| author | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-07 14:17:37 -0400 |
|---|---|---|
| committer | Viktor Dukhovni <openssl-users@dukhovni.org> | 2016-04-07 14:41:34 -0400 |
| commit | 43341433a88a6a2cd38c35359f48653e809b10cd (patch) | |
| tree | 37b70a38d94f8f9bfa18f633b35df2647d13273a /include/openssl/ct.h | |
| parent | c636c1c470fd2b4b0cb546e6ee85971375e42ec1 (diff) | |
| download | openssl-43341433a88a6a2cd38c35359f48653e809b10cd.tar.gz | |
Suppress CT callback as appropriate
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates. Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing
when the chain fails verification.
Move and consolidate CT callbacks from libcrypto to libssl. We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.
Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information. When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'include/openssl/ct.h')
-rw-r--r-- | include/openssl/ct.h | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/include/openssl/ct.h b/include/openssl/ct.h index 0da3125d17..9b0ce2f119 100644 --- a/include/openssl/ct.h +++ b/include/openssl/ct.h @@ -130,21 +130,6 @@ const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *c void CT_POLICY_EVAL_CTX_set0_log_store(CT_POLICY_EVAL_CTX *ctx, CTLOG_STORE *log_store); -/* - * A callback for verifying that the received SCTs are sufficient. - * Expected to return 1 if they are sufficient, otherwise 0. - * May return a negative integer if an error occurs. - * A connection should be aborted if the SCTs are deemed insufficient. - */ -typedef int(*ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx, - const STACK_OF(SCT) *scts, void *arg); -/* Returns 0 if there are invalid SCTs */ -int CT_verify_no_bad_scts(const CT_POLICY_EVAL_CTX *ctx, - const STACK_OF(SCT) *scts, void *arg); -/* Returns 0 if there are invalid SCTS or fewer than one valid SCT */ -int CT_verify_at_least_one_good_sct(const CT_POLICY_EVAL_CTX *ctx, - const STACK_OF(SCT) *scts, void *arg); - /***************** * SCT functions * *****************/ @@ -299,6 +284,11 @@ sct_source_t SCT_get_source(const SCT *sct); __owur int SCT_set_source(SCT *sct, sct_source_t source); /* + * Returns a text string describing the validation status of |sct|. + */ +const char *SCT_validation_status_string(const SCT *sct); + +/* * Pretty-prints an |sct| to |out|. * It will be indented by the number of spaces specified by |indent|. * If |logs| is not NULL, it will be used to lookup the CT log that the SCT came |
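Review bot: In the first hunk (@@ -130,21 +130,6 @@), the removal of the public typedef `ct_validation_cb` and of `CT_verify_no_bad_scts()` / `CT_verify_at_least_one_good_sct()` from include/openssl/ct.h is a source-incompatible API change with no replacement visible in this file; the commit message says the callbacks now live in libssl behind `SSL_{,CTX_}_enable_ct()` with a permissive and a strict mode, but nothing in this header points a caller of the removed functions there. Suggest leaving a short comment where the declarations were (or in the header's CT_POLICY_EVAL_CTX section), e.g. `/* SCT validation is now driven from libssl; see SSL_enable_ct() in ssl.h */`, and recording the removal in CHANGES so that code calling the old verifiers fails at compile time with a clear migration hint rather than just an undeclared-identifier error.

Review bot: In the second hunk (@@ -299,6 +284,11 @@), the comment on the new `SCT_validation_status_string()` does not say who owns the returned string or what is returned for an unrecognised status; since the rest of this header (e.g. `__owur int SCT_set_source(SCT *sct, sct_source_t source);`) is explicit about return-value conventions, the declaration should say whether the result is a constant string that the caller must not free, and whether the function can return NULL, so that callers printing it (as s_client now does per the commit message) know they need no cleanup and whether a NULL check is required. Suggest expanding the comment to something like `/* Returns a static, non-NULL string describing the validation status of |sct|; must not be freed. */` if that is the intended contract, and adding the function to the corresponding man page.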