On Tue, 2015-08-11 at 19:36 +0100, Matt Caswell wrote: > There are some missing return value checks in the SCTP code. In master this > was causing a compilation failure when config'd with > "--strict-warnings sctp". > > Reviewed-by: Tim Hudson <[email protected]> > --- > ssl/d1_clnt.c | 16 ++++++++++++---- > ssl/d1_srvr.c | 18 +++++++++++++----- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c > index 566c154..d411614 100644 > --- a/ssl/d1_clnt.c > +++ b/ssl/d1_clnt.c > @@ -364,11 +364,15 @@ int dtls1_connect(SSL *s) > sizeof(DTLS1_SCTP_AUTH_LABEL), > DTLS1_SCTP_AUTH_LABEL); > > - SSL_export_keying_material(s, sctpauthkey, > + if (SSL_export_keying_material(s, sctpauthkey, > sizeof(sctpauthkey), > labelbuffer, > sizeof(labelbuffer), NULL, 0, > - 0); > + 0) <= 0) { > + ret = -1; > + s->state = SSL_ST_ERR; > + goto end; > + } > > BIO_ctrl(SSL_get_wbio(s), > BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
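Review bot: the new `<= 0` check around SSL_export_keying_material() in dtls1_connect treats the function's -1 return ("not supported for this protocol version") the same as 0 ("key derivation failed"), so any connection on a version the exporter refuses now ends in `ret = -1; s->state = SSL_ST_ERR; goto end;` rather than continuing as it did before. Since the SCTP-AUTH key is derived here only after a version has been negotiated, it is worth confirming that the exporter accepts every DTLS version this path can run with before making the result fatal; otherwise a return that was previously ignored becomes a hard handshake abort for those clients.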
This commit (d8e8590e) and its backport to 1.0.2 (b3a62dc0) have broken
OpenConnect when SCTP is enabled, because SSL_export_keying_material()
*does* fail there. Perhaps it shouldn't...
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 08e3673..6db4f3a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2231,7 +2231,7 @@ int SSL_export_keying_material(SSL *s, unsigned char
*out, size_t olen,
const unsigned char *p, size_t plen,
int use_context)
{
- if (s->version < TLS1_VERSION)
+ if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
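Review bot: the added exemption needs a comment explaining why DTLS1_BAD_VER is let past the `s->version < TLS1_VERSION` guard: its version number sorts below TLS1_VERSION even though it is a DTLS protocol built on the TLS 1.x key schedule, so a guard written to keep SSLv3 out also refuses it, and the `return -1` is exactly what the `<= 0` check in dtls1_connect now turns into a handshake failure. The commit message should also say that the method's `ssl3_enc->export_keying_material` callback is the TLS1 exporter for DTLS1_BAD_VER connections, since the change now routes them to it, and note that SSLv3 is still rejected as before.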
--
David Woodhouse Open Source Technology Centre
[email protected] Intel Corporation
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
