X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=3fbb48953944d7f610aae5eadb032ab2e61fc8fe;hb=a006fef78e56b078549a80f4bb4518b6a02eba84;hp=0efb961f016507bd27ad8bdd4ccbb7b0056fb549;hpb=e5db9c3b67deb80e274f66e3832a9cfba931670c;p=oweals%2Fopenssl.git

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 0efb961f01..3fbb489539 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1132,6 +1132,17 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 		return(s->cert->cert_flags|=larg);
 	case SSL_CTRL_CLEAR_CERT_FLAGS:
 		return(s->cert->cert_flags &=~larg);
+
+	case SSL_CTRL_GET_RAW_CIPHERLIST:
+		if (parg)
+			{
+			if (s->cert->ciphers_raw == NULL)
+				return 0;
+			*(unsigned char **)parg = s->cert->ciphers_raw;
+			return (int)s->cert->ciphers_rawlen;
+			}
+		else
+			return ssl_put_cipher_by_char(s,NULL,NULL);
 	default:
 		return(s->method->ssl_ctrl(s,cmd,larg,parg));
 		}
@@ -1158,6 +1169,20 @@ LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx)
 long SSL_CTX_ctrl(SSL_CTX *ctx,int cmd,long larg,void *parg)
 	{
 	long l;
+	/* For some cases with ctx == NULL perform syntax checks */
+	if (ctx == NULL)
+		{
+		switch (cmd)
+			{
+		case SSL_CTRL_SET_CURVES_LIST:
+			return tls1_set_curves_list(NULL, NULL, parg);
+		case SSL_CTRL_SET_SIGALGS_LIST:
+		case SSL_CTRL_SET_CLIENT_SIGALGS_LIST:
+			return tls1_set_sigalgs_list(NULL, parg, 0);
+		default:
+			return 0;
+			}
+		}
 
 	switch (cmd)
 		{
@@ -1412,6 +1437,7 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 	SSL_CIPHER *c;
 	CERT *ct = s->cert;
 	unsigned char *q;
+	int no_scsv = s->renegotiate;
 	/* Set disabled masks for this session */
 	ssl_set_client_disabled(s);
 
@@ -1426,13 +1452,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 			c->algorithm_mkey & ct->mask_k ||
 			c->algorithm_auth & ct->mask_a)
 			continue;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+		if (c->id == SSL3_CK_SCSV)
+			{
+			if (no_scsv)
+				continue;
+			else
+				no_scsv = 1;
+			}
+#endif
 		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
 		p+=j;
 		}
 	/* If p == q, no ciphers and caller indicates an error. Otherwise
 	 * add SCSV if not renegotiating.
 	 */
-	if (p != q && !s->renegotiate)
+	if (p != q && !no_scsv)
 		{
 		static SSL_CIPHER scsv =
 			{
@@ -1471,6 +1506,16 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 		sk_SSL_CIPHER_zero(sk);
 		}
 
+	if (s->cert->ciphers_raw)
+		OPENSSL_free(s->cert->ciphers_raw);
+	s->cert->ciphers_raw = BUF_memdup(p, num);
+	if (s->cert->ciphers_raw == NULL)
+		{
+		SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+	s->cert->ciphers_rawlen = (size_t)num;
+
 	for (i=0; i<num; i+=n)
 		{
 		/* Check for SCSV */
@@ -2359,7 +2404,7 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
 	/* Broken protocol test: return last used certificate: which may
 	 * mismatch the one expected.
 	 */
-	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTCOL)
+	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
 		return c->key;
 #endif
 
@@ -2386,7 +2431,7 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
 	/* Broken protocol test: use last key: which may
 	 * mismatch the one expected.
 	 */
-	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTCOL)
+	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
 		idx = c->key - c->pkeys;
 	else
 #endif