On Tue, 2015-08-11 at 19:36 +0100, Matt Caswell wrote: > There are some missing return value checks in the SCTP code. In master this > was causing a compilation failure when config'd with > "--strict-warnings sctp". > > Reviewed-by: Tim Hudson <t...@openssl.org> > --- > ssl/d1_clnt.c | 16 ++++++++++++---- > ssl/d1_srvr.c | 18 +++++++++++++----- > 2 files changed, 25 insertions(+), 9 deletions(-) > > diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c > index 566c154..d411614 100644 > --- a/ssl/d1_clnt.c > +++ b/ssl/d1_clnt.c > @@ -364,11 +364,15 @@ int dtls1_connect(SSL *s) > sizeof(DTLS1_SCTP_AUTH_LABEL), > DTLS1_SCTP_AUTH_LABEL); > > - SSL_export_keying_material(s, sctpauthkey, > + if (SSL_export_keying_material(s, sctpauthkey, > sizeof(sctpauthkey), > labelbuffer, > sizeof(labelbuffer), NULL, 0, > - 0); > + 0) <= 0) { > + ret = -1; > + s->state = SSL_ST_ERR; > + goto end; > + } > > BIO_ctrl(SSL_get_wbio(s), > BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
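Review bot: the new `<= 0` test on SSL_export_keying_material() turns every non-positive return into a handshake abort, including the `return -1` the exporter uses to refuse a protocol version it does not support, so the SCTP path now fails hard on any version the exporter rejects rather than silently continuing with an unset key as before; the error path (`ret = -1; s->state = SSL_ST_ERR; goto end;`) also puts nothing on the error queue, so a caller cannot tell this failure from any other connect failure. Consider an SSLerr() with a descriptive reason code in that branch, and the same for the matching hunks in d1_srvr.c that the diffstat lists but this quote does not show.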
This commit (d8e8590e) and its backport to 1.0.2 (b3a62dc0) have broken OpenConnect when SCTP is enabled, because SSL_export_keying_material() *does* fail there. Perhaps it shouldn't... diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 08e3673..6db4f3a 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2231,7 +2231,7 @@ int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, const unsigned char *p, size_t plen, int use_context) { - if (s->version < TLS1_VERSION) + if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER) return -1; return s->method->ssl3_enc->export_keying_material(s, out, olen, label, -- David Woodhouse Open Source Technology Centre david.woodho...@intel.com Intel Corporation
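Review bot: the carve-out `s->version != DTLS1_BAD_VER` needs a comment in the hunk explaining why one version numerically below TLS1_VERSION is let through, because the surrounding guard reads as "exporter is TLS 1.0 and later" and the exemption looks like a mistake without it. The call that follows still dispatches through s->method->ssl3_enc->export_keying_material, so the change is only safe if the method table used for DTLS1_BAD_VER actually provides that function, which this hunk cannot show; worth stating in the commit message, which is also missing along with a Reviewed-by line, and the 1.0.2 backport (b3a62dc0) named in the message needs the same fix.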
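The guard the thread argues about compares s->version against TLS1_VERSION, and the surprising part is that standard DTLS passes it while the pre-standard DTLS variant OpenConnect speaks does not. The following is an added example, not OpenSSL's code or David's patch: it reimplements the before and after form of the version guard on its own and evaluates both against the relevant version numbers. The constants are assumed to mirror the values in OpenSSL's ssl3.h, tls1.h and dtls1.h headers (not included, so the file builds stand-alone).

```c
#include <stdio.h>

/* Version constants, assumed to mirror OpenSSL's headers (not included here).
 * Standard DTLS versions are encoded as the one's complement of the TLS
 * version they correspond to, so they sort *above* every TLS version, while
 * the pre-standard DTLS1_BAD_VER is a small number that sorts below SSLv3. */
#define SSL3_VERSION    0x0300
#define TLS1_VERSION    0x0301
#define TLS1_2_VERSION  0x0303
#define DTLS1_VERSION   0xFEFF   /* DTLS 1.0 */
#define DTLS1_2_VERSION 0xFEFD   /* DTLS 1.2 */
#define DTLS1_BAD_VER   0x0100   /* pre-standard DTLS used by OpenConnect */

/* Guard as it stood before the ssl_lib.c change quoted in the thread:
 * anything numerically below TLS 1.0 is refused the keying-material exporter.
 * Returns 1 if the exporter would run, 0 if it would return -1. */
int exporter_allowed_old(int version)
{
    return !(version < TLS1_VERSION);
}

/* Guard after the change: DTLS1_BAD_VER is carved out explicitly, while
 * SSLv3 (which has no exporter) is still refused. */
int exporter_allowed_new(int version)
{
    return !(version < TLS1_VERSION && version != DTLS1_BAD_VER);
}

int main(void)
{
    /* Constructed table of the versions a DTLS/TLS stack is likely to see. */
    const struct { const char *name; int ver; } cases[] = {
        { "SSL3_VERSION",    SSL3_VERSION },
        { "TLS1_VERSION",    TLS1_VERSION },
        { "TLS1_2_VERSION",  TLS1_2_VERSION },
        { "DTLS1_VERSION",   DTLS1_VERSION },
        { "DTLS1_2_VERSION", DTLS1_2_VERSION },
        { "DTLS1_BAD_VER",   DTLS1_BAD_VER },
    };
    size_t i;

    printf("%-16s %-6s %-4s %-4s\n", "version", "value", "old", "new");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-16s 0x%04X %-4d %-4d\n", cases[i].name, cases[i].ver,
               exporter_allowed_old(cases[i].ver),
               exporter_allowed_new(cases[i].ver));
    }
    return 0;
}
```

Running it shows that DTLS 1.0 and 1.2 were never affected by the original guard because their version numbers are larger than any TLS version, and that only DTLS1_BAD_VER flips from refused to allowed after the change; SSLv3 stays refused under both forms.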
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev