generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Further TLS extension improvements

Browse Source 
Submitted by: Peter Sylvester
This commit is contained in:
Bodo Möller 2006-01-13 09:21:10 +00:00
parent c75c096aa8
commit 58ece83395
4 changed files with 42 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
ssl/s3_clnt.c
View File

@ -255,25 +255,7 @@ int ssl3_connect(SSL *s)
case SSL3_ST_CR_SRVR_HELLO_B: case SSL3_ST_CR_SRVR_HELLO_B:
ret=ssl3_get_server_hello(s); ret=ssl3_get_server_hello(s);
if (ret <= 0) goto end; if (ret <= 0) goto end;
#ifndef OPENSSL_NO_TLSEXT
{
int al;
switch (ssl_check_tlsext(s,&al))
{
case SSL_TLSEXT_ERR_ALERT_FATAL:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
ret = -1;
goto end;
case SSL_TLSEXT_ERR_ALERT_WARNING:
ssl3_send_alert(s,SSL3_AL_WARNING,al);
default:
;
}
}
#endif
if (s->hit) if (s->hit)
s->state=SSL3_ST_CR_FINISHED_A; s->state=SSL3_ST_CR_FINISHED_A;
else else
@ -822,6 +804,11 @@ int ssl3_get_server_hello(SSL *s)
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT); SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
goto f_err; goto f_err;
} }
if (ssl_check_tlsext(s,0) <= 0)
{
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
goto err;
}
} }
#endif #endif

50
ssl/s3_srvr.c
View File

@ -281,25 +281,7 @@ int ssl3_accept(SSL *s)
s->shutdown=0; s->shutdown=0;
ret=ssl3_get_client_hello(s); ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end; if (ret <= 0) goto end;
#ifndef OPENSSL_NO_TLSEXT
{
int al;
switch (ssl_check_tlsext(s,&al))
{
case SSL_TLSEXT_ERR_ALERT_FATAL:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
ret = -1;
goto end;
case SSL_TLSEXT_ERR_ALERT_WARNING:
ssl3_send_alert(s,SSL3_AL_WARNING,al);
default:
break;
}
}
#endif
s->new_session = 2; s->new_session = 2;
s->state=SSL3_ST_SW_SRVR_HELLO_A; s->state=SSL3_ST_SW_SRVR_HELLO_A;
s->init_num=0; s->init_num=0;
@ -914,6 +896,23 @@ int ssl3_get_client_hello(SSL *s)
goto f_err; goto f_err;
} }
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (s->version > SSL3_VERSION)
{
if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
{
/* 'al' set by ssl_parse_clienthello_tlsext */
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
goto f_err;
}
}
if (ssl_check_tlsext(s,1) <= 0) {
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
goto err;
}
#endif
/* Worst case, we will use the NULL compression, but if we have other /* Worst case, we will use the NULL compression, but if we have other
* options, we will now look for them. We have i-1 compression * options, we will now look for them. We have i-1 compression
* algorithms from the client, starting at q. */ * algorithms from the client, starting at q. */
@ -945,19 +944,6 @@ int ssl3_get_client_hello(SSL *s)
} }
#endif #endif
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/
if (s->version > SSL3_VERSION)
{
if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
{
/* 'al' set by ssl_parse_clienthello_tlsext */
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
goto f_err;
}
}
#endif
/* Given s->session->ciphers and SSL_get_ciphers, we must /* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */ * pick a cipher */

2
ssl/ssl_locl.h
View File

@ -945,6 +945,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_check_tlsext(SSL *s,int *al); int ssl_check_tlsext(SSL *s, int is_server);
#endif #endif
#endif #endif

25
ssl/t1_lib.c
View File

@ -387,19 +387,30 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
return 1; return 1;
} }
int ssl_check_tlsext(SSL *s,int *al) int ssl_check_tlsext(SSL *s, int is_server)
{ {
int ret=SSL_TLSEXT_ERR_NOACK; int ret=SSL_TLSEXT_ERR_NOACK;
*al = SSL_AD_UNRECOGNIZED_NAME; int al = SSL_AD_UNRECOGNIZED_NAME;
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg); ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
ret = s->initial_ctx->tlsext_servername_callback(s, al, s->initial_ctx->tlsext_servername_arg); ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
if (ret == SSL_TLSEXT_ERR_NOACK) switch (ret) {
s->servername_done=0; case SSL_TLSEXT_ERR_ALERT_FATAL:
return ret; ssl3_send_alert(s,SSL3_AL_FATAL,al);
return -1;
case SSL_TLSEXT_ERR_ALERT_WARNING:
ssl3_send_alert(s,SSL3_AL_WARNING,al);
return 1;
case SSL_TLSEXT_ERR_NOACK:
s->servername_done=0;
default:
return 1;
} }
}
#endif #endif