Backport OCSP fix.

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 5ada1f155070cbd258555ed03889d50255e038cc..e49fc959c417e4c06dde0c6707d56dbb86dabf44 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1005,7 +1005,7 @@ int ssl3_get_client_hello(SSL *s)
                        goto f_err;
                        }
                }
-               if (ssl_check_clienthello_tlsext(s) <= 0) {
+               if (ssl_check_clienthello_tlsext_early(s) <= 0) {
                        SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
                        goto err;
                }
@@ -1131,6 +1131,16 @@ int ssl3_get_client_hello(SSL *s)
         * s->tmp.new_cipher    - the new cipher to use.
         */
 
+       /* Handles TLS extensions that we couldn't check earlier */
+       if (s->version >= SSL3_VERSION)
+               {
+               if (ssl_check_clienthello_tlsext_late(s) <= 0)
+                       {
+                       SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
+                       goto err;
+                       }
+               }
+
        if (ret < 0) ret=1;
        if (0)
                {

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 23de3151bf632ce783a6b567d36da620204510e9..25e95fd9d2f64a1dae807fddbb785b1f60a46646 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1943,7 +1943,7 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
        }
 
 /* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+X509 *ssl_get_server_send_cert(const SSL *s)
        {
        unsigned long alg,kalg;
        CERT *c;
@@ -2420,7 +2420,9 @@ void ssl_clear_cipher_ctx(SSL *s)
 /* Fix this function so that it takes an optional type parameter */
 X509 *SSL_get_certificate(const SSL *s)
        {
-       if (s->cert != NULL)
+       if (s->server)
+               return(ssl_get_server_send_cert(s));
+       else if (s->cert != NULL)
                return(s->cert->key->x509);
        else
                return(NULL);

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 3d581f1f2fe46715e2704ad30d99d4b98fae0d16..b9a2543bf222489eb7281ad345d467edc79eb107 100644 (file)
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -740,7 +740,7 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
 int ssl_undefined_void_function(void);
 int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+X509 *ssl_get_server_send_cert(const SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
 void ssl_set_cert_masks(CERT *c, SSL_CIPHER *cipher);
@@ -979,7 +979,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
 int ssl_prepare_clienthello_tlsext(SSL *s);
 int ssl_prepare_serverhello_tlsext(SSL *s);
-int ssl_check_clienthello_tlsext(SSL *s);
+int ssl_check_clienthello_tlsext_early(SSL *s);
+int ssl_check_clienthello_tlsext_late(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
 
 #ifdef OPENSSL_NO_SHA256

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index cc97258ae5368780e74785454b799e3a73d2dc55..c4cd9cd5f0ca7c467db191a6067813a2bf7fe7e8 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -745,7 +745,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        return 1;
        }
 
-int ssl_check_clienthello_tlsext(SSL *s)
+int ssl_check_clienthello_tlsext_early(SSL *s)
        {
        int ret=SSL_TLSEXT_ERR_NOACK;
        int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -755,11 +755,35 @@ int ssl_check_clienthello_tlsext(SSL *s)
        else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)             
                ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
 
+       switch (ret)
+               {
+               case SSL_TLSEXT_ERR_ALERT_FATAL:
+                       ssl3_send_alert(s, SSL3_AL_FATAL, al); 
+                       return -1;
+
+               case SSL_TLSEXT_ERR_ALERT_WARNING:
+                       ssl3_send_alert(s, SSL3_AL_WARNING, al);
+                       return 1; 
+                                       
+               case SSL_TLSEXT_ERR_NOACK:
+                       s->servername_done = 0;
+
+               default:
+                       return 1;
+               }
+       }
+
+int ssl_check_clienthello_tlsext_late(SSL *s)
+       {
+       int ret = SSL_TLSEXT_ERR_OK;
+       int al;
+
        /* If status request then ask callback what to do.
         * Note: this must be called after servername callbacks in case 
-        * the certificate has changed.
+        * the certificate has changed, and must be called after the cipher
+        * has been chosen because this may influence which certificate is sent
         */
-       if ((s->tlsext_status_type != -1) && s->ctx->tlsext_status_cb)
+       if (s->tlsext_status_type != -1 && s->ctx && s->ctx->tlsext_status_cb)
                {
                int r;
                r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
@@ -785,7 +809,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
                }
        else
                s->tlsext_status_expected = 0;
-       err:
+
+ err:
        switch (ret)
                {
                case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -795,11 +820,9 @@ int ssl_check_clienthello_tlsext(SSL *s)
                case SSL_TLSEXT_ERR_ALERT_WARNING:
                        ssl3_send_alert(s,SSL3_AL_WARNING,al);
                        return 1; 
-                                       
-               case SSL_TLSEXT_ERR_NOACK:
-                       s->servername_done=0;
-                       default:
-               return 1;
+
+               default:
+                       return 1;
                }
        }