From c35453897494d2b488961f7a446b4df8e24c6f31 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Sun, 15 Jun 2014 22:21:10 +0200 Subject: Update OpenSSL to 1.0.1h --- main/openssl/ssl/ssl_lib.c | 39 ++++++++++++++++++++++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) (limited to 'main/openssl/ssl/ssl_lib.c') diff --git a/main/openssl/ssl/ssl_lib.c b/main/openssl/ssl/ssl_lib.c index 8d2c3a76..3de68a78 100644 --- a/main/openssl/ssl/ssl_lib.c +++ b/main/openssl/ssl/ssl_lib.c @@ -1403,6 +1403,10 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) p=buf; sk=s->session->ciphers; + + if (sk_SSL_CIPHER_num(sk) == 0) + return NULL; + for (i=0; iversion >= SSL3_VERSION && s->s3->in_read_app_data == 0 && /* cutthrough only applies to write() */ (SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* cutthrough enabled */ - SSL_get_cipher_bits(s, NULL) >= 128 && /* strong cipher choosen */ + ssl3_can_cutthrough(s) && /* cutthrough allowed */ s->s3->previous_server_finished_len == 0 && /* not a renegotiation handshake */ (s->state == SSL3_ST_CR_SESSION_TICKET_A || /* ready to write app-data*/ s->state == SSL3_ST_CR_FINISHED_A)); } +int ssl3_can_cutthrough(const SSL *s) + { + const SSL_CIPHER *c; + + /* require a strong enough cipher */ + if (SSL_get_cipher_bits(s, NULL) < 128) + return 0; + + /* require ALPN or NPN extension */ + if (!s->s3->alpn_selected +#ifndef OPENSSL_NO_NEXTPROTONEG + && !s->s3->next_proto_neg_seen +#endif + ) + { + return 0; + } + + /* require a forward-secret cipher */ + c = SSL_get_current_cipher(s); + if (!c || (c->algorithm_mkey != SSL_kEDH && + c->algorithm_mkey != SSL_kEECDH)) + { + return 0; + } + + return 1; + } + /* Allocates new EVP_MD_CTX and sets pointer to it into given pointer * vairable, freeing EVP_MD_CTX previously stored in that variable, if * any. If EVP_MD pointer is passed, initializes ctx with this md -- cgit v1.2.3