Further TLS extension improvements
Submitted by: Peter Sylvester
This commit is contained in:
Bodo Möller
parent
c75c096aa8
commit
58ece83395
4 changed files with 42 additions and 58 deletions
|
|
@ -255,25 +255,7 @@ int ssl3_connect(SSL *s)
|
|||
case SSL3_ST_CR_SRVR_HELLO_B:
|
||||
ret=ssl3_get_server_hello(s);
|
||||
if (ret <= 0) goto end;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
{
|
||||
int al;
|
||||
switch (ssl_check_tlsext(s,&al))
|
||||
{
|
||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
|
||||
ret = -1;
|
||||
goto end;
|
||||
|
||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||
|
||||
default:
|
||||
;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if (s->hit)
|
||||
s->state=SSL3_ST_CR_FINISHED_A;
|
||||
else
|
||||
|
|
@ -822,6 +804,11 @@ int ssl3_get_server_hello(SSL *s)
|
|||
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
|
||||
goto f_err;
|
||||
}
|
||||
if (ssl_check_tlsext(s,0) <= 0)
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
|
|
|
|||
|
|
@ -281,25 +281,7 @@ int ssl3_accept(SSL *s)
|
|||
s->shutdown=0;
|
||||
ret=ssl3_get_client_hello(s);
|
||||
if (ret <= 0) goto end;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
{
|
||||
int al;
|
||||
switch (ssl_check_tlsext(s,&al))
|
||||
{
|
||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
|
||||
ret = -1;
|
||||
goto end;
|
||||
|
||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
s->new_session = 2;
|
||||
s->state=SSL3_ST_SW_SRVR_HELLO_A;
|
||||
s->init_num=0;
|
||||
|
|
@ -914,6 +896,23 @@ int ssl3_get_client_hello(SSL *s)
|
|||
goto f_err;
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
/* TLS extensions*/
|
||||
if (s->version > SSL3_VERSION)
|
||||
{
|
||||
if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
|
||||
{
|
||||
/* 'al' set by ssl_parse_clienthello_tlsext */
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
|
||||
goto f_err;
|
||||
}
|
||||
}
|
||||
if (ssl_check_tlsext(s,1) <= 0) {
|
||||
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
|
||||
goto err;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Worst case, we will use the NULL compression, but if we have other
|
||||
* options, we will now look for them. We have i-1 compression
|
||||
* algorithms from the client, starting at q. */
|
||||
|
|
@ -945,19 +944,6 @@ int ssl3_get_client_hello(SSL *s)
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
/* TLS extensions*/
|
||||
if (s->version > SSL3_VERSION)
|
||||
{
|
||||
if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
|
||||
{
|
||||
/* 'al' set by ssl_parse_clienthello_tlsext */
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
|
||||
goto f_err;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Given s->session->ciphers and SSL_get_ciphers, we must
|
||||
* pick a cipher */
|
||||
|
||||
|
|
|
|||
|
|
@ -945,6 +945,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
|
|||
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
|
||||
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
|
||||
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
|
||||
int ssl_check_tlsext(SSL *s,int *al);
|
||||
int ssl_check_tlsext(SSL *s, int is_server);
|
||||
#endif
|
||||
#endif
|
||||
|
|
|
|||
25
ssl/t1_lib.c
25
ssl/t1_lib.c
|
|
@ -387,19 +387,30 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
|||
return 1;
|
||||
}
|
||||
|
||||
int ssl_check_tlsext(SSL *s,int *al)
|
||||
int ssl_check_tlsext(SSL *s, int is_server)
|
||||
{
|
||||
int ret=SSL_TLSEXT_ERR_NOACK;
|
||||
|
||||
*al = SSL_AD_UNRECOGNIZED_NAME;
|
||||
int al = SSL_AD_UNRECOGNIZED_NAME;
|
||||
|
||||
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
|
||||
ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
|
||||
ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
|
||||
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
|
||||
ret = s->initial_ctx->tlsext_servername_callback(s, al, s->initial_ctx->tlsext_servername_arg);
|
||||
ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
|
||||
|
||||
if (ret == SSL_TLSEXT_ERR_NOACK)
|
||||
s->servername_done=0;
|
||||
return ret;
|
||||
switch (ret) {
|
||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
return -1;
|
||||
|
||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||
return 1;
|
||||
|
||||
case SSL_TLSEXT_ERR_NOACK:
|
||||
s->servername_done=0;
|
||||
default:
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
|
|
|||
Loading…
Reference in a new issue