diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2011-11-25 00:18:10 +0000 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2011-11-25 00:18:10 +0000 |
| commit | 2c7d978c2d4db664d1c5d164685480eed818d281 (patch) | |
| tree | c61562b448898555f5f964e86cf62d5a0fc6a805 /ssl/s3_srvr.c | |
| parent | 8cd897a42c973ed3a76ef1946f0d9eda1b6b12ec (diff) | |
PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
Make SRP conformant to rfc 5054.
Changes are:
- removal of the addition state after client hello
- removal of all pre-rfc srp alert ids
- sending a fatal alert when there is no srp extension but when the
server wants SRP
- removal of unnecessary code in the client.
Diffstat (limited to 'ssl/s3_srvr.c')
| -rw-r--r-- | ssl/s3_srvr.c | 50 |
1 files changed, 16 insertions, 34 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 4088598d23..bae14c17e5 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -180,11 +180,11 @@ static const SSL_METHOD *ssl3_get_server_method(int ver) } #ifndef OPENSSL_NO_SRP -static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad) +static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) { int ret = SSL_ERROR_NONE; - *ad = SSL_AD_UNRECOGNIZED_NAME; + *al = SSL_AD_UNRECOGNIZED_NAME; if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) && (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) @@ -192,12 +192,12 @@ static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad) if(s->srp_ctx.login == NULL) { /* There isn't any srp login extension !!! */ - ret = SSL3_AL_WARNING; - *ad = SSL_AD_MISSING_SRP_USERNAME; + ret = SSL3_AL_FATAL; + *al = SSL_AD_UNKNOWN_PSK_IDENTITY; } else { - ret = SSL_srp_server_param_with_username(s,ad); + ret = SSL_srp_server_param_with_username(s,al); } } return ret; @@ -216,10 +216,6 @@ int ssl3_accept(SSL *s) void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; int new_state,state,skip=0; -#ifndef OPENSSL_NO_SRP - int srp_no_username=0; - int extension_error,al; -#endif RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); @@ -340,35 +336,24 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_CLNT_HELLO_A: case SSL3_ST_SR_CLNT_HELLO_B: case SSL3_ST_SR_CLNT_HELLO_C: -#ifndef OPENSSL_NO_SRP - case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME: -#endif s->shutdown=0; + ret=ssl3_get_client_hello(s); if (ret <= 0) goto end; #ifndef OPENSSL_NO_SRP - extension_error = 0; - if ((al = SSL_check_srp_ext_ClientHello(s,&extension_error)) != SSL_ERROR_NONE) + { + int al; + if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) != SSL_ERROR_NONE) { - ssl3_send_alert(s,al,extension_error); - if (extension_error == SSL_AD_MISSING_SRP_USERNAME) - { - if (srp_no_username) goto end; - ERR_clear_error(); - srp_no_username = 1; - s->state=SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME; - if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1); - if ((ret=BIO_flush(s->wbio)) <= 0) goto end; - s->init_num=0; - break; - } - ret = -1; - SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); - goto end; + ssl3_send_alert(s,SSL3_AL_FATAL,al); + SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT); + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + ret= -1; + goto end; } -#endif - + } +#endif s->renegotiate = 2; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; @@ -914,9 +899,6 @@ int ssl3_get_client_hello(SSL *s) * TLSv1. */ if (s->state == SSL3_ST_SR_CLNT_HELLO_A -#ifndef OPENSSL_NO_SRP - || (s->state == SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME) -#endif ) { s->state=SSL3_ST_SR_CLNT_HELLO_B; |