X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fssl_lib.c;h=e0a592619243fbcd5b678d173c1fd1367affd16a;hp=5c6ca2e666d2ffa6296773e03a6277307b37fc82;hb=7a014dceb61236803270f5c6022b82a2c656e0a1;hpb=0278e15fa358bc1d09bfed8132fb347bb3986a5c

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5c6ca2e666..e0a5926192 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -508,8 +508,9 @@ void SSL_free(SSL *s)
 	if (s->cert != NULL) ssl_cert_free(s->cert);
 	/* Free up if allocated */
 
-	if (s->ctx) SSL_CTX_free(s->ctx);
 #ifndef OPENSSL_NO_TLSEXT
+	if (s->tlsext_hostname)
+		OPENSSL_free(s->tlsext_hostname);
 	if (s->initial_ctx) SSL_CTX_free(s->initial_ctx);
 	if (s->tlsext_ocsp_exts)
 		sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
@@ -524,6 +525,8 @@ void SSL_free(SSL *s)
 
 	if (s->method != NULL) s->method->ssl_free(s);
 
+	if (s->ctx) SSL_CTX_free(s->ctx);
+
 #ifndef	OPENSSL_NO_KRB5
 	if (s->kssl_ctx != NULL)
 		kssl_ctx_free(s->kssl_ctx);
@@ -993,7 +996,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 		s->max_cert_list=larg;
 		return(l);
 	case SSL_CTRL_SET_MTU:
-		if (SSL_version(s) == DTLS1_VERSION)
+		if (SSL_version(s) == DTLS1_VERSION ||
+		    SSL_version(s) == DTLS1_BAD_VER)
 			{
 			s->d1->mtu = larg;
 			return larg;
@@ -1283,6 +1287,22 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
 		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
 		p+=j;
 		}
+	/* If p == q, no ciphers and caller indicates an error, otherwise
+	 * add MCSV
+	 */
+	if (p != q)
+		{
+		static SSL_CIPHER msvc =
+			{
+			0, NULL, SSL3_CK_MCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+			};
+		j = put_cb ? put_cb(&msvc,p) : ssl_put_cipher_by_char(s,&msvc,p);
+		p+=j;
+#ifdef OPENSSL_RI_DEBUG
+		fprintf(stderr, "MCSV sent by client\n");
+#endif
+		}
+
 	return(p-q);
 	}
 
@@ -1293,6 +1313,8 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 	STACK_OF(SSL_CIPHER) *sk;
 	int i,n;
 
+	s->s3->send_connection_binding = 0;
+
 	n=ssl_put_cipher_by_char(s,NULL,NULL);
 	if ((num%n) != 0)
 		{
@@ -1309,6 +1331,19 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 
 	for (i=0; i<num; i+=n)
 		{
+		/* Check for MCSV */
+		if ((n != 3 || !p[0]) &&
+			(p[n-2] == ((SSL3_CK_MCSV >> 8) & 0xff)) &&
+			(p[n-1] == (SSL3_CK_MCSV & 0xff)))
+			{
+			s->s3->send_connection_binding = 1;
+			p += n;
+#ifdef OPENSSL_RI_DEBUG
+			fprintf(stderr, "MCSV received by server\n");
+#endif
+			continue;
+			}
+
 		c=ssl_get_cipher_by_char(s,p);
 		p+=n;
 		if (c != NULL)
@@ -1396,6 +1431,14 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 		return(NULL);
 		}
 
+#ifdef OPENSSL_FIPS
+	if (FIPS_mode() && (meth->version < TLS1_VERSION))	
+		{
+		SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+		return NULL;
+		}
+#endif
+
 	if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0)
 		{
 		SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);