diff options
Diffstat (limited to 'freebsd/crypto/openssl/ssl/statem/statem_lib.c')
-rw-r--r-- | freebsd/crypto/openssl/ssl/statem/statem_lib.c | 63 |
1 files changed, 26 insertions, 37 deletions
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_lib.c b/freebsd/crypto/openssl/ssl/statem/statem_lib.c index e8c96f27..70ff8dbd 100644 --- a/freebsd/crypto/openssl/ssl/statem/statem_lib.c +++ b/freebsd/crypto/openssl/ssl/statem/statem_lib.c @@ -1,7 +1,7 @@ #include <machine/rtems-bsd-user-space.h> /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -170,9 +170,19 @@ int tls_setup_handshake(SSL *s) static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, void **hdata, size_t *hdatalen) { +#ifdef CHARSET_EBCDIC + static const char *servercontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, + 0x69, 0x66, 0x79, 0x00 }; + static const char *clientcontext = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, + 0x69, 0x66, 0x79, 0x00 }; +#else static const char *servercontext = "TLS 1.3, server CertificateVerify"; static const char *clientcontext = "TLS 1.3, client CertificateVerify"; - +#endif if (SSL_IS_TLS13(s)) { size_t hashlen; @@ -398,7 +408,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) #ifdef SSL_DEBUG if (SSL_USE_SIGALGS(s)) - fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md)); + fprintf(stderr, "USING TLSv1.2 HASH %s\n", + md == NULL ? "n/a" : EVP_MD_name(md)); #endif /* Check for broken implementations of GOST ciphersuites */ @@ -441,7 +452,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } #ifdef SSL_DEBUG - fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md)); + fprintf(stderr, "Using client verify alg %s\n", + md == NULL ? "n/a" : EVP_MD_name(md)); #endif if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, @@ -614,13 +626,6 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) { unsigned int updatetype; - s->key_update_count++; - if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) { - SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE, - SSL_R_TOO_MANY_KEY_UPDATES); - return MSG_PROCESS_ERROR; - } - /* * A KeyUpdate message signals a key change so the end of the message must * be on a record boundary. @@ -652,12 +657,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) /* * If we get a request for us to update our sending keys too then, we need * to additionally send a KeyUpdate message. However that message should - * not also request an update (otherwise we get into an infinite loop). We - * ignore a request for us to update our sending keys too if we already - * sent close_notify. + * not also request an update (otherwise we get into an infinite loop). */ - if (updatetype == SSL_KEY_UPDATE_REQUESTED - && (s->shutdown & SSL_SENT_SHUTDOWN) == 0) + if (updatetype == SSL_KEY_UPDATE_REQUESTED) s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; if (!tls13_update_key(s, 0)) { @@ -1030,6 +1032,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) { void (*cb) (const SSL *ssl, int type, int val) = NULL; + int cleanuphand = s->statem.cleanuphand; if (clearbufs) { if (!SSL_IS_DTLS(s)) { @@ -1056,7 +1059,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) * Only set if there was a Finished message and this isn't after a TLSv1.3 * post handshake exchange */ - if (s->statem.cleanuphand) { + if (cleanuphand) { /* skipped if we just sent a HelloRequest */ s->renegotiate = 0; s->new_session = 0; @@ -1076,15 +1079,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) /* N.B. s->ctx may not equal s->session_ctx */ tsan_counter(&s->ctx->stats.sess_accept_good); s->handshake_func = ossl_statem_accept; - - if (SSL_IS_DTLS(s) && !s->hit) { - /* - * We are finishing after the client. We start the timer going - * in case there are any retransmits of our final flight - * required. - */ - dtls1_start_timer(s); - } } else { if (SSL_IS_TLS13(s)) { /* @@ -1106,15 +1100,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) s->handshake_func = ossl_statem_connect; tsan_counter(&s->session_ctx->stats.sess_connect_good); - - if (SSL_IS_DTLS(s) && s->hit) { - /* - * We are finishing after the server. We start the timer going - * in case there are any retransmits of our final flight - * required. - */ - dtls1_start_timer(s); - } } if (SSL_IS_DTLS(s)) { @@ -1134,8 +1119,12 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) /* The callback may expect us to not be in init at handshake done */ ossl_statem_set_in_init(s, 0); - if (cb != NULL) - cb(s, SSL_CB_HANDSHAKE_DONE, 1); + if (cb != NULL) { + if (cleanuphand + || !SSL_IS_TLS13(s) + || SSL_IS_FIRST_HANDSHAKE(s)) + cb(s, SSL_CB_HANDSHAKE_DONE, 1); + } if (!stop) { /* If we've got more work to do we go back into init */ |