aboutsummaryrefslogtreecommitdiffstats
path: root/ssl/s3_lib.c
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2016-01-28 18:41:59 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2016-01-28 18:41:59 +0000
commitc188d4cade9cba451816aef2371942bea4ff837f (patch)
tree7af4d87a03d869e528631ede778e4423dd6a281a /ssl/s3_lib.c
parent737d7e8d3945c206c037e139055821aa0c64bb8e (diff)
downloadsrc-c188d4cade9cba451816aef2371942bea4ff837f.tar.gz
src-c188d4cade9cba451816aef2371942bea4ff837f.zip
Import OpenSSL 1.0.2f.vendor/openssl/1.0.2f
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=295001 svn path=/vendor-crypto/openssl/1.0.2f/; revision=295002; tag=vendor/openssl/1.0.2f
Diffstat (limited to 'ssl/s3_lib.c')
-rw-r--r--ssl/s3_lib.c34
1 files changed, 19 insertions, 15 deletions
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 64793d6af34f..f846cb5b7b01 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3206,13 +3206,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
return (ret);
}
- if (!(s->options & SSL_OP_SINGLE_DH_USE)) {
- if (!DH_generate_key(dh)) {
- DH_free(dh);
- SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB);
- return (ret);
- }
- }
if (s->cert->dh_tmp != NULL)
DH_free(s->cert->dh_tmp);
s->cert->dh_tmp = dh;
@@ -3263,6 +3256,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#ifndef OPENSSL_NO_TLSEXT
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name) {
+ size_t len;
+
if (s->tlsext_hostname != NULL)
OPENSSL_free(s->tlsext_hostname);
s->tlsext_hostname = NULL;
@@ -3270,7 +3265,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
ret = 1;
if (parg == NULL)
break;
- if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {
+ len = strlen((char *)parg);
+ if (len == 0 || len > TLSEXT_MAXLEN_host_name) {
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
return 0;
}
@@ -3710,13 +3706,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
return 0;
}
- if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) {
- if (!DH_generate_key(new)) {
- SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB);
- DH_free(new);
- return 0;
- }
- }
if (cert->dh_tmp != NULL)
DH_free(cert->dh_tmp);
cert->dh_tmp = new;
@@ -4337,6 +4326,21 @@ int ssl3_shutdown(SSL *s)
}
#endif
} else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
+ if (SSL_in_init(s)) {
+ /*
+ * We can't shutdown properly if we are in the middle of a
+ * handshake. Doing so is problematic because the peer may send a
+ * CCS before it acts on our close_notify. However we should not
+ * continue to process received handshake messages or CCS once our
+ * close_notify has been sent. Therefore any close_notify from
+ * the peer will be unreadable because we have not moved to the next
+ * cipher state. Its best just to avoid this can-of-worms. Return
+ * an error if we are wanting to wait for a close_notify from the
+ * peer and we are in init.
+ */
+ SSLerr(SSL_F_SSL3_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
+ return -1;
+ }
/*
* If we are waiting for a close from our peer, we are closed
*/