X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fs2_clnt.c;h=6e1e296b968f1f2c2e21ce04c0c9dd7eda2c5879;hb=0da945bb201f65ed81fa405767e63452d6b7cfa1;hp=e4e9660cb4b1f66ad956ac7e86f93bfd27682348;hpb=2557eaeac81c93f9e12534ac64a7634ab2bdb0fc;p=oweals%2Fopenssl.git diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index e4e9660cb4..6e1e296b96 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -57,7 +57,7 @@ */ #include "ssl_locl.h" -#ifndef NO_SSL2 +#ifndef OPENSSL_NO_SSL2 #include #include #include @@ -245,7 +245,7 @@ int ssl2_connect(SSL *s) /* ERR_clear_error();*/ /* If we want to cache session-ids in the client - * and we sucessfully add the session-id to the + * and we successfully add the session-id to the * cache, and there is a callback, then pass it out. * 26/11/96 - eay - only add if not a re-used session. */ @@ -287,7 +287,7 @@ static int get_server_hello(SSL *s) unsigned char *buf; unsigned char *p; int i,j; - STACK_OF(SSL_CIPHER) *sk=NULL,*cl; + STACK_OF(SSL_CIPHER) *sk=NULL,*cl, *prio, *allow; buf=(unsigned char *)s->init_buf->data; p=buf; @@ -368,7 +368,7 @@ static int get_server_hello(SSL *s) */ #endif - /* we need to do this incase we were trying to reuse a + /* we need to do this in case we were trying to reuse a * client session but others are already reusing it. * If this was a new 'blank' session ID, the session-id * length will still be 0 */ @@ -414,33 +414,49 @@ static int get_server_hello(SSL *s) sk_SSL_CIPHER_set_cmp_func(sk,ssl_cipher_ptr_id_cmp); /* get the array of ciphers we will accept */ - cl=ssl_get_ciphers_by_id(s); - + cl=SSL_get_ciphers(s); + sk_SSL_CIPHER_set_cmp_func(cl,ssl_cipher_ptr_id_cmp); + + /* + * If server preference flag set, choose the first + * (highest priority) cipher the server sends, otherwise + * client preference has priority. + */ + if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) + { + prio = sk; + allow = cl; + } + else + { + prio = cl; + allow = sk; + } /* In theory we could have ciphers sent back that we * don't want to use but that does not matter since we - * will check against the list we origionally sent and + * will check against the list we originally sent and * for performance reasons we should not bother to match * the two lists up just to check. */ - for (i=0; i= 0) + if (sk_SSL_CIPHER_find(allow, + sk_SSL_CIPHER_value(prio,i)) >= 0) break; } - if (i >= sk_SSL_CIPHER_num(cl)) + if (i >= sk_SSL_CIPHER_num(prio)) { ssl2_return_error(s,SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_SERVER_HELLO,SSL_R_NO_CIPHER_MATCH); return(-1); } - s->session->cipher=sk_SSL_CIPHER_value(cl,i); + s->session->cipher=sk_SSL_CIPHER_value(prio,i); if (s->session->peer != NULL) /* can't happen*/ { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return(-1); } @@ -453,7 +469,7 @@ static int get_server_hello(SSL *s) /* can't happen */ { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_SERVER_HELLO, SSL_R_INTERNAL_ERROR); + SSLerr(SSL_F_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); return(-1); } @@ -768,7 +784,7 @@ static int client_certificate(SSL *s) { /* this is not good. If things have failed it * means there so something wrong with the key. - * We will contiune with a 0 length signature + * We will continue with a 0 length signature */ } memset(&ctx,0,sizeof(ctx)); @@ -920,6 +936,8 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data) SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; } + ERR_clear_error(); /* but we keep s->verify_result */ + s->session->verify_result = s->verify_result; /* server's cert for this session */ sc=ssl_sess_cert_new(); @@ -983,7 +1001,7 @@ end: EVP_PKEY_free(pkey); return(i); } -#else /* !NO_SSL2 */ +#else /* !OPENSSL_NO_SSL2 */ # if PEDANTIC static void *dummy=&dummy;