From: Nikos Mavrogiannopoulos Date: Fri, 31 Jul 2015 12:57:33 +0000 (+0200) Subject: As server don't try to send extensions we didn't receive. X-Git-Tag: gnutls_3_5_0~778 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1965e2c2f7243e1476b4e754b5d9ea309ec21d17;p=thirdparty%2Fgnutls.git As server don't try to send extensions we didn't receive. --- diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c index 72d8bbb85d..fece34995e 100644 --- a/lib/gnutls_extensions.c +++ b/lib/gnutls_extensions.c @@ -120,19 +120,14 @@ static const char *_gnutls_extension_get_name(uint16_t type) static int _gnutls_extension_list_check(gnutls_session_t session, uint16_t type) { - if (session->security_parameters.entity == GNUTLS_CLIENT) { - int i; - - for (i = 0; i < session->internals.extensions_sent_size; - i++) { - if (type == session->internals.extensions_sent[i]) - return 0; /* ok found */ - } + int i; - return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; + for (i = 0; i < session->internals.extensions_sent_size; i++) { + if (type == session->internals.extensions_sent[i]) + return 0; /* ok found */ } - return 0; + return GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION; } int @@ -173,10 +168,14 @@ _gnutls_parse_extensions(gnutls_session_t session, type = _gnutls_read_uint16(&data[pos]); pos += 2; - if ((ret = - _gnutls_extension_list_check(session, type)) < 0) { - gnutls_assert(); - return ret; + if (session->security_parameters.entity == GNUTLS_CLIENT) { + if ((ret = + _gnutls_extension_list_check(session, type)) < 0) { + gnutls_assert(); + return ret; + } + } else { + _gnutls_extension_list_add(session, type); } DECR_LENGTH_RET(next, 2, 0); @@ -220,17 +219,15 @@ _gnutls_parse_extensions(gnutls_session_t session, void _gnutls_extension_list_add(gnutls_session_t session, uint16_t type) { - if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (session->internals.extensions_sent_size < - MAX_EXT_TYPES) { - session->internals.extensions_sent[session-> - internals.extensions_sent_size] - = type; - session->internals.extensions_sent_size++; - } else { - _gnutls_handshake_log - ("extensions: Increase MAX_EXT_TYPES\n"); - } + if (session->internals.extensions_sent_size < + MAX_EXT_TYPES) { + session->internals.extensions_sent[session-> + internals.extensions_sent_size] + = type; + session->internals.extensions_sent_size++; + } else { + _gnutls_handshake_log + ("extensions: Increase MAX_EXT_TYPES\n"); } } @@ -259,6 +256,14 @@ _gnutls_gen_extensions(gnutls_session_t session, && p->parse_type != parse_type) continue; + /* ensure we are sending only what we received */ + if (session->security_parameters.entity == GNUTLS_SERVER) { + if ((ret = + _gnutls_extension_list_check(session, p->type)) < 0) { + continue; + } + } + ret = _gnutls_buffer_append_prefix(extdata, 16, p->type); if (ret < 0) return gnutls_assert_val(ret); @@ -282,7 +287,8 @@ _gnutls_gen_extensions(gnutls_session_t session, /* add this extension to the extension list */ - _gnutls_extension_list_add(session, p->type); + if (session->security_parameters.entity == GNUTLS_CLIENT) + _gnutls_extension_list_add(session, p->type); _gnutls_handshake_log ("EXT[%p]: Sending extension %s (%d bytes)\n", diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c index f02c171562..2566bceb35 100644 --- a/lib/gnutls_handshake.c +++ b/lib/gnutls_handshake.c @@ -2072,7 +2072,8 @@ static int send_client_hello(gnutls_session_t session, int again) ret = copy_ciphersuites(session, &extdata, TRUE); - _gnutls_extension_list_add(session, + if (session->security_parameters.entity == GNUTLS_CLIENT) + _gnutls_extension_list_add(session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION); } else ret = diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index 5a3b668bb0..553230b1e6 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -869,8 +869,8 @@ typedef struct { struct gnutls_privkey_st *selected_key; bool selected_need_free; - /* holds the extensions we sent to the peer - * (in case of a client) + /* In case of a client holds the extensions we sent to the peer; + * otherwise the extensions we received from the client. */ uint16_t extensions_sent[MAX_EXT_TYPES]; uint16_t extensions_sent_size;