Security framework. (b362ccab) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

ssl/s23_clnt.c

+12 −2

Original line number	Diff line number	Diff line
		@@ -259,10 +259,13 @@ static int ssl23_no_ssl2_ciphers(SSL *s)
		SSL_CIPHER *cipher;
		STACK_OF(SSL_CIPHER) *ciphers;
		int i;
		ssl_set_client_disabled(s);
		ciphers = SSL_get_ciphers(s);
		for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++)
		{
		cipher = sk_SSL_CIPHER_value(ciphers, i);
		if (ssl_cipher_disabled(s, cipher, SSL_SECOP_CIPHER_SUPPORTED))
		continue;
		if (cipher->algorithm_ssl == SSL_SSLV2)
		return 0;
		}
		@@ -309,6 +312,8 @@ static int ssl23_client_hello(SSL *s)

		ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;

		if (ssl2_compat && !ssl_security(s, SSL_SECOP_SSL2_COMPAT, 0, 0, NULL))
		ssl2_compat = 0;
		if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
		ssl2_compat = 0;

		@@ -533,8 +538,7 @@ static int ssl23_client_hello(SSL *s)
		#ifdef OPENSSL_NO_COMP
		*(p++)=1;
		#else
		if ((s->options & SSL_OP_NO_COMPRESSION)
		\|\| !s->ctx->comp_methods)
		if (!ssl_allow_compression(s) \|\| !s->ctx->comp_methods)
		j=0;
		else
		j=sk_SSL_COMP_num(s->ctx->comp_methods);
		@@ -750,6 +754,12 @@ static int ssl23_get_server_hello(SSL *s)
		goto err;
		}

		if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
		{
		SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_VERSION_TOO_LOW);
		goto err;
		}

		if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
		{
		/* fatal alert */

+6 −0

Original line number	Diff line number	Diff line
		@@ -441,6 +441,12 @@ int ssl23_get_client_hello(SSL *s)
		}
		#endif

		if (!ssl_security(s, SSL_SECOP_VERSION, 0, s->version, NULL))
		{
		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_VERSION_TOO_LOW);
		goto err;
		}

		if (s->state == SSL23_ST_SR_CLNT_HELLO_B)
		{
		/* we have SSLv3/TLSv1 in an SSLv2 header

+6 −0

Original line number	Diff line number	Diff line
		@@ -1056,6 +1056,12 @@ int ssl2_set_certificate(SSL s, int type, int len, const unsigned char data)
		ERR_clear_error(); /* but we keep s->verify_result */
		s->session->verify_result = s->verify_result;

		if (i > 1)
		{
		SSLerr(SSL_F_SSL2_SET_CERTIFICATE, i);
		goto err;
		}

		/* server's cert for this session */
		sc=ssl_sess_cert_new();
		if (sc == NULL)

+6 −0

Original line number	Diff line number	Diff line
		@@ -1053,6 +1053,12 @@ static int request_certificate(SSL *s)

		i=ssl_verify_cert_chain(s,sk);

		if (i > 1)
		{
		SSLerr(SSL_F_REQUEST_CERTIFICATE, i);
		goto msg_end;
		}

		if (i > 0) /* we like the packet, now check the chksum */
		{
		EVP_MD_CTX ctx;

+9 −2

Original line number	Diff line number	Diff line
		@@ -695,7 +695,7 @@ int ssl3_setup_read_buffer(SSL *s)
		len += SSL3_RT_MAX_EXTRA;
		}
		#ifndef OPENSSL_NO_COMP
		if (!(s->options & SSL_OP_NO_COMPRESSION))
		if (ssl_allow_compression(s))
		len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
		#endif
		if ((p=freelist_extract(s->ctx, 1, len)) == NULL)
		@@ -732,7 +732,7 @@ int ssl3_setup_write_buffer(SSL *s)
		+ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD
		+ headerlen + align;
		#ifndef OPENSSL_NO_COMP
		if (!(s->options & SSL_OP_NO_COMPRESSION))
		if (ssl_allow_compression(s))
		len += SSL3_RT_MAX_COMPRESSED_OVERHEAD;
		#endif
		if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
		@@ -782,3 +782,10 @@ int ssl3_release_read_buffer(SSL *s)
		return 1;
		}

		int ssl_allow_compression(SSL *s)
		{
		if (s->options & SSL_OP_NO_COMPRESSION)
		return 0;
		return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
		}