aboutsummaryrefslogtreecommitdiff
path: root/ssl/statem
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2021-02-16 19:54:02 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2021-02-16 19:54:02 +0000
commit4f55bd5321b72491d4eff396e4928e9ab0706735 (patch)
tree46adf486ba58f712ebd071b5d2dbeda04c45833b /ssl/statem
parentc25134eb4f5842c16f8f372a1e28849794d70883 (diff)
downloadsrc-4f55bd5321b72491d4eff396e4928e9ab0706735.tar.gz
src-4f55bd5321b72491d4eff396e4928e9ab0706735.zip
Import OpenSSL 1.1.1j.vendor/openssl/1.1.1j
Diffstat (limited to 'ssl/statem')
-rw-r--r--ssl/statem/extensions.c5
-rw-r--r--ssl/statem/statem_clnt.c3
-rw-r--r--ssl/statem/statem_lib.c15
3 files changed, 17 insertions, 6 deletions
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index c785ab785d38..9f51a6eb28d9 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -966,7 +966,8 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
* context, to avoid the confusing situation of having sess_accept_good
* exceed sess_accept (zero) for the new context.
*/
- if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx) {
+ if (SSL_IS_FIRST_HANDSHAKE(s) && s->ctx != s->session_ctx
+ && s->hello_retry_request == SSL_HRR_NONE) {
tsan_counter(&s->ctx->stats.sess_accept);
tsan_decr(&s->session_ctx->stats.sess_accept);
}
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 3420ce65c7c7..d84cc0460f4e 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -1960,7 +1960,6 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
goto err;
}
}
- s->session->peer_type = certidx;
X509_free(s->session->peer);
X509_up_ref(x);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 364f77f08a4e..c3b6f8f4569a 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1504,8 +1504,8 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
/*
* Only called by servers. Returns 1 if the server has a TLSv1.3 capable
- * certificate type, or has PSK or a certificate callback configured. Otherwise
- * returns 0.
+ * certificate type, or has PSK or a certificate callback configured, or has
+ * a servername callback configured. Otherwise returns 0.
*/
static int is_tls13_capable(const SSL *s)
{
@@ -1515,6 +1515,17 @@ static int is_tls13_capable(const SSL *s)
EC_KEY *eckey;
#endif
+ if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
+ return 0;
+
+ /*
+ * A servername callback can change the available certs, so if a servername
+ * cb is set then we just assume TLSv1.3 will be ok
+ */
+ if (s->ctx->ext.servername_cb != NULL
+ || s->session_ctx->ext.servername_cb != NULL)
+ return 1;
+
#ifndef OPENSSL_NO_PSK
if (s->psk_server_callback != NULL)
return 1;