diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2015-06-16 14:44:29 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2015-06-23 22:24:09 +0100 |
commit | 124037fdc0571b5bd9022412348e9979a1726a31 (patch) | |
tree | 05ed987e95a605a9cbe076d047c1c4309d263ca5 /ssl/s3_clnt.c | |
parent | 74924dcb3802640d7e2ae2e80ca6515d0a53de7a (diff) | |
download | openssl-124037fdc0571b5bd9022412348e9979a1726a31.tar.gz |
Tidy up ssl3_digest_cached_records logic.
Rewrite ssl3_digest_cached_records handling. Only digest cached records
if digest array is NULL: this means it is safe to call
ssl3_digest_cached_records multiple times (subsequent calls are no op).
Remove flag TLS1_FLAGS_KEEP_HANDSHAKE instead only update handshake buffer
if digest array is NULL.
Add additional "keep" parameter to ssl3_digest_cached_records to indicate
if the handshake buffer should be retained after digesting cached records
(needed for TLS 1.2 client authentication).
Reviewed-by: Matt Caswell <matt@openssl.org>
Diffstat (limited to 'ssl/s3_clnt.c')
-rw-r--r-- | ssl/s3_clnt.c | 21 |
1 files changed, 6 insertions, 15 deletions
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 6b4c860350..a911bb154a 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1168,7 +1168,7 @@ int ssl3_get_server_hello(SSL *s) * Don't digest cached records if no sigalgs: we may need them for client * authentication. */ - if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s)) + if (!SSL_USE_SIGALGS(s) && !ssl3_digest_cached_records(s, 0)) goto f_err; /* lets get the compression algorithm */ /* COMPRESSION */ @@ -2030,10 +2030,8 @@ int ssl3_get_certificate_request(SSL *s) * If we get here we don't need any cached handshake records as we * wont be doing client auth. */ - if (s->s3->handshake_buffer) { - if (!ssl3_digest_cached_records(s)) - goto err; - } + if (!ssl3_digest_cached_records(s, 0)) + goto err; return (1); } @@ -3026,15 +3024,8 @@ int ssl3_send_client_verify(SSL *s) } s2n(u, p); n = u + 4; - /* - * For extended master secret we've already digested cached - * records. - */ - if (s->session->flags & SSL_SESS_FLAG_EXTMS) { - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; - } else if (!ssl3_digest_cached_records(s)) + /* Digest cached records and discard handshake buffer */ + if (!ssl3_digest_cached_records(s, 0)) goto err; } else #ifndef OPENSSL_NO_RSA @@ -3216,7 +3207,7 @@ int ssl3_send_client_certificate(SSL *s) return (1); } else { s->s3->tmp.cert_req = 2; - if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s)) { + if (!ssl3_digest_cached_records(s, 0)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); s->state = SSL_ST_ERR; return 0; |