Add SSL_get_pending_cipher()
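--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -20,6 +20,8 @@
 #include <openssl/engine.h>
 #include <openssl/async.h>
 #include <openssl/ct.h>
+#include "internal/cryptlib.h"
+#include "internal/rand.h"
 const char SSL_version_str[] = OPENSSL_VERSION_TEXT;
@@ -618,10 +620,20 @@ SSL *SSL_new(SSL_CTX *ctx)
 goto err;
 s->lock = CRYPTO_THREAD_lock_new();
- if (s->lock == NULL) {
- SSLerr(SSL_F_SSL_NEW, ERR_R_MALLOC_FAILURE);
- OPENSSL_free(s);
- return NULL;
+ if (s->lock == NULL)
+ goto err;
+
+ /*
+ * If not using the standard RAND (say for fuzzing), then don't use a
+ * chained DRBG.
+ */
+ if (RAND_get_rand_method() == RAND_OpenSSL()) {
+ s->drbg = RAND_DRBG_new(NID_aes_128_ctr, RAND_DRBG_FLAG_CTR_USE_DF,
+ RAND_DRBG_get0_global());
+ if (s->drbg == NULL) {
+ CRYPTO_THREAD_lock_free(s->lock);
+ goto err;
+ }
 }
 RECORD_LAYER_init(&s->rlayer, s);
@@ -1129,6 +1141,7 @@ void SSL_free(SSL *s)
 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
 #endif
+ RAND_DRBG_free(s->drbg);
 CRYPTO_THREAD_lock_free(s->lock);
 OPENSSL_free(s);
@@ -3156,10 +3169,11 @@ void ssl_update_cache(SSL *s, int mode)
 return;
 i = s->session_ctx->session_cache_mode;
- if ((i & mode) && (!s->hit)
- && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE)
+ if ((i & mode) != 0
+ && (!s->hit || SSL_IS_TLS13(s))
+ && ((i & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0
 || SSL_CTX_add_session(s->session_ctx, s->session))
- && (s->session_ctx->new_session_cb != NULL)) {
+ && s->session_ctx->new_session_cb != NULL) {
 SSL_SESSION_up_ref(s->session);
 if (!s->session_ctx->new_session_cb(s, s->session))
 SSL_SESSION_free(s->session);
@@ -3315,6 +3329,12 @@ int SSL_do_handshake(SSL *s)
 s->method->ssl_renegotiate_check(s, 0);
+ if (SSL_is_server(s)) {
+ /* clear SNI settings at server-side */
+ OPENSSL_free(s->ext.hostname);
+ s->ext.hostname = NULL;
+ }
+
 if (SSL_in_init(s) || SSL_in_before(s)) {
 if ((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
 struct ssl_async_args args;
@@ -3593,6 +3613,11 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s)
 return (NULL);
 }
+const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
+{
+ return s->s3->tmp.new_cipher;
+}
+
 const COMP_METHOD *SSL_get_current_compression(SSL *s)
 {
 #ifndef OPENSSL_NO_COMP
@@ -5073,3 +5098,10 @@ uint32_t SSL_get_max_early_data(const SSL *s)
 {
 return s->max_early_data;
 }
+
+int ssl_randbytes(SSL *s, unsigned char *rnd, size_t size)
+{
+ if (s->drbg != NULL)
+ return RAND_DRBG_generate(s->drbg, rnd, size, 0, NULL, 0);
+ return RAND_bytes(rnd, (int)size);
+}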
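Review bot: In the last hunk, ssl_randbytes() mixes two return conventions and narrows `size` to `int` without a bound check. RAND_bytes() can return -1 as well as 0, so a caller that tests the result with `!ssl_randbytes(...)` would take -1 for success and carry on with a buffer that was never filled; the callers are not visible in this diff, so that needs checking at each call site. The `(int)size` cast also changes the value of any request above INT_MAX before it reaches RAND_bytes(). I would put `if (size > INT_MAX) return 0;` ahead of the fallback and end with `return RAND_bytes(rnd, (int)size) > 0;`, so both paths return 1 or 0. A one-line comment above the function, `/* Returns 1 on success, 0 on failure; rnd is not valid on failure. */`, would pin that contract.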