authorDr. Stephen Henson <steve@openssl.org>2014-08-12 14:25:49 +0100
committerDr. Stephen Henson <steve@openssl.org>2014-08-28 18:09:39 +0100
commit9346c75cb8bea75d3410be65f5b625289f375b2d (patch)
tree699dd1acc44dbd9dfa6acd236efca619f944ef3a /ssl/t1_lib.c
parent0a4fe37fc6248e5efadcda34015eff122e01b1db (diff)
Add custom extension sanity checks.
Reject attempts to use extensions handled internally. Add flags to each extension structure to indicate if an extension has been sent or received. Enforce RFC5246 compliance by rejecting duplicate extensions and unsolicited extensions and only send a server extension if we have sent the corresponding client extension. Reviewed-by: Emilia Käsper <emilia@openssl.org> (cherry picked from commit 28ea0a0c6a5e4e217c405340fa22a8503c7a17db)
Diffstat (limited to 'ssl/t1_lib.c')
-rw-r--r--ssl/t1_lib.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3b3e0e334f..f13b3762c9 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1444,7 +1444,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
}
ret += el;
}
-
+ custom_ext_init(&s->cert->cli_ext);
/* Add custom TLS Extensions to ClientHello */
if (!custom_ext_add(s, 0, &ret, limit, al))
return NULL;
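Review bot: The added `custom_ext_init(&s->cert->cli_ext);` takes the place of the blank line after the closing brace above it and carries no explanation, so the reset reads as part of the preceding extension block rather than as a precondition for `custom_ext_add`. Keep the blank line and state the ordering it enforces, e.g. `/* Clear per-extension sent/received flags before adding any custom extension: a fresh ClientHello must not inherit state from an earlier handshake, and these flags later gate which server extensions are accepted */`. The enclosing function `ssl_add_clienthello_tlsext` starts outside the hunk, so it is not visible here whether this is the only path that emits custom client extensions; if another path reaches `custom_ext_add` without passing this line, the flags would be stale and the unsolicited-extension check described in the commit message would presumably be weakened.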
@@ -2422,6 +2422,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n)
{
int al = -1;
+ custom_ext_init(&s->cert->srv_ext);
if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0)
{
ssl3_send_alert(s,SSL3_AL_FATAL,al);
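Review bot: `custom_ext_init(&s->cert->srv_ext);` has to run before `ssl_scan_clienthello_tlsext` sets any received flag, but nothing in the hunk documents that dependency, and the call sits directly under the `int al = -1;` declaration with no comment or separating blank line. A one-line comment such as `/* Reset custom extension flags before scanning: each ClientHello starts a new handshake and must not inherit received/sent state */` would pin the ordering for the next maintainer. The reset also dereferences `s->cert` unconditionally; presumably `cert` is always populated by the time a ClientHello is parsed, but the hunk does not show that, so it is worth confirming against the caller. If any caller processes a ClientHello without entering this function (not visible here), `srv_ext` would retain flags from the previous handshake and the duplicate/unsolicited checks the commit introduces would not apply to that path.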