Backport OCSP fix.
This commit is contained in:
Ben Laurie
parent
f7d2402cab
commit
48bcdad0d5
4 changed files with 50 additions and 14 deletions
|
|
@ -1005,7 +1005,7 @@ int ssl3_get_client_hello(SSL *s)
|
|||
goto f_err;
|
||||
}
|
||||
}
|
||||
if (ssl_check_clienthello_tlsext(s) <= 0) {
|
||||
if (ssl_check_clienthello_tlsext_early(s) <= 0) {
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
|
||||
goto err;
|
||||
}
|
||||
|
|
@ -1131,6 +1131,16 @@ int ssl3_get_client_hello(SSL *s)
|
|||
* s->tmp.new_cipher - the new cipher to use.
|
||||
*/
|
||||
|
||||
/* Handles TLS extensions that we couldn't check earlier */
|
||||
if (s->version >= SSL3_VERSION)
|
||||
{
|
||||
if (ssl_check_clienthello_tlsext_late(s) <= 0)
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
if (ret < 0) ret=1;
|
||||
if (0)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -1943,7 +1943,7 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
|
|||
}
|
||||
|
||||
/* THIS NEEDS CLEANING UP */
|
||||
X509 *ssl_get_server_send_cert(SSL *s)
|
||||
X509 *ssl_get_server_send_cert(const SSL *s)
|
||||
{
|
||||
unsigned long alg,kalg;
|
||||
CERT *c;
|
||||
|
|
@ -2420,7 +2420,9 @@ void ssl_clear_cipher_ctx(SSL *s)
|
|||
/* Fix this function so that it takes an optional type parameter */
|
||||
X509 *SSL_get_certificate(const SSL *s)
|
||||
{
|
||||
if (s->cert != NULL)
|
||||
if (s->server)
|
||||
return(ssl_get_server_send_cert(s));
|
||||
else if (s->cert != NULL)
|
||||
return(s->cert->key->x509);
|
||||
else
|
||||
return(NULL);
|
||||
|
|
|
|||
|
|
@ -740,7 +740,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
|
|||
int ssl_undefined_function(SSL *s);
|
||||
int ssl_undefined_void_function(void);
|
||||
int ssl_undefined_const_function(const SSL *s);
|
||||
X509 *ssl_get_server_send_cert(SSL *);
|
||||
X509 *ssl_get_server_send_cert(const SSL *);
|
||||
EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
|
||||
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
|
||||
void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
|
||||
|
|
@ -979,7 +979,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
|
|||
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
|
||||
int ssl_prepare_clienthello_tlsext(SSL *s);
|
||||
int ssl_prepare_serverhello_tlsext(SSL *s);
|
||||
int ssl_check_clienthello_tlsext(SSL *s);
|
||||
int ssl_check_clienthello_tlsext_early(SSL *s);
|
||||
int ssl_check_clienthello_tlsext_late(SSL *s);
|
||||
int ssl_check_serverhello_tlsext(SSL *s);
|
||||
|
||||
#ifdef OPENSSL_NO_SHA256
|
||||
|
|
|
|||
41
ssl/t1_lib.c
41
ssl/t1_lib.c
|
|
@ -745,7 +745,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
|||
return 1;
|
||||
}
|
||||
|
||||
int ssl_check_clienthello_tlsext(SSL *s)
|
||||
int ssl_check_clienthello_tlsext_early(SSL *s)
|
||||
{
|
||||
int ret=SSL_TLSEXT_ERR_NOACK;
|
||||
int al = SSL_AD_UNRECOGNIZED_NAME;
|
||||
|
|
@ -755,11 +755,35 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
|||
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
|
||||
ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
|
||||
|
||||
switch (ret)
|
||||
{
|
||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||
ssl3_send_alert(s, SSL3_AL_FATAL, al);
|
||||
return -1;
|
||||
|
||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
ssl3_send_alert(s, SSL3_AL_WARNING, al);
|
||||
return 1;
|
||||
|
||||
case SSL_TLSEXT_ERR_NOACK:
|
||||
s->servername_done = 0;
|
||||
|
||||
default:
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
int ssl_check_clienthello_tlsext_late(SSL *s)
|
||||
{
|
||||
int ret = SSL_TLSEXT_ERR_OK;
|
||||
int al;
|
||||
|
||||
/* If status request then ask callback what to do.
|
||||
* Note: this must be called after servername callbacks in case
|
||||
* the certificate has changed.
|
||||
* the certificate has changed, and must be called after the cipher
|
||||
* has been chosen because this may influence which certificate is sent
|
||||
*/
|
||||
if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
|
||||
if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb)
|
||||
{
|
||||
int r;
|
||||
r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
|
||||
|
|
@ -785,7 +809,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
|||
}
|
||||
else
|
||||
s->tlsext_status_expected = 0;
|
||||
err:
|
||||
|
||||
err:
|
||||
switch (ret)
|
||||
{
|
||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||
|
|
@ -795,11 +820,9 @@ int ssl_check_clienthello_tlsext(SSL *s)
|
|||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||
return 1;
|
||||
|
||||
case SSL_TLSEXT_ERR_NOACK:
|
||||
s->servername_done=0;
|
||||
default:
|
||||
return 1;
|
||||
|
||||
default:
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue