提交 c1ca9d32 编写于 作者: D Dr. Stephen Henson

Add Kerberos fix which was in 0.9.8-stable but never committed to HEAD and

1.0.0. Original fix was on 2007-Mar-09 and had the log message: "Fix kerberos
ciphersuite bugs introduced with PR:1336."
上级 48435b20
...@@ -350,6 +350,9 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx) ...@@ -350,6 +350,9 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
ok = 1; ok = 1;
case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
ok = 1;
} }
return ok; return ok;
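Review bot: The added `case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:` sets `ok = 1`, so this callback will accept a chain whose issuer certificate has a key usage that does not permit certificate signing. The commit message is about Kerberos ciphersuites and does not explain this relaxation, so it deserves a comment such as `/* deliberately continue when the issuer lacks keyCertSign */` or a commit of its own. As rendered, the preceding `X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION` case also falls into the new one with no `break;`, which is harmless while both assign `ok = 1` but is worth marking as intentional. The rest of `cb` lies outside the hunk, so it cannot be seen here whether the error is at least reported before being overridden.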
......
...@@ -981,7 +981,9 @@ int ssl3_get_server_certificate(SSL *s) ...@@ -981,7 +981,9 @@ int ssl3_get_server_certificate(SSL *s)
if (!ok) return((int)n); if (!ok) return((int)n);
if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
((s->s3->tmp.new_cipher->algorithms & SSL_aKRB5) &&
(s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
{ {
s->s3->tmp.reuse_message=1; s->s3->tmp.reuse_message=1;
return(1); return(1);
...@@ -2868,13 +2870,6 @@ int ssl3_check_cert_and_algorithm(SSL *s) ...@@ -2868,13 +2870,6 @@ int ssl3_check_cert_and_algorithm(SSL *s)
DH *dh; DH *dh;
#endif #endif
sc=s->session->sess_cert;
if (sc == NULL)
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
goto err;
}
alg_k=s->s3->tmp.new_cipher->algorithm_mkey; alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
alg_a=s->s3->tmp.new_cipher->algorithm_auth; alg_a=s->s3->tmp.new_cipher->algorithm_auth;
...@@ -2882,6 +2877,13 @@ int ssl3_check_cert_and_algorithm(SSL *s) ...@@ -2882,6 +2877,13 @@ int ssl3_check_cert_and_algorithm(SSL *s)
if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK)) if ((alg_a & (SSL_aDH|SSL_aNULL|SSL_aKRB5)) || (alg_k & SSL_kPSK))
return(1); return(1);
sc=s->session->sess_cert;
if (sc == NULL)
{
SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR);
goto err;
}
#ifndef OPENSSL_NO_RSA #ifndef OPENSSL_NO_RSA
rsa=s->session->sess_cert->peer_rsa_tmp; rsa=s->session->sess_cert->peer_rsa_tmp;
#endif #endif
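Review bot: The new Kerberos test in `ssl3_get_server_certificate` reads `s->s3->tmp.new_cipher->algorithms`, while `ssl3_check_cert_and_algorithm` in this same section takes the auth bits from `new_cipher->algorithm_auth` and tests `SSL_aKRB5` against those. Since the fix was ported from 0.9.8-stable, the field name looks carried over from the older cipher structure. If this branch has only the split fields, the line will not compile or will test the wrong mask, and it should read `((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&`. Because this branch lets the handshake continue without a server Certificate message, a short comment saying it applies only to Kerberos-authenticated suites would help. Both functions extend beyond the hunks shown.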
......
...@@ -2286,7 +2286,7 @@ int ssl3_get_client_key_exchange(SSL *s) ...@@ -2286,7 +2286,7 @@ int ssl3_get_client_key_exchange(SSL *s)
SSL_R_DATA_LENGTH_TOO_LONG); SSL_R_DATA_LENGTH_TOO_LONG);
goto err; goto err;
} }
if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) if (!((pms[0] == (s->client_version>>8)) && (pms[1] == (s->client_version & 0xff))))
{ {
/* The premaster secret must contain the same version number as the /* The premaster secret must contain the same version number as the
* ClientHello to detect version rollback attacks (strangely, the * ClientHello to detect version rollback attacks (strangely, the
...@@ -2296,8 +2296,7 @@ int ssl3_get_client_key_exchange(SSL *s) ...@@ -2296,8 +2296,7 @@ int ssl3_get_client_key_exchange(SSL *s)
* If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients. * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such clients.
* (Perhaps we should have a separate BUG value for the Kerberos cipher) * (Perhaps we should have a separate BUG value for the Kerberos cipher)
*/ */
if (!((s->options & SSL_OP_TLS_ROLLBACK_BUG) && if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
{ {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
SSL_AD_DECODE_ERROR); SSL_AD_DECODE_ERROR);
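Review bot: With `SSL_OP_TLS_ROLLBACK_BUG` set, the rewritten inner test `if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG))` accepts any two leading bytes in `pms`, where the old condition still required them to equal `s->version`. The option therefore becomes a full bypass of the version-rollback check for this key exchange rather than a tolerance for one specific client quirk. If that looser behaviour is intended, the comment should say so, e.g. `/* with SSL_OP_TLS_ROLLBACK_BUG the version bytes are not checked at all */`. Otherwise keep `(pms[0] == (s->version>>8)) && (pms[1] == (s->version & 0xff))` in the condition. Part of the explanatory comment and the rest of the function lie outside the hunks shown.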
......