diff options
| author |   markus <markus@openbsd.org> | 2003-09-30 21:30:28 +0000 |
|---|---|---|
| committer | markus <markus@openbsd.org> | 2003-09-30 21:30:28 +0000 |
| commit | 1a10cb15b15d0ef8ab498a0dafabf062fd8e9ad4 (patch) | |
| tree | ba3db069422f2e0f31839a9e0bebfafdbdbfd979 | |
| parent | sync (diff) | |
| download | wireguard-openbsd-1a10cb15b15d0ef8ab498a0dafabf062fd8e9ad4.tar.xz wireguard-openbsd-1a10cb15b15d0ef8ab498a0dafabf062fd8e9ad4.zip | |
more fixes from 0.9.7c, ok deraadt, cloder
| -rw-r--r-- | lib/libssl/s3_clnt.c | 1 | ||||
| -rw-r--r-- | lib/libssl/s3_srvr.c | 14 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s3_clnt.c | 1 | ||||
| -rw-r--r-- | lib/libssl/src/ssl/s3_srvr.c | 14 |
4 files changed, 22 insertions, 8 deletions
diff --git a/lib/libssl/s3_clnt.c b/lib/libssl/s3_clnt.c index b35d1b0107d..d51b60e3439 100644 --- a/lib/libssl/s3_clnt.c +++ b/lib/libssl/s3_clnt.c @@ -1768,6 +1768,7 @@ static int ssl3_send_client_verify(SSL *s) *(d++)=SSL3_MT_CERTIFICATE_VERIFY; l2n3(n,d); + s->state=SSL3_ST_CW_CERT_VRFY_B; s->init_num=(int)n+4; s->init_off=0; } diff --git a/lib/libssl/s3_srvr.c b/lib/libssl/s3_srvr.c index cd7b88eeb52..57f1d3f52a8 100644 --- a/lib/libssl/s3_srvr.c +++ b/lib/libssl/s3_srvr.c @@ -432,10 +432,11 @@ int ssl3_accept(SSL *s) if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; else { - /* could be sent for a DH cert, even if we - * have not asked for it :-) */ - ret=ssl3_get_client_certificate(s); - if (ret <= 0) goto end; + if (s->s3->tmp.cert_request) + { + ret=ssl3_get_client_certificate(s); + if (ret <= 0) goto end; + } s->init_num=0; s->state=SSL3_ST_SR_KEY_EXCH_A; } @@ -845,6 +846,9 @@ static int ssl3_get_client_hello(SSL *s) } /* TLS does not mind if there is extra stuff */ +#if 0 /* SSL 3.0 does not mind either, so we should disable this test + * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, + * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ if (s->version == SSL3_VERSION) { if (p < (d+n)) @@ -856,6 +860,7 @@ static int ssl3_get_client_hello(SSL *s) goto f_err; } } +#endif /* Given s->session->ciphers and SSL_get_ciphers, we must * pick a cipher */ @@ -1353,6 +1358,7 @@ static int ssl3_send_certificate_request(SSL *s) s->init_num += 4; #endif + s->state = SSL3_ST_SW_CERT_REQ_B; } /* SSL3_ST_SW_CERT_REQ_B */ diff --git a/lib/libssl/src/ssl/s3_clnt.c b/lib/libssl/src/ssl/s3_clnt.c index b35d1b0107d..d51b60e3439 100644 --- a/lib/libssl/src/ssl/s3_clnt.c +++ b/lib/libssl/src/ssl/s3_clnt.c @@ -1768,6 +1768,7 @@ static int ssl3_send_client_verify(SSL *s) *(d++)=SSL3_MT_CERTIFICATE_VERIFY; l2n3(n,d); + s->state=SSL3_ST_CW_CERT_VRFY_B; s->init_num=(int)n+4; s->init_off=0; } diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index cd7b88eeb52..57f1d3f52a8 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -432,10 +432,11 @@ int ssl3_accept(SSL *s) if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; else { - /* could be sent for a DH cert, even if we - * have not asked for it :-) */ - ret=ssl3_get_client_certificate(s); - if (ret <= 0) goto end; + if (s->s3->tmp.cert_request) + { + ret=ssl3_get_client_certificate(s); + if (ret <= 0) goto end; + } s->init_num=0; s->state=SSL3_ST_SR_KEY_EXCH_A; } @@ -845,6 +846,9 @@ static int ssl3_get_client_hello(SSL *s) } /* TLS does not mind if there is extra stuff */ +#if 0 /* SSL 3.0 does not mind either, so we should disable this test + * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, + * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ if (s->version == SSL3_VERSION) { if (p < (d+n)) @@ -856,6 +860,7 @@ static int ssl3_get_client_hello(SSL *s) goto f_err; } } +#endif /* Given s->session->ciphers and SSL_get_ciphers, we must * pick a cipher */ @@ -1353,6 +1358,7 @@ static int ssl3_send_certificate_request(SSL *s) s->init_num += 4; #endif + s->state = SSL3_ST_SW_CERT_REQ_B; } /* SSL3_ST_SW_CERT_REQ_B */ |