Diffstat (limited to '')
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 56 |
1 files changed, 16 insertions, 40 deletions
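--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.76 2014/07/12 10:06:04 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.77 2014/07/12 13:11:53 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -373,13 +373,9 @@ ssl3_accept(SSL *s)
 
 case SSL3_ST_SW_CERT_A:
 case SSL3_ST_SW_CERT_B:
-/* Check if it is anon DH or anon ECDH, */
-/* normal PSK or KRB5 or SRP */
-if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
-&& !(s->s3->tmp.new_cipher->algorithm_mkey &
-SSL_kPSK)
-&& !(s->s3->tmp.new_cipher->algorithm_auth &
-SSL_aKRB5)) {
+/* Check if it is anon DH or anon ECDH. */
+if (!(s->s3->tmp.new_cipher->algorithm_auth &
+SSL_aNULL)) {
 ret = ssl3_send_server_certificate(s);
 if (ret <= 0)
 goto end;
@@ -417,10 +413,7 @@ ssl3_accept(SSL *s)
 
 /*
 * Only send if a DH key exchange, fortezza or
-* RSA but we have a sign only certificate
-*
-* PSK: send ServerKeyExchange if PSK identity
-* hint is provided
+* RSA but we have a sign only certificate.
 *
 * For ECC ciphersuites, we send a serverKeyExchange
 * message only if the cipher suite is either
@@ -428,13 +421,12 @@ ssl3_accept(SSL *s)
 * server certificate contains the server's
 * public key for key exchange.
 */
-if (s->s3->tmp.use_rsa_tmp
-|| (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
-|| (alg_k & SSL_kEECDH)
-|| ((alg_k & SSL_kRSA)
-&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
-NULL
-))) {
+if (s->s3->tmp.use_rsa_tmp ||
+(alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH)) ||
+(alg_k & SSL_kEECDH) ||
+((alg_k & SSL_kRSA) &&
+(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey ==
+NULL))) {
 ret = ssl3_send_server_key_exchange(s);
 if (ret <= 0)
 goto end;
@@ -463,22 +455,13 @@ ssl3_accept(SSL *s)
 * and in RFC 2246) ... except when the application
 * insists on verification (against the specs, but
 * s3_clnt.c accepts this for SSL 3).
-*
-* - We are using a Kerberos ciphersuite.
-*
-* - We are using normal PSK certificates and
-* Certificate Requests are omitted
 */
 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
 ((s->session->peer != NULL) &&
 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
 ((s->s3->tmp.new_cipher->algorithm_auth &
 SSL_aNULL) && !(s->verify_mode &
-SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
-(s->s3->tmp.new_cipher->algorithm_auth &
-SSL_aKRB5) ||
-(s->s3->tmp.new_cipher->algorithm_mkey &
-SSL_kPSK)) {
+SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
 /* No cert request */
 skip = 1;
 s->s3->tmp.cert_request = 0;
@@ -1605,8 +1588,7 @@ ssl3_send_server_key_exchange(SSL *s)
 n += 2 + nr[i];
 }
 
-if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
-!(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
+if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)) {
 if ((pkey = ssl_get_sign_pkey(
 s, s->s3->tmp.new_cipher, &md)) == NULL) {
 al = SSL_AD_DECODE_ERROR;
@@ -2681,15 +2663,9 @@ ssl3_send_server_certificate(SSL *s)
 if (s->state == SSL3_ST_SW_CERT_A) {
 x = ssl_get_server_send_cert(s);
 if (x == NULL) {
-/* VRS: allow null cert if auth == KRB5 */
-if ((s->s3->tmp.new_cipher->algorithm_auth !=
-SSL_aKRB5) ||
-(s->s3->tmp.new_cipher->algorithm_mkey &
-SSL_kKRB5)) {
-SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
-ERR_R_INTERNAL_ERROR);
-return (0);
-}
+SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,
+ERR_R_INTERNAL_ERROR);
+return (0);
 }
 
 l = ssl3_output_cert_chain(s, x);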
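Review bot: The certificate check in the SSL3_ST_SW_CERT_A/B case of ssl3_accept (new line 377) and the signing check in ssl3_send_server_key_exchange (new line 1591) now treat every suite without SSL_aNULL as certificate-authenticated, which is only sound if no suite carrying SSL_kPSK or SSL_aKRB5 can still be negotiated; nothing in these hunks shows that. If one were still selectable, ssl3_send_server_certificate would fail closed with ERR_R_INTERNAL_ERROR when no certificate is configured, but a PSK suite on a server that does have a certificate would presumably take the certificate and signing path unnoticed. I would record the assumption next to the first check, for example `/* PSK and KRB5 suites are not offered; only aNULL skips the Certificate message. */`, once the cipher table has been checked to confirm it. The comment above the ServerKeyExchange condition (new line 415) still mentions fortezza, which no term of the visible condition tests for. All three functions continue outside the hunks shown.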
