author | Matt Caswell <matt@openssl.org> | 2018-08-13 17:23:27 +0300 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-08-20 17:14:01 +0300 |
commit | 32097b33bdff520d149ad6c8a11bd344e4ef764b (patch) | |
tree | c46929e459ee7c2688765c56afbf329f38a6edda /ssl | |
parent | 756510c102885005c2fc31eb01e3a6b95f8ed985 (diff) |
Change Post Handshake auth so that it is opt-in
Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.
Fixes #6933.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
Diffstat (limited to 'ssl')
-rw-r--r-- | ssl/ssl_lib.c | 4 | ||||
-rw-r--r-- | ssl/ssl_locl.h | 2 | ||||
-rw-r--r-- | ssl/statem/extensions_clnt.c | 19 |
3 files changed, 5 insertions, 20 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a486356c2a..89570fbe3a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -5455,9 +5455,9 @@ int SSL_stateless(SSL *s)
 return -1;
 }
-void SSL_force_post_handshake_auth(SSL *ssl)
+void SSL_set_post_handshake_auth(SSL *ssl, int val)
 {
- ssl->pha_forced = 1;
+ ssl->pha_enabled = val;
 }
 int SSL_verify_client_post_handshake(SSL *ssl)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 6d6404ba3d..0d98110480 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1391,7 +1391,7 @@ struct ssl_st {
 int key_update;
 /* Post-handshake authentication state */
 SSL_PHA_STATE post_handshake_auth;
- int pha_forced;
+ int pha_enabled;
 uint8_t* pha_context;
 size_t pha_context_len;
 int certreqs_sent;
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 86d6189ea1..2d5b60a737 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -1193,23 +1193,8 @@ EXT_RETURN tls_construct_ctos_post_handshake_auth(SSL *s, WPACKET *pkt,
 X509 *x, size_t chainidx)
 {
 #ifndef OPENSSL_NO_TLS1_3
- if (!s->pha_forced) {
- int i, n = 0;
-
- /* check for cert, if present, we can do post-handshake auth */
- if (s->cert == NULL)
- return EXT_RETURN_NOT_SENT;
-
- for (i = 0; i < SSL_PKEY_NUM; i++) {
- if (s->cert->pkeys[i].x509 != NULL
- && s->cert->pkeys[i].privatekey != NULL)
- n++;
- }
-
- /* no identity certificates, so no extension */
- if (n == 0)
- return EXT_RETURN_NOT_SENT;
- }
+ if (!s->pha_enabled)
+ return EXT_RETURN_NOT_SENT;
 /* construct extension - 0 length, no contents */
 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_post_handshake_auth) |
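Review bot: `SSL_set_post_handshake_auth()` in ssl/ssl_lib.c stores `val` unchanged and has no comment saying when the call takes effect. The only reader of `pha_enabled` visible in this commit is `tls_construct_ctos_post_handshake_auth()`, which tests it while the ClientHello extensions are built, so the setting presumably has to be made on the client before the handshake starts and has no effect on a server; a short header comment stating that would help callers migrating from `SSL_force_post_handshake_auth()`. Because the field is only ever tested as a boolean, `ssl->pha_enabled = (val != 0);` would keep the stored value to 0 or 1.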
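Review bot: With the certificate scan removed from `tls_construct_ctos_post_handshake_auth()`, the extension is sent whenever `pha_enabled` is set, even when `s->cert` holds no certificate and private key pair. A client that opts in without an identity would then advertise post-handshake auth and, presumably, answer a later CertificateRequest with an empty certificate, so the server side must be prepared to reject that. I would record this on the new check, e.g. `/* opt-in only: sent even when no client certificate is configured */`. The function body continues past the end of the hunk.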