author | jsing <> | 2014-05-30 14:01:11 +0000 |
---|---|---|
committer | jsing <> | 2014-05-30 14:01:11 +0000 |
commit | d7bb67cc99974281f55641afa52a0f9e8f1ff938 (patch) | |
tree | feaa5e2dc937f09df0609d84b0849a48c405df08 /src/lib/libssl/s3_clnt.c | |
parent | 7388822d9393b64a9eb25e34c9bac56fb7f39f15 (diff) | |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
Diffstat (limited to 'src/lib/libssl/s3_clnt.c')
-rw-r--r-- | src/lib/libssl/s3_clnt.c | 19 |
1 files changed, 8 insertions, 11 deletions
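--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -848,8 +848,7 @@ ssl3_get_server_hello(SSL *s)
 if (!ok)
 return ((int)n);
 
-if (SSL_version(s) == DTLS1_VERSION ||
-SSL_version(s) == DTLS1_BAD_VER) {
+if (SSL_IS_DTLS(s)) {
 if (s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
 if (s->d1->send_cookie == 0) {
 s->s3->tmp.reuse_message = 1;
@@ -986,11 +985,10 @@ ssl3_get_server_hello(SSL *s)
 }
 s->s3->tmp.new_cipher = c;
 /*
-* Don't digest cached records if TLS v1.2: we may need them for
+* Don't digest cached records if no sigalgs: we may need them for
 * client authentication.
 */
-if (TLS1_get_version(s) < TLS1_2_VERSION &&
-!ssl3_digest_cached_records(s)) {
+if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s)) {
 al = SSL_AD_INTERNAL_ERROR;
 goto f_err;
 }
@@ -1592,7 +1590,7 @@ ssl3_get_key_exchange(SSL *s)
 
 /* if it was signed, check the signature */
 if (pkey != NULL) {
-if (TLS1_get_version(s) >= TLS1_2_VERSION) {
+if (SSL_USE_SIGALGS(s)) {
 int sigalg = tls12_get_sigid(pkey);
 /* Should never happen */
 if (sigalg == -1) {
@@ -1634,8 +1632,7 @@ ssl3_get_key_exchange(SSL *s)
 goto f_err;
 }
 
-if (pkey->type == EVP_PKEY_RSA &&
-TLS1_get_version(s) < TLS1_2_VERSION) {
+if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) {
 int num;
 
 j = 0;
@@ -1787,7 +1784,7 @@ ssl3_get_certificate_request(SSL *s)
 for (i = 0; i < ctype_num; i++)
 s->s3->tmp.ctype[i] = p[i];
 p += ctype_num;
-if (TLS1_get_version(s) >= TLS1_2_VERSION) {
+if (SSL_USE_SIGALGS(s)) {
 n2s(p, llen);
 /* Check we have enough room for signature algorithms and
 * following length value.
@@ -2612,7 +2609,7 @@ ssl3_send_client_verify(SSL *s)
 pctx = EVP_PKEY_CTX_new(pkey, NULL);
 EVP_PKEY_sign_init(pctx);
 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
-if (TLS1_get_version(s) < TLS1_2_VERSION)
+if (!SSL_USE_SIGALGS(s))
 s->method->ssl3_enc->cert_verify_mac(s,
 NID_sha1, &(data[MD5_DIGEST_LENGTH]));
 } else {
@@ -2622,7 +2619,7 @@ ssl3_send_client_verify(SSL *s)
 * For TLS v1.2 send signature algorithm and signature
 * using agreed digest and cached handshake records.
 */
-if (TLS1_get_version(s) >= TLS1_2_VERSION) {
+if (SSL_USE_SIGALGS(s)) {
 long hdatalen = 0;
 void *hdata;
 const EVP_MD *md = s->cert->key->digest;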
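Review bot: The reworded comment in the second hunk (ssl3_get_server_hello, new lines 988-991) now states the opposite of what the guard below it does: `!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s)` calls ssl3_digest_cached_records() exactly when sigalgs are not in use and skips it only when they are, which is the case that still needs the cached records for client authentication. The previous wording ("if TLS v1.2") matched the code; "if no sigalgs" inverts it and invites a later "fix" that negates the condition and breaks TLS 1.2 client auth. Suggest `* Don't digest cached records if sigalgs are in use: we may need them for` with the following line unchanged. ssl3_get_server_hello starts and ends outside the hunk.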