summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s23_srvr.c
diff options
context:
space:
mode:
authorguenther <>2014-04-16 15:10:07 +0000
committerguenther <>2014-04-16 15:10:07 +0000
commite99c4231309dcede4f056c21685507d8f0400bb4 (patch)
treecd6b7bd17edfb25d9928b1c38f811f45391e4e97 /src/lib/libssl/s23_srvr.c
parent0dc5f46224428f0ddf61596a00e25ce0e1ba18d4 (diff)
downloadopenbsd-e99c4231309dcede4f056c21685507d8f0400bb4.tar.gz
openbsd-e99c4231309dcede4f056c21685507d8f0400bb4.tar.bz2
openbsd-e99c4231309dcede4f056c21685507d8f0400bb4.zip
Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It also kills the bits for SSL2 SESSIONs; even when the server gets an SSLv2-style compat handshake, the session that it creates has the correct version internally. ok tedu@ beck@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s23_srvr.c19
1 files changed, 12 insertions, 7 deletions
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index a6062667a0..35651183b7 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -118,8 +118,8 @@
118 118
119static const SSL_METHOD *ssl23_get_server_method(int ver); 119static const SSL_METHOD *ssl23_get_server_method(int ver);
120int ssl23_get_client_hello(SSL *s); 120int ssl23_get_client_hello(SSL *s);
121static const SSL_METHOD 121static const SSL_METHOD *
122*ssl23_get_server_method(int ver) 122ssl23_get_server_method(int ver)
123{ 123{
124 if (ver == SSL3_VERSION) 124 if (ver == SSL3_VERSION)
125 return (SSLv3_server_method()); 125 return (SSLv3_server_method());
@@ -402,7 +402,8 @@ ssl23_get_client_hello(SSL *s)
402 402
403 ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2); 403 ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2);
404 if (s->msg_callback) 404 if (s->msg_callback)
405 s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */ 405 s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2,
406 s->packet_length-2, s, s->msg_callback_arg);
406 407
407 p = s->packet; 408 p = s->packet;
408 p += 5; 409 p += 5;
@@ -410,11 +411,15 @@ ssl23_get_client_hello(SSL *s)
410 n2s(p, sil); 411 n2s(p, sil);
411 n2s(p, cl); 412 n2s(p, cl);
412 d = (unsigned char *)s->init_buf->data; 413 d = (unsigned char *)s->init_buf->data;
413 if ((csl + sil + cl + 11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format 414 if ((csl + sil + cl + 11) != s->packet_length)
414 * Client Hello, can we ? Error condition should be
415 * '>' otherweise */
416 { 415 {
417 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH); 416 /*
417 * We can't have TLS extensions in SSL 2.0 format
418 * Client Hello, can we ? Error condition should be
419 * '>' otherwise
420 */
421 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,
422 SSL_R_RECORD_LENGTH_MISMATCH);
418 goto err; 423 goto err;
419 } 424 }
420 425
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-19 23:12:55 +0000