fix incorrect strength bit values for certain Kerberos ciphersuites

[openssl.git] / ssl / d1_pkt.c
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c

index 4e302943c173d287db583c9d4d72b5dd2b6c476d..8a047aeda7a29afe492f429c87e6a0615d1db88d 100644 (file)
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -237,7 +237,13 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority)
         memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
         memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
         
         memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER));
         memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD));
         
-       ssl3_setup_buffers(s);
+       if (!ssl3_setup_buffers(s))
+               {
+               SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
+               OPENSSL_free(rdata);
+               pitem_free(item);
+               return(0);
+               }
         
         return(1);
         }
         
         return(1);
         }
@@ -567,11 +573,7 @@ again:
                 n2s(p,rr->length);
  
                 /* Lets check version */
                 n2s(p,rr->length);
  
                 /* Lets check version */
-               if (s->first_packet)
-                       {
-                       s->first_packet=0;
-                       }
-               else
+               if (!s->first_packet)
                         {
                         if (version != s->version)
                                 {
                         {
                         if (version != s->version)
                                 {
@@ -831,8 +833,14 @@ start:
                         dest = s->d1->alert_fragment;
                         dest_len = &s->d1->alert_fragment_len;
                         }
                         dest = s->d1->alert_fragment;
                         dest_len = &s->d1->alert_fragment_len;
                         }
-               else    /* else it's a CCS message */
-                       OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
+                /* else it's a CCS message, or it's wrong */
+                else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
+                        {
+                          /* Not certain if this is the right error handling */
+                          al=SSL_AD_UNEXPECTED_MESSAGE;
+                          SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+                          goto f_err;
+                        }
  
  
                 if (dest_maxlen > 0)
  
  
                 if (dest_maxlen > 0)
@@ -1551,6 +1559,7 @@ int dtls1_dispatch_alert(SSL *s)
         *ptr++ = s->s3->send_alert[0];
         *ptr++ = s->s3->send_alert[1];
  
         *ptr++ = s->s3->send_alert[0];
         *ptr++ = s->s3->send_alert[1];
  
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
         if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                 {       
                 s2n(s->d1->handshake_read_seq, ptr);
         if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
                 {       
                 s2n(s->d1->handshake_read_seq, ptr);
@@ -1566,6 +1575,7 @@ int dtls1_dispatch_alert(SSL *s)
  #endif
                 l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                 }
  #endif
                 l2n3(s->d1->r_msg_hdr.frag_off, ptr);
                 }
+#endif
  
         i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
         if (i <= 0)
  
         i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0);
         if (i <= 0)
@@ -1575,8 +1585,11 @@ int dtls1_dispatch_alert(SSL *s)
                 }
         else
                 {
                 }
         else
                 {
-               if ( s->s3->send_alert[0] == SSL3_AL_FATAL ||
-                       s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE)
+               if (s->s3->send_alert[0] == SSL3_AL_FATAL
+#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+                   || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
+#endif
+                   )
                         (void)BIO_flush(s->wbio);
  
                 if (s->msg_callback)
                         (void)BIO_flush(s->wbio);
  
                 if (s->msg_callback)