From: Todd Short Date: Sat, 5 Mar 2016 13:47:55 +0000 (-0500) Subject: GH787: Fix ALPN X-Git-Tag: OpenSSL_1_1_0-pre4~244 X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=1316ca80f4e1dc9339572c780d495f995fe0bad0 GH787: Fix ALPN * Perform ALPN after the SNI callback; the SSL_CTX may change due to that processing * Add flags to indicate that we actually sent ALPN, to properly error out if unexpectedly received. * clean up ssl3_free() no need to explicitly clear when doing memset * document ALPN functions Signed-off-by: Rich Salz Reviewed-by: Emilia Käsper Reviewed-by: Rich Salz --- diff --git a/CHANGES b/CHANGES index 9f32b9adfd..a5217e48ba 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,9 @@ [Todd Short] *) Add SSL_CIPHER queries for authentication and key-exchange. + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. [Todd Short] *) Changes to the DEFAULT cipherlist: diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 5059e93748..b26e972697 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -2012,8 +2012,8 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c) const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr) { - const SSL_CIPHER *c; - c = ssl->method->get_cipher_by_char(ptr); + const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr); + if (c == NULL || c->valid == 0) return NULL; return c; @@ -2037,10 +2037,8 @@ int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c) int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c) { - int i; - if (c == NULL) - return NID_undef; - i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac); + int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac); + if (i == -1) return NID_undef; return ssl_cipher_table_mac[i].nid; 
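Review bot: In the SSL_CIPHER_get_digest_nid hunk the new initializer `int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);` dereferences `c` unconditionally, because the `if (c == NULL) return NID_undef;` guard was removed with the old declaration. A caller of this public getter that passed NULL used to get NID_undef and will now fault on the member access. If the removal is meant to match SSL_CIPHER_get_kx_nid and SSL_CIPHER_get_auth_nid, which show no NULL check in this diff, the function documentation should state that the argument must be non-NULL; otherwise keep the declaration separate and the guard ahead of the lookup. The function's closing brace lies outside the hunk.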
@@ -2049,6 +2047,7 @@ int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c) int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c) { int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey); + if (i == -1) return NID_undef; return ssl_cipher_table_kx[i].nid; @@ -2056,7 +2055,8 @@ int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c) int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c) { - int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_auth); + int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth); + if (i == -1) return NID_undef; return ssl_cipher_table_kx[i].nid;
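Review bot: In the SSL_CIPHER_get_auth_nid hunk the lookup now searches ssl_cipher_table_auth, but the final return still reads `ssl_cipher_table_kx[i].nid`, so an index found in the authentication table is applied to the key-exchange table. That yields the wrong NID for the cipher's authentication algorithm, and if the two tables differ in length (their definitions are not visible here) the read can run past the end of ssl_cipher_table_kx. The return should be `return ssl_cipher_table_auth[i].nid;`. The closing brace of the function is outside the hunk.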