summaryrefslogtreecommitdiffstats
path: root/lib/libssl/src/ssl/s3_pkt.c
diff options
context:
space:
mode:
authormarkus <markus@openbsd.org>2009-11-10 09:09:40 +0000
committermarkus <markus@openbsd.org>2009-11-10 09:09:40 +0000
commit66a15954f5845cbbe38e8561ce13fc3bb20b68b8 (patch)
treef53091c24474a6910d6836e46486845d29db1196 /lib/libssl/src/ssl/s3_pkt.c
parentfix typo: in the example use ``rate'' instead of ``sample_rate'', (diff)
downloadwireguard-openbsd-66a15954f5845cbbe38e8561ce13fc3bb20b68b8.tar.xz
wireguard-openbsd-66a15954f5845cbbe38e8561ce13fc3bb20b68b8.zip
pull Ben Lauries blind prefix injection fix for CVE-2009-3555 from
openssl 0.9.8l; crank minor version; ok djm@ deraadt@; initially from jsg@
Diffstat (limited to 'lib/libssl/src/ssl/s3_pkt.c')
-rw-r--r--lib/libssl/src/ssl/s3_pkt.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/libssl/src/ssl/s3_pkt.c b/lib/libssl/src/ssl/s3_pkt.c
index 9476dcddf6e..b98b84044fd 100644
--- a/lib/libssl/src/ssl/s3_pkt.c
+++ b/lib/libssl/src/ssl/s3_pkt.c
@@ -985,6 +985,7 @@ start:
if (SSL_is_init_finished(s) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
!s->s3->renegotiate)
{
ssl3_renegotiate(s);
@@ -1117,7 +1118,8 @@ start:
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
{
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
- !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
+ !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
+ (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
{
#if 0 /* worked only because C operator preferences are not as expected (and
* because this is not really needed for clients except for detecting
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.