Suppress CT callback as appropriate
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates. Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing
when the chain is fails verification.
Move and consolidate CT callbacks from libcrypto to libssl. We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.
Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information. When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index 7940cfc..e993397 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -260,12 +260,6 @@
custom_ext_parse_cb parse_cb,
void *parse_arg)
{
- int ret = custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb,
- free_cb, add_arg, parse_cb, parse_arg);
-
- if (ret != 1)
- goto end;
-
#ifndef OPENSSL_NO_CT
/*
* We don't want applications registering callbacks for SCT extensions
@@ -273,12 +267,11 @@
* these two things may not play well together.
*/
if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp &&
- SSL_CTX_get_ct_validation_callback(ctx) != NULL) {
- ret = 0;
- }
+ SSL_CTX_ct_is_enabled(ctx))
+ return 0;
#endif
-end:
- return ret;
+ return custom_ext_meth_add(&ctx->cert->cli_ext, ext_type, add_cb,
+ free_cb, add_arg, parse_cb, parse_arg);
}
int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
