More TLS extension related changes.

Submitted by: Peter Sylvester
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 66ecbc7..ab29192 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -565,6 +565,7 @@
 		 (p[5] == SSL3_MT_SERVER_HELLO))
 		{
 		/* we have sslv3 or tls1 */
+	have_sslv3_or_tls1:	
 
 		if (!ssl_init_wbio_buffer(s,1)) goto err;
 
@@ -623,6 +624,9 @@
 			cb(s,SSL_CB_READ_ALERT,j);
 			}
 
+		if (p[5] == SSL3_AL_WARNING)
+			goto have_sslv3_or_tls1;
+
 		s->rwstate=SSL_NOTHING;
 		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]);
 		goto err;
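Review bot: The new `goto have_sslv3_or_tls1;` lets a warning-level alert in the server's first record enter the ServerHello path without passing that branch's condition, of which only `p[5] == SSL3_MT_SERVER_HELLO` is visible at the top of the first hunk. The record is unauthenticated at this stage, so anything the code after the label derives from `p[]` has to be validated by the alert branch's own condition, which lies outside the hunk and should be confirmed. The alert callback just above has already fired before the jump, so if the SSLv3 code processes the same record again the alert would presumably be reported twice. A comment at the jump such as `/* warning alert, e.g. unrecognized_name: not fatal, continue as SSLv3/TLSv1 */` would record the intent. The label in the first hunk would also be easier to spot at the enclosing block's indentation than inside it.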
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5782852..d50f588 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -258,12 +258,19 @@
 #ifndef OPENSSL_NO_TLSEXT
 			{
 				int al;
-				if (ssl_check_tlsext(s,&al) <= 0)
+				switch (ssl_check_tlsext(s,&al))
 					{
-					ssl3_send_alert(s,SSL3_AL_FATAL,al); /* XXX does this *have* to be fatal? */
+				case SSL_TLSEXT_ERR_ALERT_FATAL:
+					ssl3_send_alert(s,SSL3_AL_FATAL,al);
 					SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SERVERHELLO_TLS_EXT);
 					ret = -1;
 					goto end;
+
+				case SSL_TLSEXT_ERR_ALERT_WARNING:
+					ssl3_send_alert(s,SSL3_AL_WARNING,al); 
+					
+				default:
+					;
 					}
 			}
 #endif
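Review bot: The `default:` arm treats every return value other than the two alert constants as success, and `ssl_check_tlsext` (t1_lib.c hunk) now hands back the callback's value unchanged, so a negative or otherwise unexpected return continues the handshake where the removed `<= 0` test would have aborted it. Listing the accepting values explicitly, `case SSL_TLSEXT_ERR_OK:` and `case SSL_TLSEXT_ERR_NOACK:` followed by `break;`, and routing `default:` to the fatal arm would make the check fail closed. The `SSL_TLSEXT_ERR_ALERT_WARNING` arm also runs into `default:` with neither a `break;` nor a `/* fall through */` marker. The same switch, with the same two points, is added in the s3_srvr.c hunk. The enclosing function starts and ends outside this hunk.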
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c83505c..28d425a 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -283,16 +283,21 @@
 			if (ret <= 0) goto end;
 #ifndef OPENSSL_NO_TLSEXT
 			{
-				int al,warn;
-				warn = ssl_check_tlsext(s,&al);
-				if (warn == 0)
-					ssl3_send_alert(s,SSL3_AL_WARNING,al); 
-				else if (warn < 0) {
+				int al;
+				switch (ssl_check_tlsext(s,&al))
+					{
+				case SSL_TLSEXT_ERR_ALERT_FATAL:
 					ssl3_send_alert(s,SSL3_AL_FATAL,al); 
 					SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLS_EXT);
 					ret = -1;
 					goto end;
-				}
+
+				case SSL_TLSEXT_ERR_ALERT_WARNING:
+					ssl3_send_alert(s,SSL3_AL_WARNING,al); 
+					
+				default:
+					break;
+					}
 			}
 #endif
 			s->new_session = 2;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index cea8b8e..1aa5e90 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -389,22 +389,17 @@
 
 int ssl_check_tlsext(SSL *s,int *al)
 	{
-	int ret;
+	int ret=SSL_TLSEXT_ERR_NOACK;
 
 	*al = SSL_AD_UNRECOGNIZED_NAME;
-	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
-		{
+
+	if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) 
 		ret = s->ctx->tlsext_servername_callback(s, al, s->ctx->tlsext_servername_arg);
-		if (ret <= 0)
-			return ret;
-		}
-	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
-		{
+	else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 		
 		ret = s->initial_ctx->tlsext_servername_callback(s, al, s->initial_ctx->tlsext_servername_arg);
-		if (ret <= 0)
-			return ret;
-		}
-	
-	return 1;
+
+	if (ret == SSL_TLSEXT_ERR_NOACK) 
+		s->servername_done=0;
+	return ret;
 	}
 #endif
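Review bot: `ssl_check_tlsext` now has a four-value return contract and a side effect on `s->servername_done`, and neither is documented at the definition. A header comment would help callers, for example `/* Returns one of SSL_TLSEXT_ERR_*; the servername callback's value is passed through unchanged and *al carries the alert to send. */`. A second line should state that `s->servername_done` is cleared when the result is `SSL_TLSEXT_ERR_NOACK`, which is also the result when neither `s->ctx` nor `s->initial_ctx` has a callback set. Since the two `if`/`else if` bodies lost their braces and sit under long conditions, restoring the braces would keep a later added statement from landing outside the branch.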
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 8e56379..0a9c1ea 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -180,12 +180,15 @@
 
 #define SSL_CTX_set_tlsext_servername_callback(ctx, cb) \
 SSL_CTX_callback_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_CB,(void (*)(void))cb)
+
+#define SSL_TLSEXT_ERR_OK 0    
+#define SSL_TLSEXT_ERR_ALERT_WARNING 1  
+#define SSL_TLSEXT_ERR_ALERT_FATAL 2 
+#define SSL_TLSEXT_ERR_NOACK 3
+
 #define SSL_CTX_set_tlsext_servername_arg(ctx, arg) \
 SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG,0, (void *)arg)
 
-#define SSL_set_tlsext_servername_done(s,t) \
-SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_SERVERNAME_DONE,t, NULL)
-  
 #endif
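Review bot: `SSL_TLSEXT_ERR_OK` is 0 and `SSL_TLSEXT_ERR_ALERT_WARNING` is 1, which reverses the convention visible in the removed lines of the other hunks, where a callback return `<= 0` was an error and a positive value was success. A servername callback written against that earlier convention would now have its 0 "failure" accepted as success and its 1 "success" answered with a warning alert, with no compile-time signal. The constants also sit between the `servername_callback` and `servername_arg` macros without saying what they are. A comment such as `/* Return values for the servername callback: 0 is success, unlike the earlier <=0-is-error convention */` would make the contract and the change explicit.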