summaryrefslogtreecommitdiff
path: root/app/openssl/ssl/ssl_lib.c
diff options
context:
space:
mode:
authorParménides GV <parmegv@sdf.org>2014-09-23 18:10:57 +0200
committerParménides GV <parmegv@sdf.org>2014-09-23 18:10:57 +0200
commitd0e7ba3029b2fd42582413aa95773fe7dbdede90 (patch)
tree733b8601d6e3a070fc54bde280526e16d0c69507 /app/openssl/ssl/ssl_lib.c
parent248ce016ac2f33df9673e90277733abfd854f27d (diff)
Updated native subprojects from ics-openvpn.
Diffstat (limited to 'app/openssl/ssl/ssl_lib.c')
-rw-r--r--app/openssl/ssl/ssl_lib.c39
1 files changed, 38 insertions, 1 deletions
diff --git a/app/openssl/ssl/ssl_lib.c b/app/openssl/ssl/ssl_lib.c
index 8d2c3a76..3de68a78 100644
--- a/app/openssl/ssl/ssl_lib.c
+++ b/app/openssl/ssl/ssl_lib.c
@@ -1403,6 +1403,10 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
p=buf;
sk=s->session->ciphers;
+
+ if (sk_SSL_CIPHER_num(sk) == 0)
+ return NULL;
+
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
int n;
@@ -2671,6 +2675,10 @@ int SSL_get_error(const SSL *s,int i)
{
return(SSL_ERROR_WANT_X509_LOOKUP);
}
+ if ((i < 0) && SSL_want_channel_id_lookup(s))
+ {
+ return(SSL_ERROR_WANT_CHANNEL_ID_LOOKUP);
+ }
if (i == 0)
{
@@ -3419,12 +3427,41 @@ int SSL_cutthrough_complete(const SSL *s)
s->version >= SSL3_VERSION &&
s->s3->in_read_app_data == 0 && /* cutthrough only applies to write() */
(SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* cutthrough enabled */
- SSL_get_cipher_bits(s, NULL) >= 128 && /* strong cipher choosen */
+ ssl3_can_cutthrough(s) && /* cutthrough allowed */
s->s3->previous_server_finished_len == 0 && /* not a renegotiation handshake */
(s->state == SSL3_ST_CR_SESSION_TICKET_A || /* ready to write app-data*/
s->state == SSL3_ST_CR_FINISHED_A));
}
+int ssl3_can_cutthrough(const SSL *s)
+ {
+ const SSL_CIPHER *c;
+
+ /* require a strong enough cipher */
+ if (SSL_get_cipher_bits(s, NULL) < 128)
+ return 0;
+
+ /* require ALPN or NPN extension */
+ if (!s->s3->alpn_selected
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ && !s->s3->next_proto_neg_seen
+#endif
+ )
+ {
+ return 0;
+ }
+
+ /* require a forward-secret cipher */
+ c = SSL_get_current_cipher(s);
+ if (!c || (c->algorithm_mkey != SSL_kEDH &&
+ c->algorithm_mkey != SSL_kEECDH))
+ {
+ return 0;
+ }
+
+ return 1;
+ }
+
/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
* vairable, freeing EVP_MD_CTX previously stored in that variable, if
* any. If EVP_MD pointer is passed, initializes ctx with this md