projects
/
openssl.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Update copyright year
[openssl.git]
/
ssl
/
statem
/
statem_lib.c
diff --git
a/ssl/statem/statem_lib.c
b/ssl/statem/statem_lib.c
index dc2bd20e936d22efbb4f0d2b329d0f57c1c30d98..c0482b0a90563d19d4931d9926c7ccdfeb386894 100644
(file)
--- a/
ssl/statem/statem_lib.c
+++ b/
ssl/statem/statem_lib.c
@@
-1,5
+1,5
@@
/*
/*
- * Copyright 1995-201
8
The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-201
9
The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@
-396,7
+396,8
@@
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
#ifdef SSL_DEBUG
if (SSL_USE_SIGALGS(s))
#ifdef SSL_DEBUG
if (SSL_USE_SIGALGS(s))
- fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+ fprintf(stderr, "USING TLSv1.2 HASH %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
#endif
/* Check for broken implementations of GOST ciphersuites */
#endif
/* Check for broken implementations of GOST ciphersuites */
@@
-439,7
+440,8
@@
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
}
#ifdef SSL_DEBUG
}
#ifdef SSL_DEBUG
- fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
+ fprintf(stderr, "Using client verify alg %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
#endif
if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
#endif
if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
@@
-612,13
+614,6
@@
MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
{
unsigned int updatetype;
{
unsigned int updatetype;
- s->key_update_count++;
- if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
- SSL_R_TOO_MANY_KEY_UPDATES);
- return MSG_PROCESS_ERROR;
- }
-
/*
* A KeyUpdate message signals a key change so the end of the message must
* be on a record boundary.
/*
* A KeyUpdate message signals a key change so the end of the message must
* be on a record boundary.
@@
-1028,6
+1023,7
@@
unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
{
void (*cb) (const SSL *ssl, int type, int val) = NULL;
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
{
void (*cb) (const SSL *ssl, int type, int val) = NULL;
+ int cleanuphand = s->statem.cleanuphand;
if (clearbufs) {
if (!SSL_IS_DTLS(s)) {
if (clearbufs) {
if (!SSL_IS_DTLS(s)) {
@@
-1054,7
+1050,7
@@
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
* Only set if there was a Finished message and this isn't after a TLSv1.3
* post handshake exchange
*/
* Only set if there was a Finished message and this isn't after a TLSv1.3
* post handshake exchange
*/
- if (
s->statem.
cleanuphand) {
+ if (cleanuphand) {
/* skipped if we just sent a HelloRequest */
s->renegotiate = 0;
s->new_session = 0;
/* skipped if we just sent a HelloRequest */
s->renegotiate = 0;
s->new_session = 0;
@@
-1074,15
+1070,6
@@
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
/* N.B. s->ctx may not equal s->session_ctx */
tsan_counter(&s->ctx->stats.sess_accept_good);
s->handshake_func = ossl_statem_accept;
/* N.B. s->ctx may not equal s->session_ctx */
tsan_counter(&s->ctx->stats.sess_accept_good);
s->handshake_func = ossl_statem_accept;
-
- if (SSL_IS_DTLS(s) && !s->hit) {
- /*
- * We are finishing after the client. We start the timer going
- * in case there are any retransmits of our final flight
- * required.
- */
- dtls1_start_timer(s);
- }
} else {
if (SSL_IS_TLS13(s)) {
/*
} else {
if (SSL_IS_TLS13(s)) {
/*
@@
-1104,15
+1091,6
@@
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
s->handshake_func = ossl_statem_connect;
tsan_counter(&s->session_ctx->stats.sess_connect_good);
s->handshake_func = ossl_statem_connect;
tsan_counter(&s->session_ctx->stats.sess_connect_good);
-
- if (SSL_IS_DTLS(s) && s->hit) {
- /*
- * We are finishing after the server. We start the timer going
- * in case there are any retransmits of our final flight
- * required.
- */
- dtls1_start_timer(s);
- }
}
if (SSL_IS_DTLS(s)) {
}
if (SSL_IS_DTLS(s)) {
@@
-1132,8
+1110,12
@@
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
/* The callback may expect us to not be in init at handshake done */
ossl_statem_set_in_init(s, 0);
/* The callback may expect us to not be in init at handshake done */
ossl_statem_set_in_init(s, 0);
- if (cb != NULL)
- cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ if (cb != NULL) {
+ if (cleanuphand
+ || !SSL_IS_TLS13(s)
+ || SSL_IS_FIRST_HANDSHAKE(s))
+ cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ }
if (!stop) {
/* If we've got more work to do we go back into init */
if (!stop) {
/* If we've got more work to do we go back into init */
@@
-1506,8
+1488,11
@@
static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
*/
static int is_tls13_capable(const SSL *s)
{
*/
static int is_tls13_capable(const SSL *s)
{
- int i, curve;
+ int i;
+#ifndef OPENSSL_NO_EC
+ int curve;
EC_KEY *eckey;
EC_KEY *eckey;
+#endif
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
@@
-1530,6
+1515,7
@@
static int is_tls13_capable(const SSL *s)
}
if (!ssl_has_cert(s, i))
continue;
}
if (!ssl_has_cert(s, i))
continue;
+#ifndef OPENSSL_NO_EC
if (i != SSL_PKEY_ECC)
return 1;
/*
if (i != SSL_PKEY_ECC)
return 1;
/*
@@
-1543,6
+1529,9
@@
static int is_tls13_capable(const SSL *s)
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
if (tls_check_sigalg_curve(s, curve))
return 1;
curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
if (tls_check_sigalg_curve(s, curve))
return 1;
+#else
+ return 1;
+#endif
}
return 0;
}
return 0;
@@
-2287,10
+2276,24
@@
int parse_ca_names(SSL *s, PACKET *pkt)
return 0;
}
return 0;
}
-
int construct_ca_names(SSL *s, WPACKET *pkt
)
+
const STACK_OF(X509_NAME) *get_ca_names(SSL *s
)
{
{
- const STACK_OF(X509_NAME) *ca_sk =
SSL_get0_CA_list(s)
;
+ const STACK_OF(X509_NAME) *ca_sk =
NULL;
;
+ if (s->server) {
+ ca_sk = SSL_get_client_CA_list(s);
+ if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
+ ca_sk = NULL;
+ }
+
+ if (ca_sk == NULL)
+ ca_sk = SSL_get0_CA_list(s);
+
+ return ca_sk;
+}
+
+int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
+{
/* Start sub-packet for client CA list */
if (!WPACKET_start_sub_packet_u16(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
/* Start sub-packet for client CA list */
if (!WPACKET_start_sub_packet_u16(pkt)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,