X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=8b6b601cabd88da639489dad0443abc02f3f92da;hb=7ecd974f5f1bb38de6c47c188c8709b86b809245;hp=31f76abd1a3004d4de7992faaecbe18fe2b79e29;hpb=ccc3df8c33a3d48f56b8d3270bfbd4ae0a24736c;p=oweals%2Fopenssl.git diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 31f76abd1a..8b6b601cab 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1000,6 +1000,11 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg) s->max_cert_list=larg; return(l); case SSL_CTRL_SET_MTU: +#ifndef OPENSSL_NO_DTLS1 + if (larg < (long)dtls1_min_mtu()) + return 0; +#endif + if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) { @@ -1299,19 +1304,19 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p, j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); p+=j; } - /* If p == q, no ciphers and caller indicates an error, otherwise - * add MCSV + /* If p == q, no ciphers and caller indicates an error. Otherwise + * add SCSV if not renegotiating. */ - if (p != q) + if (p != q && !s->new_session) { - static SSL_CIPHER msvc = + static SSL_CIPHER scsv = { - 0, NULL, SSL3_CK_MCSV, 0, 0, 0, 0, 0, 0, 0, + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, }; - j = put_cb ? put_cb(&msvc,p) : ssl_put_cipher_by_char(s,&msvc,p); + j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); p+=j; #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "MCSV sent by client\n"); + fprintf(stderr, "SCSV sent by client\n"); #endif } 
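Review bot: In the `SSL_CTRL_SET_MTU` case the new floor check returns 0 without recording an error, so a caller that passes an MTU below `dtls1_min_mtu()` cannot tell from the return value why the setting was not applied. The check also sits before the `SSL_version(s)` test, so it runs for non-DTLS objects too; that looks harmless but is worth stating. I would add a comment such as `/* an MTU below the DTLS minimum is refused; 0 means the value was not applied */` and document the 0 return for callers. This guards only the `SSL_ctrl` path, so any other place that assigns the MTU (none is visible here) would need the same floor. The rest of the case body is outside the hunk.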
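Review bot: In `ssl_cipher_list_to_bytes` the test `!s->new_session` stands in for "not renegotiating", but the field name does not say that and the hunk does not show where it is set. If it is also set on any non-renegotiation path (inferred, not visible here), the SCSV would be left out of an initial ClientHello and the peer would see no renegotiation signalling. The same flag decides the fatal alert in the `ssl_bytes_to_cipher_list` hunk that follows, so both sides depend on that one meaning. I would state the invariant at both sites, e.g. `/* new_session is non-zero only while a renegotiation is in progress */`, after confirming it holds, or use a dedicated renegotiation flag.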
@@ -1343,15 +1348,22 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, for (i=0; is3 && (n != 3 || !p[0]) && - (p[n-2] == ((SSL3_CK_MCSV >> 8) & 0xff)) && - (p[n-1] == (SSL3_CK_MCSV & 0xff))) + (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && + (p[n-1] == (SSL3_CK_SCSV & 0xff))) { + /* SCSV fatal if renegotiating */ + if (s->new_session) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE); + goto err; + } s->s3->send_connection_binding = 1; p += n; #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "MCSV received by server\n"); + fprintf(stderr, "SCSV received by server\n"); #endif continue; } @@ -1594,7 +1606,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth) /* Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ - ret->options = SSL_OP_LEGACY_SERVER_CONNECT; + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; return(ret); err: @@ -1931,17 +1943,15 @@ int check_srvr_ecc_cert_and_alg(X509 *x, SSL_CIPHER *cs) } /* THIS NEEDS CLEANING UP */ -X509 *ssl_get_server_send_cert(SSL *s) +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) { - unsigned long alg,mask,kalg; + unsigned long alg,kalg; CERT *c; - int i,is_export; + int i; c=s->cert; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); alg=s->s3->tmp.new_cipher->algorithms; - is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); - mask=is_export?c->export_mask:c->mask; kalg=alg&(SSL_MKEY_MASK|SSL_AUTH_MASK); if (kalg & SSL_kECDH) 
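Review bot: In `SSL_CTX_new`, switching to `ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;` makes the result depend on `ret->options` already holding a defined value. The initialisation of `ret` is outside the hunk, so confirm the structure is zeroed or `options` is assigned before this line. The comment above it should also state the consequence for callers: by default a client completes handshakes with servers that do not support renegotiation indication. Something like `/* Non-RI servers are accepted by default; applications that require secure renegotiation must clear SSL_OP_LEGACY_SERVER_CONNECT */` would make that trade-off visible.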
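Review bot: `ssl_get_server_send_pkey` dereferences `s->s3` and `s->s3->tmp.new_cipher` in its first two statements without a NULL check. The last hunk of this patch makes the public `SSL_get_certificate` call into it for every server-side `SSL`, so an application asking for the certificate before a cipher has been chosen, or on an object with no `s3` state, would hit a NULL dereference (inferred from the visible lines; the setup of `s3` is not shown). I would add `if (s->s3 == NULL || s->s3->tmp.new_cipher == NULL) return NULL;` before the `ssl_set_cert_masks` call. The function body continues outside this hunk.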
@@ -1983,12 +1993,20 @@ X509 *ssl_get_server_send_cert(SSL *s) } else /* if (kalg & SSL_aNULL) */ { - SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR); return(NULL); } - if (c->pkeys[i].x509 == NULL) return(NULL); - return(c->pkeys[i].x509); + return c->pkeys + i; + } + +X509 *ssl_get_server_send_cert(const SSL *s) + { + CERT_PKEY *cpk; + cpk = ssl_get_server_send_pkey(s); + if (!cpk) + return NULL; + return cpk->x509; } EVP_PKEY *ssl_get_sign_pkey(SSL *s,SSL_CIPHER *cipher) @@ -2410,7 +2428,9 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { - if (s->cert != NULL) + if (s->server) + return(ssl_get_server_send_cert(s)); + else if (s->cert != NULL) return(s->cert->key->x509); else return(NULL);
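Review bot: `return c->pkeys + i;` drops the old `c->pkeys[i].x509 == NULL` check, so `ssl_get_server_send_pkey` can now return a non-NULL slot whose `x509` is NULL. The new `ssl_get_server_send_cert` wrapper still yields NULL in that case, but any other caller of the pkey function has to check the fields itself. I would document that on the function, e.g. `/* Returns the CERT_PKEY slot for the negotiated cipher; the slot may be empty (x509 == NULL), callers must check */`. The branches that assign `i` are outside the hunk, so its bound within `c->pkeys` cannot be confirmed from here.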
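Review bot: On a server, `SSL_get_certificate` now goes through `ssl_get_server_send_cert`, so a plain getter gains side effects and a different result. It can push `ERR_R_INTERNAL_ERROR` onto the error queue via the `else /* if (kalg & SSL_aNULL) */` branch shown in the previous hunk, and it can return NULL even when `s->cert` holds a certificate. The existing comment, "Fix this function so that it takes an optional type parameter", does not describe this. I would replace or extend it with something like `/* Server: certificate selected for the negotiated cipher, NULL if none applies (may queue an error). Client: certificate of the current key. */`.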