From f97d4c370844081e5e735711bd8b91979313ce7b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 1 Dec 2016 15:21:08 +0000 Subject: [PATCH] Extends extension parsing to take the Certificate Continuing from the previous commit we also need to extend the extensions framework to supply the Certificate we just read during parsing. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2020) --- ssl/statem/extensions.c | 30 +++++++++------ ssl/statem/extensions_clnt.c | 30 +++++++++------ ssl/statem/extensions_srvr.c | 35 ++++++++++------- ssl/statem/statem_clnt.c | 4 +- ssl/statem/statem_locl.h | 73 ++++++++++++++++++++++-------------- ssl/statem/statem_srvr.c | 4 +- 6 files changed, 106 insertions(+), 70 deletions(-) diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c index 2dee62e9d5..7fe80b52ee 100644 --- a/ssl/statem/extensions.c +++ b/ssl/statem/extensions.c @@ -56,9 +56,9 @@ typedef struct extensions_definition_st { */ int (*init)(SSL *s, unsigned int context); /* Parse extension sent from client to server */ - int (*parse_ctos)(SSL *s, PACKET *pkt, int *al); + int (*parse_ctos)(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); /* Parse extension send from server to client */ - int (*parse_stoc)(SSL *s, PACKET *pkt, int *al); + int (*parse_stoc)(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); /* Construct extension sent from server to client */ int (*construct_stoc)(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al); @@ -441,15 +441,18 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, * Runs the parser for a given extension with index |idx|. |exts| contains the * list of all parsed extensions previously collected by * tls_collect_extensions(). The parser is only run if it is applicable for the - * given |context| and the parser has not already been run. Returns 1 on success - * or 0 on failure. In the event of a failure |*al| is populated with a suitable - * alert code. If an extension is not present this counted as success. + * given |context| and the parser has not already been run. If this is for a + * Certificate message, then we also provide the parser with the relevant + * Certificate |x| and its position in the |chain| with 0 being the first + * Certificate. Returns 1 on success or 0 on failure. In the event of a failure + * |*al| is populated with a suitable alert code. If an extension is not present + * this counted as success. */ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, - RAW_EXTENSION *exts, int *al) + RAW_EXTENSION *exts, X509 *x, size_t chain, int *al) { RAW_EXTENSION *currext = &exts[idx]; - int (*parser)(SSL *s, PACKET *pkt, int *al) = NULL; + int (*parser)(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) = NULL; /* Skip if the extension is not present */ if (!currext->present) @@ -478,7 +481,7 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, parser = s->server ? extdef->parse_ctos : extdef->parse_stoc; if (parser != NULL) - return parser(s, &currext->data, al); + return parser(s, &currext->data, x, chain, al); /* * If the parser is NULL we fall through to the custom extension @@ -509,10 +512,13 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, /* * Parse all remaining extensions that have not yet been parsed. Also calls the * finalisation for all extensions at the end, whether we collected them or not. - * Returns 1 for success or 0 for failure. On failure, |*al| is populated with a - * suitable alert code. + * Returns 1 for success or 0 for failure. If we are working on a Certificate + * message then we also pass the Certificate |x| and its position in the + * |chain|, with 0 being the first certificate. On failure, |*al| is populated + * with a suitable alert code. */ -int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, int *al) +int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, X509 *x, + size_t chain, int *al) { size_t i, numexts = OSSL_NELEM(ext_defs); const EXTENSION_DEFINITION *thisexd; @@ -526,7 +532,7 @@ int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, int *al) /* Parse each extension in turn */ for (i = 0; i < numexts; i++) { - if (!tls_parse_extension(s, i, context, exts, al)) + if (!tls_parse_extension(s, i, context, exts, x, chain, al)) return 0; } diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 713999f190..4975c7a831 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -624,7 +624,8 @@ int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, X509 *x, size_t chain, /* * Parse the server's renegotiation binding and abort if it's not right */ -int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { size_t expected_len = s->s3->previous_client_finished_len + s->s3->previous_server_finished_len; @@ -681,7 +682,8 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, int *al) return 1; } -int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { if (s->tlsext_hostname == NULL || PACKET_remaining(pkt) > 0) { *al = SSL_AD_UNRECOGNIZED_NAME; @@ -704,7 +706,8 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, int *al) } #ifndef OPENSSL_NO_EC -int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { unsigned int ecpointformatlist_length; PACKET ecptformatlist; @@ -739,7 +742,8 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, int *al) } #endif -int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { if (s->tls_session_ticket_ext_cb != NULL && !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt), @@ -760,7 +764,8 @@ int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, int *al) } #ifndef OPENSSL_NO_OCSP -int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { /* * MUST be empty and only sent if we've requested a status @@ -780,7 +785,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, int *al) #ifndef OPENSSL_NO_CT -int tls_parse_stoc_sct(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_sct(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { /* * Only take it if we asked for it - i.e if there is no CT validation @@ -833,7 +838,7 @@ static int ssl_next_proto_validate(PACKET *pkt) return 1; } -int tls_parse_stoc_npn(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { unsigned char *selected; unsigned char selected_len; @@ -883,7 +888,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, int *al) } #endif -int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { size_t len; @@ -920,7 +925,7 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, int *al) } #ifndef OPENSSL_NO_SRTP -int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { unsigned int id, ct, mki; int i; @@ -973,7 +978,7 @@ int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, int *al) } #endif -int tls_parse_stoc_etm(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { /* Ignore if inappropriate ciphersuite */ if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC) @@ -984,7 +989,7 @@ int tls_parse_stoc_etm(SSL *s, PACKET *pkt, int *al) return 1; } -int tls_parse_stoc_ems(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { s->s3->flags |= TLS1_FLAGS_RECEIVED_EXTMS; if (!s->hit) @@ -993,7 +998,8 @@ int tls_parse_stoc_ems(SSL *s, PACKET *pkt, int *al) return 1; } -int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, int *al) +int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { #ifndef OPENSSL_NO_TLS1_3 unsigned int group_id; diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 7f0b80c039..14a8e15b49 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -14,7 +14,8 @@ /* * Parse the client's renegotiation binding and abort if it's not right */ -int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { unsigned int ilen; const unsigned char *data; @@ -72,7 +73,8 @@ int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, int *al) * extension. * - On session reconnect, the servername extension may be absent. */ -int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { unsigned int servname_type; PACKET sni, hostname; @@ -134,7 +136,7 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, int *al) } #ifndef OPENSSL_NO_SRP -int tls_parse_ctos_srp(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { PACKET srp_I; @@ -158,7 +160,8 @@ int tls_parse_ctos_srp(SSL *s, PACKET *pkt, int *al) #endif #ifndef OPENSSL_NO_EC -int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { PACKET ec_point_format_list; @@ -181,7 +184,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, int *al) } #endif /* OPENSSL_NO_EC */ -int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { if (s->tls_session_ticket_ext_cb && !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt), @@ -194,7 +198,7 @@ int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, int *al) return 1; } -int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { PACKET supported_sig_algs; @@ -215,7 +219,8 @@ int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, int *al) } #ifndef OPENSSL_NO_OCSP -int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { PACKET responder_id_list, exts; @@ -309,7 +314,7 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, int *al) #endif #ifndef OPENSSL_NO_NEXTPROTONEG -int tls_parse_ctos_npn(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { /* * We shouldn't accept this extension on a @@ -340,7 +345,7 @@ int tls_parse_ctos_npn(SSL *s, PACKET *pkt, int *al) * extension, not including type and length. |al| is a pointer to the alert * value to send in the event of a failure. Returns: 1 on success, 0 on error. */ -int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { PACKET protocol_list, save_protocol_list, protocol; @@ -373,7 +378,7 @@ int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, int *al) } #ifndef OPENSSL_NO_SRTP -int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; unsigned int ct, mki_len, id; @@ -443,7 +448,7 @@ int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, int *al) } #endif -int tls_parse_ctos_etm(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { if (!(s->options & SSL_OP_NO_ENCRYPT_THEN_MAC)) s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC; @@ -487,7 +492,8 @@ static int check_in_list(SSL *s, unsigned int group_id, * the raw PACKET data for the extension. Returns 1 on success or 0 on failure. * If a failure occurs then |*al| is set to an appropriate alert value. */ -int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { #ifndef OPENSSL_NO_TLS1_3 unsigned int group_id; @@ -616,7 +622,8 @@ int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, int *al) } #ifndef OPENSSL_NO_EC -int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al) { PACKET supported_groups_list; @@ -640,7 +647,7 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, int *al) } #endif -int tls_parse_ctos_ems(SSL *s, PACKET *pkt, int *al) +int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al) { /* The extension must always be empty */ if (PACKET_remaining(pkt) != 0) { diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 3d9fe79335..8400c74944 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1312,7 +1312,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) context = SSL_IS_TLS13(s) ? EXT_TLS1_3_SERVER_HELLO : EXT_TLS1_2_SERVER_HELLO; if (!tls_collect_extensions(s, &extpkt, context, &extensions, &al) - || !tls_parse_all_extensions(s, context, extensions, &al)) + || !tls_parse_all_extensions(s, context, extensions, NULL, 0, &al)) goto f_err; #ifndef OPENSSL_NO_SCTP @@ -3120,7 +3120,7 @@ static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) || !tls_parse_all_extensions(s, EXT_TLS1_3_ENCRYPTED_EXTENSIONS | EXT_TLS1_3_CERTIFICATE, - rawexts, &al)) + rawexts, NULL, 0, &al)) goto err; OPENSSL_free(rawexts); diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h index 7e34aade12..5fa190aada 100644 --- a/ssl/statem/statem_locl.h +++ b/ssl/statem/statem_locl.h @@ -156,37 +156,47 @@ __owur int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt); __owur int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context, RAW_EXTENSION **res, int *al); __owur int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context, - RAW_EXTENSION *exts, int *al); + RAW_EXTENSION *exts, X509 *x, size_t chain, + int *al); __owur int tls_parse_all_extensions(SSL *s, int context, RAW_EXTENSION *exts, - int *al); + X509 *x, size_t chain, int *al); __owur int tls_construct_extensions(SSL *s, WPACKET *pkt, unsigned int context, X509 *x, size_t chain, int *al); /* Server Extension processing */ -int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, int *al); -int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); +int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #ifndef OPENSSL_NO_SRP -int tls_parse_ctos_srp(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_srp(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); #endif #ifndef OPENSSL_NO_EC -int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, int *al); -int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); +int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #endif -int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, int *al); -int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); +int tls_parse_ctos_sig_algs(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #ifndef OPENSSL_NO_OCSP -int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #endif #ifndef OPENSSL_NO_NEXTPROTONEG -int tls_parse_ctos_npn(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); #endif -int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); #ifndef OPENSSL_NO_SRTP -int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #endif -int tls_parse_ctos_etm(SSL *s, PACKET *pkt, int *al); -int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, int *al); -int tls_parse_ctos_ems(SSL *s, PACKET *pkt, int *al); +int tls_parse_ctos_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); +int tls_parse_ctos_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); +int tls_parse_ctos_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); int tls_construct_stoc_renegotiate(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al); @@ -273,25 +283,32 @@ int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al); int tls_construct_ctos_padding(SSL *s, WPACKET *pkt, X509 *x, size_t chain, int *al); -int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, int *al); -int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); +int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #ifndef OPENSSL_NO_EC -int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #endif -int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #ifndef OPENSSL_NO_OCSP -int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #endif #ifndef OPENSSL_NO_CT -int tls_parse_stoc_sct(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_sct(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); #endif #ifndef OPENSSL_NO_NEXTPROTONEG -int tls_parse_stoc_npn(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); #endif -int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); #ifndef OPENSSL_NO_SRTP -int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_use_srtp(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); #endif -int tls_parse_stoc_etm(SSL *s, PACKET *pkt, int *al); -int tls_parse_stoc_ems(SSL *s, PACKET *pkt, int *al); -int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, int *al); +int tls_parse_stoc_etm(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); +int tls_parse_stoc_ems(SSL *s, PACKET *pkt, X509 *x, size_t chain, int *al); +int tls_parse_stoc_key_share(SSL *s, PACKET *pkt, X509 *x, size_t chain, + int *al); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d21628f287..5f6d6288f4 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1400,7 +1400,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* We need to do this before getting the session */ if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, EXT_CLIENT_HELLO, - clienthello.pre_proc_exts, &al)) { + clienthello.pre_proc_exts, NULL, 0, &al)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); goto f_err; } @@ -1504,7 +1504,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) /* TLS extensions */ if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO, - clienthello.pre_proc_exts, &al)) { + clienthello.pre_proc_exts, NULL, 0, &al)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); goto f_err; } -- 2.25.1