authorMatt Caswell <matt@openssl.org>2018-03-08 17:44:12 +0000
committerMatt Caswell <matt@openssl.org>2018-03-09 11:37:58 +0000
commite440f51395f10e307f720213bd75393e446024a3 (patch)
treeef5595dbe30c53cb2cb5c2e55a2c9ebaa47321a4 /ssl
parent532f95783e2bff4d7f4e8086297ed8e0b25561f7 (diff)
Give more information in the SSL_stateless return code
Allow users to distinguish between an error occurring and an HRR being issued. Fixes #5549 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5562)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_err.c2
-rw-r--r--ssl/ssl_lib.c5
-rw-r--r--ssl/statem/extensions_srvr.c9
3 files changed, 13 insertions, 3 deletions
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index f0bde60994..34e8ec4076 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -952,6 +952,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
"no client cert method"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COMPRESSION_SPECIFIED),
"no compression specified"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_COOKIE_CALLBACK_SET),
+ "no cookie callback set"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
"Peer haven't sent GOST certificate, required for selected ciphersuite"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NO_METHOD_SPECIFIED),
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index accef0c0ce..f5219c22d1 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -5352,7 +5352,10 @@ int SSL_stateless(SSL *s)
if (ret > 0 && s->ext.cookieok)
return 1;
- return 0;
+ if (s->hello_retry_request == SSL_HRR_PENDING && !ossl_statem_in_error(s))
+ return 0;
+
+ return -1;
}
void SSL_force_post_handshake_auth(SSL *ssl)
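Review bot: The new `return -1;` at the end of SSL_stateless is non-zero, so a caller written against the earlier 0/1 result as `if (SSL_stateless(s))` would now read a fatal error as a validated cookie and carry on with a peer whose cookie was never verified. The three outcomes should be spelled out next to the returns, e.g. `/* 1: cookie verified; 0: HelloRetryRequest sent, wait for the retry; -1: fatal error */`, and the public documentation should tell callers to test `== 1`. The start of the function is outside this hunk, so it is worth checking that no earlier failure path there still returns 0, since 0 now means an HRR was issued.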
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index bcabb858be..b9692f46e4 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1682,10 +1682,15 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
EVP_PKEY *pkey;
int ret = EXT_RETURN_FAIL;
- if (s->ctx->app_gen_cookie_cb == NULL
- || (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
+ if ((s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
return EXT_RETURN_NOT_SENT;
+ if (s->ctx->app_gen_cookie_cb == NULL) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
+ SSL_R_NO_COOKIE_CALLBACK_SET);
+ return EXT_RETURN_FAIL;
+ }
+
if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_cookie)
|| !WPACKET_start_sub_packet_u16(pkt)
|| !WPACKET_start_sub_packet_u16(pkt)
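Review bot: A missing `app_gen_cookie_cb` is detected only here, while the HelloRetryRequest is being built, so a misconfigured stateless server learns of it once per incoming ClientHello from a not-yet-verified peer rather than once at setup. Consider also rejecting the configuration at the top of SSL_stateless (returning -1 with `SSL_R_NO_COOKIE_CALLBACK_SET`, presumably before any handshake processing) and keeping this check as a backstop. A short comment above the new block would help the next reader, for instance `/* Stateless mode cannot proceed without a cookie generator; fail instead of sending an HRR with no cookie */`. The rest of tls_construct_stoc_cookie lies outside the hunk.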