authorTodd Short <tshort@akamai.com>2016-03-05 08:47:55 -0500
committerRich Salz <rsalz@openssl.org>2016-03-08 09:24:56 -0500
commit1316ca80f4e1dc9339572c780d495f995fe0bad0 (patch)
treeabf1a69887b37b2d85b2c69698cf58c002209107
parent892b9376b3f6e22ca7d7ea68e1402bf2e91035a9 (diff)
GH787: Fix ALPN
* Perform ALPN after the SNI callback; the SSL_CTX may change due to that processing * Add flags to indicate that we actually sent ALPN, to properly error out if unexpectedly received. * clean up ssl3_free() no need to explicitly clear when doing memset * document ALPN functions Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
-rw-r--r--CHANGES3
-rw-r--r--ssl/ssl_ciph.c14
2 files changed, 10 insertions, 7 deletions
diff --git a/CHANGES b/CHANGES
index 9f32b9a..a5217e4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,9 @@
[Todd Short]
*) Add SSL_CIPHER queries for authentication and key-exchange.
+
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
[Todd Short]
*) Changes to the DEFAULT cipherlist:
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 5059e93..b26e972 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -2012,8 +2012,8 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
const SSL_CIPHER *ssl_get_cipher_by_char(SSL *ssl, const unsigned char *ptr)
{
- const SSL_CIPHER *c;
- c = ssl->method->get_cipher_by_char(ptr);
+ const SSL_CIPHER *c = ssl->method->get_cipher_by_char(ptr);
+
if (c == NULL || c->valid == 0)
return NULL;
return c;
@@ -2037,10 +2037,8 @@ int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c)
int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
{
- int i;
- if (c == NULL)
- return NID_undef;
- i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+ int i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
+
if (i == -1)
return NID_undef;
return ssl_cipher_table_mac[i].nid;
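Review bot: With the `if (c == NULL) return NID_undef;` guard gone, SSL_CIPHER_get_digest_nid reads `c->algorithm_mac` unconditionally, so a caller that used to get NID_undef for a NULL cipher would now dereference NULL. No callers are visible here, so whether any of them pass NULL is unverified. SSL_CIPHER_get_kx_nid and SSL_CIPHER_get_auth_nid in the following hunks dereference `c` the same way; either keep the guard and add it to those two, or state the contract with a comment such as `/* c must not be NULL */` above all three getters. The CHANGES entry in this commit does not mention the behaviour change, and the function's closing brace lies outside the hunk.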
@@ -2049,6 +2047,7 @@ int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c)
int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
{
int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_mkey);
+
if (i == -1)
return NID_undef;
return ssl_cipher_table_kx[i].nid;
@@ -2056,7 +2055,8 @@ int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c)
int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c)
{
- int i = ssl_cipher_info_lookup(ssl_cipher_table_kx, c->algorithm_auth);
+ int i = ssl_cipher_info_lookup(ssl_cipher_table_auth, c->algorithm_auth);
+
if (i == -1)
return NID_undef;
return ssl_cipher_table_kx[i].nid;
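Review bot: The final return in SSL_CIPHER_get_auth_nid still reads `ssl_cipher_table_kx[i].nid`, although `i` is now an index into `ssl_cipher_table_auth`, so the function hands back a key-exchange NID for an authentication lookup. The line should be `return ssl_cipher_table_auth[i].nid;`. The table sizes are not visible in this hunk; if the auth table has more entries than the kx table, the current line could also index past the end of `ssl_cipher_table_kx`. The function's closing brace is outside the hunk.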