Remove all RFC5878 code.
authorDr. Stephen Henson <steve@openssl.org>
Fri, 4 Jul 2014 12:26:35 +0000 (13:26 +0100)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 4 Jul 2014 12:26:35 +0000 (13:26 +0100)
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs

18 files changed:
CHANGES
apps/s_cb.c
apps/s_client.c
apps/s_server.c
crypto/symhacks.h
doc/apps/s_client.pod
doc/apps/s_server.pod
ssl/s23_clnt.c
ssl/s3_clnt.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl3.h
ssl/ssl_err.c
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/ssl_stat.c
ssl/ssltest.c
ssl/tls1.h

diff --git a/CHANGES b/CHANGES
index 4236f86..bf37e58 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 
      [Steve Henson]
 
-  *) Add callbacks supporting generation and retrieval of supplemental
-     data entries.
-     [Scott Deboy <sdeboy@apache.org>, Trevor Perrin and Ben Laurie]
-
   *) Add EVP support for key wrapping algorithms, to avoid problems with
      existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
      the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
   *) Support for linux-x32, ILP32 environment in x86_64 framework.
      [Andy Polyakov]
 
-  *) RFC 5878 (TLS Authorization Extensions) support.
-     [Emilia Kasper, Adam Langley, Ben Laurie (Google)]
-
   *) Experimental multi-implementation support for FIPS capable OpenSSL.
      When in FIPS mode the approved implementations are used as normal,
      when not in FIPS mode the internal unapproved versions are used instead.
index 787c2a7..cf34e00 100644 (file)
@@ -881,9 +881,6 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
                                case 20:
                                        str_details1 = ", Finished";
                                        break;
-                               case 23:
-                                       str_details1 = ", SupplementalData";
-                                       break;
                                        }
                                }
                        }
index 2155b05..9f8e2b8 100644 (file)
@@ -214,8 +214,6 @@ static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 #ifndef OPENSSL_NO_TLSEXT
 static int ocsp_resp_cb(SSL *s, void *arg);
-static int c_auth = 0;
-static int c_auth_require_reneg = 0;
 #endif
 static BIO *bio_c_out=NULL;
 static BIO *bio_c_msg=NULL;
@@ -223,37 +221,6 @@ static int c_quiet=0;
 static int c_ign_eof=0;
 static int c_brief=0;
 
-#ifndef OPENSSL_NO_TLSEXT
-
-static unsigned char *generated_supp_data = NULL;
-
-static const unsigned char *most_recent_supplemental_data = NULL;
-static size_t most_recent_supplemental_data_length = 0;
-
-static int server_provided_server_authz = 0;
-static int server_provided_client_authz = 0;
-
-static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg);
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg);
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg);
-
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg);
-#endif
-
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
 static char *psk_identity="Client_identity";
@@ -396,8 +363,6 @@ static void sc_usage(void)
        BIO_printf(bio_err," -status           - request certificate status from server\n");
        BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
        BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
-       BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
-       BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
 # ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
@@ -863,10 +828,6 @@ static char *jpake_secret = NULL;
                        c_tlsextdebug=1;
                else if (strcmp(*argv,"-status") == 0)
                        c_status_req=1;
-               else if (strcmp(*argv,"-auth") == 0)
-                       c_auth = 1;
-               else if (strcmp(*argv,"-auth_require_reneg") == 0)
-                       c_auth_require_reneg = 1;
 #endif
 #ifdef WATT32
                else if (strcmp(*argv,"-wdebug") == 0)
@@ -1453,12 +1414,6 @@ bad:
                }
 
 #endif
-       if (c_auth)
-               {
-               SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
-               SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err);
-               SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err);
-               }
 #endif
 
        con=SSL_new(ctx);
@@ -1807,12 +1762,6 @@ SSL_set_tlsext_status_ids(con, ids);
                                                "CONNECTION ESTABLISHED\n");
                                        print_ssl_summary(bio_err, con);
                                        }
-                               /*handshake is complete - free the generated supp data allocated in the callback */
-                               if (generated_supp_data)
-                                       {
-                                       OPENSSL_free(generated_supp_data);
-                                       generated_supp_data = NULL;
-                                       }
 
                                print_stuff(bio_c_out,con,full_log);
                                if (full_log > 0) full_log--;
@@ -2463,74 +2412,4 @@ static int ocsp_resp_cb(SSL *s, void *arg)
        return 1;
        }
 
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg)
-       {
-       if (TLSEXT_TYPE_server_authz == ext_type)
-               server_provided_server_authz
-                 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
-
-       if (TLSEXT_TYPE_client_authz == ext_type)
-               server_provided_client_authz
-                 = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL);
-
-       return 1;
-       }
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg)
-       {
-       if (c_auth)
-               {
-               /*if auth_require_reneg flag is set, only send extensions if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       *out = auth_ext_data;
-                       *outlen = 1;
-                       return 1;
-                       }
-               }
-       /* no auth extension to send */
-       return -1;
-       }
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg)
-       {
-       if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
-               {
-               most_recent_supplemental_data = in;
-               most_recent_supplemental_data_length = inlen;
-               }
-       return 1;
-       }
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       if (c_auth && server_provided_client_authz && server_provided_server_authz)
-               {
-               /*if auth_require_reneg flag is set, only send supplemental data if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg
-                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       generated_supp_data = OPENSSL_malloc(10);
-                       memcpy(generated_supp_data, "5432154321", 10);
-                       *out = generated_supp_data;
-                       *outlen = 10;
-                       return 1;
-                       }
-               }
-       /* no supplemental data to send */
-       return -1;
-       }
-
 #endif
index 6dabdf4..a2fa469 100644 (file)
@@ -224,20 +224,6 @@ static DH *load_dh_param(const char *dhfile);
 static void s_server_init(void);
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-
-static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
-
-static unsigned char *generated_supp_data = NULL;
-
-static const unsigned char *most_recent_supplemental_data = NULL;
-static size_t most_recent_supplemental_data_length = 0;
-
-static int client_provided_server_authz = 0;
-static int client_provided_client_authz = 0;
-
-#endif
-
 /* static int load_CA(SSL_CTX *ctx, char *file);*/
 
 #undef BUFSIZZ
@@ -302,29 +288,9 @@ static int cert_chain = 0;
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg);
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg);
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg);
-
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg);
-
 static BIO *serverinfo_in = NULL;
 static const char *s_serverinfo_file = NULL;
 
-static int c_auth = 0;
-static int c_auth_require_reneg = 0;
 #endif
 
 #ifndef OPENSSL_NO_PSK
@@ -490,8 +456,6 @@ static void sv_usage(void)
        BIO_printf(bio_err," -naccept arg  - terminate after 'arg' connections\n");
 #ifndef OPENSSL_NO_TLSEXT
        BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n");
-       BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
-       BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
 #endif
     BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n");
        BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
@@ -1178,15 +1142,7 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_serverinfo_file = *(++argv);
                        }
-               else if (strcmp(*argv,"-auth") == 0)
-                       {
-                       c_auth = 1;
-                       }
 #endif
-               else if (strcmp(*argv,"-auth_require_reneg") == 0)
-                       {
-                       c_auth_require_reneg = 1;
-                       }
                else if (strcmp(*argv,"-certform") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1997,12 +1953,6 @@ bad:
                ERR_print_errors(bio_err);
                goto end;
                }
-       if (c_auth)
-               {
-               SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
-               SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
-               SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err);
-               }
 #endif
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain))
@@ -2722,12 +2672,6 @@ static int init_ssl_connection(SSL *con)
                        i=SSL_accept(con);
                }
 #endif
-       /*handshake is complete - free the generated supp data allocated in the callback */
-       if (generated_supp_data)
-               {
-        OPENSSL_free(generated_supp_data);
-               generated_supp_data = NULL;
-               }
 
        if (i <= 0)
                {
@@ -3615,77 +3559,3 @@ static void free_sessions(void)
                }
        first = NULL;
        }
-
-#ifndef OPENSSL_NO_TLSEXT
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
-                          const unsigned char *in,
-                          unsigned short inlen, int *al,
-                          void *arg)
-       {
-       if (TLSEXT_TYPE_server_authz == ext_type)
-               client_provided_server_authz
-                 = memchr(in,  TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
-       if (TLSEXT_TYPE_client_authz == ext_type)
-               client_provided_client_authz
-                 = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
-       return 1;
-       }
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
-                                   const unsigned char **out, unsigned short *outlen,
-                                   int *al, void *arg)
-       {
-       if (c_auth && client_provided_client_authz && client_provided_server_authz)
-               {
-               /*if auth_require_reneg flag is set, only send extensions if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg
-                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       *out = auth_ext_data;
-                       *outlen = 1;
-                       return 1;
-                       }
-               }
-       /* no auth extension to send */
-       return -1;
-       }
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
-                      const unsigned char *in,
-                      unsigned short inlen, int *al,
-                      void *arg)
-       {
-       if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
-               {
-               most_recent_supplemental_data = in;
-               most_recent_supplemental_data_length = inlen;
-               }
-       return 1;
-       }
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       if (c_auth && client_provided_client_authz && client_provided_server_authz)
-               {
-               /*if auth_require_reneg flag is set, only send supplemental data if
-                 renegotiation has occurred */
-               if (!c_auth_require_reneg
-                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
-                       {
-                       generated_supp_data = OPENSSL_malloc(10);
-                       memcpy(generated_supp_data, "1234512345", 10);
-                       *out = generated_supp_data;
-                       *outlen = 10;
-                       return 1;
-                       }
-               }
-       /* no supplemental data to send */
-       return -1;
-       }
-#endif
-
index 036b9c8..41da483 100644 (file)
 #undef SSL_set_not_resumable_session_callback
 #define SSL_set_not_resumable_session_callback SSL_set_not_resumbl_sess_cb
 
-#undef tls1_send_server_supplemental_data
-#define tls1_send_server_supplemental_data     tls1_send_server_suppl_data
-#undef tls1_send_client_supplemental_data
-#define tls1_send_client_supplemental_data     tls1_send_client_suppl_data
-#undef tls1_get_server_supplemental_data
-#define tls1_get_server_supplemental_data      tls1_get_server_suppl_data
-#undef tls1_get_client_supplemental_data
-#define tls1_get_client_supplemental_data      tls1_get_client_suppl_data
-
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
 #define ENGINE_get_default_BN_mod_exp_crt      ENGINE_get_def_BN_mod_exp_crt
index e5fe26b..f4155c4 100644 (file)
@@ -76,8 +76,6 @@ B<openssl> B<s_client>
 [B<-sess_in filename>]
 [B<-rand file(s)>]
 [B<-serverinfo types>]
-[B<-auth>]
-[B<-auth_require_reneg>]
 
 =head1 DESCRIPTION
 
@@ -329,15 +327,6 @@ a list of comma-separated TLS Extension Types (numbers between 0 and
 The server's response (if any) will be encoded and displayed as a PEM
 file.
 
-=item B<-auth>
-
-send RFC 5878 client and server authorization extensions in the Client Hello as well as
-supplemental data if the server also sent the authorization extensions in the Server Hello.
-
-=item B<-auth_require_reneg>
-
-only send RFC 5878 client and server authorization extensions during renegotiation.
-
 =back
 
 =head1 CONNECTED COMMANDS
index 9d4633c..a8e5278 100644 (file)
@@ -83,8 +83,6 @@ B<openssl> B<s_server>
 [B<-id_prefix arg>]
 [B<-rand file(s)>]
 [B<-serverinfo file>]
-[B<-auth>]
-[B<-auth_require_reneg>]
 [B<-no_resumption_on_reneg>]
 =head1 DESCRIPTION
 
@@ -362,19 +360,9 @@ followed by "length" bytes of extension data).  If the client sends
 an empty TLS ClientHello extension matching the type, the corresponding
 ServerHello extension will be returned.
 
-=item B<-auth>
-
-send RFC 5878 client and server authorization extensions in the Client Hello as well as
-supplemental data if the server also sent the authorization extensions in the Server Hello.
-
-=item B<-auth_require_reneg>
-
-only send RFC 5878 client and server authorization extensions during renegotiation.
-
 =item B<-no_resumption_on_reneg>
 
-set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.  Required in order to receive supplemental data
-during renegotiation if auth and auth_require_reneg are set.
+set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag.
 
 =back
 
index e32fbbf..0865485 100644 (file)
@@ -370,8 +370,6 @@ static int ssl23_client_hello(SSL *s)
 #endif
                if (s->ctx->custom_cli_ext_records_count != 0)
                        ssl2_compat = 0;
-               if (s->ctx->cli_supp_data_records_count != 0)
-                       ssl2_compat = 0;
                }
 #endif
 
index d009400..9a94de0 100644 (file)
@@ -318,26 +318,11 @@ int ssl3_connect(SSL *s)
                                }
                        s->init_num=0;
                        break;
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_CR_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_CR_SUPPLEMENTAL_DATA_B:
-                       ret = tls1_get_server_supplemental_data(s);
-                       if (ret <= 0) goto end;
-                       s->state=SSL3_ST_CR_CERT_A;
-                       s->init_num = 0;
-                       break;
-#endif
                case SSL3_ST_CR_CERT_A:
                case SSL3_ST_CR_CERT_B:
 #ifndef OPENSSL_NO_TLSEXT
                        ret=ssl3_check_finished(s);
                        if (ret <= 0) goto end;
-                       if (ret == 3)
-                               {
-                               s->state=SSL3_ST_CR_SUPPLEMENTAL_DATA_A;
-                               s->init_num=0;
-                               break;
-                               }
                        if (ret == 2)
                                {
                                s->hit = 1;
@@ -416,14 +401,10 @@ int ssl3_connect(SSL *s)
                                        }
                                }
 #endif
-#ifndef OPENSSL_NO_TLSEXT
-                       s->state=SSL3_ST_CW_SUPPLEMENTAL_DATA_A;
-#else
                        if (s->s3->tmp.cert_req)
                                s->state=SSL3_ST_CW_CERT_A;
                        else
                                s->state=SSL3_ST_CW_KEY_EXCH_A;
-#endif
                        s->init_num=0;
 
                        break;
@@ -530,19 +511,6 @@ int ssl3_connect(SSL *s)
                        break;
 #endif
 
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_CW_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_CW_SUPPLEMENTAL_DATA_B:
-                       ret = tls1_send_client_supplemental_data(s, &skip);
-                       if (ret <= 0) goto end;
-                       if (s->s3->tmp.cert_req)
-                               s->state=SSL3_ST_CW_CERT_A;
-                       else
-                               s->state=SSL3_ST_CW_KEY_EXCH_A;
-                       s->init_num=0;
-                       break;
-#endif
-
                case SSL3_ST_CW_FINISHED_A:
                case SSL3_ST_CW_FINISHED_B:
                        ret=ssl3_send_finished(s,
@@ -3611,10 +3579,11 @@ int ssl3_check_finished(SSL *s)
        int ok;
        long n;
 
-       /* Read the message to see if it is supplemental data,
-        * regardless if there is a session ticket this function is
-        * called when we really expect a Certificate message, so
-        * permit appropriate message length */
+       /* If we have no ticket it cannot be a resumed session. */
+       if (!s->session->tlsext_tick)
+               return 1;
+       /* this function is called when we really expect a Certificate
+        * message, so permit appropriate message length */
        n=s->method->ssl_get_message(s,
                SSL3_ST_CR_CERT_A,
                SSL3_ST_CR_CERT_B,
@@ -3624,11 +3593,6 @@ int ssl3_check_finished(SSL *s)
        if (!ok) return((int)n);
        s->s3->tmp.reuse_message = 1;
 
-       if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA)
-               return 3;
-       /* If we have no ticket it cannot be a resumed session. */
-       if (!s->session->tlsext_tick)
-               return 1;
        if ((s->s3->tmp.message_type == SSL3_MT_FINISHED)
                || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET))
                return 2;
@@ -3654,155 +3618,3 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
                i = s->ctx->client_cert_cb(s,px509,ppkey);
        return i;
        }
-
-#ifndef OPENSSL_NO_TLSEXT
-int tls1_send_client_supplemental_data(SSL *s, int *skip)
-       {
-       int al = 0;
-       if (s->ctx->cli_supp_data_records_count)
-               {
-               unsigned char *p = NULL;
-               unsigned char *size_loc = NULL;
-               cli_supp_data_record *record = NULL;
-               size_t length = 0;
-               size_t i = 0;
-
-               for (i = 0; i < s->ctx->cli_supp_data_records_count; i++)
-                       {
-                       const unsigned char *out = NULL;
-                       unsigned short outlen = 0;
-                       int cb_retval = 0;
-                       record = &s->ctx->cli_supp_data_records[i];
-
-                       /* NULL callback or -1 omits supp data entry*/
-                       if (!record->fn2)
-                               continue;
-                       cb_retval = record->fn2(s, record->supp_data_type,
-                                               &out, &outlen, &al,
-                                               record->arg);
-                       if (cb_retval == -1)
-                               continue; /* skip this supp data entry */
-                       if (cb_retval == 0)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               goto f_err;
-                               }
-                       if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       /* if first entry, write handshake message type */
-                       if (length == 0)
-                               {
-                               if (!BUF_MEM_grow_clean(s->init_buf, 4))
-                                       {
-                                       SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                                       return 0;
-                                       }
-                               p = (unsigned char *)s->init_buf->data;
-                               *(p++) = SSL3_MT_SUPPLEMENTAL_DATA;
-                               /* update message length when all
-                                * callbacks complete */
-                               size_loc = p;
-                               /* skip over handshake length field (3
-                                * bytes) and supp_data length field
-                                * (3 bytes) */
-                               p += 3 + 3;
-                               length += 1 +3 +3;
-                               }
-                       if (!BUF_MEM_grow(s->init_buf, outlen + 4))
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       s2n(record->supp_data_type, p);
-                       s2n(outlen, p);
-                       memcpy(p, out, outlen);
-                       length += (outlen + 4);
-                       p += outlen;
-                       }
-               if (length > 0)
-                       {
-                       /* write handshake length */
-                       l2n3(length - 4, size_loc);
-                       /* supp_data length */
-                       l2n3(length - 7, size_loc);
-                       s->state = SSL3_ST_CW_SUPPLEMENTAL_DATA_B;
-                       s->init_num = length;
-                       s->init_off = 0;
-                       return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
-                       }
-               }
-
-       /* no supp data message sent */
-       *skip = 1;
-       s->init_num = 0;
-       s->init_off = 0;
-       return 1;
-
-       f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return 0;
-       }
-
-int tls1_get_server_supplemental_data(SSL *s)
-       {
-       int al = 0;
-       int ok;
-       long n;
-       const unsigned char *p, *d;
-       unsigned short supp_data_entry_type = 0;
-       unsigned short supp_data_entry_len = 0;
-       unsigned long supp_data_len = 0;
-       size_t i;
-       int cb_retval = 0;
-
-       n=s->method->ssl_get_message(s,
-                                    SSL3_ST_CR_SUPPLEMENTAL_DATA_A,
-                                    SSL3_ST_CR_SUPPLEMENTAL_DATA_B,
-                                    SSL3_MT_SUPPLEMENTAL_DATA,
-                                    /* use default limit */
-                                    TLSEXT_MAXLEN_supplemental_data,
-                                    &ok);
-
-       if (!ok) return((int)n);
-
-       p = (unsigned char *)s->init_msg;
-       d = p;
-       /* The message cannot be empty */
-       if (n < 3)
-               {
-               al = SSL_AD_DECODE_ERROR;
-               SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH);
-               goto f_err;
-               }
-       n2l3(p, supp_data_len);
-       while (p < d+supp_data_len)
-               {
-               n2s(p, supp_data_entry_type);
-               n2s(p, supp_data_entry_len);
-               /* if there is a callback for this supp data type, send it */
-               for (i=0; i < s->ctx->cli_supp_data_records_count; i++)
-                       {
-                       if (s->ctx->cli_supp_data_records[i].supp_data_type == supp_data_entry_type &&
-                           s->ctx->cli_supp_data_records[i].fn1)
-                               {
-                               cb_retval = s->ctx->cli_supp_data_records[i].fn1(s, supp_data_entry_type, p,
-                                                                                supp_data_entry_len, &al,
-                                                                                s->ctx->cli_supp_data_records[i].arg);
-                               if (cb_retval == 0)
-                                       {
-                                       SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB);
-                                       goto f_err;
-                                       }
-                               }
-                       }
-               p += supp_data_entry_len;
-               }
-       return 1;
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return -1;
-       }
-#endif
index 4941aca..00fa679 100644 (file)
@@ -409,24 +409,9 @@ int ssl3_accept(SSL *s)
                                        s->state=SSL3_ST_SW_CHANGE_A;
 #endif
                        else
-#ifndef OPENSSL_NO_TLSEXT
-                               s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_A;
-#else
-                       s->state = SSL3_ST_SW_CERT_A;
-#endif
-                       s->init_num = 0;
-                       break;
-
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_SW_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_SW_SUPPLEMENTAL_DATA_B:
-                       ret = tls1_send_server_supplemental_data(s, &skip);
-                       if (ret <= 0) goto end;
-
-                       s->state = SSL3_ST_SW_CERT_A;
+                                       s->state = SSL3_ST_SW_CERT_A;
                        s->init_num = 0;
                        break;
-#endif
 
                case SSL3_ST_SW_CERT_A:
                case SSL3_ST_SW_CERT_B:
@@ -596,16 +581,7 @@ int ssl3_accept(SSL *s)
 
                        s->state=s->s3->tmp.next_state;
                        break;
-#ifndef OPENSSL_NO_TLSEXT
-               case SSL3_ST_SR_SUPPLEMENTAL_DATA_A:
-               case SSL3_ST_SR_SUPPLEMENTAL_DATA_B:
-                       ret=tls1_get_client_supplemental_data(s);
-                       if (ret <= 0) goto end;
-                       s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
-                       s->state=SSL3_ST_SW_FLUSH;
-                       s->init_num=0;
-                       break;
-#endif
+
                case SSL3_ST_SR_CERT_A:
                case SSL3_ST_SR_CERT_B:
                        /* Check for second client hello (MS SGC) */
@@ -614,10 +590,6 @@ int ssl3_accept(SSL *s)
                                goto end;
                        if (ret == 2)
                                s->state = SSL3_ST_SR_CLNT_HELLO_C;
-#ifndef OPENSSL_NO_TLSEXT
-                       else if (ret == 3)
-                               s->state = SSL3_ST_SR_SUPPLEMENTAL_DATA_A;
-#endif
                        else {
                                if (s->s3->tmp.cert_request)
                                        {
@@ -913,10 +885,6 @@ int ssl3_check_client_hello(SSL *s)
                &ok);
        if (!ok) return((int)n);
        s->s3->tmp.reuse_message = 1;
-#ifndef OPENSSL_NO_TLSEXT
-       if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA)
-               return 3;
-#endif
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
                /* We only allow the client to restart the handshake once per
@@ -3755,156 +3723,4 @@ int ssl3_get_next_proto(SSL *s)
        }
 # endif
 
-int tls1_send_server_supplemental_data(SSL *s, int *skip)
-       {
-       int al = 0;
-       if (s->ctx->srv_supp_data_records_count)
-               {
-               unsigned char *p = NULL;
-               unsigned char *size_loc = NULL;
-               srv_supp_data_record *record = NULL;
-               size_t length = 0;
-               size_t i = 0;
-
-               for (i = 0; i < s->ctx->srv_supp_data_records_count; i++)
-                       {
-                       const unsigned char *out = NULL;
-                       unsigned short outlen = 0;
-                       int cb_retval = 0;
-                       record = &s->ctx->srv_supp_data_records[i];
-
-                       /* NULL callback or -1 omits supp data entry */
-                       if (!record->fn1)
-                               continue;
-                       cb_retval = record->fn1(s, record->supp_data_type,
-                                               &out, &outlen, &al, record->arg);
-                       if (cb_retval == -1)
-                               continue; /* skip this supp data entry */
-                       if (cb_retval == 0)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               goto f_err;
-                               }
-                       if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length)
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       /* write supp data entry...
-                        * if first entry, write handshake message type
-                        * jump back to write length at end */
-                       if (length == 0)
-                               {
-                               /* 1 byte message type + 3 bytes for
-                                * message length */
-                               if (!BUF_MEM_grow_clean(s->init_buf, 4))
-                                       {
-                                       SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                                       return 0;
-                                       }
-                               p = (unsigned char *)s->init_buf->data;
-                               *(p++) = SSL3_MT_SUPPLEMENTAL_DATA;
-                               /* hold on to length field to update later */
-                               size_loc = p;
-                               /* skip over handshake length field (3
-                                * bytes) and supp_data length field
-                                * (3 bytes) */
-                               p += 3 + 3;
-                               length += 1 +3 +3;
-                               }
-                       /* 2 byte supp data type + 2 byte length + outlen */
-                       if (!BUF_MEM_grow(s->init_buf, outlen + 4))
-                               {
-                               SSLerr(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB);
-                               return 0;
-                               }
-                       s2n(record->supp_data_type, p);
-                       s2n(outlen, p);
-                       memcpy(p, out, outlen);
-                       /* update length to supp data type (2 bytes) +
-                        * supp data length (2 bytes) + supp data */
-                       length += (outlen + 4);
-                       p += outlen;
-                       }
-               if (length > 0)
-                       {
-                       /* write handshake length */
-                       l2n3(length - 4, size_loc);
-                       /* supp_data length */
-                       l2n3(length - 7, size_loc);
-                       s->state = SSL3_ST_SW_SUPPLEMENTAL_DATA_B;
-                       s->init_num = length;
-                       s->init_off = 0;
-
-                       return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
-                       }
-               }
-
-       /* no supp data message sent */
-       *skip = 1;
-       s->init_num = 0;
-       s->init_off = 0;
-       return 1;
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return 0;
-       }
-
-int tls1_get_client_supplemental_data(SSL *s)
-       {
-       int al = 0;
-       int cb_retval = 0;
-       int ok;
-       long n;
-       const unsigned char *p, *d;
-       unsigned short supp_data_entry_type = 0;
-       unsigned short supp_data_entry_len = 0;
-       unsigned long supp_data_len = 0;
-       size_t i = 0;
-
-       n=s->method->ssl_get_message(s,
-                                    SSL3_ST_SR_SUPPLEMENTAL_DATA_A,
-                                    SSL3_ST_SR_SUPPLEMENTAL_DATA_B,
-                                    SSL3_MT_SUPPLEMENTAL_DATA,
-                                    /* use default limit */
-                                    TLSEXT_MAXLEN_supplemental_data,
-                                    &ok);
-
-       if (!ok) return((int)n);
-
-       p = (unsigned char *)s->init_msg;
-       d = p;
-
-       /* The message cannot be empty */
-       if (n < 3)
-               {
-               al = SSL_AD_DECODE_ERROR;
-               SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH);
-               goto f_err;
-               }
-       n2l3(p, supp_data_len);
-       while (p<d+supp_data_len)
-               {
-               n2s(p, supp_data_entry_type);
-               n2s(p, supp_data_entry_len);
-               /* if there is a callback for this supp data type, send it */
-               for (i=0; i < s->ctx->srv_supp_data_records_count; i++)
-                       {
-                       if (s->ctx->srv_supp_data_records[i].supp_data_type == supp_data_entry_type && s->ctx->srv_supp_data_records[i].fn2)
-                               {
-                               cb_retval = s->ctx->srv_supp_data_records[i].fn2(s, supp_data_entry_type, p, supp_data_entry_len, &al, s->ctx->srv_supp_data_records[i].arg);
-                               if (cb_retval == 0)
-                                       {
-                                       SSLerr(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB);
-                                       goto f_err;
-                                       }
-                               }
-                       }
-               p+=supp_data_entry_len;
-               }
-       return 1;
-f_err:
-       ssl3_send_alert(s,SSL3_AL_FATAL,al);
-       return -1;
-       }
 #endif
index b7b101f..c434b86 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -439,57 +439,6 @@ typedef struct {
        void *arg;
 } custom_srv_ext_record;
 
-/* Callbacks and structures for handling Supplemental Data:
- *   srv_supp_data_first_cb_fn  - server sends Supplemental Data
- *   srv_supp_data_second_cb_fn - server receives Supplemental Data
- *   cli_supp_data_first_cb_fn  - client receives Supplemental Data
- *   cli_supp_data_second_cb_fn - client sends Supplemental Data
- *
- *   All these functions return nonzero on success.  Zero will terminate
- *   the handshake (and return a specific TLS Fatal alert, if the function
- *   declaration has an "al" parameter).  -1 for the "sending" functions
- *   will result in no supplemental data entry being added to the
- *   supplemental data message for the provided supplemental data type.
- *
- *   "supp_data_type" is a Supplemental Data Type from 0-65535.
- *   "in" is a pointer to TLS "supplemental_data_entry" being provided to the cb.
- *   "out" is used by the callback to return a pointer to "supplemental data"
- *     which OpenSSL will later copy into the TLS handshake.  The contents
- *     of this buffer should not be changed until the handshake is complete.
- *   "inlen" and "outlen" are Supplemental Data lengths from 0-65535.
- *   "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a
- *     fatal TLS alert, if the callback returns zero.
- */
-typedef int (*srv_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                        const unsigned char **out,
-                                        unsigned short *outlen, int *al, void *arg);
-typedef int (*srv_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                         const unsigned char *in,
-                                         unsigned short inlen, int *al,
-                                         void *arg);
-
-typedef int (*cli_supp_data_first_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                        const unsigned char *in,
-                                        unsigned short inlen, int *al,
-                                        void *arg);
-typedef int (*cli_supp_data_second_cb_fn)(SSL *s, unsigned short supp_data_type,
-                                         const unsigned char **out,
-                                         unsigned short *outlen, int *al, void *arg);
-
-typedef struct {
-       unsigned short supp_data_type;
-       srv_supp_data_first_cb_fn fn1;
-       srv_supp_data_second_cb_fn fn2;
-       void *arg;
-} srv_supp_data_record;
-
-typedef struct {
-       unsigned short supp_data_type;
-       cli_supp_data_first_cb_fn fn1;
-       cli_supp_data_second_cb_fn fn2;
-       void *arg;
-} cli_supp_data_record;
-
 #endif
 
 #ifndef OPENSSL_NO_SSL_INTERN
@@ -1216,12 +1165,6 @@ struct ssl_ctx_st
        size_t custom_cli_ext_records_count;
        custom_srv_ext_record *custom_srv_ext_records;
        size_t custom_srv_ext_records_count;
-
-       /* Arrays containing the callbacks for Supplemental Data. */
-       cli_supp_data_record *cli_supp_data_records;
-       size_t cli_supp_data_records_count;
-       srv_supp_data_record *srv_supp_data_records;
-       size_t srv_supp_data_records_count;
        };
 
 #endif
@@ -1369,30 +1312,6 @@ int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
                               custom_srv_ext_first_cb_fn fn1, 
                               custom_srv_ext_second_cb_fn fn2, void *arg);
 
-/* Register callbacks to handle Supplemental Data as client or server.
- *
- * For SSL_CTX_set_srv_supp_data, a NULL srv_supp_data_first_cb_fn results in no supplemental data
- * being sent by the server for that TLS extension.
- * A NULL srv_supp_data_second_cb_fn results in no supplemental data
- * being received by the server for that TLS extension.
- *
- * For SSL_CTX_set_cli_supp_data, a NULL cli_supp_data_first_cb_fn results in no supplemental data
- * being received by the client for that TLS extension.
- * A NULL cli_supp_data_second_cb_fn results in no supplemental data
- * being sent by the client for that TLS extension.
- *
- * Returns nonzero on success.  You cannot register twice for the same supp_data_type.
- */
-int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             srv_supp_data_first_cb_fn fn1,
-                             srv_supp_data_second_cb_fn fn2, void *arg);
-
-int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             cli_supp_data_first_cb_fn fn1,
-                             cli_supp_data_second_cb_fn fn2, void *arg);
-
 #endif
 
 #define SSL_NOTHING    1
@@ -2660,8 +2579,6 @@ void ERR_load_SSL_strings(void);
 /* Error codes for the SSL functions. */
 
 /* Function codes. */
-#define SSL_F_AUTHZ_FIND_DATA                           330
-#define SSL_F_AUTHZ_VALIDATE                            323
 #define SSL_F_CHECK_SUITEB_CIPHER_LIST                  331
 #define SSL_F_CLIENT_CERTIFICATE                        100
 #define SSL_F_CLIENT_FINISHED                           167
@@ -2705,7 +2622,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_GET_SERVER_HELLO                          109
 #define SSL_F_GET_SERVER_VERIFY                                 110
 #define SSL_F_I2D_SSL_SESSION                           111
-#define SSL_F_READ_AUTHZ                                329
 #define SSL_F_READ_N                                    112
 #define SSL_F_REQUEST_CERTIFICATE                       113
 #define SSL_F_SERVER_FINISH                             239
@@ -2813,7 +2729,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT            219
 #define SSL_F_SSL_CTX_SET_SSL_VERSION                   170
 #define SSL_F_SSL_CTX_SET_TRUST                                 229
-#define SSL_F_SSL_CTX_USE_AUTHZ                                 324
 #define SSL_F_SSL_CTX_USE_CERTIFICATE                   171
 #define SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1              172
 #define SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE        220
@@ -2855,7 +2770,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SESSION_PRINT_FP                      190
 #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT               312
 #define SSL_F_SSL_SESS_CERT_NEW                                 225
-#define SSL_F_SSL_SET_AUTHZ                             325
 #define SSL_F_SSL_SET_CERT                              191
 #define SSL_F_SSL_SET_CIPHER_LIST                       271
 #define SSL_F_SSL_SET_FD                                192
@@ -2872,7 +2786,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_UNDEFINED_CONST_FUNCTION              243
 #define SSL_F_SSL_UNDEFINED_FUNCTION                    197
 #define SSL_F_SSL_UNDEFINED_VOID_FUNCTION               244
-#define SSL_F_SSL_USE_AUTHZ                             328
 #define SSL_F_SSL_USE_CERTIFICATE                       198
 #define SSL_F_SSL_USE_CERTIFICATE_ASN1                  199
 #define SSL_F_SSL_USE_CERTIFICATE_FILE                  200
@@ -2891,21 +2804,16 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT             274
 #define SSL_F_TLS1_ENC                                  210
 #define SSL_F_TLS1_EXPORT_KEYING_MATERIAL               314
-#define SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA                 335
-#define SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA                 326
 #define SSL_F_TLS1_HEARTBEAT                            315
 #define SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT           275
 #define SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT           276
 #define SSL_F_TLS1_PRF                                  284
-#define SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA        338
-#define SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA        327
 #define SSL_F_TLS1_SETUP_KEY_BLOCK                      211
 #define SSL_F_WRITE_PENDING                             212
 
 /* Reason codes. */
 #define SSL_R_APP_DATA_IN_HANDSHAKE                     100
 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
-#define SSL_R_AUTHZ_DATA_TOO_LARGE                      375
 #define SSL_R_BAD_ALERT_RECORD                          101
 #define SSL_R_BAD_AUTHENTICATION_TYPE                   102
 #define SSL_R_BAD_CHANGE_CIPHER_SPEC                    103
@@ -3003,7 +2911,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_ILLEGAL_SUITEB_DIGEST                     380
 #define SSL_R_INCONSISTENT_COMPRESSION                  340
 #define SSL_R_INVALID_AUDIT_PROOF                       371
-#define SSL_R_INVALID_AUTHZ_DATA                        374
 #define SSL_R_INVALID_CHALLENGE_LENGTH                  158
 #define SSL_R_INVALID_COMMAND                           280
 #define SSL_R_INVALID_COMPRESSION_ALGORITHM             341
@@ -3195,7 +3102,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNEXPECTED_RECORD                                 245
 #define SSL_R_UNINITIALIZED                             276
 #define SSL_R_UNKNOWN_ALERT_TYPE                        246
-#define SSL_R_UNKNOWN_AUTHZ_DATA_TYPE                   372
 #define SSL_R_UNKNOWN_CERTIFICATE_TYPE                  247
 #define SSL_R_UNKNOWN_CIPHER_RETURNED                   248
 #define SSL_R_UNKNOWN_CIPHER_TYPE                       249
@@ -3207,7 +3113,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_UNKNOWN_REMOTE_ERROR_TYPE                         253
 #define SSL_R_UNKNOWN_SSL_VERSION                       254
 #define SSL_R_UNKNOWN_STATE                             255
-#define SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE            373
 #define SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED      338
 #define SSL_R_UNSUPPORTED_CIPHER                        256
 #define SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM                 257
index f9b10cf..d3167cf 100644 (file)
@@ -637,10 +637,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CR_CERT_REQ_B          (0x151|SSL_ST_CONNECT)
 #define SSL3_ST_CR_SRVR_DONE_A         (0x160|SSL_ST_CONNECT)
 #define SSL3_ST_CR_SRVR_DONE_B         (0x161|SSL_ST_CONNECT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_CR_SUPPLEMENTAL_DATA_A (0x212|SSL_ST_CONNECT)
-#define SSL3_ST_CR_SUPPLEMENTAL_DATA_B  (0x213|SSL_ST_CONNECT)
-#endif
 /* write to server */
 #define SSL3_ST_CW_CERT_A              (0x170|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CERT_B              (0x171|SSL_ST_CONNECT)
@@ -656,10 +652,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_NEXT_PROTO_A                (0x200|SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_B                (0x201|SSL_ST_CONNECT)
 #endif
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_CW_SUPPLEMENTAL_DATA_A         (0x222|SSL_ST_CONNECT)
-#define SSL3_ST_CW_SUPPLEMENTAL_DATA_B         (0x223|SSL_ST_CONNECT)
-#endif
 #define SSL3_ST_CW_FINISHED_A          (0x1B0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_B          (0x1B1|SSL_ST_CONNECT)
 /* read from server */
@@ -685,10 +677,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CLNT_HELLO_B                (0x111|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_C                (0x112|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CLNT_HELLO_D                (0x115|SSL_ST_ACCEPT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_SR_SUPPLEMENTAL_DATA_A         (0x212|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_SUPPLEMENTAL_DATA_B         (0x213|SSL_ST_ACCEPT)
-#endif
 /* write to client */
 #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
 #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
@@ -729,10 +717,6 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SW_SESSION_TICKET_B    (0x1F1|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_STATUS_A       (0x200|SSL_ST_ACCEPT)
 #define SSL3_ST_SW_CERT_STATUS_B       (0x201|SSL_ST_ACCEPT)
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_ST_SW_SUPPLEMENTAL_DATA_A (0x222|SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SUPPLEMENTAL_DATA_B (0x223|SSL_ST_ACCEPT)
-#endif
 
 #define SSL3_MT_HELLO_REQUEST                  0
 #define SSL3_MT_CLIENT_HELLO                   1
@@ -746,9 +730,6 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE            16
 #define SSL3_MT_FINISHED                       20
 #define SSL3_MT_CERTIFICATE_STATUS             22
-#ifndef OPENSSL_NO_TLSEXT
-#define SSL3_MT_SUPPLEMENTAL_DATA              23
-#endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_MT_NEXT_PROTO                     67
 #endif
index db3f566..258d408 100644 (file)
@@ -70,8 +70,6 @@
 
 static ERR_STRING_DATA SSL_str_functs[]=
        {
-{ERR_FUNC(SSL_F_AUTHZ_FIND_DATA),      "AUTHZ_FIND_DATA"},
-{ERR_FUNC(SSL_F_AUTHZ_VALIDATE),       "AUTHZ_VALIDATE"},
 {ERR_FUNC(SSL_F_CHECK_SUITEB_CIPHER_LIST),     "CHECK_SUITEB_CIPHER_LIST"},
 {ERR_FUNC(SSL_F_CLIENT_CERTIFICATE),   "CLIENT_CERTIFICATE"},
 {ERR_FUNC(SSL_F_CLIENT_FINISHED),      "CLIENT_FINISHED"},
@@ -115,7 +113,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_GET_SERVER_HELLO),     "GET_SERVER_HELLO"},
 {ERR_FUNC(SSL_F_GET_SERVER_VERIFY),    "GET_SERVER_VERIFY"},
 {ERR_FUNC(SSL_F_I2D_SSL_SESSION),      "i2d_SSL_SESSION"},
-{ERR_FUNC(SSL_F_READ_AUTHZ),   "READ_AUTHZ"},
 {ERR_FUNC(SSL_F_READ_N),       "READ_N"},
 {ERR_FUNC(SSL_F_REQUEST_CERTIFICATE),  "REQUEST_CERTIFICATE"},
 {ERR_FUNC(SSL_F_SERVER_FINISH),        "SERVER_FINISH"},
@@ -223,7 +220,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SESSION_ID_CONTEXT),       "SSL_CTX_set_session_id_context"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_SSL_VERSION),      "SSL_CTX_set_ssl_version"},
 {ERR_FUNC(SSL_F_SSL_CTX_SET_TRUST),    "SSL_CTX_set_trust"},
-{ERR_FUNC(SSL_F_SSL_CTX_USE_AUTHZ),    "SSL_CTX_USE_AUTHZ"},
 {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE),      "SSL_CTX_use_certificate"},
 {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"},
 {ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),   "SSL_CTX_use_certificate_chain_file"},
@@ -265,7 +261,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
 {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT),  "SSL_SESSION_set1_id_context"},
 {ERR_FUNC(SSL_F_SSL_SESS_CERT_NEW),    "ssl_sess_cert_new"},
-{ERR_FUNC(SSL_F_SSL_SET_AUTHZ),        "SSL_SET_AUTHZ"},
 {ERR_FUNC(SSL_F_SSL_SET_CERT), "SSL_SET_CERT"},
 {ERR_FUNC(SSL_F_SSL_SET_CIPHER_LIST),  "SSL_set_cipher_list"},
 {ERR_FUNC(SSL_F_SSL_SET_FD),   "SSL_set_fd"},
@@ -282,7 +277,6 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL_UNDEFINED_CONST_FUNCTION), "ssl_undefined_const_function"},
 {ERR_FUNC(SSL_F_SSL_UNDEFINED_FUNCTION),       "ssl_undefined_function"},
 {ERR_FUNC(SSL_F_SSL_UNDEFINED_VOID_FUNCTION),  "ssl_undefined_void_function"},
-{ERR_FUNC(SSL_F_SSL_USE_AUTHZ),        "SSL_USE_AUTHZ"},
 {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE),  "SSL_use_certificate"},
 {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1),     "SSL_use_certificate_ASN1"},
 {ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE),     "SSL_use_certificate_file"},
@@ -301,14 +295,10 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT),        "TLS1_CHECK_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_ENC),     "tls1_enc"},
 {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL),  "tls1_export_keying_material"},
-{ERR_FUNC(SSL_F_TLS1_GET_CLIENT_SUPPLEMENTAL_DATA),    "tls1_get_client_supplemental_data"},
-{ERR_FUNC(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA),    "tls1_get_server_supplemental_data"},
 {ERR_FUNC(SSL_F_TLS1_HEARTBEAT),       "tls1_heartbeat"},
 {ERR_FUNC(SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT),      "TLS1_PREPARE_CLIENTHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PREPARE_SERVERHELLO_TLSEXT),      "TLS1_PREPARE_SERVERHELLO_TLSEXT"},
 {ERR_FUNC(SSL_F_TLS1_PRF),     "tls1_prf"},
-{ERR_FUNC(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA),   "tls1_send_client_supplemental_data"},
-{ERR_FUNC(SSL_F_TLS1_SEND_SERVER_SUPPLEMENTAL_DATA),   "tls1_send_server_supplemental_data"},
 {ERR_FUNC(SSL_F_TLS1_SETUP_KEY_BLOCK), "tls1_setup_key_block"},
 {ERR_FUNC(SSL_F_WRITE_PENDING),        "WRITE_PENDING"},
 {0,NULL}
@@ -318,7 +308,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
        {
 {ERR_REASON(SSL_R_APP_DATA_IN_HANDSHAKE) ,"app data in handshake"},
 {ERR_REASON(SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),"attempt to reuse session in different context"},
-{ERR_REASON(SSL_R_AUTHZ_DATA_TOO_LARGE)  ,"authz data too large"},
 {ERR_REASON(SSL_R_BAD_ALERT_RECORD)      ,"bad alert record"},
 {ERR_REASON(SSL_R_BAD_AUTHENTICATION_TYPE),"bad authentication type"},
 {ERR_REASON(SSL_R_BAD_CHANGE_CIPHER_SPEC),"bad change cipher spec"},
@@ -416,7 +405,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_ILLEGAL_SUITEB_DIGEST) ,"illegal Suite B digest"},
 {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
 {ERR_REASON(SSL_R_INVALID_AUDIT_PROOF)   ,"invalid audit proof"},
-{ERR_REASON(SSL_R_INVALID_AUTHZ_DATA)    ,"invalid authz data"},
 {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
 {ERR_REASON(SSL_R_INVALID_COMMAND)       ,"invalid command"},
 {ERR_REASON(SSL_R_INVALID_COMPRESSION_ALGORITHM),"invalid compression algorithm"},
@@ -608,7 +596,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNEXPECTED_RECORD)     ,"unexpected record"},
 {ERR_REASON(SSL_R_UNINITIALIZED)         ,"uninitialized"},
 {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE)    ,"unknown alert type"},
-{ERR_REASON(SSL_R_UNKNOWN_AUTHZ_DATA_TYPE),"unknown authz data type"},
 {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE),"unknown certificate type"},
 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED),"unknown cipher returned"},
 {ERR_REASON(SSL_R_UNKNOWN_CIPHER_TYPE)   ,"unknown cipher type"},
@@ -620,7 +607,6 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_UNKNOWN_REMOTE_ERROR_TYPE),"unknown remote error type"},
 {ERR_REASON(SSL_R_UNKNOWN_SSL_VERSION)   ,"unknown ssl version"},
 {ERR_REASON(SSL_R_UNKNOWN_STATE)         ,"unknown state"},
-{ERR_REASON(SSL_R_UNKNOWN_SUPPLEMENTAL_DATA_TYPE),"unknown supplemental data type"},
 {ERR_REASON(SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED),"unsafe legacy renegotiation disabled"},
 {ERR_REASON(SSL_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
 {ERR_REASON(SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM),"unsupported compression algorithm"},
index 4720680..9f4040d 100644 (file)
@@ -1879,65 +1879,6 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
                *len = ssl->s3->alpn_selected_len;
        }
 
-int SSL_CTX_set_cli_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             cli_supp_data_first_cb_fn fn1,
-                             cli_supp_data_second_cb_fn fn2, void* arg)
-       {
-       size_t i;
-       cli_supp_data_record* record;
-
-       /* Check for duplicates */
-       for (i=0; i < ctx->cli_supp_data_records_count; i++)
-               if (supp_data_type == ctx->cli_supp_data_records[i].supp_data_type)
-                       return 0;
-
-       ctx->cli_supp_data_records = OPENSSL_realloc(ctx->cli_supp_data_records,
-         (ctx->cli_supp_data_records_count+1) * sizeof(cli_supp_data_record));
-       if (!ctx->cli_supp_data_records)
-               {
-               ctx->cli_supp_data_records_count = 0;
-               return 0;
-               }
-       ctx->cli_supp_data_records_count++;
-       record = &ctx->cli_supp_data_records[ctx->cli_supp_data_records_count - 1];
-       record->supp_data_type = supp_data_type;
-       record->fn1 = fn1;
-       record->fn2 = fn2;
-       record->arg = arg;
-       return 1;
-       }
-
-int SSL_CTX_set_srv_supp_data(SSL_CTX *ctx,
-                             unsigned short supp_data_type,
-                             srv_supp_data_first_cb_fn fn1,
-                             srv_supp_data_second_cb_fn fn2, void* arg)
-       {
-       size_t i;
-       srv_supp_data_record* record;
-
-       /* Check for duplicates */
-       for (i=0; i < ctx->srv_supp_data_records_count; i++)
-               if (supp_data_type == ctx->srv_supp_data_records[i].supp_data_type)
-                       return 0;
-
-       ctx->srv_supp_data_records = OPENSSL_realloc(ctx->srv_supp_data_records,
-         (ctx->srv_supp_data_records_count+1) * sizeof(srv_supp_data_record));
-       if (!ctx->srv_supp_data_records)
-               {
-               ctx->srv_supp_data_records_count = 0;
-               return 0;
-               }
-       ctx->srv_supp_data_records_count++;
-       record = &ctx->srv_supp_data_records[ctx->srv_supp_data_records_count - 1];
-       record->supp_data_type = supp_data_type;
-       record->fn1 = fn1;
-       record->fn2 = fn2;
-       record->arg = arg;
-
-       return 1;
-       }
-
 #endif /* !OPENSSL_NO_TLSEXT */
 
 int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
@@ -2141,10 +2082,6 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
        ret->custom_cli_ext_records_count = 0;
        ret->custom_srv_ext_records = NULL;
        ret->custom_srv_ext_records_count = 0;
-       ret->cli_supp_data_records = NULL;
-       ret->cli_supp_data_records_count = 0;
-       ret->srv_supp_data_records = NULL;
-       ret->srv_supp_data_records_count = 0;
 #ifndef OPENSSL_NO_BUF_FREELISTS
        ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
        ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -2286,8 +2223,6 @@ void SSL_CTX_free(SSL_CTX *a)
 #ifndef OPENSSL_NO_TLSEXT
        OPENSSL_free(a->custom_cli_ext_records);
        OPENSSL_free(a->custom_srv_ext_records);
-       OPENSSL_free(a->cli_supp_data_records);
-       OPENSSL_free(a->srv_supp_data_records);
 #endif
 #ifndef OPENSSL_NO_ENGINE
        if (a->client_cert_engine)
index 0b48c73..651b837 100644 (file)
@@ -1292,13 +1292,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
 
-/* server only */
-int tls1_send_server_supplemental_data(SSL *s, int *skip);
-int tls1_get_client_supplemental_data(SSL *s);
-/* client only */
-int tls1_send_client_supplemental_data(SSL *s, int *skip);
-int tls1_get_server_supplemental_data(SSL *s);
-
 #ifndef OPENSSL_NO_HEARTBEATS
 int tls1_heartbeat(SSL *s);
 int dtls1_heartbeat(SSL *s);
index b09cc7d..c5a15ce 100644 (file)
@@ -210,14 +210,6 @@ case SSL3_ST_SR_KEY_EXCH_A:        str="SSLv3 read client key exchange A"; break;
 case SSL3_ST_SR_KEY_EXCH_B:    str="SSLv3 read client key exchange B"; break;
 case SSL3_ST_SR_CERT_VRFY_A:   str="SSLv3 read certificate verify A"; break;
 case SSL3_ST_SR_CERT_VRFY_B:   str="SSLv3 read certificate verify B"; break;
-case SSL3_ST_CW_SUPPLEMENTAL_DATA_A: str="SSLv3 client write supplemental data A"; break;
-case SSL3_ST_CW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break;
-case SSL3_ST_SW_SUPPLEMENTAL_DATA_A: str="SSLv3 server write supplemental data A"; break;
-case SSL3_ST_SW_SUPPLEMENTAL_DATA_B: str="SSLv3 client write supplemental data B"; break;
-case SSL3_ST_CR_SUPPLEMENTAL_DATA_A: str="SSLv3 client read supplemental data A"; break;
-case SSL3_ST_CR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break;
-case SSL3_ST_SR_SUPPLEMENTAL_DATA_A: str="SSLv3 server read supplemental data A"; break;
-case SSL3_ST_SR_SUPPLEMENTAL_DATA_B: str="SSLv3 client read supplemental data B"; break;
 #endif
 
 /* SSLv2/v3 compatibility states */
index cf889c7..efcd668 100644 (file)
@@ -521,16 +521,6 @@ int custom_ext = 0;
 /* This set based on extension callbacks */
 int custom_ext_error = 0;
 
-/* Not IETF assigned supplemental data types */
-#define CUSTOM_SUPP_DATA_TYPE_0 100
-#define CUSTOM_SUPP_DATA_TYPE_1 101
-#define CUSTOM_SUPP_DATA_TYPE_2 102
-
-const char supp_data_0_string[] = "00000";
-
-int suppdata = 0;
-int suppdata_error = 0;
-
 static int serverinfo_cli_cb(SSL* s, unsigned short ext_type,
                             const unsigned char* in, unsigned short inlen, 
                             int* al, void* arg)
@@ -733,110 +723,6 @@ static int custom_ext_3_srv_second_cb(SSL *s, unsigned short ext_type,
        return 1; /* Send "defg" */
        }
 
-static int supp_data_0_srv_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char **out,
-                                   unsigned short *outlen, int *al, void *arg)
-       {
-       *out = (const unsigned char*)supp_data_0_string;
-       *outlen = strlen(supp_data_0_string);
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_0_srv_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char *in,
-                                    unsigned short inlen, int *al,
-                                    void *arg)
-       {
-       if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
-               suppdata_error = 1;
-       if (inlen != strlen(supp_data_0_string))
-               suppdata_error = 1;
-       if (memcmp(in, supp_data_0_string, inlen) != 0)
-               suppdata_error = 1;
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_1_srv_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char **out,
-                                   unsigned short *outlen, int *al, void *arg)
-       {
-       return -1;
-       }
-
-static int supp_data_1_srv_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char *in,
-                                    unsigned short inlen, int *al,
-                                    void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_2_srv_second_cb(SSL *s, unsigned short supp_data_type,
-                               const unsigned char *in,
-                               unsigned short inlen, int *al,
-                               void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_0_cli_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char *in,
-                                   unsigned short inlen, int *al,
-                                   void *arg)
-       {
-       if (supp_data_type != CUSTOM_SUPP_DATA_TYPE_0)
-               suppdata_error = 1;
-       if (inlen != strlen(supp_data_0_string))
-               suppdata_error = 1;
-       if (memcmp(in, supp_data_0_string, inlen) != 0)
-               suppdata_error = 1;
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_0_cli_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       *out = (const unsigned char*)supp_data_0_string;
-       *outlen = strlen(supp_data_0_string);
-       if (arg != s)
-               suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_1_cli_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char *in,
-                                   unsigned short inlen, int *al,
-                                   void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
-static int supp_data_1_cli_second_cb(SSL *s, unsigned short supp_data_type,
-                                    const unsigned char **out,
-                                    unsigned short *outlen, int *al, void *arg)
-       {
-       return -1;
-       }
-
-static int supp_data_2_cli_first_cb(SSL *s, unsigned short supp_data_type,
-                                   const unsigned char *in,
-                                   unsigned short inlen, int *al,
-                                   void *arg)
-       {
-       suppdata_error = 1;
-       return 1;
-       }
-
 static char *cipher=NULL;
 static int verbose=0;
 static int debug=0;
@@ -923,7 +809,6 @@ static void sv_usage(void)
        fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
        fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
        fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
-       fprintf(stderr, "-suppdata - exercise supplemental data callbacks\n");
        }
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -1368,10 +1253,6 @@ int main(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        alpn_expected = *(++argv);
                        }
-               else if (strcmp(*argv,"-suppdata") == 0)
-                       {
-                       suppdata = 1;
-                       }
                else
                        {
                        fprintf(stderr,"unknown option %s\n",*argv);
@@ -1766,40 +1647,6 @@ bad:
        c_ssl=SSL_new(c_ctx);
        s_ssl=SSL_new(s_ctx);
 
-       if (suppdata)
-               {
-               /* TEST CASES */
-               /* client and server both send and receive, verify
-                * additional arg passed back */
-               SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_0,
-                                         supp_data_0_srv_first_cb,
-                                         supp_data_0_srv_second_cb, s_ssl);
-               SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_0,
-                                         supp_data_0_cli_first_cb,
-                                         supp_data_0_cli_second_cb, c_ssl);
-
-               /* -1 response from sending server/client doesn't
-                 * receive, -1 response from sending client/server
-                 * doesn't receive */
-               SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_1,
-                                         supp_data_1_srv_first_cb,
-                                         supp_data_1_srv_second_cb, NULL);
-               SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_1,
-                                         supp_data_1_cli_first_cb,
-                                         supp_data_1_cli_second_cb, NULL);
-
-               /* null sending server/client doesn't receive, null
-                  sending client/server doesn't receive */
-               SSL_CTX_set_srv_supp_data(s_ctx, CUSTOM_SUPP_DATA_TYPE_2,
-                                         /*supp_data_2_srv_first_cb*/NULL,
-                                         supp_data_2_srv_second_cb, NULL);
-               SSL_CTX_set_cli_supp_data(c_ctx, CUSTOM_SUPP_DATA_TYPE_2,
-                                         supp_data_2_cli_first_cb,
-                                         /*supp_data_2_cli_second_cb*/NULL,
-                                         NULL);
-
-               /* alerts set to non-zero and zero return values not tested */
-               }
 #ifndef OPENSSL_NO_KRB5
        if (c_ssl  &&  c_ssl->kssl_ctx)
                 {
@@ -2586,11 +2433,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count)
                goto err;
                }
 #endif
-       if (suppdata_error < 0)
-               {
-               ret = 1;
-               goto err;
-               }
        if (verify_serverinfo() < 0)
                {
                ret = 1;
index 013aa4a..3499584 100644 (file)
@@ -211,11 +211,9 @@ extern "C" {
 #define TLSEXT_TYPE_status_request             5
 /* ExtensionType values from RFC4681 */
 #define TLSEXT_TYPE_user_mapping               6
-
 /* ExtensionType values from RFC5878 */
 #define TLSEXT_TYPE_client_authz               7
 #define TLSEXT_TYPE_server_authz               8
-
 /* ExtensionType values from RFC6091 */
 #define TLSEXT_TYPE_cert_type          9
 
@@ -312,17 +310,6 @@ extern "C" {
 
 #define TLSEXT_MAXLEN_host_name 255
 
-/* From RFC 5878 */
-#define TLSEXT_SUPPLEMENTALDATATYPE_authz_data 16386
-
-/* DTCP Authorization Type
- * https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#authorization-data-rules
- * http://tools.ietf.org/id/draft-dthakore-tls-authz-04.txt
- */
-#define TLSEXT_AUTHZDATAFORMAT_dtcp 66
-
-#define TLSEXT_MAXLEN_supplemental_data 1024*16 /* Let's limit to 16k */
-
 const char *SSL_get_servername(const SSL *s, const int type);
 int SSL_get_servername_type(const SSL *s);
 /* SSL_export_keying_material exports a value derived from the master secret,