X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fs3_pkt.c;h=33be6badbc6f07863fa122523859ee0e53cfc052;hb=dd0ddc3e784204c8970c0b95fff8e55072294bec;hp=b30c032b74e01c316f145a3ccab4975dde34e7c4;hpb=35cae95032c71cd3523d38246401a1b7d7a74c37;p=oweals%2Fopenssl.git
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index b30c032b74..33be6badbc 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -247,7 +247,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 if (i <= 0)
 {
 rb->left = left;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
+ SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
 if (len+left == 0)
 ssl3_release_read_buffer(s);
 return(i);
@@ -743,8 +744,17 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 /* Explicit IV length, block ciphers and TLS version 1.1 or later */
 if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
 {
- eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
- if (eivlen <= 1)
+ int mode = EVP_CIPHER_CTX_mode(s->enc_write_ctx);
+ if (mode == EVP_CIPH_CBC_MODE)
+ {
+ eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
+ if (eivlen <= 1)
+ eivlen = 0;
+ }
+ /* Need explicit part of IV for GCM mode */
+ else if (mode == EVP_CIPH_GCM_MODE)
+ eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ else
 eivlen = 0;
 }
 else
@@ -865,7 +875,8 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 {
 wb->left=0;
 wb->offset+=i;
- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
+ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
+ SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
 ssl3_release_write_buffer(s);
 s->rwstate=SSL_NOTHING;
 return(s->s3->wpend_ret);
@@ -1202,6 +1213,10 @@ start:
 SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_NO_RENEGOTIATION);
 goto f_err;
 }
+#ifdef SSL_AD_MISSING_SRP_USERNAME
+ if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
+ return(0);
+#endif
 }
 else if (alert_level == 2) /* fatal */
 {
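Review bot: The DTLS exclusion added to the `SSL_MODE_RELEASE_BUFFERS` test in ssl3_read_n is written as a list of version constants with no comment saying why DTLS must keep its buffers, so a DTLS version added later would silently get the release behaviour back; the same condition is repeated in the ssl3_write_pending hunk. I would move the test into one shared helper or macro used by both call sites, with a comment stating the reason, and parenthesise the mask so the grouping is explicit: `if ((s->mode & SSL_MODE_RELEASE_BUFFERS) &&`. The unbraced `if` now spans two lines and, in ssl3_read_n, still guards a second unbraced `if`, so braces around the body would make the nesting harder to misread. Both functions start and end outside their hunks.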
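Review bot: The comment above this block in do_ssl3_write still reads "Explicit IV length, block ciphers and TLS version 1.1 or later", but the new branch also reserves `EVP_GCM_TLS_EXPLICIT_IV_LEN` bytes for GCM, which is not the CBC case it describes; I would update it to something like `/* Explicit IV length: CBC with TLS 1.1 or later, or the explicit nonce part for GCM */`. The hunk only sizes the field, and the code that fills those bytes is outside it. Because a GCM nonce must never repeat under one key, a short comment naming where the explicit part is generated and how uniqueness is guaranteed would make that property reviewable. The `/* Need explicit part of IV for GCM mode */` comment sits between `}` and `else if`, which reads awkwardly; placing it inside the GCM branch is cleaner.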
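Review bot: The early `return(0)` on a `SSL_AD_MISSING_SRP_USERNAME` warning alert in the hunk at -1202 acts on a peer-supplied value with no other condition, no SSLerr entry, and no comment on what a 0 return tells the caller. As far as the visible lines show, it is not tied to a handshake being in progress or to SRP having been offered, so the alert would end the read with 0 whenever it arrives; if that is not intended, gate it, e.g. `if (alert_descr == SSL_AD_MISSING_SRP_USERNAME && SSL_in_init(s))`. Guarding on the alert macro rather than on the SRP build option also deserves a one-line comment. The enclosing function (the SSLerr code suggests ssl3_read_bytes) starts and ends outside the hunk.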
@@ -1280,6 +1295,7 @@ start:
 #else
 s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
 #endif
+ s->renegotiate=1;
 s->new_session=1;
 }
 i=s->handshake_func(s);
@@ -1313,7 +1329,9 @@ start:
 {
 default:
 #ifndef OPENSSL_NO_TLS
- /* TLS just ignores unknown message types */
+ /* TLS up to v1.1 just ignores unknown message types:
+ * TLS v1.2 give an unexpected message alert.
+ */
 if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION)
 {
 rr->length = 0;