diff options
| author | jsing <> | 2017-11-28 16:46:14 +0000 |
|---|---|---|
| committer | jsing <> | 2017-11-28 16:46:14 +0000 |
| commit | 87fa230da49456f81bbf5b5f65e35d79e48f9664 (patch) | |
| tree | d69dba905ce09a6363913260a62343fdba90a365 | |
| parent | f988a1a2514fd64e3d5b45425e74f5261894320a (diff) | |
| download | openbsd-87fa230da49456f81bbf5b5f65e35d79e48f9664.tar.gz openbsd-87fa230da49456f81bbf5b5f65e35d79e48f9664.tar.bz2 openbsd-87fa230da49456f81bbf5b5f65e35d79e48f9664.zip | |
Correct TLS extensions handling when no extensions are present.
If no TLS extensions are present in a client hello or server hello, omit
the entire extensions block, rather than including it with a length of
zero.
ok beck@ inoguchi@
| -rw-r--r-- | src/lib/libssl/ssl_tlsext.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c index 835c413478..d43ebc6775 100644 --- a/src/lib/libssl/ssl_tlsext.c +++ b/src/lib/libssl/ssl_tlsext.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_tlsext.c,v 1.17 2017/09/25 18:02:27 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_tlsext.c,v 1.18 2017/11/28 16:46:14 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> | 4 | * Copyright (c) 2017 Doug Hogan <doug@openbsd.org> |
| @@ -1296,6 +1296,7 @@ tlsext_clienthello_build(SSL *s, CBB *cbb) | |||
| 1296 | { | 1296 | { |
| 1297 | CBB extensions, extension_data; | 1297 | CBB extensions, extension_data; |
| 1298 | struct tls_extension *tlsext; | 1298 | struct tls_extension *tlsext; |
| 1299 | int extensions_present = 0; | ||
| 1299 | size_t i; | 1300 | size_t i; |
| 1300 | 1301 | ||
| 1301 | if (!CBB_add_u16_length_prefixed(cbb, &extensions)) | 1302 | if (!CBB_add_u16_length_prefixed(cbb, &extensions)) |
| @@ -1313,8 +1314,13 @@ tlsext_clienthello_build(SSL *s, CBB *cbb) | |||
| 1313 | return 0; | 1314 | return 0; |
| 1314 | if (!tls_extensions[i].clienthello_build(s, &extension_data)) | 1315 | if (!tls_extensions[i].clienthello_build(s, &extension_data)) |
| 1315 | return 0; | 1316 | return 0; |
| 1317 | |||
| 1318 | extensions_present = 1; | ||
| 1316 | } | 1319 | } |
| 1317 | 1320 | ||
| 1321 | if (!extensions_present) | ||
| 1322 | CBB_discard_child(cbb); | ||
| 1323 | |||
| 1318 | if (!CBB_flush(cbb)) | 1324 | if (!CBB_flush(cbb)) |
| 1319 | return 0; | 1325 | return 0; |
| 1320 | 1326 | ||
| @@ -1351,6 +1357,7 @@ tlsext_serverhello_build(SSL *s, CBB *cbb) | |||
| 1351 | { | 1357 | { |
| 1352 | CBB extensions, extension_data; | 1358 | CBB extensions, extension_data; |
| 1353 | struct tls_extension *tlsext; | 1359 | struct tls_extension *tlsext; |
| 1360 | int extensions_present = 0; | ||
| 1354 | size_t i; | 1361 | size_t i; |
| 1355 | 1362 | ||
| 1356 | if (!CBB_add_u16_length_prefixed(cbb, &extensions)) | 1363 | if (!CBB_add_u16_length_prefixed(cbb, &extensions)) |
| @@ -1368,8 +1375,13 @@ tlsext_serverhello_build(SSL *s, CBB *cbb) | |||
| 1368 | return 0; | 1375 | return 0; |
| 1369 | if (!tlsext->serverhello_build(s, &extension_data)) | 1376 | if (!tlsext->serverhello_build(s, &extension_data)) |
| 1370 | return 0; | 1377 | return 0; |
| 1378 | |||
| 1379 | extensions_present = 1; | ||
| 1371 | } | 1380 | } |
| 1372 | 1381 | ||
| 1382 | if (!extensions_present) | ||
| 1383 | CBB_discard_child(cbb); | ||
| 1384 | |||
| 1373 | if (!CBB_flush(cbb)) | 1385 | if (!CBB_flush(cbb)) |
| 1374 | return 0; | 1386 | return 0; |
| 1375 | 1387 | ||