generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>

Browse Source 
Reviewed by: steve
Improved localisation of TLS extension handling and code tidy.
This commit is contained in:
Dr. Stephen Henson 2012-04-24 12:15:17 +00:00
parent 8e7ccf6ff7
commit fe9ce2b7d6
6 changed files with 32 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
ssl/s3_clnt.c
View File

@ -822,7 +822,7 @@ int ssl3_get_server_hello(SSL *s)
STACK_OF(SSL_CIPHER) *sk; STACK_OF(SSL_CIPHER) *sk;
const SSL_CIPHER *c; const SSL_CIPHER *c;
unsigned char *p,*d; unsigned char *p,*d;
int i,al,ok; int i,al=SSL_AD_INTERNAL_ERROR,ok;
unsigned int j; unsigned int j;
long n; long n;
#ifndef OPENSSL_NO_COMP #ifndef OPENSSL_NO_COMP
@ -928,7 +928,6 @@ int ssl3_get_server_hello(SSL *s)
{ {
if (!ssl_get_new_session(s,0)) if (!ssl_get_new_session(s,0))
{ {
al=SSL_AD_INTERNAL_ERROR;
goto f_err; goto f_err;
} }
} }
@ -1002,7 +1001,6 @@ int ssl3_get_server_hello(SSL *s)
*/ */
if (s->session->compress_meth != 0) if (s->session->compress_meth != 0)
{ {
al=SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION); SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
goto f_err; goto f_err;
} }
@ -1039,20 +1037,11 @@ int ssl3_get_server_hello(SSL *s)
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
/* TLS extensions*/ /* TLS extensions*/
if (s->version >= SSL3_VERSION) if (!ssl_parse_serverhello_tlsext(s,&p,d,n))
{ {
if (!ssl_parse_serverhello_tlsext(s,&p,d,n, &al))
{
/* 'al' set by ssl_parse_serverhello_tlsext */
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT); SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLSEXT);
goto f_err;
}
if (ssl_check_serverhello_tlsext(s) <= 0)
{
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
goto err; goto err;
} }
}
#endif #endif
if (p != (d+n)) if (p != (d+n))

6
ssl/s3_srvr.c
View File

@ -914,7 +914,7 @@ int ssl3_check_client_hello(SSL *s)
int ssl3_get_client_hello(SSL *s) int ssl3_get_client_hello(SSL *s)
{ {
int i,j,ok,al,ret= -1; int i,j,ok,al=SSL_AD_INTERNAL_ERROR,ret= -1;
unsigned int cookie_len; unsigned int cookie_len;
long n; long n;
unsigned long id; unsigned long id;
@ -1194,7 +1194,6 @@ int ssl3_get_client_hello(SSL *s)
l2n(Time,pos); l2n(Time,pos);
if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0) if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
{ {
al=SSL_AD_INTERNAL_ERROR;
goto f_err; goto f_err;
} }
} }
@ -1249,7 +1248,6 @@ int ssl3_get_client_hello(SSL *s)
/* Can't disable compression */ /* Can't disable compression */
if (s->options & SSL_OP_NO_COMPRESSION) if (s->options & SSL_OP_NO_COMPRESSION)
{ {
al=SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
goto f_err; goto f_err;
} }
@ -1265,7 +1263,6 @@ int ssl3_get_client_hello(SSL *s)
} }
if (s->s3->tmp.new_compression == NULL) if (s->s3->tmp.new_compression == NULL)
{ {
al=SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM); SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INVALID_COMPRESSION_ALGORITHM);
goto f_err; goto f_err;
} }
@ -1314,7 +1311,6 @@ int ssl3_get_client_hello(SSL *s)
*/ */
if (s->session->compress_meth != 0) if (s->session->compress_meth != 0)
{ {
al=SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION); SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_INCONSISTENT_COMPRESSION);
goto f_err; goto f_err;
} }

1
ssl/ssl.h
View File

@ -2277,6 +2277,7 @@ void ERR_load_SSL_strings(void);
#define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
#define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
#define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 320 #define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT 320
#define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT 321
#define SSL_F_SSL_SESSION_NEW 189 #define SSL_F_SSL_SESSION_NEW 189
#define SSL_F_SSL_SESSION_PRINT_FP 190 #define SSL_F_SSL_SESSION_PRINT_FP 190
#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312

1
ssl/ssl_err.c
View File

@ -248,6 +248,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
{ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
{ERR_FUNC(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT), "SSL_SCAN_CLIENTHELLO_TLSEXT"}, {ERR_FUNC(SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT), "SSL_SCAN_CLIENTHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT), "SSL_SCAN_SERVERHELLO_TLSEXT"},
{ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
{ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
{ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"}, {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},

4
ssl/ssl_locl.h
View File

@ -1123,11 +1123,9 @@ int tls1_shared_list(SSL *s,
unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit); unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n); int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n);
int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_clienthello_tlsext(SSL *s);
int ssl_prepare_serverhello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s);
int ssl_check_clienthello_tlsext(SSL *s);
int ssl_check_serverhello_tlsext(SSL *s);
#ifndef OPENSSL_NO_HEARTBEATS #ifndef OPENSSL_NO_HEARTBEATS
int tls1_heartbeat(SSL *s); int tls1_heartbeat(SSL *s);

27
ssl/t1_lib.c
View File

@ -123,6 +123,8 @@ const char tls1_version_str[]="TLSv1" OPENSSL_VERSION_PTEXT;
static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
const unsigned char *sess_id, int sesslen, const unsigned char *sess_id, int sesslen,
SSL_SESSION **psess); SSL_SESSION **psess);
static int ssl_check_clienthello_tlsext(SSL *s);
int ssl_check_serverhello_tlsext(SSL *s);
#endif #endif
SSL3_ENC_METHOD TLSv1_enc_data={ SSL3_ENC_METHOD TLSv1_enc_data={
@ -1706,7 +1708,7 @@ static char ssl_next_proto_validate(unsigned char *d, unsigned len)
} }
#endif #endif
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
{ {
unsigned short length; unsigned short length;
unsigned short type; unsigned short type;
@ -1960,7 +1962,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) && !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{ {
*al = SSL_AD_HANDSHAKE_FAILURE; *al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT, SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT,
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
return 0; return 0;
} }
@ -2040,7 +2042,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
return 1; return 1;
} }
int ssl_check_clienthello_tlsext(SSL *s) static int ssl_check_clienthello_tlsext(SSL *s)
{ {
int ret=SSL_TLSEXT_ERR_NOACK; int ret=SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME; int al = SSL_AD_UNRECOGNIZED_NAME;
@ -2277,6 +2279,25 @@ int ssl_check_serverhello_tlsext(SSL *s)
} }
} }
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
{
int al = -1;
if (s->version < SSL3_VERSION)
return 1;
if (ssl_scan_serverhello_tlsext(s, p, d, n, &al) <= 0)
{
ssl3_send_alert(s,SSL3_AL_FATAL,al);
return 0;
}
if (ssl_check_serverhello_tlsext(s) <= 0)
{
SSLerr(SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT,SSL_R_SERVERHELLO_TLSEXT);
return 0;
}
return 1;
}
/* Since the server cache lookup is done early on in the processing of the /* Since the server cache lookup is done early on in the processing of the
* ClientHello, and other operations depend on the result, we need to handle * ClientHello, and other operations depend on the result, we need to handle
* any TLS session ticket extension at the same time. * any TLS session ticket extension at the same time.