Upgrade to OpenSSL 1.0.1h
sha1sum of distribution:
b2239599c8bf8f7fc48590a55205c26abe560bf8 openssl-1.0.1h.tar.gz
Bug: 15442813
Change-Id: I9abd00afcb7efb0e80b27bf7beade3c6dc511082
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 8d2c3a7..3de68a7 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1403,6 +1403,10 @@
p=buf;
sk=s->session->ciphers;
+
+ if (sk_SSL_CIPHER_num(sk) == 0)
+ return NULL;
+
for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
{
int n;
@@ -2671,6 +2675,10 @@
{
return(SSL_ERROR_WANT_X509_LOOKUP);
}
+ if ((i < 0) && SSL_want_channel_id_lookup(s))
+ {
+ return(SSL_ERROR_WANT_CHANNEL_ID_LOOKUP);
+ }
if (i == 0)
{
@@ -3419,12 +3427,41 @@
s->version >= SSL3_VERSION &&
s->s3->in_read_app_data == 0 && /* cutthrough only applies to write() */
(SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* cutthrough enabled */
- SSL_get_cipher_bits(s, NULL) >= 128 && /* strong cipher choosen */
+ ssl3_can_cutthrough(s) && /* cutthrough allowed */
s->s3->previous_server_finished_len == 0 && /* not a renegotiation handshake */
(s->state == SSL3_ST_CR_SESSION_TICKET_A || /* ready to write app-data*/
s->state == SSL3_ST_CR_FINISHED_A));
}
+int ssl3_can_cutthrough(const SSL *s)
+ {
+ const SSL_CIPHER *c;
+
+ /* require a strong enough cipher */
+ if (SSL_get_cipher_bits(s, NULL) < 128)
+ return 0;
+
+ /* require ALPN or NPN extension */
+ if (!s->s3->alpn_selected
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ && !s->s3->next_proto_neg_seen
+#endif
+ )
+ {
+ return 0;
+ }
+
+ /* require a forward-secret cipher */
+ c = SSL_get_current_cipher(s);
+ if (!c || (c->algorithm_mkey != SSL_kEDH &&
+ c->algorithm_mkey != SSL_kEECDH))
+ {
+ return 0;
+ }
+
+ return 1;
+ }
+
/* Allocates new EVP_MD_CTX and sets pointer to it into given pointer
* vairable, freeing EVP_MD_CTX previously stored in that variable, if
* any. If EVP_MD pointer is passed, initializes ctx with this md