*/
#include <stdio.h>
+#include <time.h>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
{
int cb_retval = 0;
cb_retval = record->fn1(s, record->ext_type,
- &out, &outlen, al,
+ &out, &outlen, al,
record->arg);
if (cb_retval == 0)
return NULL; /* error */
{
int extdatalen=0;
unsigned char *ret = p;
- size_t i;
- custom_srv_ext_record *record;
+ size_t i;
+ custom_srv_ext_record *record;
#ifndef OPENSSL_NO_NEXTPROTONEG
int next_proto_neg_seen;
#endif
}
#endif
- for (i = 0; i < s->ctx->custom_srv_ext_records_count; i++)
+ for (i = 0; i < s->ctx->custom_srv_ext_records_count; i++)
{
- record = &s->ctx->custom_srv_ext_records[i];
- const unsigned char *out = NULL;
- unsigned short outlen = 0;
- int cb_retval = 0;
-
- /* NULL callback or -1 omits extension */
- if (!record->fn2)
- break;
- cb_retval = record->fn2(s, record->ext_type,
- &out, &outlen, al,
- record->arg);
- if (cb_retval == 0)
- return NULL; /* error */
- if (cb_retval == -1)
- break; /* skip this extension */
- if (limit < ret + 4 + outlen)
- return NULL;
- s2n(record->ext_type, ret);
- s2n(outlen, ret);
- memcpy(ret, out, outlen);
- ret += outlen;
+ const unsigned char *out = NULL;
+ unsigned short outlen = 0;
+ int cb_retval = 0;
+
+ record = &s->ctx->custom_srv_ext_records[i];
+
+ /* NULL callback or -1 omits extension */
+ if (!record->fn2)
+ continue;
+ cb_retval = record->fn2(s, record->ext_type,
+ &out, &outlen, al,
+ record->arg);
+ if (cb_retval == 0)
+ return NULL; /* error */
+ if (cb_retval == -1)
+ continue; /* skip this extension */
+ if (limit < ret + 4 + outlen)
+ return NULL;
+ s2n(record->ext_type, ret);
+ s2n(outlen, ret);
+ memcpy(ret, out, outlen);
+ ret += outlen;
}
#ifdef TLSEXT_TYPE_encrypt_then_mac
if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC)
}
/* Clear observed custom extensions */
- s->s3->serverinfo_client_tlsext_custom_types_count = 0;
- if (s->s3->serverinfo_client_tlsext_custom_types != NULL)
+ s->s3->serverinfo_client_tlsext_custom_types_count = 0;
+ if (s->s3->serverinfo_client_tlsext_custom_types != NULL)
{
- OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types);
- s->s3->serverinfo_client_tlsext_custom_types = NULL;
- }
+ OPENSSL_free(s->s3->serverinfo_client_tlsext_custom_types);
+ s->s3->serverinfo_client_tlsext_custom_types = NULL;
+ }
#ifndef OPENSSL_NO_HEARTBEATS
s->tlsext_heartbeat &= ~(SSL_TLSEXT_HB_ENABLED |
}
#endif
+
+/* RFC6962 Signed Certificate Timestamp List X.509 extension parser */
+static int i2r_sctlist(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct,
+ BIO *out, int indent)
+ {
+ BN_ULLONG timestamp;
+ struct tm tm1;
+ time_t unix_epoch = 0;
+ unsigned char* data = oct->data;
+ char month[4];
+ unsigned short listlen, sctlen = 0, fieldlen;
+ int signhash_nid;
+
+ if (oct->length < 2)
+ return 0;
+ n2s(data, listlen);
+ if (listlen != oct->length - 2)
+ return 0;
+
+ while (listlen > 0)
+ {
+ if (listlen < 2)
+ return 0;
+ n2s(data, sctlen);
+ listlen -= 2;
+
+ if ((sctlen < 1) || (sctlen > listlen))
+ return 0;
+ listlen -= sctlen;
+
+ BIO_printf(out, "%*sSigned Certificate Timestamp:", indent,
+ "");
+
+ if (*data == 0) /* SCT v1 */
+ {
+ /* Fixed-length header:
+ * struct {
+ * (1 byte) Version sct_version;
+ * (32 bytes) LogID id;
+ * (8 bytes) uint64 timestamp;
+ * (2 bytes + ?) CtExtensions extensions;
+ */
+ if (sctlen < 43)
+ return 0;
+ sctlen -= 43;
+
+ BIO_printf(out, "\n%*sVersion : v1(0)", indent + 4,
+ "");
+
+ BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
+ BIO_hex_string(out, indent + 16, 16, data + 1, 32);
+
+ data += 33;
+ n2l8(data, timestamp);
+ OPENSSL_gmtime(&unix_epoch, &tm1);
+ OPENSSL_gmtime_adj(&tm1, timestamp / 86400000,
+ (timestamp % 86400000) / 1000);
+ strftime(month, 4, "%b", &tm1);
+ BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
+ BIO_printf(out, "%s %2d %02d:%02d:%02d.%03u %d UTC",
+ month, tm1.tm_mday, tm1.tm_hour,
+ tm1.tm_min, tm1.tm_sec,
+ (unsigned int)(timestamp % 1000),
+ tm1.tm_year + 1900);
+
+ n2s(data, fieldlen);
+ if (sctlen < fieldlen)
+ return 0;
+ sctlen -= fieldlen;
+ BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
+ if (fieldlen == 0)
+ BIO_printf(out, "none");
+ else
+ BIO_hex_string(out, indent + 16, 16, data,
+ fieldlen);
+ data += fieldlen;
+
+ /* digitally-signed struct header:
+ * (1 byte) Hash algorithm
+ * (1 byte) Signature algorithm
+ * (2 bytes + ?) Signature
+ */
+ if (sctlen < 4)
+ return 0;
+ sctlen -= 4;
+
+ tls1_lookup_sigalg(NULL, NULL, &signhash_nid, data);
+ data += 2;
+ n2s(data, fieldlen);
+ if (sctlen != fieldlen)
+ return 0;
+ BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
+ BIO_printf(out, "%s", OBJ_nid2ln(signhash_nid));
+ BIO_printf(out, "\n%*s ", indent + 4, "");
+ BIO_hex_string(out, indent + 16, 16, data, fieldlen);
+ if (listlen > 0) BIO_printf(out, "\n");
+ data += fieldlen;
+ }
+ }
+
+ return 1;
+ }
+
+static X509V3_EXT_METHOD ext_method_ct_precert_scts =
+ {
+ NID_ct_precert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
+ 0, 0, 0, 0, 0, 0, 0, 0, (X509V3_EXT_I2R)i2r_sctlist, NULL, NULL
+ };
+
+static X509V3_EXT_METHOD ext_method_ct_cert_scts =
+ {
+ NID_ct_cert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
+ 0, 0, 0, 0, 0, 0, 0, 0, (X509V3_EXT_I2R)i2r_sctlist, NULL, NULL
+ };
+
+int X509V3_EXT_add_rfc6962(void)
+ {
+ if (!X509V3_EXT_add(&ext_method_ct_precert_scts))
+ return 0;
+ if (!X509V3_EXT_add(&ext_method_ct_cert_scts))
+ return 0;
+ return 1;
+ }
projects / openssl.git / blobdiff