Loading ssl/s3_srvr.c +11 −1 Original line number Diff line number Diff line Loading @@ -1005,7 +1005,7 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } } if (ssl_check_clienthello_tlsext(s) <= 0) { if (ssl_check_clienthello_tlsext_early(s) <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } Loading Loading @@ -1131,6 +1131,16 @@ int ssl3_get_client_hello(SSL *s) * s->tmp.new_cipher - the new cipher to use. */ /* Handles TLS extensions that we couldn't check earlier */ if (s->version >= SSL3_VERSION) { if (ssl_check_clienthello_tlsext_late(s) <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } } if (ret < 0) ret=1; if (0) { Loading ssl/ssl_lib.c +4 −2 Original line number Diff line number Diff line Loading @@ -1943,7 +1943,7 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs) } /* THIS NEEDS CLEANING UP */ X509 *ssl_get_server_send_cert(SSL *s) X509 *ssl_get_server_send_cert(const SSL *s) { unsigned long alg,kalg; CERT *c; Loading Loading @@ -2420,7 +2420,9 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { if (s->cert != NULL) if (s->server) return(ssl_get_server_send_cert(s)); else if (s->cert != NULL) return(s->cert->key->x509); else return(NULL); Loading ssl/ssl_locl.h +3 −2 Original line number Diff line number Diff line Loading @@ -740,7 +740,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); X509 *ssl_get_server_send_cert(SSL *); X509 *ssl_get_server_send_cert(const SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher); Loading Loading 
@@ -979,7 +979,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); int ssl_check_clienthello_tlsext(SSL *s); int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); #ifdef OPENSSL_NO_SHA256 Loading ssl/t1_lib.c +32 −9 Original line number Diff line number Diff line Loading @@ -745,7 +745,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in return 1; } int ssl_check_clienthello_tlsext(SSL *s) int ssl_check_clienthello_tlsext_early(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; Loading @@ -755,11 +755,35 @@ int ssl_check_clienthello_tlsext(SSL *s) else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: ssl3_send_alert(s, SSL3_AL_FATAL, al); return -1; case SSL_TLSEXT_ERR_ALERT_WARNING: ssl3_send_alert(s, SSL3_AL_WARNING, al); return 1; case SSL_TLSEXT_ERR_NOACK: s->servername_done = 0; default: return 1; } } int ssl_check_clienthello_tlsext_late(SSL *s) { int ret = SSL_TLSEXT_ERR_OK; int al; /* If status request then ask callback what to do. * Note: this must be called after servername callbacks in case * the certificate has changed. * the certificate has changed, and must be called after the cipher * has been chosen because this may influence which certificate is sent */ if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) { int r; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); Loading 
@@ -785,6 +809,7 @@ int ssl_check_clienthello_tlsext(SSL *s) } else s->tlsext_status_expected = 0; err: switch (ret) { Loading @@ -796,8 +821,6 @@ int ssl_check_clienthello_tlsext(SSL *s) ssl3_send_alert(s,SSL3_AL_WARNING,al); return 1; case SSL_TLSEXT_ERR_NOACK: s->servername_done=0; default: return 1; } Loading Loading
ssl/s3_srvr.c +11 −1 Original line number Diff line number Diff line Loading @@ -1005,7 +1005,7 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } } if (ssl_check_clienthello_tlsext(s) <= 0) { if (ssl_check_clienthello_tlsext_early(s) <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } Loading Loading @@ -1131,6 +1131,16 @@ int ssl3_get_client_hello(SSL *s) * s->tmp.new_cipher - the new cipher to use. */ /* Handles TLS extensions that we couldn't check earlier */ if (s->version >= SSL3_VERSION) { if (ssl_check_clienthello_tlsext_late(s) <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } } if (ret < 0) ret=1; if (0) { Loading
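Review bot: The new late-check block in the second hunk sits outside any visible `#ifndef OPENSSL_NO_TLSEXT` guard, while the `ssl_check_clienthello_tlsext_late` prototype is added in ssl_locl.h next to the other tlsext prototypes; if those are declared under that guard (the header hunk does not show its enclosing conditionals), a build with TLS extensions disabled fails on an undeclared function. Wrapping the block in `#ifndef OPENSSL_NO_TLSEXT` … `#endif`, matching whatever guard encloses the early call in the first hunk, keeps both call sites consistent. The placement itself, after the cipher has been chosen, is the right spot for a status callback that depends on the selected certificate. ssl3_get_client_hello begins and ends outside both hunks, so the guard around the early call cannot be confirmed from here.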
ssl/ssl_lib.c +4 −2 Original line number Diff line number Diff line Loading @@ -1943,7 +1943,7 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs) } /* THIS NEEDS CLEANING UP */ X509 *ssl_get_server_send_cert(SSL *s) X509 *ssl_get_server_send_cert(const SSL *s) { unsigned long alg,kalg; CERT *c; Loading Loading @@ -2420,7 +2420,9 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { if (s->cert != NULL) if (s->server) return(ssl_get_server_send_cert(s)); else if (s->cert != NULL) return(s->cert->key->x509); else return(NULL); Loading
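Review bot: `SSL_get_certificate` now hands every server-side `SSL` to `ssl_get_server_send_cert`, whether or not a handshake has reached cipher selection; the helper's body is not in the hunk, but it is the routine that picks the certificate for the negotiated cipher and still carries a "THIS NEEDS CLEANING UP" comment, so an application calling this public accessor on a freshly created server `SSL`, or from a callback before the cipher is known, is likely to hit unset handshake state. A defensive condition such as `if (s->server && s->s3 != NULL && s->s3->tmp.new_cipher != NULL)` with the existing `s->cert->key->x509` path as the fallback would preserve the previous behaviour for those callers. Note also that `const SSL *` is shallow: `ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher)` in the header hunk takes a non-const `CERT`, so if the helper still updates `s->cert` through the pointer, the new `const` on its signature promises more than it delivers. The stale "Fix this function so that it takes an optional type parameter" comment should be replaced with one stating when the cipher-dependent selection applies.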
ssl/ssl_locl.h +3 −2 Original line number Diff line number Diff line Loading @@ -740,7 +740,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); X509 *ssl_get_server_send_cert(SSL *); X509 *ssl_get_server_send_cert(const SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher); Loading Loading @@ -979,7 +979,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); int ssl_check_clienthello_tlsext(SSL *s); int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); #ifdef OPENSSL_NO_SHA256 Loading
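Review bot: The split of `ssl_check_clienthello_tlsext` into `_early` and `_late` introduces an ordering contract — the early call runs before cipher selection, the late one only after the cipher has been chosen — that is documented only in a comment inside t1_lib.c, not at the prototypes here where the next caller will look. A one-line comment above each declaration, e.g. `/* Call before cipher selection; runs the servername callback, returns -1 after a fatal alert */` and `/* Call after cipher selection; runs the status callback, returns -1 after a fatal alert */`, states both the ordering and the `<= 0` failure convention the callers in s3_srvr.c rely on. The surrounding `#ifndef` conditionals of this declaration group are outside the hunk.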
ssl/t1_lib.c +32 −9 Original line number Diff line number Diff line Loading @@ -745,7 +745,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in return 1; } int ssl_check_clienthello_tlsext(SSL *s) int ssl_check_clienthello_tlsext_early(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; Loading @@ -755,11 +755,35 @@ int ssl_check_clienthello_tlsext(SSL *s) else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: ssl3_send_alert(s, SSL3_AL_FATAL, al); return -1; case SSL_TLSEXT_ERR_ALERT_WARNING: ssl3_send_alert(s, SSL3_AL_WARNING, al); return 1; case SSL_TLSEXT_ERR_NOACK: s->servername_done = 0; default: return 1; } } int ssl_check_clienthello_tlsext_late(SSL *s) { int ret = SSL_TLSEXT_ERR_OK; int al; /* If status request then ask callback what to do. * Note: this must be called after servername callbacks in case * the certificate has changed. * the certificate has changed, and must be called after the cipher * has been chosen because this may influence which certificate is sent */ if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb) if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb) { int r; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); Loading @@ -785,6 +809,7 @@ int ssl_check_clienthello_tlsext(SSL *s) } else s->tlsext_status_expected = 0; err: switch (ret) { Loading @@ -796,8 +821,6 @@ int ssl_check_clienthello_tlsext(SSL *s) ssl3_send_alert(s,SSL3_AL_WARNING,al); return 1; case SSL_TLSEXT_ERR_NOACK: s->servername_done=0; default: return 1; } Loading
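Review bot: `ssl_check_clienthello_tlsext_late` declares `int al;` without an initial value, yet the `err:` label added in the third hunk jumps straight into `switch (ret)`, whose fatal and warning arms pass `al` to `ssl3_send_alert`; the paths that set `al` before a `goto err` lie outside the visible hunks, so any path that reaches `err:` with `ret` set but `al` unset sends an indeterminate alert description (undefined behaviour in C, and a peer-visible alert code at best). Initialising it, `int al = SSL_AD_INTERNAL_ERROR;`, mirrors the explicit `al = SSL_AD_UNRECOGNIZED_NAME` that the early function keeps and makes the switch safe however `err:` is reached. Separately, in `_early` the `case SSL_TLSEXT_ERR_NOACK:` arm falls into `default:` after `s->servername_done = 0;` with no `/* fallthrough */` marker; the fall-through is intended (the removed lines in the last hunk had the same shape) but should be annotated. Both functions continue beyond the hunks shown.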