projects
/
oweals
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Set next version.
[oweals/openssl.git]
/
ssl
/
ssl_lib.c
diff --git
a/ssl/ssl_lib.c
b/ssl/ssl_lib.c
index 31f76abd1a3004d4de7992faaecbe18fe2b79e29..8b6b601cabd88da639489dad0443abc02f3f92da 100644
(file)
--- a/
ssl/ssl_lib.c
+++ b/
ssl/ssl_lib.c
@@
-1000,6
+1000,11
@@
long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
s->max_cert_list=larg;
return(l);
case SSL_CTRL_SET_MTU:
s->max_cert_list=larg;
return(l);
case SSL_CTRL_SET_MTU:
+#ifndef OPENSSL_NO_DTLS1
+ if (larg < (long)dtls1_min_mtu())
+ return 0;
+#endif
+
if (SSL_version(s) == DTLS1_VERSION ||
SSL_version(s) == DTLS1_BAD_VER)
{
if (SSL_version(s) == DTLS1_VERSION ||
SSL_version(s) == DTLS1_BAD_VER)
{
@@
-1299,19
+1304,19
@@
int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
p+=j;
}
j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
p+=j;
}
- /* If p == q, no ciphers and caller indicates an error
, o
therwise
- * add
MCSV
+ /* If p == q, no ciphers and caller indicates an error
. O
therwise
+ * add
SCSV if not renegotiating.
*/
*/
- if (p != q)
+ if (p != q
&& !s->new_session
)
{
{
- static SSL_CIPHER
msvc
=
+ static SSL_CIPHER
scsv
=
{
{
- 0, NULL, SSL3_CK_
M
CSV, 0, 0, 0, 0, 0, 0, 0,
+ 0, NULL, SSL3_CK_
S
CSV, 0, 0, 0, 0, 0, 0, 0,
};
};
- j = put_cb ? put_cb(&
msvc,p) : ssl_put_cipher_by_char(s,&msvc
,p);
+ j = put_cb ? put_cb(&
scsv,p) : ssl_put_cipher_by_char(s,&scsv
,p);
p+=j;
#ifdef OPENSSL_RI_DEBUG
p+=j;
#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "
M
CSV sent by client\n");
+ fprintf(stderr, "
S
CSV sent by client\n");
#endif
}
#endif
}
@@
-1343,15
+1348,22
@@
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
for (i=0; i<num; i+=n)
{
for (i=0; i<num; i+=n)
{
- /* Check for
M
CSV */
+ /* Check for
S
CSV */
if (s->s3 && (n != 3 || !p[0]) &&
if (s->s3 && (n != 3 || !p[0]) &&
- (p[n-2] == ((SSL3_CK_
M
CSV >> 8) & 0xff)) &&
- (p[n-1] == (SSL3_CK_
M
CSV & 0xff)))
+ (p[n-2] == ((SSL3_CK_
S
CSV >> 8) & 0xff)) &&
+ (p[n-1] == (SSL3_CK_
S
CSV & 0xff)))
{
{
+ /* SCSV fatal if renegotiating */
+ if (s->new_session)
+ {
+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ goto err;
+ }
s->s3->send_connection_binding = 1;
p += n;
#ifdef OPENSSL_RI_DEBUG
s->s3->send_connection_binding = 1;
p += n;
#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "
M
CSV received by server\n");
+ fprintf(stderr, "
S
CSV received by server\n");
#endif
continue;
}
#endif
continue;
}
@@
-1594,7
+1606,7
@@
SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
/* Default is to connect to non-RI servers. When RI is more widely
* deployed might change this.
*/
/* Default is to connect to non-RI servers. When RI is more widely
* deployed might change this.
*/
- ret->options = SSL_OP_LEGACY_SERVER_CONNECT;
+ ret->options
|
= SSL_OP_LEGACY_SERVER_CONNECT;
return(ret);
err:
return(ret);
err:
@@
-1931,17
+1943,15
@@
int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs)
}
/* THIS NEEDS CLEANING UP */
}
/* THIS NEEDS CLEANING UP */
-
X509 *ssl_get_server_send_cert(
SSL *s)
+
CERT_PKEY *ssl_get_server_send_pkey(const
SSL *s)
{
{
- unsigned long alg,
mask,
kalg;
+ unsigned long alg,kalg;
CERT *c;
CERT *c;
- int i
,is_export
;
+ int i;
c=s->cert;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
alg=s->s3->tmp.new_cipher->algorithms;
c=s->cert;
ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
alg=s->s3->tmp.new_cipher->algorithms;
- is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
- mask=is_export?c->export_mask:c->mask;
kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
if (kalg & SSL_kECDH)
kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK);
if (kalg & SSL_kECDH)
@@
-1983,12
+1993,20
@@
X509 *ssl_get_server_send_cert(SSL *s)
}
else /* if (kalg & SSL_aNULL) */
{
}
else /* if (kalg & SSL_aNULL) */
{
- SSLerr(SSL_F_SSL_GET_SERVER_SEND_
CERT
,ERR_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL_GET_SERVER_SEND_
PKEY
,ERR_R_INTERNAL_ERROR);
return(NULL);
}
return(NULL);
}
- if (c->pkeys[i].x509 == NULL) return(NULL);
- return(c->pkeys[i].x509);
+ return c->pkeys + i;
+ }
+
+X509 *ssl_get_server_send_cert(const SSL *s)
+ {
+ CERT_PKEY *cpk;
+ cpk = ssl_get_server_send_pkey(s);
+ if (!cpk)
+ return NULL;
+ return cpk->x509;
}
EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
}
EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher)
@@
-2410,7
+2428,9
@@
void ssl_clear_cipher_ctx(SSL *s)
/* Fix this function so that it takes an optional type parameter */
X509 *SSL_get_certificate(const SSL *s)
{
/* Fix this function so that it takes an optional type parameter */
X509 *SSL_get_certificate(const SSL *s)
{
- if (s->cert != NULL)
+ if (s->server)
+ return(ssl_get_server_send_cert(s));
+ else if (s->cert != NULL)
return(s->cert->key->x509);
else
return(NULL);
return(s->cert->key->x509);
else
return(NULL);