aboutsummaryrefslogtreecommitdiff
path: root/openssl/ssl/s3_srvr.c
diff options
context:
space:
mode:
authormarha <marha@users.sourceforge.net>2011-01-23 19:50:13 +0000
committermarha <marha@users.sourceforge.net>2011-01-23 19:50:13 +0000
commitb680cf39ed5bc37e0eb7eb86ad8599bf92df3f2b (patch)
tree4722cd31e41fdda28e5c2b37bdf8500d27868384 /openssl/ssl/s3_srvr.c
parent8cd59857a99c534c560f58c931f5c2466d4c1f9b (diff)
downloadvcxsrv-b680cf39ed5bc37e0eb7eb86ad8599bf92df3f2b.tar.gz
vcxsrv-b680cf39ed5bc37e0eb7eb86ad8599bf92df3f2b.tar.bz2
vcxsrv-b680cf39ed5bc37e0eb7eb86ad8599bf92df3f2b.zip
Updated to openssl-1.0.0c
Diffstat (limited to 'openssl/ssl/s3_srvr.c')
-rw-r--r--openssl/ssl/s3_srvr.c18
1 files changed, 15 insertions, 3 deletions
diff --git a/openssl/ssl/s3_srvr.c b/openssl/ssl/s3_srvr.c
index 92f73b668..514f72c97 100644
--- a/openssl/ssl/s3_srvr.c
+++ b/openssl/ssl/s3_srvr.c
@@ -985,6 +985,10 @@ int ssl3_get_client_hello(SSL *s)
break;
}
}
+/* Disabled because it can be used in a ciphersuite downgrade
+ * attack: CVE-2010-4180.
+ */
+#if 0
if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1))
{
/* Special case as client bug workaround: the previously used cipher may
@@ -999,6 +1003,7 @@ int ssl3_get_client_hello(SSL *s)
j = 1;
}
}
+#endif
if (j == 0)
{
/* we need to have the cipher in the cipher
@@ -2579,12 +2584,19 @@ int ssl3_get_client_key_exchange(SSL *s)
{
int ret = 0;
EVP_PKEY_CTX *pkey_ctx;
- EVP_PKEY *client_pub_pkey = NULL;
+ EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
unsigned char premaster_secret[32], *start;
- size_t outlen=32, inlen;
+ size_t outlen=32, inlen;
+ unsigned long alg_a;
/* Get our certificate private key*/
- pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);
+ alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ if (alg_a & SSL_aGOST94)
+ pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
+ else if (alg_a & SSL_aGOST01)
+ pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+
+ pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
EVP_PKEY_decrypt_init(pkey_ctx);
/* If client certificate is present and is of the same type, maybe
* use it for key exchange. Don't mind errors from