PR: 2505

[oweals/openssl.git] / ssl / s3_pkt.c

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index b30c032b74e01c316f145a3ccab4975dde34e7c4..e166a510b97a3bd259b4db7a6328202a15588392 100644 (file)
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -741,7 +741,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        plen=p; 
        p+=2;
        /* Explicit IV length, block ciphers and TLS version 1.1 or later */
-       if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
+       if (s->enc_write_ctx && s->version >= TLS1_1_VERSION
+               && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)
                {
                eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
                if (eivlen <= 1)
@@ -1202,6 +1203,10 @@ start:
                                SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
                                goto f_err;
                                }
+#ifdef SSL_AD_MISSING_SRP_USERNAME
+                       if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
+                               return(0);
+#endif
                        }
                else if (alert_level == 2) /* fatal */
                        {
@@ -1280,6 +1285,7 @@ start:
 #else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
 #endif
+                       s->renegotiate=1;
                        s->new_session=1;
                        }
                i=s->handshake_func(s);
@@ -1313,7 +1319,9 @@ start:
                {
        default:
 #ifndef OPENSSL_NO_TLS
-               /* TLS just ignores unknown message types */
+               /* TLS up to v1.1 just ignores unknown message types:
+                * TLS v1.2 give an unexpected message alert.
+                */
                if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
                        {
                        rr->length = 0;