author | Dr. Stephen Henson <steve@openssl.org> | 2017-02-22 17:26:44 +0000 |
committer | Dr. Stephen Henson <steve@openssl.org> | 2017-02-27 18:23:18 +0000 |
commit | 03f44b974b1c85804b54af7c3ffb5241d5ffd952 (patch) | |
tree | a5da2267b5cc1e615edb973040fed6c2cfc89aca /ssl/statem/statem_srvr.c | |
parent | 013bc448672cbc3c9cd154709400c676c2955229 (diff) | |
Initial incomplete TLS 1.3 certificate request support.
This adds partial support for the TLS 1.3 certificate request message.
The request context and extensions are currently ignored on receive
and set to zero length on send.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2728)
Diffstat (limited to 'ssl/statem/statem_srvr.c')
-rw-r--r-- | ssl/statem/statem_srvr.c | 30 |
1 files changed, 23 insertions, 7 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 9c422e4..26c37c7 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2448,12 +2448,21 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
     int i;
     STACK_OF(X509_NAME) *sk = NULL;
 
-    /* get the list of acceptable cert types */
-    if (!WPACKET_start_sub_packet_u8(pkt)
-        || !ssl3_get_req_cert_type(s, pkt)
-        || !WPACKET_close(pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
-        goto err;
+    if (SSL_IS_TLS13(s)) {
+        /* TODO(TLS1.3) for now send empty request context */
+        if (!WPACKET_put_bytes_u8(pkt, 0)) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+                   ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
+    } else {
+        /* get the list of acceptable cert types */
+        if (!WPACKET_start_sub_packet_u8(pkt)
+            || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
+            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+                   ERR_R_INTERNAL_ERROR);
+            goto err;
+        }
     }
 
     if (SSL_USE_SIGALGS(s)) {
@@ -2494,11 +2503,18 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
         }
     }
     /* else no CA names */
-
     if (!WPACKET_close(pkt)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
         goto err;
     }
+    /*
+     * TODO(TLS1.3) implement configurable certificate_extensions
+     * For now just send zero length extensions.
+     */
+    if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u16(pkt, 0)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
 
     s->s3->tmp.cert_request = 1;
 
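Review bot: The `else` branch of the first hunk reflows the retained condition so that `|| !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {` now shares one line, a cosmetic change to logic the commit does not otherwise touch; keeping the original one-condition-per-line form would confine the hunk to the new TLS 1.3 branch and make it read as "new path added, legacy path kept". The TLS 1.3 branch itself is fine: `WPACKET_put_bytes_u8(pkt, 0)` writes the one-byte length of an empty certificate_request_context. Since that context only carries meaning for post-handshake authentication, which this path presumably does not issue yet, the TODO would help the next reader if it said so, e.g. `/* TODO(TLS1.3) empty context: only post-handshake auth needs a non-empty one */`. The enclosing tls_construct_certificate_request starts before this hunk and continues after it.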
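Review bot: The zero-length extensions vector written by the added `WPACKET_put_bytes_u16(pkt, 0)` in the second hunk is below the minimum the TLS 1.3 CertificateRequest definition allows (its extensions field is `<2..2^16-1>` because signature_algorithms is mandatory there), so a conforming TLS 1.3 peer should reject the message rather than merely see an empty list. In addition, the signature-algorithm and CA-name bytes emitted between the two hunks (unchanged, outside this hunk) still use the TLS 1.2 layout, so on the TLS 1.3 path they occupy the position where a peer expects the extensions length. Until that is moved into extensions the TODO should state the consequence, e.g. `/* TODO(TLS1.3) a peer requires a non-empty extensions block carrying signature_algorithms; this message is not yet parseable by a TLS 1.3 client */`, and client-authentication tests should stay limited to TLS 1.2 meanwhile. The enclosing tls_construct_certificate_request starts before this hunk and ends after it.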