提交 e97be718 编写于 作者: M Matt Caswell

Add support for SSL_CTX_set_post_handshake_auth()

We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.
Reviewed-by: NTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
上级 32097b33
...@@ -7,7 +7,8 @@ SSL_CTX_set_verify, SSL_set_verify, ...@@ -7,7 +7,8 @@ SSL_CTX_set_verify, SSL_set_verify,
SSL_CTX_set_verify_depth, SSL_set_verify_depth, SSL_CTX_set_verify_depth, SSL_set_verify_depth,
SSL_verify_cb, SSL_verify_cb,
SSL_verify_client_post_handshake, SSL_verify_client_post_handshake,
SSL_set_post_handshake_auth SSL_set_post_handshake_auth,
SSL_CTX_set_post_handshake_auth
- set peer certificate verification parameters - set peer certificate verification parameters
=head1 SYNOPSIS =head1 SYNOPSIS
...@@ -24,6 +25,7 @@ SSL_set_post_handshake_auth ...@@ -24,6 +25,7 @@ SSL_set_post_handshake_auth
void SSL_set_verify_depth(SSL *ssl, int depth); void SSL_set_verify_depth(SSL *ssl, int depth);
int SSL_verify_client_post_handshake(SSL *ssl); int SSL_verify_client_post_handshake(SSL *ssl);
void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
void SSL_set_post_handshake_auth(SSL *ssl, int val); void SSL_set_post_handshake_auth(SSL *ssl, int val);
=head1 DESCRIPTION =head1 DESCRIPTION
...@@ -48,12 +50,12 @@ verification that shall be allowed for B<ctx>. ...@@ -48,12 +50,12 @@ verification that shall be allowed for B<ctx>.
SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain SSL_set_verify_depth() sets the maximum B<depth> for the certificate chain
verification that shall be allowed for B<ssl>. verification that shall be allowed for B<ssl>.
SSL_set_post_handshake_auth() enables the Post-Handshake Authentication SSL_CTX_set_post_handshake_auth() and SSL_set_post_handshake_auth() enable the
extension to be added to the ClientHello such that post-handshake authentication Post-Handshake Authentication extension to be added to the ClientHello such that
can be requested by the server. If B<val> is 0 then the extension is not sent, post-handshake authentication can be requested by the server. If B<val> is 0
otherwise it is. By default the extension is not sent. A certificate callback then the extension is not sent, otherwise it is. By default the extension is not
will need to be set via SSL_CTX_set_client_cert_cb() if no certificate is sent. A certificate callback will need to be set via
provided at initialization. SSL_CTX_set_client_cert_cb() if no certificate is provided at initialization.
SSL_verify_client_post_handshake() causes a CertificateRequest message to be SSL_verify_client_post_handshake() causes a CertificateRequest message to be
sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must sent by a server on the given B<ssl> connection. The SSL_VERIFY_PEER flag must
......
...@@ -1898,6 +1898,7 @@ int SSL_renegotiate_abbreviated(SSL *s); ...@@ -1898,6 +1898,7 @@ int SSL_renegotiate_abbreviated(SSL *s);
__owur int SSL_renegotiate_pending(SSL *s); __owur int SSL_renegotiate_pending(SSL *s);
int SSL_shutdown(SSL *s); int SSL_shutdown(SSL *s);
__owur int SSL_verify_client_post_handshake(SSL *s); __owur int SSL_verify_client_post_handshake(SSL *s);
void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
void SSL_set_post_handshake_auth(SSL *s, int val); void SSL_set_post_handshake_auth(SSL *s, int val);
__owur const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx); __owur const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx);
......
...@@ -702,6 +702,7 @@ SSL *SSL_new(SSL_CTX *ctx) ...@@ -702,6 +702,7 @@ SSL *SSL_new(SSL_CTX *ctx)
s->max_early_data = ctx->max_early_data; s->max_early_data = ctx->max_early_data;
s->recv_max_early_data = ctx->recv_max_early_data; s->recv_max_early_data = ctx->recv_max_early_data;
s->num_tickets = ctx->num_tickets; s->num_tickets = ctx->num_tickets;
s->pha_enabled = ctx->pha_enabled;
/* Shallow copy of the ciphersuites stack */ /* Shallow copy of the ciphersuites stack */
s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites); s->tls13_ciphersuites = sk_SSL_CIPHER_dup(ctx->tls13_ciphersuites);
...@@ -5455,6 +5456,11 @@ int SSL_stateless(SSL *s) ...@@ -5455,6 +5456,11 @@ int SSL_stateless(SSL *s)
return -1; return -1;
} }
void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val)
{
ctx->pha_enabled = val;
}
void SSL_set_post_handshake_auth(SSL *ssl, int val) void SSL_set_post_handshake_auth(SSL *ssl, int val)
{ {
ssl->pha_enabled = val; ssl->pha_enabled = val;
......
...@@ -1063,6 +1063,9 @@ struct ssl_ctx_st { ...@@ -1063,6 +1063,9 @@ struct ssl_ctx_st {
/* Callback to determine if early_data is acceptable or not */ /* Callback to determine if early_data is acceptable or not */
SSL_allow_early_data_cb_fn allow_early_data_cb; SSL_allow_early_data_cb_fn allow_early_data_cb;
void *allow_early_data_cb_data; void *allow_early_data_cb_data;
/* Do we advertise Post-handshake auth support? */
int pha_enabled;
}; };
struct ssl_st { struct ssl_st {
......
...@@ -4331,13 +4331,12 @@ static int test_pha_key_update(void) ...@@ -4331,13 +4331,12 @@ static int test_pha_key_update(void)
|| !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION))) || !TEST_true(SSL_CTX_set_max_proto_version(cctx, TLS1_3_VERSION)))
goto end; goto end;
SSL_CTX_set_post_handshake_auth(cctx, 1);
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
NULL, NULL))) NULL, NULL)))
goto end; goto end;
SSL_set_post_handshake_auth(clientssl, 1);
if (!TEST_true(create_ssl_connection(serverssl, clientssl, if (!TEST_true(create_ssl_connection(serverssl, clientssl,
SSL_ERROR_NONE))) SSL_ERROR_NONE)))
goto end; goto end;
......
...@@ -496,3 +496,4 @@ SSL_set_recv_max_early_data 496 1_1_1 EXIST::FUNCTION: ...@@ -496,3 +496,4 @@ SSL_set_recv_max_early_data 496 1_1_1 EXIST::FUNCTION:
SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION: SSL_get_recv_max_early_data 497 1_1_1 EXIST::FUNCTION:
SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION: SSL_CTX_get_recv_max_early_data 498 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION: SSL_CTX_set_recv_max_early_data 499 1_1_1 EXIST::FUNCTION:
SSL_CTX_set_post_handshake_auth 500 1_1_1 EXIST::FUNCTION:
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册