Backport OCSP fix.

Ben Laurie 2012-10-05 12:50:24 +00:00
parent f7d2402cab
commit 48bcdad0d5
4 changed files with 50 additions and 14 deletions


@ -1005,7 +1005,7 @@ int ssl3_get_client_hello(SSL *s)
goto f_err; goto f_err;
} }
} }
if (ssl_check_clienthello_tlsext(s) <= 0) { if (ssl_check_clienthello_tlsext_early(s) <= 0) {
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err; goto err;
} }
@ -1131,6 +1131,16 @@ int ssl3_get_client_hello(SSL *s)
* s->tmp.new_cipher - the new cipher to use. * s->tmp.new_cipher - the new cipher to use.
*/ */
/* Handles TLS extensions that we couldn't check earlier */
if (s->version >= SSL3_VERSION)
{
if (ssl_check_clienthello_tlsext_late(s) <= 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
}
if (ret < 0) ret=1; if (ret < 0) ret=1;
if (0) if (0)
{ {
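Review bot: The new late-check call at the bottom of the second hunk is gated only on `s->version >= SSL3_VERSION`; if the declaration of `ssl_check_clienthello_tlsext_late` lives inside `#ifndef OPENSSL_NO_TLSEXT` (as the sibling TLS-extension prototypes presumably do) and the rendered page has not simply dropped a matching guard here, a build with TLS extensions disabled fails on an undeclared function. Wrapping the block in `#ifndef OPENSSL_NO_TLSEXT` … `#endif`, mirroring however the early call at the top of the first hunk is guarded, keeps the two call sites symmetric. The comment `/* Handles TLS extensions that we couldn't check earlier */` would be more useful stating why: `/* Extensions whose answer depends on the chosen cipher/certificate (e.g. status_request) are checked here, after s->tmp.new_cipher is set */`. ssl3_get_client_hello begins and ends outside these hunks.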


@ -1943,7 +1943,7 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
} }
/* THIS NEEDS CLEANING UP */ /* THIS NEEDS CLEANING UP */
X509 *ssl_get_server_send_cert(SSL *s) X509 *ssl_get_server_send_cert(const SSL *s)
{ {
unsigned long alg,kalg; unsigned long alg,kalg;
CERT *c; CERT *c;
@ -2420,7 +2420,9 @@ void ssl_clear_cipher_ctx(SSL *s)
/* Fix this function so that it takes an optional type parameter */ /* Fix this function so that it takes an optional type parameter */
X509 *SSL_get_certificate(const SSL *s) X509 *SSL_get_certificate(const SSL *s)
{ {
if (s->cert != NULL) if (s->server)
return(ssl_get_server_send_cert(s));
else if (s->cert != NULL)
return(s->cert->key->x509); return(s->cert->key->x509);
else else
return(NULL); return(NULL);
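Review bot: The new `if (s->server) return(ssl_get_server_send_cert(s));` branch skips the `s->cert != NULL` check that the client path still performs, and `ssl_get_server_send_cert` (body outside this hunk) appears to pick the certificate from the cipher currently being negotiated, so `SSL_get_certificate` on a server object before a cipher has been chosen may now touch state the old `s->cert->key->x509` path never needed. At minimum keep the null check on the server path too, `if (s->server && s->cert != NULL)`, and confirm that `ssl_get_server_send_cert` tolerates being called before cipher selection (returning NULL rather than dereferencing). The public function's comment should also say that for a server it now reflects the certificate that will actually be sent in the current handshake, which is a behavioural change for existing callers.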


@ -740,7 +740,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
int ssl_undefined_function(SSL *s); int ssl_undefined_function(SSL *s);
int ssl_undefined_void_function(void); int ssl_undefined_void_function(void);
int ssl_undefined_const_function(const SSL *s); int ssl_undefined_const_function(const SSL *s);
X509 *ssl_get_server_send_cert(SSL *); X509 *ssl_get_server_send_cert(const SSL *);
EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey); int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher); void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
@ -979,7 +979,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_clienthello_tlsext(SSL *s);
int ssl_prepare_serverhello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s);
int ssl_check_clienthello_tlsext(SSL *s); int ssl_check_clienthello_tlsext_early(SSL *s);
int ssl_check_clienthello_tlsext_late(SSL *s);
int ssl_check_serverhello_tlsext(SSL *s); int ssl_check_serverhello_tlsext(SSL *s);
#ifdef OPENSSL_NO_SHA256 #ifdef OPENSSL_NO_SHA256
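Review bot: The split into `ssl_check_clienthello_tlsext_early` and `ssl_check_clienthello_tlsext_late` introduces an ordering contract that the prototypes do not state. A short comment above the pair would save the next caller from reading both definitions, e.g. `/* _early: call before cipher selection (servername callback). _late: call once the cipher and certificate are fixed (status_request callback). Both send any alert themselves; a result <= 0 is fatal to the handshake. */`.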


@ -745,7 +745,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
return 1; return 1;
} }
int ssl_check_clienthello_tlsext(SSL *s) int ssl_check_clienthello_tlsext_early(SSL *s)
{ {
int ret=SSL_TLSEXT_ERR_NOACK; int ret=SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME; int al = SSL_AD_UNRECOGNIZED_NAME;
@ -755,11 +755,35 @@ int ssl_check_clienthello_tlsext(SSL *s)
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
switch (ret)
{
case SSL_TLSEXT_ERR_ALERT_FATAL:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
return -1;
case SSL_TLSEXT_ERR_ALERT_WARNING:
ssl3_send_alert(s, SSL3_AL_WARNING, al);
return 1;
case SSL_TLSEXT_ERR_NOACK:
s->servername_done = 0;
default:
return 1;
}
}
int ssl_check_clienthello_tlsext_late(SSL *s)
{
int ret = SSL_TLSEXT_ERR_OK;
int al;
/* If status request then ask callback what to do. /* If status request then ask callback what to do.
* Note: this must be called after servername callbacks in case * Note: this must be called after servername callbacks in case
* the certificate has changed. * the certificate has changed, and must be called after the cipher
* has been chosen because this may influence which certificate is sent
*/ */
if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb)
{ {
int r; int r;
r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
@ -785,6 +809,7 @@ int ssl_check_clienthello_tlsext(SSL *s)
} }
else else
s->tlsext_status_expected = 0; s->tlsext_status_expected = 0;
err: err:
switch (ret) switch (ret)
{ {
@ -796,8 +821,6 @@ int ssl_check_clienthello_tlsext(SSL *s)
ssl3_send_alert(s,SSL3_AL_WARNING,al); ssl3_send_alert(s,SSL3_AL_WARNING,al);
return 1; return 1;
case SSL_TLSEXT_ERR_NOACK:
s->servername_done=0;
default: default:
return 1; return 1;
} }
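Review bot: In `ssl_check_clienthello_tlsext_late`, `int al;` is declared uninitialized, yet the `err:` switch at the end of the function still passes `al` to `ssl3_send_alert` in the warning case (`ssl3_send_alert(s,SSL3_AL_WARNING,al)`) and, presumably, the fatal case just above it; the only assignments to `al` are in the status-callback branch between the second and third hunks, so whether every path reaching those cases has set it is not provable from this view and compilers will warn. The old combined function initialized it (`int al = SSL_AD_UNRECOGNIZED_NAME;`, kept in the early function); the late one should do the same with a value fitting the status callback, `int al = SSL_AD_INTERNAL_ERROR;`. In the early function the `case SSL_TLSEXT_ERR_NOACK:` that sets `s->servername_done = 0` deliberately falls into `default:`, matching the lines removed from the late function; mark it `/* fall through */` so the intent survives. The rest of the late function's body lies between the second and third hunks.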