generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Support retries in certificate callback

Browse Source 
(cherry picked from commit 0ebc965b9c)

Conflicts:

	ssl/s3_srvr.c
	ssl/ssl3.h
This commit is contained in:
Dr. Stephen Henson 2014-01-25 13:31:07 +00:00
parent 5e7329d156
commit ede90b1121
3 changed files with 36 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
ssl/s3_clnt.c
View File

@ -3301,11 +3301,20 @@ int ssl3_send_client_certificate(SSL *s)
if (s->state == SSL3_ST_CW_CERT_A) if (s->state == SSL3_ST_CW_CERT_A)
{ {
/* Let cert callback update client certificates if required */ /* Let cert callback update client certificates if required */
if (s->cert->cert_cb if (s->cert->cert_cb)
&& s->cert->cert_cb(s, s->cert->cert_cb_arg) <= 0)
{ {
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR); i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
return 0; if (i < 0)
{
s->rwstate=SSL_X509_LOOKUP;
return -1;
}
if (i == 0)
{
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
return 0;
}
s->rwstate=SSL_NOTHING;
} }
if (ssl3_check_client_certificate(s)) if (ssl3_check_client_certificate(s))
s->state=SSL3_ST_CW_CERT_C; s->state=SSL3_ST_CW_CERT_C;

32
ssl/s3_srvr.c
View File

@ -353,12 +353,11 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SR_CLNT_HELLO_C: case SSL3_ST_SR_CLNT_HELLO_C:
s->shutdown=0; s->shutdown=0;
if (s->rwstate != SSL_X509_LOOKUP) ret=ssl3_get_client_hello(s);
{ if (ret <= 0) goto end;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
}
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
s->state = SSL3_ST_SR_CLNT_HELLO_D;
case SSL3_ST_SR_CLNT_HELLO_D:
{ {
int al; int al;
if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0) if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) < 0)
@ -940,6 +939,9 @@ int ssl3_get_client_hello(SSL *s)
#endif #endif
STACK_OF(SSL_CIPHER) *ciphers=NULL; STACK_OF(SSL_CIPHER) *ciphers=NULL;
if (s->state == SSL3_ST_SR_CLNT_HELLO_C)
goto retry_cert;
/* We do this so that we will respond with our native type. /* We do this so that we will respond with our native type.
* If we are TLSv1 and we get SSLv3, we will respond with TLSv1, * If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
* This down switching should be handled by a different method. * This down switching should be handled by a different method.
@ -1384,12 +1386,22 @@ int ssl3_get_client_hello(SSL *s)
} }
ciphers=NULL; ciphers=NULL;
/* Let cert callback update server certificates if required */ /* Let cert callback update server certificates if required */
if (s->cert->cert_cb retry_cert:
&& s->cert->cert_cb(s, s->cert->cert_cb_arg) <= 0) if (s->cert->cert_cb)
{ {
al=SSL_AD_INTERNAL_ERROR; int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CERT_CB_ERROR); if (rv == 0)
goto f_err; {
al=SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CERT_CB_ERROR);
goto f_err;
}
if (rv < 0)
{
s->rwstate=SSL_X509_LOOKUP;
return -1;
}
s->rwstate = SSL_NOTHING;
} }
c=ssl3_choose_cipher(s,s->session->ciphers, c=ssl3_choose_cipher(s,s->session->ciphers,
SSL_get_ciphers(s)); SSL_get_ciphers(s));

1
ssl/ssl3.h
View File

@ -669,6 +669,7 @@ typedef struct ssl3_state_st
#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT) #define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT) #define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT) #define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_D (0x115|SSL_ST_ACCEPT)
/* write to client */ /* write to client */
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT) #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT) #define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)