More TLS extension related changes.
Submitted by: Peter Sylvester
This commit is contained in:
Bodo Möller
@@ -565,6 +565,7 @@ static int ssl23_get_server_hello(SSL *s)
|
||||
(p[5] == SSL3_MT_SERVER_HELLO))
|
||||
{
|
||||
/* we have sslv3 or tls1 */
|
||||
have_sslv3_or_tls1:
|
||||
|
||||
if (!ssl_init_wbio_buffer(s,1)) goto err;
|
||||
|
||||
@@ -623,6 +624,9 @@ static int ssl23_get_server_hello(SSL *s)
|
||||
cb(s,SSL_CB_READ_ALERT,j);
|
||||
}
|
||||
|
||||
if (p[5] == SSL3_AL_WARNING)
|
||||
goto have_sslv3_or_tls1;
|
||||
|
||||
s->rwstate=SSL_NOTHING;
|
||||
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
|
||||
goto err;
|
||||
|
||||
@@ -258,12 +258,19 @@ int ssl3_connect(SSL *s)
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
{
|
||||
int al;
|
||||
if (ssl_check_tlsext(s,&al) <= 0)
|
||||
switch (ssl_check_tlsext(s,&al))
|
||||
{
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
|
||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
|
||||
ret = -1;
|
||||
goto end;
|
||||
|
||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||
|
||||
default:
|
||||
;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -283,16 +283,21 @@ int ssl3_accept(SSL *s)
|
||||
if (ret <= 0) goto end;
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
{
|
||||
int al,warn;
|
||||
warn = ssl_check_tlsext(s,&al);
|
||||
if (warn == 0)
|
||||
ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||
else if (warn < 0) {
|
||||
int al;
|
||||
switch (ssl_check_tlsext(s,&al))
|
||||
{
|
||||
case SSL_TLSEXT_ERR_ALERT_FATAL:
|
||||
ssl3_send_alert(s,SSL3_AL_FATAL,al);
|
||||
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
|
||||
ret = -1;
|
||||
goto end;
|
||||
}
|
||||
|
||||
case SSL_TLSEXT_ERR_ALERT_WARNING:
|
||||
ssl3_send_alert(s,SSL3_AL_WARNING,al);
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
s->new_session = 2;
|
||||
|
||||
21
ssl/t1_lib.c
21
ssl/t1_lib.c
@@ -389,22 +389,17 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
|
||||
|
||||
int ssl_check_tlsext(SSL *s,int *al)
|
||||
{
|
||||
int ret;
|
||||
int ret=SSL_TLSEXT_ERR_NOACK;
|
||||
|
||||
*al = SSL_AD_UNRECOGNIZED_NAME;
|
||||
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
|
||||
{
|
||||
|
||||
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
|
||||
ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
}
|
||||
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
|
||||
{
|
||||
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
|
||||
ret = s->initial_ctx->tlsext_servername_callback(s, al, s->initial_ctx->tlsext_servername_arg);
|
||||
if (ret <= 0)
|
||||
return ret;
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
||||
if (ret == SSL_TLSEXT_ERR_NOACK)
|
||||
s->servername_done=0;
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -180,12 +180,15 @@ SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
|
||||
|
||||
#define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
|
||||
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
|
||||
|
||||
#define SSL_TLSEXT_ERR_OK 0
|
||||
#define SSL_TLSEXT_ERR_ALERT_WARNING 1
|
||||
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
|
||||
#define SSL_TLSEXT_ERR_NOACK 3
|
||||
|
||||
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
|
||||
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
|
||||
|
||||
#define SSL_set_tlsext_servername_done(s,t) \
|
||||
SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user