Add custom extension sanity checks.

Reject attempts to use extensions handled internally. Add flags to each extension structure to indicate if an extension has been sent or received. Enforce RFC5246 compliance by rejecting duplicate extensions and unsolicited extensions and only send a server extension if we have sent the corresponding client extension. Reviewed-by: Emilia Käsper <emilia@openssl.org>
author: Dr. Stephen Henson <steve@openssl.org> 2014-08-12 14:25:49 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2014-08-28 17:06:52 +0100
commit: 28ea0a0c6a5e4e217c405340fa22a8503c7a17db (patch)
tree: 4ea1ae8b8c4bf685622d2f2627b15f43f8c15b50 /ssl/t1_lib.c
parent: ecf4d660902dcef6e0afc51d52926f00d409ee6b (diff)
download: openssl-28ea0a0c6a5e4e217c405340fa22a8503c7a17db.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 7d0774d5e7..86fb69cb07 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1480,7 +1480,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
 			}
                 ret += el;
                 }
-
+	custom_ext_init(&s->cert->cli_ext);
 	/* Add custom TLS Extensions to ClientHello */
 	if (!custom_ext_add(s, 0, &ret, limit, al))
 		return NULL;
@@ -2485,6 +2485,7 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n) 
 	{
 	int al = -1;
+	custom_ext_init(&s->cert->srv_ext);
 	if (ssl_scan_clienthello_tlsext(s, p, d, n, &al) <= 0) 
 		{
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
author	Dr. Stephen Henson <steve@openssl.org>	2014-08-12 14:25:49 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2014-08-28 17:06:52 +0100
commit	28ea0a0c6a5e4e217c405340fa22a8503c7a17db (patch)
tree	4ea1ae8b8c4bf685622d2f2627b15f43f8c15b50 /ssl/t1_lib.c
parent	ecf4d660902dcef6e0afc51d52926f00d409ee6b (diff)
download	openssl-28ea0a0c6a5e4e217c405340fa22a8503c7a17db.tar.gz