TLS: reject duplicate extensions

Adapted from BoringSSL. Added a test. The extension parsing code is already attempting to already handle this for some individual extensions, but it is doing so inconsistently. Duplicate efforts in individual extension parsing will be cleaned up in a follow-up. Reviewed-by: Stephen Henson <steve@openssl.org>
author: Emilia Kasper <emilia@openssl.org> 2016-02-19 17:24:44 +0100
committer: Emilia Kasper <emilia@openssl.org> 2016-02-19 17:24:44 +0100
commit: aa474d1fb172aabb29dad04cb6aaeca601a4378c (patch)
tree: 51a82f8896aecd1f989f84e08ea15b0b9e4255e2 /ssl/ssl_err.c
parent: f0496ad71fbacccf5a95f40d31d251bc8cf9dcfb (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index e6b9bbdb9c..46f483febe 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -273,6 +273,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_STATE_MACHINE), "state_machine"},
     {ERR_FUNC(SSL_F_TLS12_CHECK_PEER_SIGALG), "tls12_check_peer_sigalg"},
     {ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "tls1_change_cipher_state"},
+    {ERR_FUNC(SSL_F_TLS1_CHECK_DUPLICATE_EXTENSIONS),
+     "tls1_check_duplicate_extensions"},
     {ERR_FUNC(SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT),
      "TLS1_CHECK_SERVERHELLO_TLSEXT"},
     {ERR_FUNC(SSL_F_TLS1_EXPORT_KEYING_MATERIAL),
author	Emilia Kasper <emilia@openssl.org>	2016-02-19 17:24:44 +0100
committer	Emilia Kasper <emilia@openssl.org>	2016-02-19 17:24:44 +0100
commit	aa474d1fb172aabb29dad04cb6aaeca601a4378c (patch)
tree	51a82f8896aecd1f989f84e08ea15b0b9e4255e2 /ssl/ssl_err.c
parent	f0496ad71fbacccf5a95f40d31d251bc8cf9dcfb (diff)