As server, don't try to send extensions we didn't receive.
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 31 Jul 2015 12:57:33 +0000 (14:57 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 31 Jul 2015 13:00:52 +0000 (15:00 +0200)
lib/gnutls_extensions.c
lib/gnutls_handshake.c
lib/gnutls_int.h

index 72d8bbb85d228cd65233ca06bbb22a35dc85e06a..fece34995ecb8e0bd2459e3d92a096471b327b54 100644 (file)
@@ -120,19 +120,14 @@ static const char *_gnutls_extension_get_name(uint16_t type)
 static int
 _gnutls_extension_list_check(gnutls_session_t session, uint16_t type)
 {
-       if (session->security_parameters.entity == GNUTLS_CLIENT) {
-               int i;
-
-               for (i = 0; i < session->internals.extensions_sent_size;
-                    i++) {
-                       if (type == session->internals.extensions_sent[i])
-                               return 0;       /* ok found */
-               }
+       int i;
 
-               return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION;
+       for (i = 0; i < session->internals.extensions_sent_size; i++) {
+               if (type == session->internals.extensions_sent[i])
+                       return 0;       /* ok found */
        }
 
-       return 0;
+       return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION;
 }
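Review bot: _gnutls_extension_list_check now means two different things depending on the caller's role, but the function at L13 carries no comment saying so, and the error code it returns reads as a protocol violation even on the server path where _gnutls_gen_extensions only uses a negative result to skip an extension. Suggest a header comment above L13 such as `/* Returns 0 if TYPE is in extensions_sent: as client, an extension we sent; as server, an extension the client offered. Otherwise GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; the server-side caller treats that as "not offered", not as an error. */`. Without it the next reader will assume the server is rejecting something.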
 
 int
@@ -173,10 +168,14 @@ _gnutls_parse_extensions(gnutls_session_t session,
                type = _gnutls_read_uint16(&data[pos]);
                pos += 2;
 
-               if ((ret =
-                    _gnutls_extension_list_check(session, type)) < 0) {
-                       gnutls_assert();
-                       return ret;
+               if (session->security_parameters.entity == GNUTLS_CLIENT) {
+                       if ((ret =
+                            _gnutls_extension_list_check(session, type)) < 0) {
+                               gnutls_assert();
+                               return ret;
+                       }
+               } else {
+                       _gnutls_extension_list_add(session, type);
                }
 
                DECR_LENGTH_RET(next, 2, 0);
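Review bot: On the server path at L52 every extension type in the ClientHello is appended to extensions_sent before the code has checked that the type is one GnuTLS recognises, so a peer can fill the MAX_EXT_TYPES slots with unknown or repeated types and push a legitimate extension out of the list; the only symptom is the "Increase MAX_EXT_TYPES" log line, after which the server silently omits its reply to that extension in _gnutls_gen_extensions. Since the list is now peer-controlled, the append belongs after the type has been matched to a registered handler (that lookup is presumably further down the loop, outside this hunk), e.g. move the `_gnutls_extension_list_add(session, type);` call to the point where a handler for `type` has been found, and skip types already present. Whether extensions_sent_size is reset between handshakes (renegotiation) is not visible here; if it is not, types from a previous ClientHello would keep passing the gen-side check. _gnutls_parse_extensions starts and ends outside the hunk.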
@@ -220,17 +219,15 @@ _gnutls_parse_extensions(gnutls_session_t session,
 void _gnutls_extension_list_add(gnutls_session_t session, uint16_t type)
 {
 
-       if (session->security_parameters.entity == GNUTLS_CLIENT) {
-               if (session->internals.extensions_sent_size <
-                   MAX_EXT_TYPES) {
-                       session->internals.extensions_sent[session->
-                                                          internals.extensions_sent_size]
-                           = type;
-                       session->internals.extensions_sent_size++;
-               } else {
-                       _gnutls_handshake_log
-                           ("extensions: Increase MAX_EXT_TYPES\n");
-               }
+       if (session->internals.extensions_sent_size <
+           MAX_EXT_TYPES) {
+               session->internals.extensions_sent[session->
+                                                  internals.extensions_sent_size]
+                   = type;
+               session->internals.extensions_sent_size++;
+       } else {
+               _gnutls_handshake_log
+                   ("extensions: Increase MAX_EXT_TYPES\n");
        }
 }
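Review bot: _gnutls_extension_list_add does no duplicate check, and with this commit its input on the server side comes straight from the peer's ClientHello, so a repeated extension type consumes a fresh slot each time and the bounded append at L71-76 can be exhausted remotely; the "Increase MAX_EXT_TYPES" message at L79 is then misleading, since the real effect is that later extensions are dropped from the list rather than a too-small compile-time constant. Suggest returning early when the type is already recorded, and rewording the log to say the extension is being ignored. The function is fully inside the hunk.
```c
void _gnutls_extension_list_add(gnutls_session_t session, uint16_t type)
{
	int i;

	/* a type already recorded must not consume another slot: on the
	 * server this list is filled from the peer's ClientHello */
	for (i = 0; i < session->internals.extensions_sent_size; i++) {
		if (session->internals.extensions_sent[i] == type)
			return;
	}

	/* … unchanged: bounded append, else log that the extension is ignored … */
```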
 
@@ -259,6 +256,14 @@ _gnutls_gen_extensions(gnutls_session_t session,
                    && p->parse_type != parse_type)
                        continue;
 
+               /* ensure we are sending only what we received */
+               if (session->security_parameters.entity == GNUTLS_SERVER) {
+                       if ((ret =
+                            _gnutls_extension_list_check(session, p->type)) < 0) {
+                               continue;
+                       }
+               }
+
                ret = _gnutls_buffer_append_prefix(extdata, 16, p->type);
                if (ret < 0)
                        return gnutls_assert_val(ret);
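Review bot: The server-side skip at L88-93 is silent, unlike every other decision in this function which goes through _gnutls_handshake_log, so an operator debugging a missing ServerHello extension gets no trace of why it was withheld; add before the `continue` at L91 `_gnutls_handshake_log("EXT[%p]: Not sending extension %s: not received from peer\n", session, _gnutls_extension_get_name(p->type));` (the name helper is the static function declared in this file, see the hunk header at L12). The `ret =` assignment at L89 is also dead, since the value is discarded on the only path that uses it; `if (_gnutls_extension_list_check(session, p->type) < 0)` reads cleaner. _gnutls_gen_extensions starts and ends outside the hunk.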
@@ -282,7 +287,8 @@ _gnutls_gen_extensions(gnutls_session_t session,
 
                        /* add this extension to the extension list
                         */
-                       _gnutls_extension_list_add(session, p->type);
+                       if (session->security_parameters.entity == GNUTLS_CLIENT)
+                               _gnutls_extension_list_add(session, p->type);
 
                        _gnutls_handshake_log
                            ("EXT[%p]: Sending extension %s (%d bytes)\n",
index f02c1715629983fb1b1ec8aba9ac87dcc826a23c..2566bceb353a9011e1b5040bb2fd1bfdbcf8bbb6 100644 (file)
@@ -2072,7 +2072,8 @@ static int send_client_hello(gnutls_session_t session, int again)
                        ret =
                            copy_ciphersuites(session, &extdata,
                                              TRUE);
-                       _gnutls_extension_list_add(session,
+                       if (session->security_parameters.entity == GNUTLS_CLIENT)
+                               _gnutls_extension_list_add(session,
                                                   GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
                } else
                        ret =
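Review bot: The continuation line at L116 kept its old indentation, so GNUTLS_EXTENSION_SAFE_RENEGOTIATION no longer lines up under the call at L115, and the two-line call now hangs off an unbraced `if`, which is the shape that hides a later accidental statement; brace and reindent it as `if (session->security_parameters.entity == GNUTLS_CLIENT) {` / `_gnutls_extension_list_add(session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION);` / `}`. Given the enclosing function is send_client_hello, the entity is presumably always GNUTLS_CLIENT here, so the guard looks redundant; if it is kept for symmetry with the call sites in gnutls_extensions.c, a one-line comment saying so would stop the next reader from wondering which path a server takes. send_client_hello starts and ends outside the hunk.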
index 5a3b668bb019dc1442d08757865bc6ac48363edb..553230b1e6674067f8368f24e317a8fad7baf19e 100644 (file)
@@ -869,8 +869,8 @@ typedef struct {
        struct gnutls_privkey_st *selected_key;
        bool selected_need_free;
 
-       /* holds the extensions we sent to the peer
-        * (in case of a client)
+       /* In case of a client holds the extensions we sent to the peer;
+        * otherwise the extensions we received from the client.
         */
        uint16_t extensions_sent[MAX_EXT_TYPES];
        uint16_t extensions_sent_size;
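Review bot: The comment at L126-127 records the new dual role of extensions_sent but not who fills and who reads it, which is what a maintainer needs now that the field name contradicts its server-side meaning and the MAX_EXT_TYPES bound is reachable from peer input. Suggest replacing it with a comment along the lines of: client side, the extension types this side sent, checked against what the peer echoes back; server side, the extension types received from the client, consulted by _gnutls_gen_extensions so only those are answered; at most MAX_EXT_TYPES entries, further ones are dropped with a handshake log line. Renaming the field (e.g. to a role-neutral name) would be the cleaner fix, but that touches callers outside this commit. The enclosing struct starts outside the hunk.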