Remove serverinfo and custom extensions support.
If we need an extension, we can implement it in-library.
Change-Id: I0eac5affcd8e7252b998b6c86ed2068234134b08
Reviewed-on: https://boringssl-review.googlesource.com/1051
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index f2bbabc..6d3f18e 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -347,8 +347,6 @@
#endif
if (s->ctx->tlsext_authz_server_audit_proof_cb != NULL)
ssl2_compat = 0;
- if (s->ctx->custom_cli_ext_records_count != 0)
- ssl2_compat = 0;
}
#endif
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 8d6f7f8..5b8b526 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -370,58 +370,6 @@
typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data, int len, void *arg);
typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, SSL_CIPHER **cipher, void *arg);
-#ifndef OPENSSL_NO_TLSEXT
-/* Callbacks and structures for handling custom TLS Extensions:
- * cli_ext_first_cb - sends data for ClientHello TLS Extension
- * cli_ext_second_cb - receives data from ServerHello TLS Extension
- * srv_ext_first_cb - receives data from ClientHello TLS Extension
- * srv_ext_second_cb - sends data for ServerHello TLS Extension
- *
- * All these functions return nonzero on success. Zero will terminate
- * the handshake (and return a specific TLS Fatal alert, if the function
- * declaration has an "al" parameter). -1 for the "sending" functions
- * will cause the TLS Extension to be omitted.
- *
- * "ext_type" is a TLS "ExtensionType" from 0-65535.
- * "in" is a pointer to TLS "extension_data" being provided to the cb.
- * "out" is used by the callback to return a pointer to "extension data"
- * which OpenSSL will later copy into the TLS handshake. The contents
- * of this buffer should not be changed until the handshake is complete.
- * "inlen" and "outlen" are TLS Extension lengths from 0-65535.
- * "al" is a TLS "AlertDescription" from 0-255 which WILL be sent as a
- * fatal TLS alert, if the callback returns zero.
- */
-typedef int (*custom_cli_ext_first_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char **out,
- unsigned short *outlen, void *arg);
-typedef int (*custom_cli_ext_second_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg);
-
-typedef int (*custom_srv_ext_first_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg);
-typedef int (*custom_srv_ext_second_cb_fn)(SSL *s, unsigned short ext_type,
- const unsigned char **out,
- unsigned short *outlen, void *arg);
-
-typedef struct {
- unsigned short ext_type;
- custom_cli_ext_first_cb_fn fn1;
- custom_cli_ext_second_cb_fn fn2;
- void *arg;
-} custom_cli_ext_record;
-
-typedef struct {
- unsigned short ext_type;
- custom_srv_ext_first_cb_fn fn1;
- custom_srv_ext_second_cb_fn fn2;
- void *arg;
-} custom_srv_ext_record;
-#endif
-
#ifndef OPENSSL_NO_SSL_INTERN
/* used to hold info on the particular ciphers used */
@@ -1196,12 +1144,6 @@
void *tlsext_authz_server_audit_proof_cb_arg;
#endif
- /* Arrays containing the callbacks for custom TLS Extensions. */
- custom_cli_ext_record *custom_cli_ext_records;
- size_t custom_cli_ext_records_count;
- custom_srv_ext_record *custom_srv_ext_records;
- size_t custom_srv_ext_records_count;
-
/* If true, a client will advertise the Channel ID extension and a
* server will echo it. */
char tlsext_channel_id_enabled;
@@ -1345,32 +1287,6 @@
const char *SSL_get_psk_identity(const SSL *s);
#endif
-#ifndef OPENSSL_NO_TLSEXT
-/* Register callbacks to handle custom TLS Extensions as client or server.
- *
- * Returns nonzero on success. You cannot register twice for the same
- * extension number, and registering for an extension number already
- * handled by OpenSSL will succeed, but the callbacks will not be invoked.
- *
- * NULL can be registered for any callback function. For the client
- * functions, a NULL custom_cli_ext_first_cb_fn sends an empty ClientHello
- * Extension, and a NULL custom_cli_ext_second_cb_fn ignores the ServerHello
- * response (if any).
- *
- * For the server functions, a NULL custom_srv_ext_first_cb_fn means the
- * ClientHello extension's data will be ignored, but the extension will still
- * be noted and custom_srv_ext_second_cb_fn will still be invoked. A NULL
- * custom_srv_ext_second_cb doesn't send a ServerHello extension.
- */
-int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_cli_ext_first_cb_fn fn1,
- custom_cli_ext_second_cb_fn fn2, void *arg);
-
-int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_srv_ext_first_cb_fn fn1,
- custom_srv_ext_second_cb_fn fn2, void *arg);
-#endif
-
#define SSL_NOTHING 1
#define SSL_WRITING 2
#define SSL_READING 3
@@ -2192,13 +2108,6 @@
int SSL_use_authz_file(SSL *ssl, const char *file);
#endif
-/* Set serverinfo data for the current active cert. */
-int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
- size_t serverinfo_length);
-#ifndef OPENSSL_NO_STDIO
-int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
-#endif /* NO_STDIO */
-
#endif
#ifndef OPENSSL_NO_STDIO
@@ -2570,7 +2479,6 @@
#define SSL_F_dtls1_heartbeat 106
#define SSL_F_ssl3_digest_cached_records 107
#define SSL_F_SSL_set_wfd 108
-#define SSL_F_SSL_CTX_use_serverinfo 109
#define SSL_F_ssl_set_pkey 110
#define SSL_F_SSL_CTX_use_certificate 111
#define SSL_F_dtls1_read_bytes 112
@@ -2611,7 +2519,6 @@
#define SSL_F_ssl3_get_record 147
#define SSL_F_SSL_CTX_use_RSAPrivateKey 148
#define SSL_F_SSL_use_certificate_file 149
-#define SSL_F_SSL_CTX_use_serverinfo_file 150
#define SSL_F_SSL_load_client_CA_file 151
#define SSL_F_dtls1_preprocess_fragment 152
#define SSL_F_SSL_CTX_check_private_key 153
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 1bad680..a11d7a3 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -341,23 +341,6 @@
cert->pkeys[i].authz,
cert->pkeys[i].authz_length);
}
-
- if (cert->pkeys[i].serverinfo != NULL)
- {
- /* Just copy everything. */
- ret->pkeys[i].serverinfo =
- OPENSSL_malloc(cert->pkeys[i].serverinfo_length);
- if (ret->pkeys[i].serverinfo == NULL)
- {
- OPENSSL_PUT_ERROR(SSL, ssl_cert_dup, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- ret->pkeys[i].serverinfo_length =
- cert->pkeys[i].serverinfo_length;
- memcpy(ret->pkeys[i].serverinfo,
- cert->pkeys[i].serverinfo,
- cert->pkeys[i].serverinfo_length);
- }
#endif
}
@@ -479,12 +462,6 @@
OPENSSL_free(cpk->authz);
cpk->authz = NULL;
}
- if (cpk->serverinfo)
- {
- OPENSSL_free(cpk->serverinfo);
- cpk->serverinfo = NULL;
- cpk->serverinfo_length = 0;
- }
#endif
/* Clear all flags apart from explicit sign */
cpk->valid_flags &= CERT_PKEY_EXPLICIT_SIGN;
diff --git a/ssl/ssl_error.c b/ssl/ssl_error.c
index 0018d07..9d2c4bd 100644
--- a/ssl/ssl_error.c
+++ b/ssl/ssl_error.c
@@ -36,8 +36,6 @@
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_chain_file, 0), "SSL_CTX_use_certificate_chain_file"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_certificate_file, 0), "SSL_CTX_use_certificate_file"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_psk_identity_hint, 0), "SSL_CTX_use_psk_identity_hint"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_serverinfo, 0), "SSL_CTX_use_serverinfo"},
- {ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_CTX_use_serverinfo_file, 0), "SSL_CTX_use_serverinfo_file"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_new, 0), "SSL_SESSION_new"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_print_fp, 0), "SSL_SESSION_print_fp"},
{ERR_PACK(ERR_LIB_SSL, SSL_F_SSL_SESSION_set1_id_context, 0), "SSL_SESSION_set1_id_context"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index d9fb695..f5e49d0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1839,62 +1839,6 @@
}
# endif
-int SSL_CTX_set_custom_cli_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_cli_ext_first_cb_fn fn1,
- custom_cli_ext_second_cb_fn fn2, void* arg)
- {
- size_t i;
- custom_cli_ext_record* record;
-
- /* Check for duplicates */
- for (i=0; i < ctx->custom_cli_ext_records_count; i++)
- if (ext_type == ctx->custom_cli_ext_records[i].ext_type)
- return 0;
-
- ctx->custom_cli_ext_records = OPENSSL_realloc(ctx->custom_cli_ext_records,
- (ctx->custom_cli_ext_records_count + 1) *
- sizeof(custom_cli_ext_record));
- if (!ctx->custom_cli_ext_records) {
- ctx->custom_cli_ext_records_count = 0;
- return 0;
- }
- ctx->custom_cli_ext_records_count++;
- record = &ctx->custom_cli_ext_records[ctx->custom_cli_ext_records_count - 1];
- record->ext_type = ext_type;
- record->fn1 = fn1;
- record->fn2 = fn2;
- record->arg = arg;
- return 1;
- }
-
-int SSL_CTX_set_custom_srv_ext(SSL_CTX *ctx, unsigned short ext_type,
- custom_srv_ext_first_cb_fn fn1,
- custom_srv_ext_second_cb_fn fn2, void* arg)
- {
- size_t i;
- custom_srv_ext_record* record;
-
- /* Check for duplicates */
- for (i=0; i < ctx->custom_srv_ext_records_count; i++)
- if (ext_type == ctx->custom_srv_ext_records[i].ext_type)
- return 0;
-
- ctx->custom_srv_ext_records = OPENSSL_realloc(ctx->custom_srv_ext_records,
- (ctx->custom_srv_ext_records_count + 1) *
- sizeof(custom_srv_ext_record));
- if (!ctx->custom_srv_ext_records) {
- ctx->custom_srv_ext_records_count = 0;
- return 0;
- }
- ctx->custom_srv_ext_records_count++;
- record = &ctx->custom_srv_ext_records[ctx->custom_srv_ext_records_count - 1];
- record->ext_type = ext_type;
- record->fn1 = fn1;
- record->fn2 = fn2;
- record->arg = arg;
- return 1;
- }
-
/* SSL_CTX_set_alpn_protos sets the ALPN protocol list on |ctx| to |protos|.
* |protos| must be in wire-format (i.e. a series of non-empty, 8-bit
* length-prefixed strings).
@@ -2138,10 +2082,6 @@
ret->psk_client_callback=NULL;
ret->psk_server_callback=NULL;
#endif
- ret->custom_cli_ext_records = NULL;
- ret->custom_cli_ext_records_count = 0;
- ret->custom_srv_ext_records = NULL;
- ret->custom_srv_ext_records_count = 0;
#ifndef OPENSSL_NO_BUF_FREELISTS
ret->freelist_max_len = SSL_MAX_BUF_FREELIST_LEN_DEFAULT;
ret->rbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
@@ -2268,10 +2208,6 @@
if (a->psk_identity_hint)
OPENSSL_free(a->psk_identity_hint);
#endif
-#ifndef OPENSSL_NO_TLSEXT
- OPENSSL_free(a->custom_cli_ext_records);
- OPENSSL_free(a->custom_srv_ext_records);
-#endif
/* TODO(fork): remove. */
#if 0
@@ -2728,26 +2664,6 @@
return c->pkeys[i].authz;
}
-
-int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
- size_t *serverinfo_length)
- {
- CERT *c = NULL;
- int i = 0;
- *serverinfo_length = 0;
-
- c = s->cert;
- i = ssl_get_server_cert_index(s);
-
- if (i == -1)
- return 0;
- if (c->pkeys[i].serverinfo == NULL)
- return 0;
-
- *serverinfo = c->pkeys[i].serverinfo;
- *serverinfo_length = c->pkeys[i].serverinfo_length;
- return 1;
- }
#endif
void ssl_update_cache(SSL *s,int mode)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 2dcff75..4a2d4a5 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -519,14 +519,6 @@
* uint8_t data[length]; */
unsigned char *authz;
size_t authz_length;
-
- /* serverinfo data for this certificate. The data is in TLS Extension
- * wire format, specifically it's a series of records like:
- * uint16_t extension_type; // (RFC 5246, 7.4.1.4, Extension)
- * uint16_t length;
- * uint8_t data[length]; */
- unsigned char *serverinfo;
- size_t serverinfo_length;
#endif
/* Set if CERT_PKEY can be used with current SSL session: e.g.
* appropriate curve, signature algorithms etc. If zero it can't be
@@ -1030,8 +1022,6 @@
CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
#ifndef OPENSSL_NO_TLSEXT
unsigned char *ssl_get_authz_data(SSL *s, size_t *authz_length);
-int ssl_get_server_cert_serverinfo(SSL *s, const unsigned char **serverinfo,
- size_t *serverinfo_length);
#endif
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 04bbabe..4a6ed62 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -850,138 +850,6 @@
}
}
-static int serverinfo_find_extension(const unsigned char *serverinfo,
- size_t serverinfo_length,
- unsigned short extension_type,
- const unsigned char **extension_data,
- unsigned short *extension_length)
- {
- *extension_data = NULL;
- *extension_length = 0;
- if (serverinfo == NULL || serverinfo_length == 0)
- return 0;
- for (;;)
- {
- unsigned short type = 0; /* uint16 */
- unsigned short len = 0; /* uint16 */
-
- /* end of serverinfo */
- if (serverinfo_length == 0)
- return -1; /* Extension not found */
-
- /* read 2-byte type field */
- if (serverinfo_length < 2)
- return 0; /* Error */
- type = (serverinfo[0] << 8) + serverinfo[1];
- serverinfo += 2;
- serverinfo_length -= 2;
-
- /* read 2-byte len field */
- if (serverinfo_length < 2)
- return 0; /* Error */
- len = (serverinfo[0] << 8) + serverinfo[1];
- serverinfo += 2;
- serverinfo_length -= 2;
-
- if (len > serverinfo_length)
- return 0; /* Error */
-
- if (type == extension_type)
- {
- *extension_data = serverinfo;
- *extension_length = len;
- return 1; /* Success */
- }
-
- serverinfo += len;
- serverinfo_length -= len;
- }
- return 0; /* Error */
- }
-
-static int serverinfo_srv_first_cb(SSL *s, unsigned short ext_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg)
- {
- if (inlen != 0)
- {
- *al = SSL_AD_DECODE_ERROR;
- return 0;
- }
- return 1;
- }
-
-static int serverinfo_srv_second_cb(SSL *s, unsigned short ext_type,
- const unsigned char **out, unsigned short *outlen,
- void *arg)
- {
- const unsigned char *serverinfo = NULL;
- size_t serverinfo_length = 0;
-
- /* Is there serverinfo data for the chosen server cert? */
- if ((ssl_get_server_cert_serverinfo(s, &serverinfo,
- &serverinfo_length)) != 0)
- {
- /* Find the relevant extension from the serverinfo */
- int retval = serverinfo_find_extension(serverinfo, serverinfo_length,
- ext_type, out, outlen);
- if (retval == 0)
- return 0; /* Error */
- if (retval == -1)
- return -1; /* No extension found, don't send extension */
- return 1; /* Send extension */
- }
- return -1; /* No serverinfo data found, don't send extension */
- }
-
-/* With a NULL context, this function just checks that the serverinfo data
- parses correctly. With a non-NULL context, it registers callbacks for
- the included extensions. */
-static int serverinfo_process_buffer(const unsigned char *serverinfo,
- size_t serverinfo_length, SSL_CTX *ctx)
- {
- if (serverinfo == NULL || serverinfo_length == 0)
- return 0;
- for (;;)
- {
- unsigned short ext_type = 0; /* uint16 */
- unsigned short len = 0; /* uint16 */
-
- /* end of serverinfo */
- if (serverinfo_length == 0)
- return 1;
-
- /* read 2-byte type field */
- if (serverinfo_length < 2)
- return 0;
- /* FIXME: check for types we understand explicitly? */
-
- /* Register callbacks for extensions */
- ext_type = (serverinfo[0] << 8) + serverinfo[1];
- if (ctx && !SSL_CTX_set_custom_srv_ext(ctx, ext_type,
- serverinfo_srv_first_cb,
- serverinfo_srv_second_cb, NULL))
- return 0;
-
- serverinfo += 2;
- serverinfo_length -= 2;
-
- /* read 2-byte len field */
- if (serverinfo_length < 2)
- return 0;
- len = (serverinfo[0] << 8) + serverinfo[1];
- serverinfo += 2;
- serverinfo_length -= 2;
-
- if (len > serverinfo_length)
- return 0;
-
- serverinfo += len;
- serverinfo_length -= len;
- }
- }
-
static const unsigned char *authz_find_data(const unsigned char *authz,
size_t authz_length,
unsigned char data_type,
@@ -1059,49 +927,6 @@
return ssl_set_authz(ctx->cert, authz, authz_length);
}
-int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
- size_t serverinfo_length)
- {
- if (ctx == NULL || serverinfo == NULL || serverinfo_length == 0)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_PASSED_NULL_PARAMETER);
- return 0;
- }
- if (!serverinfo_process_buffer(serverinfo, serverinfo_length, NULL))
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, SSL_R_INVALID_SERVERINFO_DATA);
- return 0;
- }
- if (!ssl_cert_inst(&ctx->cert))
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- if (ctx->cert->key == NULL)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_INTERNAL_ERROR);
- return 0;
- }
- ctx->cert->key->serverinfo = OPENSSL_realloc(ctx->cert->key->serverinfo,
- serverinfo_length);
- if (ctx->cert->key->serverinfo == NULL)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, ERR_R_MALLOC_FAILURE);
- return 0;
- }
- memcpy(ctx->cert->key->serverinfo, serverinfo, serverinfo_length);
- ctx->cert->key->serverinfo_length = serverinfo_length;
-
- /* Now that the serverinfo is validated and stored, go ahead and
- * register callbacks. */
- if (!serverinfo_process_buffer(serverinfo, serverinfo_length, ctx))
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo, SSL_R_INVALID_SERVERINFO_DATA);
- return 0;
- }
- return 1;
- }
-
int SSL_use_authz(SSL *ssl, unsigned char *authz, size_t authz_length)
{
if (authz == NULL)
@@ -1201,93 +1026,5 @@
OPENSSL_free(authz);
return ret;
}
-
-int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file)
- {
- unsigned char *serverinfo = NULL;
- size_t serverinfo_length = 0;
- unsigned char* extension = 0;
- long extension_length = 0;
- char* name = NULL;
- char* header = NULL;
- char namePrefix[] = "SERVERINFO FOR ";
- int ret = 0;
- BIO *bin = NULL;
- size_t num_extensions = 0;
-
- if (ctx == NULL || file == NULL)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_PASSED_NULL_PARAMETER);
- goto end;
- }
-
- bin = BIO_new(BIO_s_file());
- if (bin == NULL)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_BUF_LIB);
- goto end;
- }
- if (BIO_read_filename(bin, file) <= 0)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_SYS_LIB);
- goto end;
- }
-
- for (num_extensions=0;; num_extensions++)
- {
- if (PEM_read_bio(bin, &name, &header, &extension, &extension_length) == 0)
- {
- /* There must be at least one extension in this file */
- if (num_extensions == 0)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_NO_PEM_EXTENSIONS);
- goto end;
- }
- else /* End of file, we're done */
- break;
- }
- /* Check that PEM name starts with "BEGIN SERVERINFO FOR " */
- if (strlen(name) < strlen(namePrefix))
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_PEM_NAME_TOO_SHORT);
- goto end;
- }
- if (strncmp(name, namePrefix, strlen(namePrefix)) != 0)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_PEM_NAME_BAD_PREFIX);
- goto end;
- }
- /* Check that the decoded PEM data is plausible (valid length field) */
- if (extension_length < 4 || (extension[2] << 8) + extension[3] != extension_length - 4)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, SSL_R_BAD_DATA);
- goto end;
- }
- /* Append the decoded extension to the serverinfo buffer */
- serverinfo = OPENSSL_realloc(serverinfo, serverinfo_length + extension_length);
- if (serverinfo == NULL)
- {
- OPENSSL_PUT_ERROR(SSL, SSL_CTX_use_serverinfo_file, ERR_R_MALLOC_FAILURE);
- goto end;
- }
- memcpy(serverinfo + serverinfo_length, extension, extension_length);
- serverinfo_length += extension_length;
-
- OPENSSL_free(name); name = NULL;
- OPENSSL_free(header); header = NULL;
- OPENSSL_free(extension); extension = NULL;
- }
-
- ret = SSL_CTX_use_serverinfo(ctx, serverinfo, serverinfo_length);
-end:
- /* SSL_CTX_use_serverinfo makes a local copy of the serverinfo. */
- OPENSSL_free(name);
- OPENSSL_free(header);
- OPENSSL_free(extension);
- OPENSSL_free(serverinfo);
- if (bin != NULL)
- BIO_free(bin);
- return ret;
- }
#endif /* OPENSSL_NO_STDIO */
#endif /* OPENSSL_NO_TLSEXT */
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 5e99928..fe0c177 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1536,40 +1536,6 @@
*(ret++) = TLSEXT_AUTHZDATAFORMAT_audit_proof;
}
- /* Add custom TLS Extensions to ClientHello */
- if (s->ctx->custom_cli_ext_records_count)
- {
- size_t i;
- custom_cli_ext_record* record;
-
- for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
- {
- const unsigned char* out = NULL;
- unsigned short outlen = 0;
-
- record = &s->ctx->custom_cli_ext_records[i];
- /* NULL callback sends empty extension */
- /* -1 from callback omits extension */
- if (record->fn1)
- {
- int cb_retval = 0;
- cb_retval = record->fn1(s, record->ext_type,
- &out, &outlen,
- record->arg);
- if (cb_retval == 0)
- return NULL; /* error */
- if (cb_retval == -1)
- continue; /* skip this extension */
- }
- if (limit < ret + 4 + outlen)
- return NULL;
- s2n(record->ext_type, ret);
- s2n(outlen, ret);
- memcpy(ret, out, outlen);
- ret += outlen;
- }
- }
-
#ifndef OPENSSL_NO_EC
if (using_ecc)
{
@@ -1886,47 +1852,6 @@
}
}
- /* If custom types were sent in ClientHello, add ServerHello responses */
- if (s->s3->tlsext_custom_types_count)
- {
- size_t i;
-
- for (i = 0; i < s->s3->tlsext_custom_types_count; i++)
- {
- size_t j;
- custom_srv_ext_record *record;
-
- for (j = 0; j < s->ctx->custom_srv_ext_records_count; j++)
- {
- record = &s->ctx->custom_srv_ext_records[j];
- if (s->s3->tlsext_custom_types[i] == record->ext_type)
- {
- const unsigned char *out = NULL;
- unsigned short outlen = 0;
- int cb_retval = 0;
-
- /* NULL callback or -1 omits extension */
- if (!record->fn2)
- break;
- cb_retval = record->fn2(s, record->ext_type,
- &out, &outlen,
- record->arg);
- if (cb_retval == 0)
- return NULL; /* error */
- if (cb_retval == -1)
- break; /* skip this extension */
- if (limit < ret + 4 + outlen)
- return NULL;
- s2n(record->ext_type, ret);
- s2n(outlen, ret);
- memcpy(ret, out, outlen);
- ret += outlen;
- break;
- }
- }
- }
- }
-
if (s->s3->alpn_selected)
{
const uint8_t *selected = s->s3->alpn_selected;
@@ -2130,14 +2055,6 @@
s->s3->next_proto_neg_seen = 0;
#endif
- /* Clear observed custom extensions */
- s->s3->tlsext_custom_types_count = 0;
- if (s->s3->tlsext_custom_types != NULL)
- {
- OPENSSL_free(s->s3->tlsext_custom_types);
- s->s3->tlsext_custom_types = NULL;
- }
-
if (s->s3->alpn_selected)
{
OPENSSL_free(s->s3->alpn_selected);
@@ -2674,54 +2591,6 @@
}
}
- /* If this ClientHello extension was unhandled and this is
- * a nonresumed connection, check whether the extension is a
- * custom TLS Extension (has a custom_srv_ext_record), and if
- * so call the callback and record the extension number so that
- * an appropriate ServerHello may be later returned.
- */
- else if (!s->hit && s->ctx->custom_srv_ext_records_count)
- {
- custom_srv_ext_record *record;
-
- for (i=0; i < s->ctx->custom_srv_ext_records_count; i++)
- {
- record = &s->ctx->custom_srv_ext_records[i];
- if (type == record->ext_type)
- {
- size_t j;
-
- /* Error on duplicate TLS Extensions */
- for (j = 0; j < s->s3->tlsext_custom_types_count; j++)
- {
- if (type == s->s3->tlsext_custom_types[j])
- {
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
- }
-
- /* NULL callback still notes the extension */
- if (record->fn1 && !record->fn1(s, type, data, size, al, record->arg))
- return 0;
-
- /* Add the (non-duplicated) entry */
- s->s3->tlsext_custom_types_count++;
- s->s3->tlsext_custom_types = OPENSSL_realloc(
- s->s3->tlsext_custom_types,
- s->s3->tlsext_custom_types_count * 2);
- if (s->s3->tlsext_custom_types == NULL)
- {
- s->s3->tlsext_custom_types = 0;
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
- }
- s->s3->tlsext_custom_types[
- s->s3->tlsext_custom_types_count - 1] = type;
- }
- }
- }
-
data+=size;
}
@@ -3057,31 +2926,6 @@
s->s3->tlsext_authz_server_promised = 1;
}
-
- /* If this extension type was not otherwise handled, but
- * matches a custom_cli_ext_record, then send it to the c
- * callback */
- /* TODO(fork): Can this be removed or transitioned to a
- * CBS-based API? It's only used in certificate_transparency to
- * parse the signed_certificate_timestamp extension which should
- * just be built-in. */
- else if (s->ctx->custom_cli_ext_records_count)
- {
- size_t i;
- custom_cli_ext_record* record;
-
- for (i = 0; i < s->ctx->custom_cli_ext_records_count; i++)
- {
- record = &s->ctx->custom_cli_ext_records[i];
- if (record->ext_type == type)
- {
- if (record->fn2 && !record->fn2(s, type, CBS_data(&extension), CBS_len(&extension), out_alert, record->arg))
- return 0;
- break;
- }
- }
- }
-
}
if (!s->hit && tlsext_servername == 1)
