL_set_cipher_list"},
 {ERR_FUNC(SSL_F_SSL_SET_FD),	"SSL_set_fd"},
@@ -282,7 +277,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION),	"ssl_undefined_const_function"},
 {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION),	"ssl_undefined_function"},
 {ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION),	"ssl_undefined_void_function"},
-{ERR_FUNC(SSL_F_SSL_USE_AUTHZ),	"SSL_USE_AUTHZ"},
 {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE),	"SSL_use_certificate"},
 {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1),	"SSL_use_certificate_ASN1"},
 {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE),	"SSL_use_certificate_file"},
@@ -301,14 +295,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT),	"TLS1_CHECK_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_ENC),	"tls1_enc"},
 {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL),	"tls1_export_keying_material"},
-{ERR_FUNC(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA),	"tls1_get_client_supplemental_data"},
-{ERR_FUNC(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA),	"tls1_get_server_supplemental_data"},
 {ERR_FUNC(SSL_F_TLS1_HEARTBEAT),	"tls1_heartbeat"},
 {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT),	"TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT),	"TLS1_PREPARE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PRF),	"tls1_prf"},
-{ERR_FUNC(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA),	"tls1_send_client_supplemental_data"},
-{ERR_FUNC(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA),	"tls1_send_server_supplemental_data"},
 {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK),	"tls1_setup_key_block"},
 {ERR_FUNC(SSL_F_WRITE_PENDING),	"WRITE_PENDING"},
 {0,NULL}
@@ -318,7 +308,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 	{
 {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
 {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
-{ERR_REASON(SSL_R_AUTHZ_DATA_TOO_LARGE)  ,"authz data too large"},
 {ERR_REASON(SSL_R_BAD_ALERT_RECORD)      ,"bad alert record"},
 {ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
 {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
@@ -416,7 +405,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_ILLEGAL_SUITEB_DIGEST) ,"illegal Suite B digest"},
 {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
 {ERR_REASON(SSL_R_INVALID_AUDIT_PROOF)   ,"invalid audit proof"},
-{ERR_REASON(SSL_R_INVALID_AUTHZ_DATA)    ,"invalid authz data"},
 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
 {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
@@ -608,7 +596,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNEXPECTED_RECORD)     ,"unexpected record"},
 {ERR_REASON(SSL_R_UNINITIALIZED)         ,"uninitialized"},
 {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE)    ,"unknown alert type"},
-{ERR_REASON(SSL_R_UNKNOWN_AUTHZ_DATA_TYPE),"unknown authz data type"},
 {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE)   ,"unknown cipher type"},
@@ -620,7 +607,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
 {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
-{ERR_REASON(SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE),"unknown supplemental data type"},
 {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},

ssl/ssl_lib.c

@@ -1879,65 +1879,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
 		*len = ssl->s3->alpn_selected_len;
 	}
 
-int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
-			      unsigned short supp_data_type,
-			      cli_supp_data_first_cb_fn fn1,
-			      cli_supp_data_second_cb_fn fn2, void* arg)
-	{
-	size_t i;
-	cli_supp_data_record* record;
-
-	/* Check for duplicates */
-	for (i=0; i < ctx->cli_supp_data_records_count; i++)
-		if (supp_data_type == ctx->cli_supp_data_records[i].supp_data_type)
-			return 0;
-
-	ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records,
-	  (ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record));
-	if (!ctx->cli_supp_data_records)
-		{
-		ctx->cli_supp_data_records_count = 0;
-		return 0;
-		}
-	ctx->cli_supp_data_records_count++;
-	record = &ctx->cli_supp_data_records[ctx->cli_supp_data_records_count - 1];
-	record->supp_data_type = supp_data_type;
-	record->fn1 = fn1;
-	record->fn2 = fn2;
-	record->arg = arg;
-	return 1;
-	}
-
-int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
-			      unsigned short supp_data_type,
-			      srv_supp_data_first_cb_fn fn1,
-			      srv_supp_data_second_cb_fn fn2, void* arg)
-	{
-	size_t i;
-	srv_supp_data_record* record;
-
-	/* Check for duplicates */
-	for (i=0; i < ctx->srv_supp_data_records_count; i++)
-		if (supp_data_type == ctx->srv_supp_data_records[i].supp_data_type)
-			return 0;
-
-	ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records,
-	  (ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record));
-	if (!ctx->srv_supp_data_records)
-		{
-		ctx->srv_supp_data_records_count = 0;
-		return 0;
-		}
-	ctx->srv_supp_data_records_count++;
-	record = &ctx->srv_supp_data_records[ctx->srv_supp_data_records_count - 1];
-	record->supp_data_type = supp_data_type;
-	record->fn1 = fn1;
-	record->fn2 = fn2;
-	record->arg = arg;
-
-	return 1;
-	}
-
 #endif /* !OPENSSL_NO_TLSEXT */
 
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -2141,10 +2082,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 	ret->custom_cli_ext_records_count = 0;
 	ret->custom_srv_ext_records = NULL;
 	ret->custom_srv_ext_records_count = 0;
-	ret->cli_supp_data_records = NULL;
-	ret->cli_supp_data_records_count = 0;
-	ret->srv_supp_data_records = NULL;
-	ret->srv_supp_data_records_count = 0;
 #ifndef OPENSSL_NO_BUF_FREELISTS
 	ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
 	ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -2286,8 +2223,6 @@ void SSL_CTX_free(SSL_CTX *a)
 #ifndef OPENSSL_NO_TLSEXT
 	OPENSSL_free(a->custom_cli_ext_records);
 	OPENSSL_free(a->custom_srv_ext_records);
-	OPENSSL_free(a->cli_supp_data_records);
-	OPENSSL_free(a->srv_supp_data_records);
 #endif
 #ifndef OPENSSL_NO_ENGINE
 	if (a->client_cert_engine)

ssl/ssl_locl.h

@@ -1292,13 +1292,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
 
-/* server only */
-int tls1_send_server_supplemental_data(SSL *s, int *skip);
-int tls1_get_client_supplemental_data(SSL *s);
-/* client only */
-int tls1_send_client_supplemental_data(SSL *s, int *skip);
-int tls1_get_server_supplemental_data(SSL *s);
-
 #ifndef OPENSSL_NO_HEARTBEATS
 int tls1_heartbeat(SSL *s);
 int dtls1_heartbeat(SSL *s);

ssl/ssl_stat.c

@@ -210,14 +210,6 @@ case SSL3_ST_SR_KEY_EXCH_A:	str="SSLv3 read client key exchange A"; break;
 case SSL3_ST_SR_KEY_EXCH_B:	str="SSLv3 read client key exchange B"; break;
 case SSL3_ST_SR_CERT_VRFY_A:	str="SSLv3 read certificate verify A"; break;
 case SSL3_ST_SR_CERT_VRFY_B:	str="SSLv3 read certificate verify B"; break;
-case SSL3_ST_CW_SUPPLEMENTAL_DATA_A: str="SSLv3 client write supplemental data A"; break;
-case SSL3_ST_CW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break;
-case SSL3_ST_SW_SUPPLEMENTAL_DATA_A: str="SSLv3 server write supplemental data A"; break;
-case SSL3_ST_SW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break;
-case SSL3_ST_CR_SUPPLEMENTAL_DATA_A: str="SSLv3 client read supplemental data A"; break;
-case SSL3_ST_CR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break;
-case SSL3_ST_SR_SUPPLEMENTAL_DATA_A: str="SSLv3 server read supplemental data A"; break;
-case SSL3_ST_SR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break;
 #endif
 
 /* SSLv2/v3 compatibility states */

ssl/ssltest.c

@@ -521,16 +521,6 @@ int custom_ext = 0;
 /* This set based on extension callbacks */
 int custom_ext_error = 0;
 
-/* Not IETF assigned supplemental data types */
-#define CUSTOM_SUPP_DATA_TYPE_0 100
-#define CUSTOM_SUPP_DATA_TYPE_1 101
-#define CUSTOM_SUPP_DATA_TYPE_2 102
-
-const char supp_data_0_string[] = "00000";
-
-int suppdata = 0;
-int suppdata_error = 0;
-
 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
 			     const unsigned char* in, unsigned short inlen, 
 			     int* al, void* arg)
@@ -733,110 +723,6 @@ static int custom_ext_3_srv_second_cb(SSL *s, unsigned short ext_type,
 	return 1; /* Send "defg" */
 	}
 
-static int supp_data_0_srv_first_cb(SSL *s, unsigned short supp_data_type,
-				    const unsigned char **out,
-				    unsigned short *outlen, int *al, void *arg)
-	{
-	*out = (const unsigned char*)supp_data_0_string;
-	*outlen = strlen(supp_data_0_string);
-	if (arg != s)
-		suppdata_error = 1;
-	return 1;
-	}
-
-static int supp_data_0_srv_second_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char *in,
-				     unsigned short inlen, int *al,
-				     void *arg)
-	{
-	if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
-		suppdata_error = 1;
-	if (inlen != strlen(supp_data_0_string))
-		suppdata_error = 1;
-	if (memcmp(in, supp_data_0_string, inlen) != 0)
-		suppdata_error = 1;
-	if (arg != s)
-		suppdata_error = 1;
-	return 1;
-	}
-
-static int supp_data_1_srv_first_cb(SSL *s, unsigned short supp_data_type,
-				    const unsigned char **out,
-				    unsigned short *outlen, int *al, void *arg)
-	{
-	return -1;
-	}
-
-static int supp_data_1_srv_second_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char *in,
-				     unsigned short inlen, int *al,
-				     void *arg)
-	{
-	suppdata_error = 1;
-	return 1;
-	}
-
-static int supp_data_2_srv_second_cb(SSL *s, unsigned short supp_data_type,
-				const unsigned char *in,
-				unsigned short inlen, int *al,
-				void *arg)
-	{
-	suppdata_error = 1;
-	return 1;
-	}
-
-static int supp_data_0_cli_first_cb(SSL *s, unsigned short supp_data_type,
-				    const unsigned char *in,
-				    unsigned short inlen, int *al,
-				    void *arg)
-	{
-	if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
-		suppdata_error = 1;
-	if (inlen != strlen(supp_data_0_string))
-		suppdata_error = 1;
-	if (memcmp(in, supp_data_0_string, inlen) != 0)
-		suppdata_error = 1;
-	if (arg != s)
-		suppdata_error = 1;
-	return 1;
-	}
-
-static int supp_data_0_cli_second_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char **out,
-				     unsigned short *outlen, int *al, void *arg)
-	{
-	*out = (const unsigned char*)supp_data_0_string;
-	*outlen = strlen(supp_data_0_string);
-	if (arg != s)
-		suppdata_error = 1;
-	return 1;
-	}
-
-static int supp_data_1_cli_first_cb(SSL *s, unsigned short supp_data_type,
-				    const unsigned char *in,
-				    unsigned short inlen, int *al,
-				    void *arg)
-	{
-	suppdata_error = 1;
-	return 1;
-	}
-
-static int supp_data_1_cli_second_cb(SSL *s, unsigned short supp_data_type,
-				     const unsigned char **out,
-				     unsigned short *outlen, int *al, void *arg)
-	{
-	return -1;
-	}
-
-static int supp_data_2_cli_first_cb(SSL *s, unsigned short supp_data_type,
-				    const unsigned char *in,
-				    unsigned short inlen, int *al,
-				    void *arg)
-	{
-	suppdata_error = 1;
-	return 1;
-	}
-
 static char *cipher=NULL;
 static int verbose=0;
 static int debug=0;
@@ -923,7 +809,6 @@ static void sv_usage(void)
 	fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
 	fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
 	fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
-	fprintf(stderr, "-suppdata - exercise supplemental data callbacks\n");
 	}
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -1368,10 +1253,6 @@ int main(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			alpn_expected = *(++argv);
 			}
-		else if (strcmp(*argv,"-suppdata") == 0)
-			{
-			suppdata = 1;
-			}
 		else
 			{
 			fprintf(stderr,"unknown option %s\n",*argv);
@@ -1766,40 +1647,6 @@ bad:
 	c_ssl=SSL_new(c_ctx);
 	s_ssl=SSL_new(s_ctx);
 
-	if (suppdata)
-		{
-		/* TEST CASES */
-		/* client and server both send and receive, verify
-		 * additional arg passed back */
-		SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_0,
-					  supp_data_0_srv_first_cb,
-					  supp_data_0_srv_second_cb, s_ssl);
-		SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_0,
-					  supp_data_0_cli_first_cb,
-					  supp_data_0_cli_second_cb, c_ssl);
-
-		/* -1 response from sending server/client doesn't
-                 * receive, -1 response from sending client/server
-                 * doesn't receive */
-		SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_1,
-					  supp_data_1_srv_first_cb,
-					  supp_data_1_srv_second_cb, NULL);
-		SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_1,
-					  supp_data_1_cli_first_cb,
-					  supp_data_1_cli_second_cb, NULL);
-
-		/* null sending server/client doesn't receive, null
-		   sending client/server doesn't receive */
-		SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_2,
-					  /*supp_data_2_srv_first_cb*/NULL,
-					  supp_data_2_srv_second_cb, NULL);
-		SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_2,
-					  supp_data_2_cli_first_cb,
-					  /*supp_data_2_cli_second_cb*/NULL,
-					  NULL);
-
-		/* alerts set to non-zero and zero return values not tested */
-		}
 #ifndef OPENSSL_NO_KRB5
 	if (c_ssl  &&  c_ssl->kssl_ctx)
                 {
@@ -2586,11 +2433,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 		goto err;
 		}
 #endif
-	if (suppdata_error < 0)
-		{
-		ret = 1;
-		goto err;
-		}
 	if (verify_serverinfo() < 0)
 		{
 		ret = 1;

ssl/tls1.h

@@ -211,11 +211,9 @@ extern "C" {
 #define TLSEXT_TYPE_status_request		5
 /* ExtensionType values from RFC4681 */
 #define TLSEXT_TYPE_user_mapping		6
-
 /* ExtensionType values from RFC5878 */
 #define TLSEXT_TYPE_client_authz		7
 #define TLSEXT_TYPE_server_authz		8
-
 /* ExtensionType values from RFC6091 */
 #define TLSEXT_TYPE_cert_type		9
 
@@ -312,17 +310,6 @@ extern "C" {
 
 #define TLSEXT_MAXLEN_host_name 255
 
-/* From RFC 5878 */
-#define TLSEXT_SUPPLEMENTALDATATYPE_authz_data 16386
-
-/* DTCP Authorization Type
- * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#authorization-data-rules
- * http://tools.ietf.org/id/draft-dthakore-tls-authz-04.txt
- */
-#define TLSEXT_AUTHZDATAFORMAT_dtcp 66
-
-#define TLSEXT_MAXLEN_supplemental_data 1024*16 /* Let's limit to 16k */
-
 const char *SSL_get_servername(const SSL *s, const int type);
 int SSL_get_servername_type(const SSL *s);
 /* SSL_export_keying_material exports a value derived from the master secret,