Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 42 | 
1 files changed, 25 insertions, 17 deletions
| diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 903522ab59..80b45eb86f 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -902,22 +902,28 @@ int ssl3_get_client_hello(SSL *s) | |||
| 902 | break; | 902 | break; | 
| 903 | } | 903 | } | 
| 904 | } | 904 | } | 
| 905 | if (j == 0) | 905 | if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) | 
| 906 | { | 906 | { | 
| 907 | if ((s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) | 907 | /* Special case as client bug workaround: the previously used cipher may | 
| 908 | { | 908 | * not be in the current list, the client instead might be trying to | 
| 909 | /* Very bad for multi-threading.... */ | 909 | * continue using a cipher that before wasn't chosen due to server | 
| 910 | s->session->cipher=sk_SSL_CIPHER_value(ciphers, 0); | 910 | * preferences. We'll have to reject the connection if the cipher is not | 
| 911 | } | 911 | * enabled, though. */ | 
| 912 | else | 912 | c = sk_SSL_CIPHER_value(ciphers, 0); | 
| 913 | if (sk_SSL_CIPHER_find(SSL_get_ciphers(s), c) >= 0) | ||
| 913 | { | 914 | { | 
| 914 | /* we need to have the cipher in the cipher | 915 | s->session->cipher = c; | 
| 915 | * list if we are asked to reuse it */ | 916 | j = 1; | 
| 916 | al=SSL_AD_ILLEGAL_PARAMETER; | ||
| 917 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); | ||
| 918 | goto f_err; | ||
| 919 | } | 917 | } | 
| 920 | } | 918 | } | 
| 919 | if (j == 0) | ||
| 920 | { | ||
| 921 | /* we need to have the cipher in the cipher | ||
| 922 | * list if we are asked to reuse it */ | ||
| 923 | al=SSL_AD_ILLEGAL_PARAMETER; | ||
| 924 | SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_REQUIRED_CIPHER_MISSING); | ||
| 925 | goto f_err; | ||
| 926 | } | ||
| 921 | } | 927 | } | 
| 922 | 928 | ||
| 923 | /* compression */ | 929 | /* compression */ | 
| @@ -1172,13 +1178,13 @@ int ssl3_send_server_hello(SSL *s) | |||
| 1172 | *(d++)=SSL3_MT_SERVER_HELLO; | 1178 | *(d++)=SSL3_MT_SERVER_HELLO; | 
| 1173 | l2n3(l,d); | 1179 | l2n3(l,d); | 
| 1174 | 1180 | ||
| 1175 | s->state=SSL3_ST_CW_CLNT_HELLO_B; | 1181 | s->state=SSL3_ST_SW_SRVR_HELLO_B; | 
| 1176 | /* number of bytes to write */ | 1182 | /* number of bytes to write */ | 
| 1177 | s->init_num=p-buf; | 1183 | s->init_num=p-buf; | 
| 1178 | s->init_off=0; | 1184 | s->init_off=0; | 
| 1179 | } | 1185 | } | 
| 1180 | 1186 | ||
| 1181 | /* SSL3_ST_CW_CLNT_HELLO_B */ | 1187 | /* SSL3_ST_SW_SRVR_HELLO_B */ | 
| 1182 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 1188 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 
| 1183 | } | 1189 | } | 
| 1184 | 1190 | ||
| @@ -1202,7 +1208,7 @@ int ssl3_send_server_done(SSL *s) | |||
| 1202 | s->init_off=0; | 1208 | s->init_off=0; | 
| 1203 | } | 1209 | } | 
| 1204 | 1210 | ||
| 1205 | /* SSL3_ST_CW_CLNT_HELLO_B */ | 1211 | /* SSL3_ST_SW_SRVR_DONE_B */ | 
| 1206 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 1212 | return(ssl3_do_write(s,SSL3_RT_HANDSHAKE)); | 
| 1207 | } | 1213 | } | 
| 1208 | 1214 | ||
| @@ -1540,6 +1546,8 @@ int ssl3_send_server_key_exchange(SSL *s) | |||
| 1540 | j=0; | 1546 | j=0; | 
| 1541 | for (num=2; num > 0; num--) | 1547 | for (num=2; num > 0; num--) | 
| 1542 | { | 1548 | { | 
| 1549 | EVP_MD_CTX_set_flags(&md_ctx, | ||
| 1550 | EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | ||
| 1543 | EVP_DigestInit_ex(&md_ctx,(num == 2) | 1551 | EVP_DigestInit_ex(&md_ctx,(num == 2) | 
| 1544 | ?s->ctx->md5:s->ctx->sha1, NULL); | 1552 | ?s->ctx->md5:s->ctx->sha1, NULL); | 
| 1545 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 1553 | EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); | 
| @@ -2558,7 +2566,7 @@ int ssl3_get_client_certificate(SSL *s) | |||
| 2558 | else | 2566 | else | 
| 2559 | { | 2567 | { | 
| 2560 | i=ssl_verify_cert_chain(s,sk); | 2568 | i=ssl_verify_cert_chain(s,sk); | 
| 2561 | if (!i) | 2569 | if (i <= 0) | 
| 2562 | { | 2570 | { | 
| 2563 | al=ssl_verify_alarm_type(s->verify_result); | 2571 | al=ssl_verify_alarm_type(s->verify_result); | 
| 2564 | SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); | 2572 | SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED); | 
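Review bot: In the ssl3_get_client_certificate hunk, the branch that is now also taken for a negative return from ssl_verify_cert_chain still records `SSL_R_NO_CERTIFICATE_RETURNED`, which misreports a chain that was presented but was rejected or could not be verified. `SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);` would make the error queue match what happened. If a negative value stands for an internal error rather than a verification verdict (not visible here), `s->verify_result` may not hold a failure code at that point, so the alert chosen by `ssl_verify_alarm_type` deserves a check or a fallback such as `SSL_AD_INTERNAL_ERROR`. A one-line comment above the test, e.g. `/* <0 is an error, 0 a rejected chain; both must fail the handshake */`, would keep the `<= 0` from being simplified back to `!i` later. The function body starts and continues outside the hunk.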
