From 979689aa5cfa100ccbc1f25064e9398be4b7b05c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Bodo=20M=C3=B6ller?= Date: Wed, 24 Oct 2001 19:03:22 +0000 Subject: [PATCH] Fix SSL handshake functions and SSL_clear() such that SSL_clear() never resets s->method to s->ctx->method when called from within one of the SSL handshake functions. --- CHANGES | 5 +++++ ssl/s23_clnt.c | 2 +- ssl/s23_srvr.c | 2 +- ssl/s2_clnt.c | 2 +- ssl/s2_srvr.c | 2 +- ssl/s3_clnt.c | 2 +- ssl/s3_srvr.c | 2 +- ssl/ssl_lib.c | 2 +- 8 files changed, 12 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index fbb5d58c29..4ff8e00b44 100644 --- a/CHANGES +++ b/CHANGES @@ -12,6 +12,11 @@ *) applies to 0.9.6a/0.9.6b/0.9.6c and 0.9.7 +) applies to 0.9.7 only + *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() + never resets s->method to s->ctx->method when called from within + one of the SSL handshake functions. + [Bodo Moeller; problem pointed out by Niko Baric] + +) Test for certificates which contain unsupported critical extensions. If such a certificate is found during a verify operation it is rejected by default: this behaviour can be overridden by either diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 1eafb4b446..dd2562af15 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -113,8 +113,8 @@ int ssl23_connect(SSL *s) else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 8c41e1ff01..fe8bd33ce7 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -165,8 +165,8 @@ int ssl23_accept(SSL *s) else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 85b97b61de..8cb7388ef9 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c @@ -118,8 +118,8 @@ int ssl2_connect(SSL *s) cb=s->ctx->info_callback; /* init things to blank */ - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index f4f11103b6..f849e2b32a 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -119,8 +119,8 @@ int ssl2_accept(SSL *s) cb=s->ctx->info_callback; /* init things to blank */ - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); if (s->cert == NULL) { diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 734659d7ec..52dda37f6d 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -119,8 +119,8 @@ int ssl3_connect(SSL *s) else if (s->ctx->info_callback != NULL) cb=s->ctx->info_callback; - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); for (;;) { diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 9cea6e31a2..8c5b6e8c9c 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -180,8 +180,8 @@ int ssl3_accept(SSL *s) cb=s->ctx->info_callback; /* init things to blank */ - if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); s->in_handshake++; + if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); if (s->cert == NULL) { diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 7257daa8ff..72821a1fce 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -193,7 +193,7 @@ int SSL_clear(SSL *s) #if 1 /* Check to see if we were changed into a different method, if * so, revert back if we are not doing session-id reuse. */ - if ((s->session == NULL) && (s->method != s->ctx->method)) + if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { s->method->ssl_free(s); s->method=s->ctx->method; -- 2.34.1