Remove all RFC5878 code. Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index d009400..9a94de0 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c
@@ -318,26 +318,11 @@ } s->init_num=0; break; -#ifndef OPENSSL_NO_TLSEXT - case SSL3_ST_CR_SUPPLEMENTAL_DATA_A: - case SSL3_ST_CR_SUPPLEMENTAL_DATA_B: - ret = tls1_get_server_supplemental_data(s); - if (ret <= 0) goto end; - s->state=SSL3_ST_CR_CERT_A; - s->init_num = 0; - break; -#endif case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: #ifndef OPENSSL_NO_TLSEXT ret=ssl3_check_finished(s); if (ret <= 0) goto end; - if (ret == 3) - { - s->state=SSL3_ST_CR_SUPPLEMENTAL_DATA_A; - s->init_num=0; - break; - } if (ret == 2) { s->hit = 1; @@ -416,14 +401,10 @@ } } #endif -#ifndef OPENSSL_NO_TLSEXT - s->state=SSL3_ST_CW_SUPPLEMENTAL_DATA_A; -#else if (s->s3->tmp.cert_req) s->state=SSL3_ST_CW_CERT_A; else s->state=SSL3_ST_CW_KEY_EXCH_A; -#endif s->init_num=0; break; @@ -530,19 +511,6 @@ break; #endif -#ifndef OPENSSL_NO_TLSEXT - case SSL3_ST_CW_SUPPLEMENTAL_DATA_A: - case SSL3_ST_CW_SUPPLEMENTAL_DATA_B: - ret = tls1_send_client_supplemental_data(s, &skip); - if (ret <= 0) goto end; - if (s->s3->tmp.cert_req) - s->state=SSL3_ST_CW_CERT_A; - else - s->state=SSL3_ST_CW_KEY_EXCH_A; - s->init_num=0; - break; -#endif - case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: ret=ssl3_send_finished(s, @@ -3611,10 +3579,11 @@ int ok; long n; - /* Read the message to see if it is supplemental data, - * regardless if there is a session ticket this function is - * called when we really expect a Certificate message, so - * permit appropriate message length */ + /* If we have no ticket it cannot be a resumed session. */ + if (!s->session->tlsext_tick) + return 1; + /* this function is called when we really expect a Certificate + * message, so permit appropriate message length */ n=s->method->ssl_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, @@ -3624,11 +3593,6 @@ if (!ok) return((int)n); s->s3->tmp.reuse_message = 1; - if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA) - return 3; - /* If we have no ticket it cannot be a resumed session. */ - if (!s->session->tlsext_tick) - return 1; if ((s->s3->tmp.message_type == SSL3_MT_FINISHED) || (s->s3->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) return 2; @@ -3654,155 +3618,3 @@ i = s->ctx->client_cert_cb(s,px509,ppkey); return i; } - -#ifndef OPENSSL_NO_TLSEXT -int tls1_send_client_supplemental_data(SSL *s, int *skip) - { - int al = 0; - if (s->ctx->cli_supp_data_records_count) - { - unsigned char *p = NULL; - unsigned char *size_loc = NULL; - cli_supp_data_record *record = NULL; - size_t length = 0; - size_t i = 0; - - for (i = 0; i < s->ctx->cli_supp_data_records_count; i++) - { - const unsigned char *out = NULL; - unsigned short outlen = 0; - int cb_retval = 0; - record = &s->ctx->cli_supp_data_records[i]; - - /* NULL callback or -1 omits supp data entry*/ - if (!record->fn2) - continue; - cb_retval = record->fn2(s, record->supp_data_type, - &out, &outlen, &al, - record->arg); - if (cb_retval == -1) - continue; /* skip this supp data entry */ - if (cb_retval == 0) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - goto f_err; - } - if (outlen == 0 || TLSEXT_MAXLEN_supplemental_data < outlen + 4 + length) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - /* if first entry, write handshake message type */ - if (length == 0) - { - if (!BUF_MEM_grow_clean(s->init_buf, 4)) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - p = (unsigned char *)s->init_buf->data; - *(p++) = SSL3_MT_SUPPLEMENTAL_DATA; - /* update message length when all - * callbacks complete */ - size_loc = p; - /* skip over handshake length field (3 - * bytes) and supp_data length field - * (3 bytes) */ - p += 3 + 3; - length += 1 +3 +3; - } - if (!BUF_MEM_grow(s->init_buf, outlen + 4)) - { - SSLerr(SSL_F_TLS1_SEND_CLIENT_SUPPLEMENTAL_DATA,ERR_R_BUF_LIB); - return 0; - } - s2n(record->supp_data_type, p); - s2n(outlen, p); - memcpy(p, out, outlen); - length += (outlen + 4); - p += outlen; - } - if (length > 0) - { - /* write handshake length */ - l2n3(length - 4, size_loc); - /* supp_data length */ - l2n3(length - 7, size_loc); - s->state = SSL3_ST_CW_SUPPLEMENTAL_DATA_B; - s->init_num = length; - s->init_off = 0; - return ssl3_do_write(s, SSL3_RT_HANDSHAKE); - } - } - - /* no supp data message sent */ - *skip = 1; - s->init_num = 0; - s->init_off = 0; - return 1; - - f_err: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return 0; - } - -int tls1_get_server_supplemental_data(SSL *s) - { - int al = 0; - int ok; - long n; - const unsigned char *p, *d; - unsigned short supp_data_entry_type = 0; - unsigned short supp_data_entry_len = 0; - unsigned long supp_data_len = 0; - size_t i; - int cb_retval = 0; - - n=s->method->ssl_get_message(s, - SSL3_ST_CR_SUPPLEMENTAL_DATA_A, - SSL3_ST_CR_SUPPLEMENTAL_DATA_B, - SSL3_MT_SUPPLEMENTAL_DATA, - /* use default limit */ - TLSEXT_MAXLEN_supplemental_data, - &ok); - - if (!ok) return((int)n); - - p = (unsigned char *)s->init_msg; - d = p; - /* The message cannot be empty */ - if (n < 3) - { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA,SSL_R_LENGTH_MISMATCH); - goto f_err; - } - n2l3(p, supp_data_len); - while (p < d+supp_data_len) - { - n2s(p, supp_data_entry_type); - n2s(p, supp_data_entry_len); - /* if there is a callback for this supp data type, send it */ - for (i=0; i < s->ctx->cli_supp_data_records_count; i++) - { - if (s->ctx->cli_supp_data_records[i].supp_data_type == supp_data_entry_type && - s->ctx->cli_supp_data_records[i].fn1) - { - cb_retval = s->ctx->cli_supp_data_records[i].fn1(s, supp_data_entry_type, p, - supp_data_entry_len, &al, - s->ctx->cli_supp_data_records[i].arg); - if (cb_retval == 0) - { - SSLerr(SSL_F_TLS1_GET_SERVER_SUPPLEMENTAL_DATA, ERR_R_SSL_LIB); - goto f_err; - } - } - } - p += supp_data_entry_len; - } - return 1; -f_err: - ssl3_send_alert(s,SSL3_AL_FATAL,al); - return -1; - } -#endif