Diffstat (limited to 'ssl/statem/statem_clnt.c')
-rw-r--r-- | ssl/statem/statem_clnt.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index f1ed43abd3..e5b036390a 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1988,7 +1988,8 @@ WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, return WORK_ERROR; } - if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) { + if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx, + SSL_CONNECTION_GET_CTX(s))) == NULL) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); return WORK_ERROR; } @@ -2434,11 +2435,15 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt) MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, PACKET *pkt) { - size_t i; - /* Clear certificate validity flags */ - for (i = 0; i < SSL_PKEY_NUM; i++) - s->s3.tmp.valid_flags[i] = 0; + if (s->s3.tmp.valid_flags != NULL) + memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); + else + s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); + + /* Give up for good if allocation didn't work */ + if (s->s3.tmp.valid_flags == NULL) + return 0; if (SSL_CONNECTION_IS_TLS13(s)) { PACKET reqctx, extensions; @@ -3768,7 +3773,8 @@ int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s) return 1; /* This is the passed certificate */ - clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); + clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx, + SSL_CONNECTION_GET_CTX(s)); /* Check certificate is recognised and suitable for cipher */ if (clu == NULL || (alg_a & clu->amask) == 0) { |
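Review bot: The allocation-failure path added to tls_process_certificate_request ends in a bare `return 0;` with no SSLfatal() call, unlike the other error exits visible in this diff, which raise a fatal alert before returning. Assuming 0 maps to the error member of MSG_PROCESS_RETURN, the handshake does stop, but the failure is signalled by a magic number and the connection is not put into the error state explicitly; I would write `SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);` followed by `return MSG_PROCESS_ERROR;`. The memset on the reuse path also trusts that `s->ssl_pkey_num` still equals the count used when `valid_flags` was first allocated; nothing visible here establishes that, so a short comment stating the invariant (or a re-allocation when the count changes) would guard against writing past the buffer. The function body continues beyond the hunk.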