Check requested security strength in DRBG. Add function to retrieve the
[openssl.git] / ssl / s3_pkt.c
index b30c032b74e01c316f145a3ccab4975dde34e7c4..a168f934a99037e600e997cbb2e4a0e836c47a6f 100644 (file)
@@ -741,7 +741,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        plen=p; 
        p+=2;
        /* Explicit IV length, block ciphers and TLS version 1.1 or later */
-       if (s->enc_write_ctx && s->version >= TLS1_1_VERSION)
+       if (s->enc_write_ctx && s->version >= TLS1_1_VERSION
+               && EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE)
                {
                eivlen = EVP_CIPHER_CTX_iv_length(s->enc_write_ctx);
                if (eivlen <= 1)
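Review bot: The explicit-IV branch is now taken only when `EVP_CIPHER_CTX_mode(s->enc_write_ctx) == EVP_CIPH_CBC_MODE`, so the record layout written here depends on the cipher mode as well as the protocol version. The receive/decrypt path has to make the same decision or records will be parsed at the wrong offset; that code is not in this hunk, so please confirm it carries the same mode test. The comment above the condition still says "block ciphers"; I would tighten it to `/* Explicit IV: CBC-mode ciphers with TLS 1.1 or later only */`. The value `eivlen` takes for every other mode is set outside the hunk, as the body of do_ssl3_write continues past it.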
@@ -1280,6 +1281,7 @@ start:
 #else
                        s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
 #endif
+                       s->renegotiate=1;
                        s->new_session=1;
                        }
                i=s->handshake_func(s);
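Review bot: `s->renegotiate=1;` is added next to `s->new_session=1;` with no comment on how the two flags differ. This appears to be the branch that starts a handshake in response to a message from the peer on an established connection, so which flag gates the renegotiation checks should be stated. I would add `/* handshake restarted on an established connection: mark it as a renegotiation */` above the new line. Nothing visible in the hunk resets the flag if `s->handshake_func(s)` fails. The enclosing block starts and ends outside the hunk, so please confirm that the error path and handshake completion clear it.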
@@ -1374,8 +1376,10 @@ err:
 int ssl3_do_change_cipher_spec(SSL *s)
        {
        int i;
+#ifdef OPENSSL_NO_NEXTPROTONEG
        const char *sender;
        int slen;
+#endif
 
        if (s->state & SSL_ST_ACCEPT)
                i=SSL3_CHANGE_CIPHER_SERVER_READ;
@@ -1398,6 +1402,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
        if (!s->method->ssl3_enc->change_cipher_state(s,i))
                return(0);
 
+#ifdef OPENSSL_NO_NEXTPROTONEG
        /* we have to record the message digest at
         * this point so we can get it before we read
         * the finished message */
@@ -1414,6 +1419,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
 
        s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
                sender,slen,s->s3->tmp.peer_finish_md);
+#endif
 
        return(1);
        }