authorScott Deboy <sdeboy@secondstryke.com>2013-09-12 12:03:40 -0700
committerBen Laurie <ben@links.org>2014-02-05 18:25:46 +0000
commitac20719d994729970eb3b775c7bffa81f0e9f960 (patch)
tree968d561cc089196fff817ca36bee1bdc9cbc2f78 /ssl/ssl_rsa.c
parenta51f767645c117667d337f77fe1dd9c0a66d8410 (diff)
Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake. Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
Diffstat (limited to 'ssl/ssl_rsa.c')
-rw-r--r--ssl/ssl_rsa.c41
1 files changed, 40 insertions, 1 deletions
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 7fcd8460a3..063eea5ecb 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -848,20 +848,59 @@ static int serverinfo_srv_first_cb(SSL *s, unsigned short ext_type,
unsigned short inlen, int *al,
void *arg)
{
+ size_t i = 0;
if (inlen != 0)
{
*al = SSL_AD_DECODE_ERROR;
return 0;
}
+ //if already in list, error out
+ for (i = 0; i < s->s3->serverinfo_client_tlsext_custom_types_count; i++)
+ {
+ if (s->s3->serverinfo_client_tlsext_custom_types[i] == ext_type)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ }
+ s->s3->serverinfo_client_tlsext_custom_types_count++;
+ s->s3->serverinfo_client_tlsext_custom_types = OPENSSL_realloc(
+ s->s3->serverinfo_client_tlsext_custom_types,
+ s->s3->serverinfo_client_tlsext_custom_types_count * 2);
+ if (s->s3->serverinfo_client_tlsext_custom_types == NULL)
+ {
+ s->s3->serverinfo_client_tlsext_custom_types_count = 0;
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->s3->serverinfo_client_tlsext_custom_types[
+ s->s3->serverinfo_client_tlsext_custom_types_count - 1] = ext_type;
+
return 1;
}
static int serverinfo_srv_second_cb(SSL *s, unsigned short ext_type,
const unsigned char **out, unsigned short *outlen,
- void *arg)
+ int *al, void *arg)
{
const unsigned char *serverinfo = NULL;
size_t serverinfo_length = 0;
+ size_t i = 0;
+ unsigned int match = 0;
+ /* Did the client send a TLS extension for this type? */
+ for (i = 0; i < s->s3->serverinfo_client_tlsext_custom_types_count; i++)
+ {
+ if (s->s3->serverinfo_client_tlsext_custom_types[i] == ext_type)
+ {
+ match = 1;
+ break;
+ }
+ }
+ if (!match)
+ {
+ //extension not sent by client...don't send extension
+ return -1;
+ }
/* Is there serverinfo data for the chosen server cert? */
if ((ssl_get_server_cert_serverinfo(s, &serverinfo,