Diffstat (limited to 'ssl')
-rw-r--r--ssl/d1_pkt.c5
-rw-r--r--ssl/d1_srvr.c16
-rw-r--r--ssl/s23_srvr.c6
-rw-r--r--ssl/s3_clnt.c22
-rw-r--r--ssl/s3_pkt.c2
-rw-r--r--ssl/s3_srvr.c18
-rw-r--r--ssl/ssl.h14
-rw-r--r--ssl/ssl_lib.c1
8 files changed, 43 insertions, 41 deletions
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index d12604e6573eb..bc478c240cc3f 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -595,8 +595,6 @@ again:
/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
i=rr->length;
n=ssl3_read_n(s,i,i,1);
- if (n <= 0) return(n); /* error or non-blocking io */
-
/* this packet contained a partial record, dump it */
if ( n != i)
{
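Review bot: With the early return gone, a negative n from ssl3_read_n (a genuine read error or a would-block, not just a short datagram) now falls into the `n != i` branch and is handled exactly like a truncated record, but the surviving comment only talks about partial records. If that is deliberate, say so where the next reader will look: `/* short read, would-block or error: treat the datagram as truncated, drop it and try the next one */`. The drop-and-retry body and the rest of dtls1_get_record lie outside this hunk, so I cannot see whether a persistent read error could make that retry spin rather than surface to the caller; worth confirming.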
@@ -626,7 +624,8 @@ again:
* would be dropped unnecessarily.
*/
if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
- *p == SSL3_MT_CLIENT_HELLO) &&
+ s->packet_length > DTLS1_RT_HEADER_LENGTH &&
+ s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) &&
! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
{
rr->length = 0;
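Review bot: The negated four-term conjunction now spans three lines with the bounds check buried in the middle, which makes it easy to misread which conditions skip the replay check. Hoisting the listen/ClientHello test into a named local keeps the `s->packet_length > DTLS1_RT_HEADER_LENGTH` guard (correct for indexing `s->packet[DTLS1_RT_HEADER_LENGTH]`) visible next to the read it protects: `int listen_client_hello = s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && s->packet_length > DTLS1_RT_HEADER_LENGTH && s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO;` followed by `if (!listen_client_hello && !dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))`. The enclosing function continues outside the hunk.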
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 0e6bf46c028b7..0e9bb204add7b 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -371,23 +371,11 @@ int dtls1_accept(SSL *s)
/* clear this, it may get reset by
* send_server_key_exchange */
- if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
- && !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
- )
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
- * even when forbidden by protocol specs
- * (handshake may fail as clients are not required to
- * be able to handle this) */
- s->s3->tmp.use_rsa_tmp=1;
- else
- s->s3->tmp.use_rsa_tmp=0;
+ s->s3->tmp.use_rsa_tmp=0;
/* only send if a DH key exchange, fortezza or
* RSA but we have a sign only certificate */
- if (s->s3->tmp.use_rsa_tmp
- || (l & (SSL_DH|SSL_kFZA))
+ if ((l & (SSL_DH|SSL_kFZA))
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
|| (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 3d0069baf3e2a..5486a3621dcbb 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -559,12 +559,14 @@ int ssl23_get_client_hello(SSL *s)
if ((type == 2) || (type == 3))
{
/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
- s->method = ssl23_get_server_method(s->version);
- if (s->method == NULL)
+ SSL_METHOD *new_method;
+ new_method = ssl23_get_server_method(s->version);
+ if (new_method == NULL)
{
SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
goto err;
}
+ s->method = new_method;
if (!ssl_init_wbio_buffer(s,1)) goto err;
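Review bot: The new code deliberately leaves s->method untouched when no server method matches, but nothing records why; presumably the error path and later SSL_free/SSL_clear still dispatch through s->method, so the old NULL store would have been dereferenced, which is exactly what a future "simplification" back to the one-liner would reintroduce. A short why-comment above the assignment guards against that: `/* never store NULL in s->method: the err path and teardown still dispatch through it */`. ssl23_get_client_hello and its err label continue outside the hunk.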
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4828937566939..3352e2d19a165 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s)
if (!ok) return((int)n);
+ alg=s->s3->tmp.new_cipher->algorithms;
+ EVP_MD_CTX_init(&md_ctx);
+
if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
{
+ /*
+ * Can't skip server key exchange if this is an ephemeral
+ * ciphersuite.
+ */
+ if (alg & (SSL_kEDH|SSL_kECDHE))
+ {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+ al = SSL_AD_UNEXPECTED_MESSAGE;
+ goto f_err;
+ }
s->s3->tmp.reuse_message=1;
return(1);
}
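Review bot: The new comment says the ServerKeyExchange cannot be skipped for ephemeral suites but not what goes wrong if it is, which is the part a maintainer needs before relaxing it; presumably the client would otherwise continue using the static key in the server certificate and silently lose forward secrecy. I would extend the comment: `* Without it the handshake would proceed on the static key from the server certificate, silently dropping the forward secrecy the suite promises.` Note also that md_ctx is now initialised before the `return(1)` on the reuse_message path, which skips whatever cleanup the later labels do; harmless as long as EVP_MD_CTX_init allocates nothing, but the rest of ssl3_get_key_exchange is outside the hunk so I cannot confirm that path.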
@@ -1162,13 +1175,18 @@ int ssl3_get_key_exchange(SSL *s)
/* Total length of the parameters including the length prefix */
param_len=0;
- alg=s->s3->tmp.new_cipher->algorithms;
- EVP_MD_CTX_init(&md_ctx);
al=SSL_AD_DECODE_ERROR;
#ifndef OPENSSL_NO_RSA
if (alg & SSL_kRSA)
{
+ /* Temporary RSA keys only allowed in export ciphersuites */
+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
if ((rsa=RSA_new()) == NULL)
{
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
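Review bot: The new rejection of a temporary RSA key in a non-export suite is the right check, but the comment states the rule without the threat, and the rule is exactly what someone will be tempted to loosen for interoperability; I would write `/* Temporary RSA keys only allowed in export ciphersuites: a server or MITM must not be able to replace the certificate key with a weaker ephemeral one in a non-export suite */`. Stylistically, this hunk sets `al` before calling SSLerr while the hunk above does the reverse; pick one order within the function. For the export case nothing visible here bounds the size of the temporary key, which may be handled further down in ssl3_get_key_exchange, outside the hunk.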
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index a3b45fba9dc1a..1adc30191138c 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -147,6 +147,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
* at once (as long as it fits into the buffer). */
if (SSL_version(s) == DTLS1_VERSION)
{
+ if (s->s3->rbuf.left == 0 && extend)
+ return 0;
if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left)
n = s->s3->rbuf.left;
}
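Review bot: The added early return encodes a DTLS rule that the hunk never states: with `extend` set and nothing buffered, the remainder of the record is not in this datagram, and ssl3_read_n must not pull in the next datagram to complete it. A comment makes that intent survive the next edit: `/* DTLS: a record never spans datagrams. With nothing buffered the extension cannot be satisfied; report 0 bytes so the caller drops the truncated record. */`. Callers that test `n <= 0` cannot tell this 0 from a would-block, which appears to be the intended behaviour for the DTLS path but is worth stating. ssl3_read_n continues outside the hunk.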
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index ca3e77aef668e..496ae80a250fd 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -355,18 +355,7 @@ int ssl3_accept(SSL *s)
/* clear this, it may get reset by
* send_server_key_exchange */
- if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
- && !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
- )
- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
- * even when forbidden by protocol specs
- * (handshake may fail as clients are not required to
- * be able to handle this) */
- s->s3->tmp.use_rsa_tmp=1;
- else
- s->s3->tmp.use_rsa_tmp=0;
+ s->s3->tmp.use_rsa_tmp=0;
/* only send if a DH key exchange, fortezza or
@@ -378,8 +367,7 @@ int ssl3_accept(SSL *s)
* server certificate contains the server's
* public key for key exchange.
*/
- if (s->s3->tmp.use_rsa_tmp
- || (l & SSL_kECDHE)
+ if ((l & SSL_kECDHE)
|| (l & (SSL_DH|SSL_kFZA))
|| ((l & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
@@ -2412,7 +2400,7 @@ int ssl3_get_cert_verify(SSL *s)
if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
{
s->s3->tmp.reuse_message=1;
- if ((peer != NULL) && (type | EVP_PKT_SIGN))
+ if (peer != NULL)
{
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
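Review bot: If `type` was only consumed by the removed `(type | EVP_PKT_SIGN)` test it is now an unused or write-only local in ssl3_get_cert_verify, which `-Wall` will flag; the rest of the function is outside the hunk, so check and drop it. The old expression used a bitwise OR and so was already always true whenever peer was non-NULL; the new form makes the policy explicit rather than changing it, and deserves a comment so the stricter rule is not mistaken for an accident: `/* any client that sent a certificate must also send CertificateVerify, whatever the key type */`.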
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 6435c5966dbf5..8420100cf01a6 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -526,9 +526,8 @@ typedef struct ssl_session_st
#define SSL_OP_SINGLE_ECDH_USE 0x00080000L
/* If set, always create a new key when using tmp_dh parameters */
#define SSL_OP_SINGLE_DH_USE 0x00100000L
-/* Set to always use the tmp_rsa key when doing RSA operations,
- * even when this violates protocol specs */
-#define SSL_OP_EPHEMERAL_RSA 0x00200000L
+/* Does nothing: retained for compatibiity */
+#define SSL_OP_EPHEMERAL_RSA 0x0
/* Set on servers to choose the cipher according to the server's
* preferences */
#define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
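Review bot: Redefining SSL_OP_EPHEMERAL_RSA to 0x0 frees bit 0x00200000L without marking it reserved; if a later option is assigned that bit, binaries built against the old header that still pass the old value through SSL_set_options() would silently enable the new option. Keep the bit off-limits in the header, e.g. `/* 0x00200000L was SSL_OP_EPHEMERAL_RSA; retained as a no-op, do not reuse the bit */`. The new comment also has a typo: `compatibiity` should read `compatibility`.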
@@ -564,8 +563,13 @@ typedef struct ssl_session_st
/* Don't attempt to automatically build certificate chain */
#define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
/* Send TLS_FALLBACK_SCSV in the ClientHello.
- * To be set by applications that reconnect with a downgraded protocol
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5db0b5276e3f1..542ab5a558499 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1401,6 +1401,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
goto err;
}
+ p += n;
continue;
}