Remove all RFC5878 code.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 4 Jul 2014 12:42:05 +0000 (13:42 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 4 Jul 2014 12:42:05 +0000 (13:42 +0100)
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs.

17 files changed:
CHANGES
apps/s_cb.c
apps/s_client.c
apps/s_server.c
doc/apps/s_client.pod
doc/apps/s_server.pod
ssl/s23_clnt.c
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl3.h
ssl/ssl_err.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/ssl_stat.c
ssl/ssltest.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index d004adc..d82e05f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
      MGF1 digest and OAEP label.
      [Steve Henson]
 
-  *) Add callbacks supporting generation and retrieval of supplemental
-     data entries.
-     [Scott Deboy <sdeboy@apache.org>, Trevor Perrin and Ben Laurie]
-
   *) Add EVP support for key wrapping algorithms, to avoid problems with
      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
   *) Support for linux-x32, ILP32 environment in x86_64 framework.
      [Andy Polyakov]
 
-  *) RFC 5878 (TLS Authorization Extensions) support.
-     [Emilia Kasper, Adam Langley, Ben Laurie (Google)]
-
   *) Experimental multi-implementation support for FIPS capable OpenSSL.
      When in FIPS mode the approved implementations are used as normal,
      when not in FIPS mode the internal unapproved versions are used instead.
index b20d632..ed877af 100644 (file)
@@ -880,9 +880,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
                                case 20:
                                        str_details1 = ", Finished";
                                        break;
-                               case 23:
-                                       str_details1 = ", SupplementalData";
-                                       break;
                                        }
                                }
                        }
index 7ab5c48..5f52999 100644 (file)
@@ -214,8 +214,6 @@ static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL *s, void *arg);
-static int c_auth = 0;
-static int c_auth_require_reneg = 0;
 #endif
 static BIO *bio_c_out=NULL;
 static BIO *bio_c_msg=NULL;
@@ -223,37 +221,6 @@ static int c_quiet=0;
 static int c_ign_eof=0;
 static int c_brief=0;
 
-#ifndef OPENSSL_NO_TLSEXT
-
-static unsigned char *generated_supp_data = NULL;
-
-static const unsigned char *most_recent_supplemental_data = NULL;
-static size_t most_recent_supplemental_data_length = 0;
-
-static int server_provided_server_authz = 0;
-static int server_provided_client_authz = 0;
-
-static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg);
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg);
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg);
-
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg);
-#endif
-
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
 static char *psk_identity="Client_identity";
@@ -397,8 +364,6 @@ static void sc_usage(void)
        BIO_printf(bio_err," -status           - request certificate status from server\n");
        BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
        BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
-       BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
-       BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
 #endif
 # ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
@@ -852,10 +817,6 @@ static char *jpake_secret = NULL;
                        c_tlsextdebug=1;
                else if (strcmp(*argv,"-status") == 0)
                        c_status_req=1;
-               else if (strcmp(*argv,"-auth") == 0)
-                       c_auth = 1;
-               else if (strcmp(*argv,"-auth_require_reneg") == 0)
-                       c_auth_require_reneg = 1;
 #endif
 #ifdef WATT32
                else if (strcmp(*argv,"-wdebug") == 0)
@@ -1429,12 +1390,6 @@ bad:
                }
 
 #endif
-       if (c_auth)
-               {
-               SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
-               SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
-               SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
-               }
 #endif
 
        con=SSL_new(ctx);
@@ -1775,12 +1730,6 @@ SSL_set_tlsext_status_ids(con, ids);
                                                "CONNECTION ESTABLISHED\n");
                                        print_ssl_summary(bio_err, con);
                                        }
-                               /*handshake is complete - free the generated supp data allocated in the callback */
-                               if (generated_supp_data)
-                                       {
-                                       OPENSSL_free(generated_supp_data);
-                                       generated_supp_data = NULL;
-                                       }
 
                                print_stuff(bio_c_out,con,full_log);
                                if (full_log > 0) full_log--;
@@ -2431,74 +2380,4 @@ static int ocsp_resp_cb(SSL *s, void *arg)
        return 1;
        }
 
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg)
-       {
-       if (TLSEXT_TYPE_server_authz == ext_type)
-               server_provided_server_authz
-                 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
-
-       if (TLSEXT_TYPE_client_authz == ext_type)
-               server_provided_client_authz
-                 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
-
-       return 1;
-       }
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg)
-       {
-       if (c_auth)
-               {
-               /*if auth_require_reneg flag is set, only send extensions if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       *out = auth_ext_data;
-                       *outlen = 1;
-                       return 1;
-                       }
-               }
-       /* no auth extension to send */
-       return -1;
-       }
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg)
-       {
-       if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
-               {
-               most_recent_supplemental_data = in;
-               most_recent_supplemental_data_length = inlen;
-               }
-       return 1;
-       }
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       if (c_auth && server_provided_client_authz && server_provided_server_authz)
-               {
-               /*if auth_require_reneg flag is set, only send supplemental data if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg
-                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       generated_supp_data = OPENSSL_malloc(10);
-                       memcpy(generated_supp_data, "5432154321", 10);
-                       *out = generated_supp_data;
-                       *outlen = 10;
-                       return 1;
-                       }
-               }
-       /* no supplemental data to send */
-       return -1;
-       }
-
 #endif
index c9c4338..456b34d 100644 (file)
@@ -224,20 +224,6 @@ static DH *get_dh512(void);
 static void s_server_init(void);
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-
-static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
-
-static unsigned char *generated_supp_data = NULL;
-
-static const unsigned char *most_recent_supplemental_data = NULL;
-static size_t most_recent_supplemental_data_length = 0;
-
-static int client_provided_server_authz = 0;
-static int client_provided_client_authz = 0;
-
-#endif
-
 #ifndef OPENSSL_NO_DH
 static unsigned char dh512_p[]={
        0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
@@ -329,29 +315,9 @@ static int cert_chain = 0;
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg);
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg);
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg);
-
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg);
-
 static BIO *serverinfo_in = NULL;
 static const char *s_serverinfo_file = NULL;
 
-static int c_auth = 0;
-static int c_auth_require_reneg = 0;
 #endif
 
 #ifndef OPENSSL_NO_PSK
@@ -1172,15 +1138,7 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_serverinfo_file = *(++argv);
                        }
-               else if (strcmp(*argv,"-auth") == 0)
-                       {
-                       c_auth = 1;
-                       }
 #endif
-               else if (strcmp(*argv,"-auth_require_reneg") == 0)
-                       {
-                       c_auth_require_reneg = 1;
-                       }
                else if (strcmp(*argv,"-certform") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1965,12 +1923,6 @@ bad:
                ERR_print_errors(bio_err);
                goto end;
                }
-       if (c_auth)
-               {
-               SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
-               SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
-               SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err);
-               }
 #endif
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain))
@@ -2671,12 +2623,6 @@ static int init_ssl_connection(SSL *con)
                        i=SSL_accept(con);
                }
 #endif
-       /*handshake is complete - free the generated supp data allocated in the callback */
-       if (generated_supp_data)
-               {
-               OPENSSL_free(generated_supp_data);
-               generated_supp_data = NULL;
-               }
 
        if (i <= 0)
                {
@@ -3542,76 +3488,3 @@ static void free_sessions(void)
        first = NULL;
        }
 
-#ifndef OPENSSL_NO_TLSEXT
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg)
-       {
-       if (TLSEXT_TYPE_server_authz == ext_type)
-               client_provided_server_authz
-                 = memchr(in,  TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
-       if (TLSEXT_TYPE_client_authz == ext_type)
-               client_provided_client_authz
-                 = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
-       return 1;
-       }
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg)
-       {
-       if (c_auth && client_provided_client_authz && client_provided_server_authz)
-               {
-               /*if auth_require_reneg flag is set, only send extensions if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg
-                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       *out = auth_ext_data;
-                       *outlen = 1;
-                       return 1;
-                       }
-               }
-       /* no auth extension to send */
-       return -1;
-       }
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg)
-       {
-       if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
-               {
-               most_recent_supplemental_data = in;
-               most_recent_supplemental_data_length = inlen;
-               }
-       return 1;
-       }
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       if (c_auth && client_provided_client_authz && client_provided_server_authz)
-               {
-               /*if auth_require_reneg flag is set, only send supplemental data if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg
-                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       generated_supp_data = OPENSSL_malloc(10);
-                       memcpy(generated_supp_data, "1234512345", 10);
-                       *out = generated_supp_data;
-                       *outlen = 10;
-                       return 1;
-                       }
-               }
-       /* no supplemental data to send */
-       return -1;
-       }
-#endif
-
index ab67805..52881f8 100644 (file)
@@ -48,8 +48,6 @@ B<openssl> B<s_client>
 [B<-sess_in filename>]
 [B<-rand file(s)>]
 [B<-serverinfo types>]
-[B<-auth>]
-[B<-auth_require_reneg>]
 
 =head1 DESCRIPTION
 
@@ -269,15 +267,6 @@ a list of comma-separated TLS Extension Types (numbers between 0 and
 The server's response (if any) will be encoded and displayed as a PEM
 file.
 
-=item B<-auth>
-
-send RFC 5878 client and server authorization extensions in the Client Hello as well as
-supplemental data if the server also sent the authorization extensions in the Server Hello.
-
-=item B<-auth_require_reneg>
-
-only send RFC 5878 client and server authorization extensions during renegotiation.
-
 =back
 
 =head1 CONNECTED COMMANDS
index 2532502..4ec4e0c 100644 (file)
@@ -56,8 +56,6 @@ B<openssl> B<s_server>
 [B<-id_prefix arg>]
 [B<-rand file(s)>]
 [B<-serverinfo file>]
-[B<-auth>]
-[B<-auth_require_reneg>]
 [B<-no_resumption_on_reneg>]
 =head1 DESCRIPTION
 
@@ -292,19 +290,9 @@ followed by "length" bytes of extension data).  If the client sends
 an empty TLS ClientHello extension matching the type, the corresponding
 ServerHello extension will be returned.
 
-=item B<-auth>
-
-send RFC 5878 client and server authorization extensions in the Client Hello as well as
-supplemental data if the server also sent the authorization extensions in the Server Hello.
-
-=item B<-auth_require_reneg>
-
-only send RFC 5878 client and server authorization extensions during renegotiation.
-
 =item B<-no_resumption_on_reneg>
 
-set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.  Required in order to receive supplemental data
-during renegotiation if auth and auth_require_reneg are set.
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.
 
 =back
 
index e95e8d0..3953c56 100644 (file)
@@ -365,8 +365,6 @@ static int ssl23_client_hello(SSL *s)
 #endif
                if (s->ctx->custom_cli_ext_records_count != 0)
                        ssl2_compat = 0;
-               if (s->ctx->cli_supp_data_records_count != 0)
-                       ssl2_compat = 0;
                }
 #endif
 
index 29f24f1..4e3cc2e 100644 (file)
@@ -311,26 +311,11 @@ int ssl3_connect(SSL *s)
                                }
                        s->init_num=0;
                        break;
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_CR_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_CR_SUPPLEMENTAL_DATA_B:
-                       ret = tls1_get_server_supplemental_data(s);
-                       if (ret <= 0) goto end;
-                       s->state=SSL3_ST_CR_CERT_A;
-                       s->init_num = 0;
-                       break;
-#endif
                case SSL3_ST_CR_CERT_A:
                case SSL3_ST_CR_CERT_B:
 #ifndef OPENSSL_NO_TLSEXT
                        ret=ssl3_check_finished(s);
                        if (ret <= 0) goto end;
-                       if (ret == 3)
-                               {
-                               s->state=SSL3_ST_CR_SUPPLEMENTAL_DATA_A;
-                               s->init_num=0;
-                               break;
-                               }
                        if (ret == 2)
                                {
                                s->hit = 1;
@@ -409,14 +394,10 @@ int ssl3_connect(SSL *s)
                                        }
                                }
 #endif
-#ifndef OPENSSL_NO_TLSEXT
-                       s->state=SSL3_ST_CW_SUPPLEMENTAL_DATA_A;
-#else
                        if (s->s3->tmp.cert_req)
                                s->state=SSL3_ST_CW_CERT_A;
                        else
                                s->state=SSL3_ST_CW_KEY_EXCH_A;
-#endif
                        s->init_num=0;
 
                        break;
@@ -523,19 +504,6 @@ int ssl3_connect(SSL *s)
                        break;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_CW_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_CW_SUPPLEMENTAL_DATA_B:
-                       ret = tls1_send_client_supplemental_data(s, &skip);
-                       if (ret <= 0) goto end;
-                       if (s->s3->tmp.cert_req)
-                               s->state=SSL3_ST_CW_CERT_A;
-                       else
-                               s->state=SSL3_ST_CW_KEY_EXCH_A;
-                       s->init_num=0;
-                       break;
-#endif
-
                case SSL3_ST_CW_FINISHED_A:
                case SSL3_ST_CW_FINISHED_B:
                        ret=ssl3_send_finished(s,
@@ -3583,10 +3551,11 @@ int ssl3_check_finished(SSL *s)
        int ok;
        long n;
 
-       /* Read the message to see if it is supplemental data,
-        * regardless if there is a session ticket this function is
-        * called when we really expect a Certificate message, so
-        * permit appropriate message length */
+       /* If we have no ticket it cannot be a resumed session. */
+       if (!s->session->tlsext_tick)
+               return 1;
+       /* this function is called when we really expect a Certificate
+        * message, so permit appropriate message length */
        n=s->method->ssl_get_message(s,
                SSL3_ST_CR_CERT_A,
                SSL3_ST_CR_CERT_B,
@@ -3596,11 +3565,6 @@ int ssl3_check_finished(SSL *s)
        if (!ok) return((int)n);
        s->s3->tmp.reuse_message = 1;
 
-       if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA)
-               return 3;
-       /* If we have no ticket it cannot be a resumed session. */
-       if (!s->session->tlsext_tick)
-               return 1;
        if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
                || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
                return 2;
@@ -3627,154 +3591,3 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
        return i;
        }
 
-#ifndef OPENSSL_NO_TLSEXT
-int tls1_send_client_supplemental_data(SSL *s, int *skip)
-       {
-       int al = 0;
-       if (s->ctx->cli_supp_data_records_count)
-               {
-               unsigned char *p = NULL;
-               unsigned char *size_loc = NULL;
-               cli_supp_data_record *record = NULL;
-               size_t length = 0;
-               size_t i = 0;
-
-               for (i = 0; i < s->ctx->cli_supp_data_records_count; i++)
-                       {
-                       const unsigned char *out = NULL;
-                       unsigned short outlen = 0;
-                       int cb_retval = 0;
-                       record = &s->ctx->cli_supp_data_records[i];
-
-                       /* NULL callback or -1 omits supp data entry*/
-                       if (!record->fn2)
-                               continue;
-                       cb_retval = record->fn2(s, record->supp_data_type,
-                                               &out, &outlen, &al,
-                                               record->arg);
-                       if (cb_retval == -1)
-                               continue; /* skip this supp data entry */
-                       if (cb_retval == 0)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               goto f_err;
-                               }
-                       if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       /* if first entry, write handshake message type */
-                       if (length == 0)
-                               {
-                               if (!BUF_MEM_grow_clean(s->init_buf, 4))
-                                       {
-                                       SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                                       return 0;
-                                       }
-                               p = (unsigned char *)s->init_buf->data;
-                               *(p++) = SSL3_MT_SUPPLEMENTAL_DATA;
-                               /* update message length when all
-                                * callbacks complete */
-                               size_loc = p;
-                               /* skip over handshake length field (3
-                                * bytes) and supp_data length field
-                                * (3 bytes) */
-                               p += 3 + 3;
-                               length += 1 +3 +3;
-                               }
-                       if (!BUF_MEM_grow(s->init_buf, outlen + 4))
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       s2n(record->supp_data_type, p);
-                       s2n(outlen, p);
-                       memcpy(p, out, outlen);
-                       length += (outlen + 4);
-                       p += outlen;
-                       }
-               if (length > 0)
-                       {
-                       /* write handshake length */
-                       l2n3(length - 4, size_loc);
-                       /* supp_data length */
-                       l2n3(length - 7, size_loc);
-                       s->state = SSL3_ST_CW_SUPPLEMENTAL_DATA_B;
-                       s->init_num = length;
-                       s->init_off = 0;
-                       return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
-                       }
-               }
-
-       /* no supp data message sent */
-       *skip = 1;
-       s->init_num = 0;
-       s->init_off = 0;
-       return 1;
-
-       f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return 0;
-       }
-
-int tls1_get_server_supplemental_data(SSL *s)
-       {
-       int al = 0;
-       int ok;
-       long n;
-       const unsigned char *p, *d;
-       unsigned short supp_data_entry_type = 0;
-       unsigned short supp_data_entry_len = 0;
-       unsigned long supp_data_len = 0;
-       size_t i;
-       int cb_retval = 0;
-
-       n=s->method->ssl_get_message(s,
-                                    SSL3_ST_CR_SUPPLEMENTAL_DATA_A,
-                                    SSL3_ST_CR_SUPPLEMENTAL_DATA_B,
-                                    SSL3_MT_SUPPLEMENTAL_DATA,
-                                    /* use default limit */
-                                    TLSEXT_MAXLEN_supplemental_data,
-                                    &ok);
-
-       if (!ok) return((int)n);
-
-       p = (unsigned char *)s->init_msg;
-       d = p;
-       /* The message cannot be empty */
-       if (n < 3)
-               {
-               al = SSL_AD_DECODE_ERROR;
-               SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH);
-               goto f_err;
-               }
-       n2l3(p, supp_data_len);
-       while (p < d+supp_data_len)
-               {
-               n2s(p, supp_data_entry_type);
-               n2s(p, supp_data_entry_len);
-               /* if there is a callback for this supp data type, send it */
-               for (i=0; i < s->ctx->cli_supp_data_records_count; i++)
-                       {
-                       if (s->ctx->cli_supp_data_records[i].supp_data_type == supp_data_entry_type &&
-                           s->ctx->cli_supp_data_records[i].fn1)
-                               {
-                               cb_retval = s->ctx->cli_supp_data_records[i].fn1(s, supp_data_entry_type, p,
-                                                                                supp_data_entry_len, &al,
-                                                                                s->ctx->cli_supp_data_records[i].arg);
-                               if (cb_retval == 0)
-                                       {
-                                       SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB);
-                                       goto f_err;
-                                       }
-                               }
-                       }
-               p += supp_data_entry_len;
-               }
-       return 1;
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return -1;
-       }
-#endif
index f0f9226..24e695c 100644 (file)
@@ -402,24 +402,9 @@ int ssl3_accept(SSL *s)
                                        s->state=SSL3_ST_SW_CHANGE_A;
 #endif
                        else
-#ifndef OPENSSL_NO_TLSEXT
-                               s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_A;
-#else
-                       s->state = SSL3_ST_SW_CERT_A;
-#endif
-                       s->init_num = 0;
-                       break;
-
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_SW_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_SW_SUPPLEMENTAL_DATA_B:
-                       ret = tls1_send_server_supplemental_data(s, &skip);
-                       if (ret <= 0) goto end;
-
-                       s->state = SSL3_ST_SW_CERT_A;
+                                       s->state = SSL3_ST_SW_CERT_A;
                        s->init_num = 0;
                        break;
-#endif
 
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
@@ -589,16 +574,7 @@ int ssl3_accept(SSL *s)
 
                        s->state=s->s3->tmp.next_state;
                        break;
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_SR_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_SR_SUPPLEMENTAL_DATA_B:
-                       ret=tls1_get_client_supplemental_data(s);
-                       if (ret <= 0) goto end;
-                       s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
-                       s->state=SSL3_ST_SW_FLUSH;
-                       s->init_num=0;
-                       break;
-#endif
+
                case SSL3_ST_SR_CERT_A:
                case SSL3_ST_SR_CERT_B:
                        /* Check for second client hello (MS SGC) */
@@ -607,10 +583,6 @@ int ssl3_accept(SSL *s)
                                goto end;
                        if (ret == 2)
                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
-#ifndef OPENSSL_NO_TLSEXT
-                       else if (ret == 3)
-                               s->state = SSL3_ST_SR_SUPPLEMENTAL_DATA_A;
-#endif
                        else {
                                if (s->s3->tmp.cert_request)
                                        {
@@ -906,10 +878,6 @@ int ssl3_check_client_hello(SSL *s)
                &ok);
        if (!ok) return((int)n);
        s->s3->tmp.reuse_message = 1;
-#ifndef OPENSSL_NO_TLSEXT
-       if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA)
-               return 3;
-#endif
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
                /* We only allow the client to restart the handshake once per
@@ -3653,156 +3621,4 @@ int ssl3_get_next_proto(SSL *s)
        }
 # endif
 
-int tls1_send_server_supplemental_data(SSL *s, int *skip)
-       {
-       int al = 0;
-       if (s->ctx->srv_supp_data_records_count)
-               {
-               unsigned char *p = NULL;
-               unsigned char *size_loc = NULL;
-               srv_supp_data_record *record = NULL;
-               size_t length = 0;
-               size_t i = 0;
-
-               for (i = 0; i < s->ctx->srv_supp_data_records_count; i++)
-                       {
-                       const unsigned char *out = NULL;
-                       unsigned short outlen = 0;
-                       int cb_retval = 0;
-                       record = &s->ctx->srv_supp_data_records[i];
-
-                       /* NULL callback or -1 omits supp data entry */
-                       if (!record->fn1)
-                               continue;
-                       cb_retval = record->fn1(s, record->supp_data_type,
-                                               &out, &outlen, &al, record->arg);
-                       if (cb_retval == -1)
-                               continue; /* skip this supp data entry */
-                       if (cb_retval == 0)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               goto f_err;
-                               }
-                       if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       /* write supp data entry...
-                        * if first entry, write handshake message type
-                        * jump back to write length at end */
-                       if (length == 0)
-                               {
-                               /* 1 byte message type + 3 bytes for
-                                * message length */
-                               if (!BUF_MEM_grow_clean(s->init_buf, 4))
-                                       {
-                                       SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                                       return 0;
-                                       }
-                               p = (unsigned char *)s->init_buf->data;
-                               *(p++) = SSL3_MT_SUPPLEMENTAL_DATA;
-                               /* hold on to length field to update later */
-                               size_loc = p;
-                               /* skip over handshake length field (3
-                                * bytes) and supp_data length field
-                                * (3 bytes) */
-                               p += 3 + 3;
-                               length += 1 +3 +3;
-                               }
-                       /* 2 byte supp data type + 2 byte length + outlen */
-                       if (!BUF_MEM_grow(s->init_buf, outlen + 4))
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       s2n(record->supp_data_type, p);
-                       s2n(outlen, p);
-                       memcpy(p, out, outlen);
-                       /* update length to supp data type (2 bytes) +
-                        * supp data length (2 bytes) + supp data */
-                       length += (outlen + 4);
-                       p += outlen;
-                       }
-               if (length > 0)
-                       {
-                       /* write handshake length */
-                       l2n3(length - 4, size_loc);
-                       /* supp_data length */
-                       l2n3(length - 7, size_loc);
-                       s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_B;
-                       s->init_num = length;
-                       s->init_off = 0;
-
-                       return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
-                       }
-               }
-
-       /* no supp data message sent */
-       *skip = 1;
-       s->init_num = 0;
-       s->init_off = 0;
-       return 1;
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return 0;
-       }
-
-int tls1_get_client_supplemental_data(SSL *s)
-       {
-       int al = 0;
-       int cb_retval = 0;
-       int ok;
-       long n;
-       const unsigned char *p, *d;
-       unsigned short supp_data_entry_type = 0;
-       unsigned short supp_data_entry_len = 0;
-       unsigned long supp_data_len = 0;
-       size_t i = 0;
-
-       n=s->method->ssl_get_message(s,
-                                    SSL3_ST_SR_SUPPLEMENTAL_DATA_A,
-                                    SSL3_ST_SR_SUPPLEMENTAL_DATA_B,
-                                    SSL3_MT_SUPPLEMENTAL_DATA,
-                                    /* use default limit */
-                                    TLSEXT_MAXLEN_supplemental_data,
-                                    &ok);
-
-       if (!ok) return((int)n);
-
-       p = (unsigned char *)s->init_msg;
-       d = p;
-
-       /* The message cannot be empty */
-       if (n < 3)
-               {
-               al = SSL_AD_DECODE_ERROR;
-               SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH);
-               goto f_err;
-               }
-       n2l3(p, supp_data_len);
-       while (p<d+supp_data_len)
-               {
-               n2s(p, supp_data_entry_type);
-               n2s(p, supp_data_entry_len);
-               /* if there is a callback for this supp data type, send it */
-               for (i=0; i < s->ctx->srv_supp_data_records_count; i++)
-                       {
-                       if (s->ctx->srv_supp_data_records[i].supp_data_type == supp_data_entry_type && s->ctx->srv_supp_data_records[i].fn2)
-                               {
-                               cb_retval = s->ctx->srv_supp_data_records[i].fn2(s, supp_data_entry_type, p, supp_data_entry_len, &al, s->ctx->srv_supp_data_records[i].arg);
-                               if (cb_retval == 0)
-                                       {
-                                       SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB);
-                                       goto f_err;
-                                       }
-                               }
-                       }
-               p+=supp_data_entry_len;
-               }
-       return 1;
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return -1;
-       }
 #endif
index 352d652..44f14fd 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -435,57 +435,6 @@ typedef struct {
        void *arg;
 } custom_srv_ext_record;
 
-/* Callbacks and structures for handling Supplemental Data:
- *   srv_supp_data_first_cb_fn  - server sends Supplemental Data
- *   srv_supp_data_second_cb_fn - server receives Supplemental Data
- *   cli_supp_data_first_cb_fn  - client receives Supplemental Data
- *   cli_supp_data_second_cb_fn - client sends Supplemental Data
- *
- *   All these functions return nonzero on success.  Zero will terminate
- *   the handshake (and return a specific TLS Fatal alert, if the function
- *   declaration has an "al" parameter).  -1 for the "sending" functions
- *   will result in no supplemental data entry being added to the
- *   supplemental data message for the provided supplemental data type.
- *
- *   "supp_data_type" is a Supplemental Data Type from 0-65535.
- *   "in" is a pointer to TLS "supplemental_data_entry" being provided to the cb.
- *   "out" is used by the callback to return a pointer to "supplemental data"
- *     which OpenSSL will later copy into the TLS handshake.  The contents
- *     of this buffer should not be changed until the handshake is complete.
- *   "inlen" and "outlen" are Supplemental Data lengths from 0-65535.
- *   "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a
- *     fatal TLS alert, if the callback returns zero.
- */
-typedef int (*srv_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                        const unsigned char **out,
-                                        unsigned short *outlen, int *al, void *arg);
-typedef int (*srv_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                         const unsigned char *in,
-                                         unsigned short inlen, int *al,
-                                         void *arg);
-
-typedef int (*cli_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                        const unsigned char *in,
-                                        unsigned short inlen, int *al,
-                                        void *arg);
-typedef int (*cli_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                         const unsigned char **out,
-                                         unsigned short *outlen, int *al, void *arg);
-
-typedef struct {
-       unsigned short supp_data_type;
-       srv_supp_data_first_cb_fn fn1;
-       srv_supp_data_second_cb_fn fn2;
-       void *arg;
-} srv_supp_data_record;
-
-typedef struct {
-       unsigned short supp_data_type;
-       cli_supp_data_first_cb_fn fn1;
-       cli_supp_data_second_cb_fn fn2;
-       void *arg;
-} cli_supp_data_record;
-
 #endif
 
 #ifndef OPENSSL_NO_SSL_INTERN
@@ -1210,12 +1159,6 @@ struct ssl_ctx_st
        size_t custom_cli_ext_records_count;
        custom_srv_ext_record *custom_srv_ext_records;
        size_t custom_srv_ext_records_count;
-
-       /* Arrays containing the callbacks for Supplemental Data. */
-       cli_supp_data_record *cli_supp_data_records;
-       size_t cli_supp_data_records_count;
-       srv_supp_data_record *srv_supp_data_records;
-       size_t srv_supp_data_records_count;
        };
 
 #endif
@@ -1363,30 +1306,6 @@ int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
                               custom_srv_ext_first_cb_fn fn1, 
                               custom_srv_ext_second_cb_fn fn2, void *arg);
 
-/* Register callbacks to handle Supplemental Data as client or server.
- *
- * For SSL_CTX_set_srv_supp_data, a NULL srv_supp_data_first_cb_fn results in no supplemental data
- * being sent by the server for that TLS extension.
- * A NULL srv_supp_data_second_cb_fn results in no supplemental data
- * being received by the server for that TLS extension.
- *
- * For SSL_CTX_set_cli_supp_data, a NULL cli_supp_data_first_cb_fn results in no supplemental data
- * being received by the client for that TLS extension.
- * A NULL cli_supp_data_second_cb_fn results in no supplemental data
- * being sent by the client for that TLS extension.
- *
- * Returns nonzero on success.  You cannot register twice for the same supp_data_type.
- */
-int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             srv_supp_data_first_cb_fn fn1,
-                             srv_supp_data_second_cb_fn fn2, void *arg);
-
-int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             cli_supp_data_first_cb_fn fn1,
-                             cli_supp_data_second_cb_fn fn2, void *arg);
-
 #endif
 
 #define SSL_NOTHING    1
@@ -2784,14 +2703,10 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT             274
 #define SSL_F_TLS1_ENC                                  210
 #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL               314
-#define SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA                 338
-#define SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA                 326
 #define SSL_F_TLS1_HEARTBEAT                            315
 #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT           275
 #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT           276
 #define SSL_F_TLS1_PRF                                  284
-#define SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA        339
-#define SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA        327
 #define SSL_F_TLS1_SETUP_KEY_BLOCK                      211
 #define SSL_F_WRITE_PENDING                             212
 
@@ -3090,7 +3005,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                         253
 #define SSL_R_UNKNOWN_SSL_VERSION                       254
 #define SSL_R_UNKNOWN_STATE                             255
-#define SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE            373
 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED      338
 #define SSL_R_UNSUPPORTED_CIPHER                        256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM                 257
index bc0986d..504ad49 100644 (file)
@@ -613,10 +613,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CR_CERT_REQ_B          (0x151|SSL_ST_CONNECT)
 #define SSL3_ST_CR_SRVR_DONE_A         (0x160|SSL_ST_CONNECT)
 #define SSL3_ST_CR_SRVR_DONE_B         (0x161|SSL_ST_CONNECT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_CR_SUPPLEMENTAL_DATA_A (0x212|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SUPPLEMENTAL_DATA_B  (0x213|SSL_ST_CONNECT)
-#endif
 /* write to server */
 #define SSL3_ST_CW_CERT_A              (0x170|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CERT_B              (0x171|SSL_ST_CONNECT)
@@ -632,10 +628,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_NEXT_PROTO_A                (0x200|SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_B                (0x201|SSL_ST_CONNECT)
 #endif
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_CW_SUPPLEMENTAL_DATA_A         (0x222|SSL_ST_CONNECT)
-#define SSL3_ST_CW_SUPPLEMENTAL_DATA_B         (0x223|SSL_ST_CONNECT)
-#endif
 #define SSL3_ST_CW_FINISHED_A          (0x1B0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_B          (0x1B1|SSL_ST_CONNECT)
 /* read from server */
@@ -661,10 +653,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CLNT_HELLO_B                (0x111|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_C                (0x112|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_D                (0x115|SSL_ST_ACCEPT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_SR_SUPPLEMENTAL_DATA_A         (0x212|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_SUPPLEMENTAL_DATA_B         (0x213|SSL_ST_ACCEPT)
-#endif
 /* write to client */
 #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
 #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
@@ -705,10 +693,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SW_SESSION_TICKET_B    (0x1F1|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_STATUS_A       (0x200|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_STATUS_B       (0x201|SSL_ST_ACCEPT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_SW_SUPPLEMENTAL_DATA_A (0x222|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SUPPLEMENTAL_DATA_B (0x223|SSL_ST_ACCEPT)
-#endif
 
 #define SSL3_MT_HELLO_REQUEST                  0
 #define SSL3_MT_CLIENT_HELLO                   1
@@ -722,9 +706,6 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE            16
 #define SSL3_MT_FINISHED                       20
 #define SSL3_MT_CERTIFICATE_STATUS             22
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_MT_SUPPLEMENTAL_DATA              23
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_MT_NEXT_PROTO                     67
 #endif
index 526caa8..fb90aa8 100644 (file)
@@ -293,14 +293,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT),        "TLS1_CHECK_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_ENC),     "tls1_enc"},
 {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL),  "tls1_export_keying_material"},
-{ERR_FUNC(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA),    "tls1_get_client_supplemental_data"},
-{ERR_FUNC(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA),    "tls1_get_server_supplemental_data"},
 {ERR_FUNC(SSL_F_TLS1_HEARTBEAT),       "tls1_heartbeat"},
 {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT),      "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT),      "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PRF),     "tls1_prf"},
-{ERR_FUNC(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA),   "tls1_send_client_supplemental_data"},
-{ERR_FUNC(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA),   "tls1_send_server_supplemental_data"},
 {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"},
 {ERR_FUNC(SSL_F_WRITE_PENDING),        "WRITE_PENDING"},
 {0,NULL}
@@ -602,7 +598,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
 {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
-{ERR_REASON(SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE),"unknown supplemental data type"},
 {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
index 3c2c471..f3a0edc 100644 (file)
@@ -1854,65 +1854,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
                *len = ssl->s3->alpn_selected_len;
        }
 
-int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             cli_supp_data_first_cb_fn fn1,
-                             cli_supp_data_second_cb_fn fn2, void* arg)
-       {
-       size_t i;
-       cli_supp_data_record* record;
-
-       /* Check for duplicates */
-       for (i=0; i < ctx->cli_supp_data_records_count; i++)
-               if (supp_data_type == ctx->cli_supp_data_records[i].supp_data_type)
-                       return 0;
-
-       ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records,
-         (ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record));
-       if (!ctx->cli_supp_data_records)
-               {
-               ctx->cli_supp_data_records_count = 0;
-               return 0;
-               }
-       ctx->cli_supp_data_records_count++;
-       record = &ctx->cli_supp_data_records[ctx->cli_supp_data_records_count - 1];
-       record->supp_data_type = supp_data_type;
-       record->fn1 = fn1;
-       record->fn2 = fn2;
-       record->arg = arg;
-       return 1;
-       }
-
-int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             srv_supp_data_first_cb_fn fn1,
-                             srv_supp_data_second_cb_fn fn2, void* arg)
-       {
-       size_t i;
-       srv_supp_data_record* record;
-
-       /* Check for duplicates */
-       for (i=0; i < ctx->srv_supp_data_records_count; i++)
-               if (supp_data_type == ctx->srv_supp_data_records[i].supp_data_type)
-                       return 0;
-
-       ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records,
-         (ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record));
-       if (!ctx->srv_supp_data_records)
-               {
-               ctx->srv_supp_data_records_count = 0;
-               return 0;
-               }
-       ctx->srv_supp_data_records_count++;
-       record = &ctx->srv_supp_data_records[ctx->srv_supp_data_records_count - 1];
-       record->supp_data_type = supp_data_type;
-       record->fn1 = fn1;
-       record->fn2 = fn2;
-       record->arg = arg;
-
-       return 1;
-       }
-
 #endif /* !OPENSSL_NO_TLSEXT */
 
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -2116,10 +2057,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        ret->custom_cli_ext_records_count = 0;
        ret->custom_srv_ext_records = NULL;
        ret->custom_srv_ext_records_count = 0;
-       ret->cli_supp_data_records = NULL;
-       ret->cli_supp_data_records_count = 0;
-       ret->srv_supp_data_records = NULL;
-       ret->srv_supp_data_records_count = 0;
 #ifndef OPENSSL_NO_BUF_FREELISTS
        ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
        ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -2261,8 +2198,6 @@ void SSL_CTX_free(SSL_CTX *a)
 #ifndef OPENSSL_NO_TLSEXT
        OPENSSL_free(a->custom_cli_ext_records);
        OPENSSL_free(a->custom_srv_ext_records);
-       OPENSSL_free(a->cli_supp_data_records);
-       OPENSSL_free(a->srv_supp_data_records);
 #endif
 #ifndef OPENSSL_NO_ENGINE
        if (a->client_cert_engine)
index d8248e3..af455df 100644 (file)
@@ -1272,13 +1272,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
 
-/* server only */
-int tls1_send_server_supplemental_data(SSL *s, int *skip);
-int tls1_get_client_supplemental_data(SSL *s);
-/* client only */
-int tls1_send_client_supplemental_data(SSL *s, int *skip);
-int tls1_get_server_supplemental_data(SSL *s);
-
 #ifndef OPENSSL_NO_HEARTBEATS
 int tls1_heartbeat(SSL *s);
 int dtls1_heartbeat(SSL *s);
index b09cc7d..c5a15ce 100644 (file)
@@ -210,14 +210,6 @@ case SSL3_ST_SR_KEY_EXCH_A:        str="SSLv3 read client key exchange A"; break;
 case SSL3_ST_SR_KEY_EXCH_B:    str="SSLv3 read client key exchange B"; break;
 case SSL3_ST_SR_CERT_VRFY_A:   str="SSLv3 read certificate verify A"; break;
 case SSL3_ST_SR_CERT_VRFY_B:   str="SSLv3 read certificate verify B"; break;
-case SSL3_ST_CW_SUPPLEMENTAL_DATA_A: str="SSLv3 client write supplemental data A"; break;
-case SSL3_ST_CW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break;
-case SSL3_ST_SW_SUPPLEMENTAL_DATA_A: str="SSLv3 server write supplemental data A"; break;
-case SSL3_ST_SW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break;
-case SSL3_ST_CR_SUPPLEMENTAL_DATA_A: str="SSLv3 client read supplemental data A"; break;
-case SSL3_ST_CR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break;
-case SSL3_ST_SR_SUPPLEMENTAL_DATA_A: str="SSLv3 server read supplemental data A"; break;
-case SSL3_ST_SR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break;
 #endif
 
 /* SSLv2/v3 compatibility states */
index de4884d..a1e6626 100644 (file)
@@ -446,16 +446,6 @@ int custom_ext = 0;
 /* This set based on extension callbacks */
 int custom_ext_error = 0;
 
-/* Not IETF assigned supplemental data types */
-#define CUSTOM_SUPP_DATA_TYPE_0 100
-#define CUSTOM_SUPP_DATA_TYPE_1 101
-#define CUSTOM_SUPP_DATA_TYPE_2 102
-
-const char supp_data_0_string[] = "00000";
-
-int suppdata = 0;
-int suppdata_error = 0;
-
 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
                             const unsigned char* in, unsigned short inlen, 
                             int* al, void* arg)
@@ -658,110 +648,6 @@ static int custom_ext_3_srv_second_cb(SSL *s, unsigned short ext_type,
        return 1; /* Send "defg" */
        }
 
-static int supp_data_0_srv_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char **out,
-                                   unsigned short *outlen, int *al, void *arg)
-       {
-       *out = (const unsigned char*)supp_data_0_string;
-       *outlen = strlen(supp_data_0_string);
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_0_srv_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char *in,
-                                    unsigned short inlen, int *al,
-                                    void *arg)
-       {
-       if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
-               suppdata_error = 1;
-       if (inlen != strlen(supp_data_0_string))
-               suppdata_error = 1;
-       if (memcmp(in, supp_data_0_string, inlen) != 0)
-               suppdata_error = 1;
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_1_srv_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char **out,
-                                   unsigned short *outlen, int *al, void *arg)
-       {
-       return -1;
-       }
-
-static int supp_data_1_srv_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char *in,
-                                    unsigned short inlen, int *al,
-                                    void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_2_srv_second_cb(SSL *s, unsigned short supp_data_type,
-                               const unsigned char *in,
-                               unsigned short inlen, int *al,
-                               void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_0_cli_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char *in,
-                                   unsigned short inlen, int *al,
-                                   void *arg)
-       {
-       if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
-               suppdata_error = 1;
-       if (inlen != strlen(supp_data_0_string))
-               suppdata_error = 1;
-       if (memcmp(in, supp_data_0_string, inlen) != 0)
-               suppdata_error = 1;
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_0_cli_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       *out = (const unsigned char*)supp_data_0_string;
-       *outlen = strlen(supp_data_0_string);
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_1_cli_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char *in,
-                                   unsigned short inlen, int *al,
-                                   void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_1_cli_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       return -1;
-       }
-
-static int supp_data_2_cli_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char *in,
-                                   unsigned short inlen, int *al,
-                                   void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
 static char *cipher=NULL;
 static int verbose=0;
 static int debug=0;
@@ -843,7 +729,6 @@ static void sv_usage(void)
        fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
        fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
        fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
-       fprintf(stderr, "-suppdata - exercise supplemental data callbacks\n");
        }
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -1274,10 +1159,6 @@ int main(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        alpn_expected = *(++argv);
                        }
-               else if (strcmp(*argv,"-suppdata") == 0)
-                       {
-                       suppdata = 1;
-                       }
                else
                        {
                        fprintf(stderr,"unknown option %s\n",*argv);
@@ -1647,40 +1528,6 @@ bad:
        c_ssl=SSL_new(c_ctx);
        s_ssl=SSL_new(s_ctx);
 
-       if (suppdata)
-               {
-               /* TEST CASES */
-               /* client and server both send and receive, verify
-                * additional arg passed back */
-               SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_0,
-                                         supp_data_0_srv_first_cb,
-                                         supp_data_0_srv_second_cb, s_ssl);
-               SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_0,
-                                         supp_data_0_cli_first_cb,
-                                         supp_data_0_cli_second_cb, c_ssl);
-
-               /* -1 response from sending server/client doesn't
-                 * receive, -1 response from sending client/server
-                 * doesn't receive */
-               SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_1,
-                                         supp_data_1_srv_first_cb,
-                                         supp_data_1_srv_second_cb, NULL);
-               SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_1,
-                                         supp_data_1_cli_first_cb,
-                                         supp_data_1_cli_second_cb, NULL);
-
-               /* null sending server/client doesn't receive, null
-                  sending client/server doesn't receive */
-               SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_2,
-                                         /*supp_data_2_srv_first_cb*/NULL,
-                                         supp_data_2_srv_second_cb, NULL);
-               SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_2,
-                                         supp_data_2_cli_first_cb,
-                                         /*supp_data_2_cli_second_cb*/NULL,
-                                         NULL);
-
-               /* alerts set to non-zero and zero return values not tested */
-               }
 #ifndef OPENSSL_NO_KRB5
        if (c_ssl  &&  c_ssl->kssl_ctx)
                 {
@@ -2454,11 +2301,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
 
        if (verbose)
                print_details(c_ssl, "DONE: ");
-       if (suppdata_error < 0)
-               {
-               ret = 1;
-               goto err;
-               }
        if (verify_serverinfo() < 0)
                {
                ret = 1;
index 5ae60a6..8698808 100644 (file)
@@ -206,11 +206,9 @@ extern "C" {
 #define TLSEXT_TYPE_status_request             5
 /* ExtensionType values from RFC4681 */
 #define TLSEXT_TYPE_user_mapping               6
-
 /* ExtensionType values from RFC5878 */
 #define TLSEXT_TYPE_client_authz               7
 #define TLSEXT_TYPE_server_authz               8
-
 /* ExtensionType values from RFC6091 */
 #define TLSEXT_TYPE_cert_type          9
 
@@ -303,17 +301,6 @@ extern "C" {
 
 #define TLSEXT_MAXLEN_host_name 255
 
-/* From RFC 5878 */
-#define TLSEXT_SUPPLEMENTALDATATYPE_authz_data 16386
-
-/* DTCP Authorization Type
- * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#authorization-data-rules
- * http://tools.ietf.org/id/draft-dthakore-tls-authz-04.txt
- */
-#define TLSEXT_AUTHZDATAFORMAT_dtcp 66
-
-#define TLSEXT_MAXLEN_supplemental_data 1024*16 /* Let's limit to 16k */
-
 const char *SSL_get_servername(const SSL *s, const int type);
 int SSL_get_servername_type(const SSL *s);
 /* SSL_export_keying_material exports a value derived from the master secret,