case SSL3_ST_CR_SRVR_HELLO_B:
ret=ssl3_get_server_hello(s);
if (ret <= 0) goto end;
-#ifndef OPENSSL_NO_TLSEXT
- {
- int al;
- switch (ssl_check_tlsext(s,&al))
- {
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ssl3_send_alert(s,SSL3_AL_FATAL,al);
- SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
- ret = -1;
- goto end;
- case SSL_TLSEXT_ERR_ALERT_WARNING:
- ssl3_send_alert(s,SSL3_AL_WARNING,al);
-
- default:
- ;
- }
- }
-#endif
if (s->hit)
s->state=SSL3_ST_CR_FINISHED_A;
else
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_PARSE_TLS_EXT);
goto f_err;
}
+ if (ssl_check_tlsext(s,0) <= 0)
+ {
+ SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
+ goto err;
+ }
}
#endif
s->shutdown=0;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
-#ifndef OPENSSL_NO_TLSEXT
- {
- int al;
- switch (ssl_check_tlsext(s,&al))
- {
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ssl3_send_alert(s,SSL3_AL_FATAL,al);
- SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
- ret = -1;
- goto end;
-
- case SSL_TLSEXT_ERR_ALERT_WARNING:
- ssl3_send_alert(s,SSL3_AL_WARNING,al);
-
- default:
- break;
- }
- }
-#endif
+
s->new_session = 2;
s->state=SSL3_ST_SW_SRVR_HELLO_A;
s->init_num=0;
goto f_err;
}
+#ifndef OPENSSL_NO_TLSEXT
+ /* TLS extensions*/
+ if (s->version > SSL3_VERSION)
+ {
+ if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
+ {
+ /* 'al' set by ssl_parse_clienthello_tlsext */
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
+ goto f_err;
+ }
+ }
+ if (ssl_check_tlsext(s,1) <= 0) {
+ SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
+ goto err;
+ }
+#endif
+
/* Worst case, we will use the NULL compression, but if we have other
* options, we will now look for them. We have i-1 compression
* algorithms from the client, starting at q. */
}
#endif
-#ifndef OPENSSL_NO_TLSEXT
- /* TLS extensions*/
- if (s->version > SSL3_VERSION)
- {
- if (!ssl_parse_clienthello_tlsext(s,&p,d,n, &al))
- {
- /* 'al' set by ssl_parse_clienthello_tlsext */
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_PARSE_TLS_EXT);
- goto f_err;
- }
- }
-#endif
-
/* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
-int ssl_check_tlsext(SSL *s,int *al);
+int ssl_check_tlsext(SSL *s, int is_server);
#endif
#endif
return 1;
}
-int ssl_check_tlsext(SSL *s,int *al)
+int ssl_check_tlsext(SSL *s, int is_server)
{
int ret=SSL_TLSEXT_ERR_NOACK;
- *al = SSL_AD_UNRECOGNIZED_NAME;
+ int al = SSL_AD_UNRECOGNIZED_NAME;
if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
- ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
+ ret = s->ctx->tlsext_servername_callback(s, &al, s->ctx->tlsext_servername_arg);
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
- ret = s->initial_ctx->tlsext_servername_callback(s, al, s->initial_ctx->tlsext_servername_arg);
+ ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
- if (ret == SSL_TLSEXT_ERR_NOACK)
- s->servername_done=0;
- return ret;
+ switch (ret) {
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ return -1;
+
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
+ return 1;
+
+ case SSL_TLSEXT_ERR_NOACK:
+ s->servername_done=0;
+ default:
+ return 1;
}
+}
#endif
projects / oweals / openssl.git / commitdiff