Draft 19 certificate request format support. #2918
Conversation
|
Also TODO: trace support. |
ssl/statem/statem_clnt.c
Outdated
| goto err; | ||
| } | ||
| int al = SSL_AD_DECODE_ERROR; | ||
| unsigned int i; |
There was a problem hiding this comment.
blank line after decl. and should i be size_t?
There was a problem hiding this comment.
There's no reason i should be unsigned, even... it's only used as an index as far as I can see (?)
There was a problem hiding this comment.
It makes sense to me for it to be size_t since it is bounded by the size of something (i.e. SSL_PKEY_NUM) and can't be -ve.
ssl/statem/statem_lib.c
Outdated
| } | ||
|
|
||
| int parse_ca_names(SSL *s, PACKET *pkt, int *al) | ||
| { |
ssl/statem/statem_lib.c
Outdated
| } | ||
|
|
||
| namestart = namebytes; | ||
|
|
There was a problem hiding this comment.
delete this blank line, the one at 1913, and maybe add one before 1918?
ssl/statem/statem_lib.c
Outdated
|
|
||
| return 1; | ||
|
|
||
| decerr: |
ssl/statem/statem_lib.c
Outdated
|
|
||
| decerr: | ||
| *al = SSL_AD_DECODE_ERROR; | ||
| err: |
ssl/statem/statem_srvr.c
Outdated
| int i; | ||
| STACK_OF(X509_NAME) *sk = NULL; | ||
|
|
||
| int al = SSL_AD_INTERNAL_ERROR; |
snhenson
force-pushed
the
draft19_certreq
branch
from
ca1d3ca
to
505380d
Compare
snhenson
changed the title
|
Update: rebased and comments addressed. Tests are in #2969, the additional APIs etc. can be part of a separate PR. Taken out of WIP. |
| } | ||
|
|
||
| sk_X509_NAME_pop_free(s->s3->tmp.ca_names, X509_NAME_free); | ||
| s->s3->tmp.ca_names = ca_sk; |
There was a problem hiding this comment.
free the old value? suppose peer sends this extension twice, for example?
There was a problem hiding this comment.
The new extension code rejects duplicate supported extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #2918)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #2918)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #2918)
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from #2918)
Checklist
Description of change
Add support for the TLS 1.3 draft-19 certificate request format.
It passes 'make test' but no other interop testing has been done: there aren't many implementations about yet ;-)
This adds support for the certificate_authorities extension which can be used by client and server.
The signature algorithms extension can now be generated/parsed by both client and server.
Still todo:
Check new extension code is correct. Maybe rename/move the signature algorithms functions: e.g. tls_construct_ctos_sig_algs can now also construct signature algorithms from server to client too.
Add functions to allow setting of CA list client side and retrieval server side and appropriate options to s_client, s_server and SSL_CONF.
Document new functions.
Add tests: the certificate request distinguished names is currently untested too: DONE in #2969