From f6da3bbfb7342f3931d36e0c67bd9f79169fac2b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 14 Nov 2022 15:29:38 +0000 Subject: [PATCH] Add the ability to add a custom extension on an SSL object Previously we could only do this at the SSL_CTX level. We add the ability to also do this on an SSL - but only for internal code. Reviewed-by: Hugo Landau Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/19748) --- ssl/ssl_local.h | 8 ++++++++ ssl/statem/extensions_cust.c | 40 ++++++++++++++++++++---------------- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index 25fa38137e..ea8f5aa8b4 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -2894,6 +2894,14 @@ custom_ext_method *custom_ext_find(const custom_ext_methods *exts, void custom_ext_init(custom_ext_methods *meths); +int ossl_tls_add_custom_ext_intern(SSL_CTX *ctx, custom_ext_methods *exts, + ENDPOINT role, unsigned int ext_type, + unsigned int context, + SSL_custom_ext_add_cb_ex add_cb, + SSL_custom_ext_free_cb_ex free_cb, + void *add_arg, + SSL_custom_ext_parse_cb_ex parse_cb, + void *parse_arg); __owur int custom_ext_parse(SSL_CONNECTION *s, unsigned int context, unsigned int ext_type, const unsigned char *ext_data, size_t ext_size, diff --git a/ssl/statem/extensions_cust.c b/ssl/statem/extensions_cust.c index ebfe7d16ee..83470b1bf3 100644 --- a/ssl/statem/extensions_cust.c +++ b/ssl/statem/extensions_cust.c 
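Review bot: The new ossl_tls_add_custom_ext_intern() prototype in ssl_local.h is added without a comment stating the ctx/exts contract, even though the implementation in extensions_cust.c makes it non-trivial: when exts is NULL the table is taken from ctx->cert->custext, so ctx must then be non-NULL, and a NULL ctx also disables the SCT/CT check. Since this is now a cross-file internal API rather than a static helper, that contract should sit on the declaration, e.g. `/* Register in |exts|, or in ctx->cert->custext when |exts| is NULL; |ctx| is then required and may be NULL only when |exts| is given */`. It would also help to say which table an SSL-level caller is expected to pass, as the commit message only says "on an SSL" without naming it.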
@@ -344,16 +344,15 @@ int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type) NULL) != NULL; } -static int add_custom_ext_intern(SSL_CTX *ctx, ENDPOINT role, - unsigned int ext_type, - unsigned int context, - SSL_custom_ext_add_cb_ex add_cb, - SSL_custom_ext_free_cb_ex free_cb, - void *add_arg, - SSL_custom_ext_parse_cb_ex parse_cb, - void *parse_arg) +int ossl_tls_add_custom_ext_intern(SSL_CTX *ctx, custom_ext_methods *exts, + ENDPOINT role, unsigned int ext_type, + unsigned int context, + SSL_custom_ext_add_cb_ex add_cb, + SSL_custom_ext_free_cb_ex free_cb, + void *add_arg, + SSL_custom_ext_parse_cb_ex parse_cb, + void *parse_arg) { - custom_ext_methods *exts = &ctx->cert->custext; custom_ext_method *meth, *tmp; /* @@ -363,6 +362,9 @@ static int add_custom_ext_intern(SSL_CTX *ctx, ENDPOINT role, if (add_cb == NULL && free_cb != NULL) return 0; + if (exts == NULL) + exts = &ctx->cert->custext; + #ifndef OPENSSL_NO_CT /* * We don't want applications registering callbacks for SCT extensions @@ -371,6 +373,7 @@ static int add_custom_ext_intern(SSL_CTX *ctx, ENDPOINT role, */ if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp && (context & SSL_EXT_CLIENT_HELLO) != 0 + && ctx != NULL && SSL_CTX_ct_is_enabled(ctx)) return 0; #endif @@ -435,13 +438,13 @@ static int add_old_custom_ext(SSL_CTX *ctx, ENDPOINT role, parse_cb_wrap->parse_arg = parse_arg; parse_cb_wrap->parse_cb = parse_cb; - ret = add_custom_ext_intern(ctx, role, ext_type, - context, - custom_ext_add_old_cb_wrap, - custom_ext_free_old_cb_wrap, - add_cb_wrap, - custom_ext_parse_old_cb_wrap, - parse_cb_wrap); + ret = ossl_tls_add_custom_ext_intern(ctx, NULL, role, ext_type, + context, + custom_ext_add_old_cb_wrap, + custom_ext_free_old_cb_wrap, + add_cb_wrap, + custom_ext_parse_old_cb_wrap, + parse_cb_wrap); if (!ret) { OPENSSL_free(add_cb_wrap); 
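Review bot: In the second hunk, `if (exts == NULL) exts = &ctx->cert->custext;` dereferences ctx without checking it, so a caller that passes both exts and ctx as NULL crashes here rather than getting a failure return; the later `ctx != NULL` guard in the CT check shows a NULL ctx is now an anticipated input. Matching the function's existing early-failure style (`return 0` when add_cb == NULL && free_cb != NULL), a one-line guard before the assignment would close it: `if (exts == NULL && ctx == NULL) return 0;`. The function body begins in the first hunk and continues past the end of this one, so any later uses of ctx that I cannot see would need the same attention.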
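Review bot: In the third hunk, the added `&& ctx != NULL` short-circuit means the guard that refuses a ClientHello callback for TLSEXT_TYPE_signed_certificate_timestamp while CT is enabled is skipped entirely on the new per-SSL path (exts supplied, ctx NULL); the context comment above it still only says "We don't want applications registering callbacks for SCT extensions", which no longer describes the whole condition. Presumably the per-SSL callers are internal code that never registers an SCT handler, but that assumption is not recorded anywhere in the hunk. I would extend the comment with a line such as `/* ctx is NULL for per-SSL (internal) registration; the CT check is skipped, so such callers must not register SCT handlers themselves */` so the weakened check is deliberate and visible to the next maintainer. The enclosing function starts and ends outside this hunk.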
@@ -487,8 +490,9 @@ int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type, void *add_arg, SSL_custom_ext_parse_cb_ex parse_cb, void *parse_arg) { - return add_custom_ext_intern(ctx, ENDPOINT_BOTH, ext_type, context, add_cb, - free_cb, add_arg, parse_cb, parse_arg); + return ossl_tls_add_custom_ext_intern(ctx, NULL, ENDPOINT_BOTH, ext_type, + context, add_cb, free_cb, add_arg, + parse_cb, parse_arg); } int SSL_extension_supported(unsigned int ext_type) -- 2.39.5