diff options
| author | jsing <> | 2024-07-19 08:56:17 +0000 |
|---|---|---|
| committer | jsing <> | 2024-07-19 08:56:17 +0000 |
| commit | cc7dc6e9b7012526aa3797842d226b3a275a7e70 (patch) | |
| tree | f7c486e99793aa346ba7c649bc01d3ce39f81718 | |
| parent | f8eff50c9ac6772239e96a6d2031a83bac497a15 (diff) | |
| download | openbsd-cc7dc6e9b7012526aa3797842d226b3a275a7e70.tar.gz openbsd-cc7dc6e9b7012526aa3797842d226b3a275a7e70.tar.bz2 openbsd-cc7dc6e9b7012526aa3797842d226b3a275a7e70.zip | |
Annotate issues with tls_session_secret_cb() related code.
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 7 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 10 |
2 files changed, 15 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index feb29ee4a5..6cf0ee4a4a 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.165 2024/02/03 18:03:49 tb Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.166 2024/07/19 08:56:17 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -941,6 +941,11 @@ ssl3_get_server_hello(SSL *s) | |||
| 941 | } | 941 | } |
| 942 | s->session->master_key_length = master_key_length; | 942 | s->session->master_key_length = master_key_length; |
| 943 | 943 | ||
| 944 | /* | ||
| 945 | * XXX - this appears to be completely broken. The | ||
| 946 | * client cannot change the cipher at this stage, | ||
| 947 | * as the server has already made a selection. | ||
| 948 | */ | ||
| 944 | if ((s->session->cipher = pref_cipher) == NULL) | 949 | if ((s->session->cipher = pref_cipher) == NULL) |
| 945 | s->session->cipher = | 950 | s->session->cipher = |
| 946 | ssl3_get_cipher_by_value(cipher_suite); | 951 | ssl3_get_cipher_by_value(cipher_suite); |
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index d6b7de1efd..01155a8d6d 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.162 2024/07/19 08:54:31 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.163 2024/07/19 08:56:17 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1082,6 +1082,13 @@ ssl3_get_client_hello(SSL *s) | |||
| 1082 | s->s3->hs.client_ciphers = ciphers; | 1082 | s->s3->hs.client_ciphers = ciphers; |
| 1083 | ciphers = NULL; | 1083 | ciphers = NULL; |
| 1084 | 1084 | ||
| 1085 | /* | ||
| 1086 | * XXX - this allows the callback to use any client cipher and | ||
| 1087 | * completely ignore the server cipher list. We should ensure | ||
| 1088 | * that the pref_cipher is in both the client list and the | ||
| 1089 | * server list. | ||
| 1090 | */ | ||
| 1091 | |||
| 1085 | /* Check if some cipher was preferred by the callback. */ | 1092 | /* Check if some cipher was preferred by the callback. */ |
| 1086 | if (pref_cipher == NULL) | 1093 | if (pref_cipher == NULL) |
| 1087 | pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers, | 1094 | pref_cipher = ssl3_choose_cipher(s, s->s3->hs.client_ciphers, |
| @@ -1093,6 +1100,7 @@ ssl3_get_client_hello(SSL *s) | |||
| 1093 | } | 1100 | } |
| 1094 | s->session->cipher = pref_cipher; | 1101 | s->session->cipher = pref_cipher; |
| 1095 | 1102 | ||
| 1103 | /* XXX - why? */ | ||
| 1096 | sk_SSL_CIPHER_free(s->cipher_list); | 1104 | sk_SSL_CIPHER_free(s->cipher_list); |
| 1097 | s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers); | 1105 | s->cipher_list = sk_SSL_CIPHER_dup(s->s3->hs.client_ciphers); |
| 1098 | } | 1106 | } |