ret = -1;
goto end;
}
+
+ if (!ssl_security(s, SSL_SECOP_VERSION, 0,
+ s->version, NULL))
+ {
+ SSLerr(SSL_F_SSL3_CONNECT, SSL_R_VERSION_TOO_LOW);
+ return -1;
+ }
/* s->version=SSL3_VERSION; */
s->type=SSL_ST_CONNECT;
s->method->ssl3_enc->client_finished_label,
s->method->ssl3_enc->client_finished_label_len);
if (ret <= 0) goto end;
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->state=SSL3_ST_CW_FLUSH;
/* clear flags */
case SSL3_ST_CR_FINISHED_A:
case SSL3_ST_CR_FINISHED_B:
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
SSL3_ST_CR_FINISHED_B);
if (ret <= 0) goto end;
*(p++)=1;
#else
- if ((s->options & SSL_OP_NO_COMPRESSION)
- || !s->ctx->comp_methods)
+ if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
j=0;
else
j=sk_SSL_COMP_num(s->ctx->comp_methods);
{
s->session->cipher = pref_cipher ?
pref_cipher : ssl_get_cipher_by_char(s, p+j);
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
}
}
#endif /* OPENSSL_NO_TLSEXT */
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
goto f_err;
}
+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
s->hit=1;
}
else /* a miss or crap from the other end */
/* If it is a disabled cipher we didn't send it in client hello,
* so return an error.
*/
- if (ssl_cipher_disabled(s, c))
+ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK))
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
}
if (j == 0)
comp=NULL;
- else if (s->options & SSL_OP_NO_COMPRESSION)
+ else if (!ssl_allow_compression(s))
{
al=SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_COMPRESSION_DISABLED);
goto f_err;
}
ERR_clear_error(); /* but we keep s->verify_result */
+ if (i > 1)
+ {
+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE, i);
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ goto f_err;
+ }
sc=ssl_sess_cert_new();
if (sc == NULL) goto err;
p+=i;
n-=param_len;
+ if (!ssl_security(s, SSL_SECOP_TMP_DH,
+ DH_security_bits(dh), 0, dh))
+ {
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_DH_KEY_TOO_SMALL);
+ goto f_err;
+ }
+
#ifndef OPENSSL_NO_RSA
if (alg_a & SSL_aRSA)
pkey=X509_get_pubkey(s->session->sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509);
int ecdh_clnt_cert = 0;
int field_size = 0;
+ if (s->session->sess_cert == NULL)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+ goto err;
+ }
+
/* Did we send out the client's
* ECDH share for use in premaster
* computation as part of client certificate?
if (s->state == SSL3_ST_CW_CERT_C)
{
s->state=SSL3_ST_CW_CERT_D;
- ssl3_output_cert_chain(s,
- (s->s3->tmp.cert_req == 2)?NULL:s->cert->key);
+ if (!ssl3_output_cert_chain(s,
+ (s->s3->tmp.cert_req == 2)?NULL:s->cert->key))
+ {
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+ return 0;
+ }
}
/* SSL3_ST_CW_CERT_D */
return ssl_do_write(s);
projects / openssl.git / blobdiff