Import OpenSSL 1.1.1l

2021-08-26 19:30:20 +01:00
parent b439f09b29
commit b123b12c0d
104 changed files with 2011 additions and 524 deletions
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3753,6 +3753,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)

    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
+    sk = NULL;

    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
@@ -3767,7 +3768,6 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
     * Inconsistency alert: cert_chain does *not* include the peer's own
     * certificate, while we do include it in statem_clnt.c
     */
-    sk = NULL;

    /* Save the current hash state for when we receive the CertificateVerify */
    if (SSL_IS_TLS13(s)) {
@@ -4139,9 +4139,12 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
    }

    if (tctx->generate_ticket_cb != NULL &&
-        tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
+        tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) {
+        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
+                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+                 ERR_R_INTERNAL_ERROR);
        goto err;
-
+    }
    /*
     * If we are using anti-replay protection then we behave as if
     * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there