There have been a number of complaints from a number of sources that names

[openssl.git] / ssl / s3_clnt.c

diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index cec0e3b35ae5e7b27649e444e9924aef3e077119..19777079477a5faef01410f7137a76bf66473116 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -69,7 +69,7 @@ static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
 static int ssl3_get_server_hello(SSL *s);
 static int ssl3_get_certificate_request(SSL *s);
-static int ca_dn_cmp(X509_NAME **a,X509_NAME **b);
+static int ca_dn_cmp(const X509_NAME * const *a,const X509_NAME * const *b);
 static int ssl3_get_server_done(SSL *s);
 static int ssl3_send_client_verify(SSL *s);
 static int ssl3_send_client_certificate(SSL *s);
@@ -764,6 +764,7 @@ static int ssl3_get_server_certificate(SSL *s)
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
                goto f_err; 
                }
+       ERR_clear_error(); /* but we keep s->verify_result */
 
        sc=ssl_sess_cert_new();
        if (sc == NULL) goto err;
@@ -772,6 +773,8 @@ static int ssl3_get_server_certificate(SSL *s)
        s->session->sess_cert=sc;
 
        sc->cert_chain=sk;
+       /* Inconsistency alert: cert_chain does include the peer's
+        * certificate, which we don't include in s3_srvr.c */
        x=sk_X509_value(sk,0);
        sk=NULL;
 
@@ -1225,7 +1228,7 @@ fclose(out);
 
                if ((xn=d2i_X509_NAME(NULL,&q,l)) == NULL)
                        {
-                       /* If netscape tollerance is on, ignore errors */
+                       /* If netscape tolerance is on, ignore errors */
                        if (s->options & SSL_OP_NETSCAPE_CA_DN_BUG)
                                goto cont;
                        else
@@ -1258,7 +1261,7 @@ cont:
                ERR_clear_error();
                }
 
-       /* we should setup a certficate to return.... */
+       /* we should setup a certificate to return.... */
        s->s3->tmp.cert_req=1;
        s->s3->tmp.ctype_num=ctype_num;
        if (s->s3->tmp.ca_names != NULL)
@@ -1272,7 +1275,7 @@ err:
        return(ret);
        }
 
-static int ca_dn_cmp(X509_NAME **a, X509_NAME **b)
+static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
        {
        return(X509_NAME_cmp(*a,*b));
        }
@@ -1688,13 +1691,13 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
 #endif
 #endif
 
-       if (SSL_IS_EXPORT(algs) && !has_bits(i,EVP_PKT_EXP))
+       if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
                {
 #ifndef NO_RSA
                if (algs & SSL_kRSA)
                        {
                        if (rsa == NULL
-                           || RSA_size(rsa) > SSL_EXPORT_PKEYLENGTH(algs))
+                           || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
                                {
                                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
                                goto f_err;
@@ -1706,7 +1709,7 @@ static int ssl3_check_cert_and_algorithm(SSL *s)
                        if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
                            {
                            if (dh == NULL
-                               || DH_size(dh) > SSL_EXPORT_PKEYLENGTH(algs))
+                               || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
                                {
                                SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
                                goto f_err;