Diffstat (limited to 'ssl')
-rw-r--r--ssl/s23_clnt.c4
-rw-r--r--ssl/s3_clnt.c11
-rw-r--r--ssl/s3_srvr.c17
-rw-r--r--ssl/t1_lib.c21
-rw-r--r--ssl/tls1.h9
5 files changed, 38 insertions, 24 deletions
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 66ecbc7eed..ab291928a1 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -565,6 +565,7 @@ static int ssl23_get_server_hello(SSL *s)
(p[5] == SSL3_MT_SERVER_HELLO))
{
/* we have sslv3 or tls1 */
+ have_sslv3_or_tls1:
if (!ssl_init_wbio_buffer(s,1)) goto err;
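Review bot: The new label `have_sslv3_or_tls1:` sits inside the block guarded by the ServerHello checks at the top of this hunk, but the `goto have_sslv3_or_tls1` added in the next hunk enters it from the alert branch, where `p[]` holds a 2-byte alert record rather than a ServerHello. Whatever follows the label and reads `p[]` (version selection is presumably below it, outside the hunk) now has to tolerate the alert layout, and nothing at the label tells a reader that a second entry path exists. I would document it there: `/* Also entered from the alert path below when the server sent a warning alert: p[] then holds an alert record, not a ServerHello, and is handed to the SSLv3/TLS layer to process. */`. The guard `if (p[5] == SSL3_AL_WARNING)` in the second hunk relies on the enclosing alert branch having already checked the record type and version bytes; if only the content type was checked, a warning alert carrying an unsupported version now reaches the TLS code path, and nothing visible bounds how many such warnings a peer may send before a ServerHello. ssl23_get_server_hello starts and ends outside both hunks.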
@@ -623,6 +624,9 @@ static int ssl23_get_server_hello(SSL *s)
cb(s,SSL_CB_READ_ALERT,j);
}
+ if (p[5] == SSL3_AL_WARNING)
+ goto have_sslv3_or_tls1;
+
s->rwstate=SSL_NOTHING;
SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
goto err;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 578285230d..d50f588b94 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -258,12 +258,19 @@ int ssl3_connect(SSL *s)
#ifndef OPENSSL_NO_TLSEXT
{
int al;
- if (ssl_check_tlsext(s,&al) <= 0)
+ switch (ssl_check_tlsext(s,&al))
{
- ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
ret = -1;
goto end;
+
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
+
+ default:
+ ;
}
}
#endif
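Review bot: The `switch` on `ssl_check_tlsext(s,&al)` acts only on `SSL_TLSEXT_ERR_ALERT_FATAL` and `SSL_TLSEXT_ERR_ALERT_WARNING`; every other value, including a negative one, lands in `default: ;` and the handshake proceeds. The line it replaces treated any result `<= 0` as fatal, so a servername callback that still returns -1 to reject the connection now fails open, and the server-side switch in s3_srvr.c has the same shape. Unless ssl_check_tlsext is changed to range-check the callback result, the unknown-value case should fail closed here by stacking `default:` onto the fatal case, which also makes the drop from the warning case explicit. ssl3_connect continues outside the hunk.
```c
	switch (ssl_check_tlsext(s,&al))
		{
	case SSL_TLSEXT_ERR_ALERT_WARNING:
		ssl3_send_alert(s,SSL3_AL_WARNING,al);
		/* fall through */
	case SSL_TLSEXT_ERR_OK:
	case SSL_TLSEXT_ERR_NOACK:
		break;
	default:
		/* result outside the SSL_TLSEXT_ERR_* range: fail closed */
	case SSL_TLSEXT_ERR_ALERT_FATAL:
		ssl3_send_alert(s,SSL3_AL_FATAL,al);
		SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
		ret = -1;
		goto end;
		}
```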
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c83505c0a5..28d425a468 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -283,16 +283,21 @@ int ssl3_accept(SSL *s)
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_TLSEXT
{
- int al,warn;
- warn = ssl_check_tlsext(s,&al);
- if (warn == 0)
- ssl3_send_alert(s,SSL3_AL_WARNING,al);
- else if (warn < 0) {
+ int al;
+ switch (ssl_check_tlsext(s,&al))
+ {
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
ret = -1;
goto end;
- }
+
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
+
+ default:
+ break;
+ }
}
#endif
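Review bot: The `case SSL_TLSEXT_ERR_ALERT_WARNING:` arm drops into `default: break;` without a fall-through marker, and the same arm on the client side ends in `default: ;` — the two should use one form, with `/* fall through */` after the `ssl3_send_alert` call. On the server the warning path also continues with `s->servername_done` untouched, so, as far as this hunk shows, the server_name extension is still acknowledged after a warning alert while only `SSL_TLSEXT_ERR_NOACK` suppresses the ack; if that is intended, a one-line comment at the case saying so would save the next reader the cross-reference into t1_lib.c. ssl3_accept continues outside the hunk.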
s->new_session = 2;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index cea8b8e851..1aa5e90bbf 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -389,22 +389,17 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
int ssl_check_tlsext(SSL *s,int *al)
{
- int ret;
+ int ret=SSL_TLSEXT_ERR_NOACK;
*al = SSL_AD_UNRECOGNIZED_NAME;
- if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
- {
+
+ if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
- if (ret <= 0)
- return ret;
- }
- else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
- {
+ else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
ret = s->initial_ctx->tlsext_servername_callback(s, al, s->initial_ctx->tlsext_servername_arg);
- if (ret <= 0)
- return ret;
- }
-
- return 1;
+
+ if (ret == SSL_TLSEXT_ERR_NOACK)
+ s->servername_done=0;
+ return ret;
}
#endif
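Review bot: ssl_check_tlsext now has a four-valued return contract shared by both state machines, but the function carries no comment describing it, and the callback's result is passed up unchanged, so any value outside the `SSL_TLSEXT_ERR_*` range reaches the callers' switches. I would add above the definition: `/* Runs the servername callback, if any, and returns one of SSL_TLSEXT_ERR_*: ALERT_WARNING/ALERT_FATAL mean "send the alert in *al" (preset to unrecognized_name); NOACK, also the result when no callback is set, clears servername_done so the extension is not acknowledged. */`. The `s->servername_done=0` line is the only place this function writes state, and it fires whenever no callback is configured, which is a behaviour change from the old unconditional `return 1` worth calling out in that comment.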
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 8e56379963..0a9c1ea500 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -180,12 +180,15 @@ SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
#define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
+
+#define SSL_TLSEXT_ERR_OK 0
+#define SSL_TLSEXT_ERR_ALERT_WARNING 1
+#define SSL_TLSEXT_ERR_ALERT_FATAL 2
+#define SSL_TLSEXT_ERR_NOACK 3
+
#define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
-#define SSL_set_tlsext_servername_done(s,t) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
-
#endif
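Review bot: The four `SSL_TLSEXT_ERR_*` macros are the public contract of the servername callback but carry no comment, and the value `0` (`SSL_TLSEXT_ERR_OK`) silently changes meaning for callers of the old interface, where a zero return requested a warning alert. A short comment above the group should say that the callback returns one of these, that the two ALERT values send the alert left in `*al`, and that NOACK continues the handshake without acknowledging the server_name extension. The removal of `SSL_set_tlsext_servername_done` from this header drops a public macro with no deprecation note; at minimum a comment pointing applications at `SSL_TLSEXT_ERR_NOACK` as the replacement would soften the break.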