diff options
| author | jkim <jkim@FreeBSD.org> | 2016-01-28 20:15:22 +0000 |
|---|---|---|
| committer | jkim <jkim@FreeBSD.org> | 2016-01-28 20:15:22 +0000 |
| commit | f91c9c279859e792ca6fea3a5d5a9074b72c0e44 (patch) | |
| tree | d1486d18bb9fa5f51cadbaccb04f3c3879e273ec /crypto/openssl/ssl/s3_lib.c | |
| parent | d04bd9e9248a5b28fa75fdc94acf9ecb1c4cf4a4 (diff) | |
| parent | 71cece53f20ad0348c8e6a83b032a4bcfa42cdcf (diff) | |
| download | FreeBSD-src-f91c9c279859e792ca6fea3a5d5a9074b72c0e44.zip FreeBSD-src-f91c9c279859e792ca6fea3a5d5a9074b72c0e44.tar.gz | |
Merge OpenSSL 1.0.2f.
Relnotes: yes
Diffstat (limited to 'crypto/openssl/ssl/s3_lib.c')
| -rw-r--r-- | crypto/openssl/ssl/s3_lib.c | 34 |
1 files changed, 19 insertions, 15 deletions
diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index 64793d6..f846cb5 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c @@ -3206,13 +3206,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); return (ret); } - if (!(s->options & SSL_OP_SINGLE_DH_USE)) { - if (!DH_generate_key(dh)) { - DH_free(dh); - SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); - return (ret); - } - } if (s->cert->dh_tmp != NULL) DH_free(s->cert->dh_tmp); s->cert->dh_tmp = dh; @@ -3263,6 +3256,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { + size_t len; + if (s->tlsext_hostname != NULL) OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; @@ -3270,7 +3265,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; if (parg == NULL) break; - if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { + len = strlen((char *)parg); + if (len == 0 || len > TLSEXT_MAXLEN_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } @@ -3710,13 +3706,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); return 0; } - if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) { - if (!DH_generate_key(new)) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); - DH_free(new); - return 0; - } - } if (cert->dh_tmp != NULL) DH_free(cert->dh_tmp); cert->dh_tmp = new; @@ -4337,6 +4326,21 @@ int ssl3_shutdown(SSL *s) } #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { + if (SSL_in_init(s)) { + /* + * We can't shutdown properly if we are in the middle of a + * handshake. Doing so is problematic because the peer may send a + * CCS before it acts on our close_notify. However we should not + * continue to process received handshake messages or CCS once our + * close_notify has been sent. Therefore any close_notify from + * the peer will be unreadable because we have not moved to the next + * cipher state. Its best just to avoid this can-of-worms. Return + * an error if we are wanting to wait for a close_notify from the + * peer and we are in init. + */ + SSLerr(SSL_F_SSL3_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT); + return -1; + } /* * If we are waiting for a close from our peer, we are closed */ |
