[openssl-commits] [openssl] master update
Kurt Roeckx
kurt at openssl.org
Mon Mar 23 20:17:15 UTC 2015
The branch master has been updated
via 4dcb4b91db26de8716c2f43ffb710175fc3279fc (commit)
via 93f1c13619c5b41f2dcfdbf6ae666f867922a87a (commit)
via 24a0d3933d24059942a3cf99695d486c8fadd576 (commit)
from 06e6aa47de1b4da912069eef2e3458952ac79335 (commit)
- Log -----------------------------------------------------------------
commit 4dcb4b91db26de8716c2f43ffb710175fc3279fc
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sun Mar 15 00:26:26 2015 +0100
return unexpected message when receiving kx with kDHr or kDHd
It was saying that it was an illegal parameter / unsupported cipher
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 93f1c13619c5b41f2dcfdbf6ae666f867922a87a
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Sat Mar 14 23:23:26 2015 +0100
Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.
Reviewed-by: Matt Caswell <matt at openssl.org>
commit 24a0d3933d24059942a3cf99695d486c8fadd576
Author: Kurt Roeckx <kurt at roeckx.be>
Date: Wed Mar 18 19:02:50 2015 +0100
Make sure that cert is never NULL
Also removes for it being NULL
Reviewed-by: Matt Caswell <matt at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/d1_srvr.c | 6 +-----
ssl/s3_clnt.c | 5 -----
ssl/s3_srvr.c | 4 ----
ssl/ssl.h | 1 -
ssl/ssl_err.c | 2 --
ssl/ssl_lib.c | 47 +++++++++++++++++++----------------------------
6 files changed, 20 insertions(+), 45 deletions(-)
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 24361ae..b55af35 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -199,10 +199,6 @@ int dtls1_accept(SSL *s)
s->in_handshake, NULL);
#endif
- if (s->cert == NULL) {
- SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
- return (-1);
- }
#ifndef OPENSSL_NO_HEARTBEATS
/*
* If we're awaiting a HeartbeatResponse, pretend we already got and
@@ -488,7 +484,7 @@ int dtls1_accept(SSL *s)
#ifndef OPENSSL_NO_PSK
|| ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
#endif
- || (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd))
+ || (alg_k & SSL_kDHE)
|| (alg_k & SSL_kECDHE)
|| ((alg_k & SSL_kRSA)
&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 81381ef..f4b60be 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1722,11 +1722,6 @@ int ssl3_get_key_exchange(SSL *s)
s->session->sess_cert->peer_dh_tmp = dh;
dh = NULL;
- } else if ((alg_k & SSL_kDHr) || (alg_k & SSL_kDHd)) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
- SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER);
- goto f_err;
}
#endif /* !OPENSSL_NO_DH */
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index ccccd54..0efe3dd 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -231,10 +231,6 @@ int ssl3_accept(SSL *s)
return -1;
}
- if (s->cert == NULL) {
- SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_NO_CERTIFICATE_SET);
- return (-1);
- }
#ifndef OPENSSL_NO_HEARTBEATS
/*
* If we're awaiting a HeartbeatResponse, pretend we already got and
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 3a6f9fb..dec3abc 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -2387,7 +2387,6 @@ void ERR_load_SSL_strings(void);
# define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
# define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
# define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
-# define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
# define SSL_R_UNABLE_TO_DECODE_DH_CERTS 236
# define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS 313
# define SSL_R_UNABLE_TO_FIND_DH_PARAMETERS 238
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 75ca684..5792906 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -665,8 +665,6 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
"tls peer did not respond with certificate list"},
{ERR_REASON(SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG),
"tls rsa encrypted value length is wrong"},
- {ERR_REASON(SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER),
- "tried to use unsupported cipher"},
{ERR_REASON(SSL_R_UNABLE_TO_DECODE_DH_CERTS), "unable to decode dh certs"},
{ERR_REASON(SSL_R_UNABLE_TO_DECODE_ECDH_CERTS),
"unable to decode ecdh certs"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 0c9f4f7..54974df 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -883,8 +883,6 @@ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
*/
void SSL_copy_session_id(SSL *t, const SSL *f)
{
- CERT *tmp;
-
/* Do we need to to SSL locking? */
if(!SSL_set_session(t, SSL_get_session(f))) {
/* How do we handle this!! void function */
@@ -900,14 +898,9 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
t->method->ssl_new(t); /* setup new */
}
- tmp = t->cert;
- if (f->cert != NULL) {
- CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
- t->cert = f->cert;
- } else
- t->cert = NULL;
- if (tmp != NULL)
- ssl_cert_free(tmp);
+ CRYPTO_add(&f->cert->references, 1, CRYPTO_LOCK_SSL_CERT);
+ ssl_cert_free(t->cert);
+ t->cert = f->cert;
if(!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) {
/* Really should do something about this..but void function - ignore */
;
@@ -918,7 +911,7 @@ void SSL_copy_session_id(SSL *t, const SSL *f)
int SSL_CTX_check_private_key(const SSL_CTX *ctx)
{
if ((ctx == NULL) ||
- (ctx->cert == NULL) || (ctx->cert->key->x509 == NULL)) {
+ (ctx->cert->key->x509 == NULL)) {
SSLerr(SSL_F_SSL_CTX_CHECK_PRIVATE_KEY,
SSL_R_NO_CERTIFICATE_ASSIGNED);
return (0);
@@ -939,10 +932,6 @@ int SSL_check_private_key(const SSL *ssl)
SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
return (0);
}
- if (ssl->cert == NULL) {
- SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED);
- return 0;
- }
if (ssl->cert->key->x509 == NULL) {
SSLerr(SSL_F_SSL_CHECK_PRIVATE_KEY, SSL_R_NO_CERTIFICATE_ASSIGNED);
return (0);
@@ -3055,26 +3044,28 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
{
- CERT *ocert = ssl->cert;
+ CERT *new_cert;
if (ssl->ctx == ctx)
return ssl->ctx;
#ifndef OPENSSL_NO_TLSEXT
if (ctx == NULL)
ctx = ssl->initial_ctx;
#endif
- ssl->cert = ssl_cert_dup(ctx->cert);
- if (ocert) {
- /* Preserve any already negotiated parameters */
- if (ssl->server) {
- ssl->cert->peer_sigalgs = ocert->peer_sigalgs;
- ssl->cert->peer_sigalgslen = ocert->peer_sigalgslen;
- ocert->peer_sigalgs = NULL;
- ssl->cert->ciphers_raw = ocert->ciphers_raw;
- ssl->cert->ciphers_rawlen = ocert->ciphers_rawlen;
- ocert->ciphers_raw = NULL;
- }
- ssl_cert_free(ocert);
+ new_cert = ssl_cert_dup(ctx->cert);
+ if (new_cert == NULL) {
+ return NULL;
}
+ /* Preserve any already negotiated parameters */
+ if (ssl->server) {
+ new_cert->peer_sigalgs = ssl->cert->peer_sigalgs;
+ new_cert->peer_sigalgslen = ssl->cert->peer_sigalgslen;
+ ssl->cert->peer_sigalgs = NULL;
+ new_cert->ciphers_raw = ssl->cert->ciphers_raw;
+ new_cert->ciphers_rawlen = ssl->cert->ciphers_rawlen;
+ ssl->cert->ciphers_raw = NULL;
+ }
+ ssl_cert_free(ssl->cert);
+ ssl->cert = new_cert;
/*
* Program invariant: |sid_ctx| has fixed size (SSL_MAX_SID_CTX_LENGTH),
More information about the openssl-commits
mailing list