diff options
Diffstat (limited to 'src/lib/libssl')
| -rw-r--r-- | src/lib/libssl/s3_clnt.c | 1 | ||||
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 14 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 5 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_rsa.c | 4 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_sess.c | 4 |
5 files changed, 21 insertions, 7 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index fae8eadada..eb7daebfdf 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c | |||
| @@ -1769,6 +1769,7 @@ static int ssl3_send_client_verify(SSL *s) | |||
| 1769 | *(d++)=SSL3_MT_CERTIFICATE_VERIFY; | 1769 | *(d++)=SSL3_MT_CERTIFICATE_VERIFY; |
| 1770 | l2n3(n,d); | 1770 | l2n3(n,d); |
| 1771 | 1771 | ||
| 1772 | s->state=SSL3_ST_CW_CERT_VRFY_B; | ||
| 1772 | s->init_num=(int)n+4; | 1773 | s->init_num=(int)n+4; |
| 1773 | s->init_off=0; | 1774 | s->init_off=0; |
| 1774 | } | 1775 | } |
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 58cf774967..881f68b998 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -431,10 +431,11 @@ int ssl3_accept(SSL *s) | |||
| 431 | if (ret == 2) | 431 | if (ret == 2) |
| 432 | s->state = SSL3_ST_SR_CLNT_HELLO_C; | 432 | s->state = SSL3_ST_SR_CLNT_HELLO_C; |
| 433 | else { | 433 | else { |
| 434 | /* could be sent for a DH cert, even if we | 434 | if (s->s3->tmp.cert_request) |
| 435 | * have not asked for it :-) */ | 435 | { |
| 436 | ret=ssl3_get_client_certificate(s); | 436 | ret=ssl3_get_client_certificate(s); |
| 437 | if (ret <= 0) goto end; | 437 | if (ret <= 0) goto end; |
| 438 | } | ||
| 438 | s->init_num=0; | 439 | s->init_num=0; |
| 439 | s->state=SSL3_ST_SR_KEY_EXCH_A; | 440 | s->state=SSL3_ST_SR_KEY_EXCH_A; |
| 440 | } | 441 | } |
| @@ -844,6 +845,9 @@ static int ssl3_get_client_hello(SSL *s) | |||
| 844 | } | 845 | } |
| 845 | 846 | ||
| 846 | /* TLS does not mind if there is extra stuff */ | 847 | /* TLS does not mind if there is extra stuff */ |
| 848 | #if 0 /* SSL 3.0 does not mind either, so we should disable this test | ||
| 849 | * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, | ||
| 850 | * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ | ||
| 847 | if (s->version == SSL3_VERSION) | 851 | if (s->version == SSL3_VERSION) |
| 848 | { | 852 | { |
| 849 | if (p < (d+n)) | 853 | if (p < (d+n)) |
| @@ -855,6 +859,7 @@ static int ssl3_get_client_hello(SSL *s) | |||
| 855 | goto f_err; | 859 | goto f_err; |
| 856 | } | 860 | } |
| 857 | } | 861 | } |
| 862 | #endif | ||
| 858 | 863 | ||
| 859 | /* Given s->session->ciphers and SSL_get_ciphers, we must | 864 | /* Given s->session->ciphers and SSL_get_ciphers, we must |
| 860 | * pick a cipher */ | 865 | * pick a cipher */ |
| @@ -1352,6 +1357,7 @@ static int ssl3_send_certificate_request(SSL *s) | |||
| 1352 | s->init_num += 4; | 1357 | s->init_num += 4; |
| 1353 | #endif | 1358 | #endif |
| 1354 | 1359 | ||
| 1360 | s->state = SSL3_ST_SW_CERT_REQ_B; | ||
| 1355 | } | 1361 | } |
| 1356 | 1362 | ||
| 1357 | /* SSL3_ST_SW_CERT_REQ_B */ | 1363 | /* SSL3_ST_SW_CERT_REQ_B */ |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index ddd8114587..6d69890688 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -473,6 +473,11 @@ void SSL_free(SSL *s) | |||
| 473 | 473 | ||
| 474 | if (s->method != NULL) s->method->ssl_free(s); | 474 | if (s->method != NULL) s->method->ssl_free(s); |
| 475 | 475 | ||
| 476 | #ifndef OPENSSL_NO_KRB5 | ||
| 477 | if (s->kssl_ctx != NULL) | ||
| 478 | kssl_ctx_free(s->kssl_ctx); | ||
| 479 | #endif /* OPENSSL_NO_KRB5 */ | ||
| 480 | |||
| 476 | OPENSSL_free(s); | 481 | OPENSSL_free(s); |
| 477 | } | 482 | } |
| 478 | 483 | ||
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c index 03828b6632..330390519b 100644 --- a/src/lib/libssl/ssl_rsa.c +++ b/src/lib/libssl/ssl_rsa.c | |||
| @@ -207,7 +207,7 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) | |||
| 207 | ok=1; | 207 | ok=1; |
| 208 | else | 208 | else |
| 209 | #endif | 209 | #endif |
| 210 | if (!X509_check_private_key(c->pkeys[i].x509,pkey)) | 210 | if (!X509_check_private_key(c->pkeys[i].x509,pkey)) |
| 211 | { | 211 | { |
| 212 | if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) | 212 | if ((i == SSL_PKEY_DH_RSA) || (i == SSL_PKEY_DH_DSA)) |
| 213 | { | 213 | { |
| @@ -241,6 +241,8 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey) | |||
| 241 | return(0); | 241 | return(0); |
| 242 | } | 242 | } |
| 243 | 243 | ||
| 244 | ERR_clear_error(); /* make sure no error from X509_check_private_key() | ||
| 245 | * is left if we have chosen to ignore it */ | ||
| 244 | if (c->pkeys[i].privatekey != NULL) | 246 | if (c->pkeys[i].privatekey != NULL) |
| 245 | EVP_PKEY_free(c->pkeys[i].privatekey); | 247 | EVP_PKEY_free(c->pkeys[i].privatekey); |
| 246 | CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); | 248 | CRYPTO_add(&pkey->references,1,CRYPTO_LOCK_EVP_PKEY); |
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index fbc30b94e6..fabcdefa6e 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c | |||
| @@ -79,11 +79,11 @@ SSL_SESSION *SSL_get1_session(SSL *ssl) | |||
| 79 | /* Need to lock this all up rather than just use CRYPTO_add so that | 79 | /* Need to lock this all up rather than just use CRYPTO_add so that |
| 80 | * somebody doesn't free ssl->session between when we check it's | 80 | * somebody doesn't free ssl->session between when we check it's |
| 81 | * non-null and when we up the reference count. */ | 81 | * non-null and when we up the reference count. */ |
| 82 | CRYPTO_r_lock(CRYPTO_LOCK_SSL_SESSION); | 82 | CRYPTO_w_lock(CRYPTO_LOCK_SSL_SESSION); |
| 83 | sess = ssl->session; | 83 | sess = ssl->session; |
| 84 | if(sess) | 84 | if(sess) |
| 85 | sess->references++; | 85 | sess->references++; |
| 86 | CRYPTO_r_unlock(CRYPTO_LOCK_SSL_SESSION); | 86 | CRYPTO_w_unlock(CRYPTO_LOCK_SSL_SESSION); |
| 87 | return(sess); | 87 | return(sess); |
| 88 | } | 88 | } |
| 89 | 89 | ||