Move no status notification to ssl_check_serverhello_tlsext() to ensure

author Dr. Stephen Henson <steve@openssl.org>

Fri, 28 Sep 2007 17:45:11 +0000 (17:45 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Fri, 28 Sep 2007 17:45:11 +0000 (17:45 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Fri, 28 Sep 2007 17:45:11 +0000 (17:45 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Fri, 28 Sep 2007 17:45:11 +0000 (17:45 +0000)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index 476e4240e5c035fe2f370353e2abaf93d2a9462d..b0b5687c3bb974e9045394127effac17ab0a2672 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -992,35 +992,6 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                         }
                 }
  
-       /* If we've requested certificate status and we wont get one
-        * tell the callback
-        */
-       if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
-                       && s->ctx->tlsext_status_cb)
-               {
-               int r;
-               /* Set resp to NULL, resplen to -1 so callback knows
-                * there is no response.
-                */
-               if (s->tlsext_ocsp_resp)
-                       {
-                       OPENSSL_free(s->tlsext_ocsp_resp);
-                       s->tlsext_ocsp_resp = NULL;
-                       }
-               s->tlsext_ocsp_resplen = -1;
-               r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
-               if (r == 0)
-                       {
-                       *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
-                       return 0;
-                       }
-               if (r < 0)
-                       {
-                       *al = SSL_AD_INTERNAL_ERROR;
-                       return 0;
-                       }
-               }
-
         *p = data;
         return 1;
         }
@@ -1340,6 +1311,35 @@ int ssl_check_serverhello_tlsext(SSL *s)
                 }
  #endif
  
+       /* If we've requested certificate status and we wont get one
+        * tell the callback
+        */
+       if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected)
+                       && s->ctx->tlsext_status_cb)
+               {
+               int r;
+               /* Set resp to NULL, resplen to -1 so callback knows
+                * there is no response.
+                */
+               if (s->tlsext_ocsp_resp)
+                       {
+                       OPENSSL_free(s->tlsext_ocsp_resp);
+                       s->tlsext_ocsp_resp = NULL;
+                       }
+               s->tlsext_ocsp_resplen = -1;
+               r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+               if (r == 0)
+                       {
+                       al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
+                       ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+                       }
+               if (r < 0)
+                       {
+                       al = SSL_AD_INTERNAL_ERROR;
+                       ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+                       }
+               }
+
         switch (ret)
                 {
                 case SSL_TLSEXT_ERR_ALERT_FATAL:
author	Dr. Stephen Henson <steve@openssl.org>
	Fri, 28 Sep 2007 17:45:11 +0000 (17:45 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Fri, 28 Sep 2007 17:45:11 +0000 (17:45 +0000)