diff options
| author | guenther <> | 2014-04-16 15:10:07 +0000 |
|---|---|---|
| committer | guenther <> | 2014-04-16 15:10:07 +0000 |
| commit | 07d70e2f624616050545c4fb6f6ba748c12b342e (patch) | |
| tree | cd6b7bd17edfb25d9928b1c38f811f45391e4e97 /src/lib/libssl/s23_srvr.c | |
| parent | 0e08f2db38e867e26107d9826aa489a211882fb1 (diff) | |
| download | openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.gz openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.bz2 openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.zip | |
Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.
ok tedu@ beck@
Diffstat (limited to 'src/lib/libssl/s23_srvr.c')
| -rw-r--r-- | src/lib/libssl/s23_srvr.c | 19 |
1 files changed, 12 insertions, 7 deletions
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index a6062667a0..35651183b7 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c | |||
| @@ -118,8 +118,8 @@ | |||
| 118 | 118 | ||
| 119 | static const SSL_METHOD *ssl23_get_server_method(int ver); | 119 | static const SSL_METHOD *ssl23_get_server_method(int ver); |
| 120 | int ssl23_get_client_hello(SSL *s); | 120 | int ssl23_get_client_hello(SSL *s); |
| 121 | static const SSL_METHOD | 121 | static const SSL_METHOD * |
| 122 | *ssl23_get_server_method(int ver) | 122 | ssl23_get_server_method(int ver) |
| 123 | { | 123 | { |
| 124 | if (ver == SSL3_VERSION) | 124 | if (ver == SSL3_VERSION) |
| 125 | return (SSLv3_server_method()); | 125 | return (SSLv3_server_method()); |
| @@ -402,7 +402,8 @@ ssl23_get_client_hello(SSL *s) | |||
| 402 | 402 | ||
| 403 | ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2); | 403 | ssl3_finish_mac(s, s->packet + 2, s->packet_length - 2); |
| 404 | if (s->msg_callback) | 404 | if (s->msg_callback) |
| 405 | s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, s->packet_length-2, s, s->msg_callback_arg); /* CLIENT-HELLO */ | 405 | s->msg_callback(0, SSL2_VERSION, 0, s->packet + 2, |
| 406 | s->packet_length-2, s, s->msg_callback_arg); | ||
| 406 | 407 | ||
| 407 | p = s->packet; | 408 | p = s->packet; |
| 408 | p += 5; | 409 | p += 5; |
| @@ -410,11 +411,15 @@ ssl23_get_client_hello(SSL *s) | |||
| 410 | n2s(p, sil); | 411 | n2s(p, sil); |
| 411 | n2s(p, cl); | 412 | n2s(p, cl); |
| 412 | d = (unsigned char *)s->init_buf->data; | 413 | d = (unsigned char *)s->init_buf->data; |
| 413 | if ((csl + sil + cl + 11) != s->packet_length) /* We can't have TLS extensions in SSL 2.0 format | 414 | if ((csl + sil + cl + 11) != s->packet_length) |
| 414 | * Client Hello, can we ? Error condition should be | ||
| 415 | * '>' otherweise */ | ||
| 416 | { | 415 | { |
| 417 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH); | 416 | /* |
| 417 | * We can't have TLS extensions in SSL 2.0 format | ||
| 418 | * Client Hello, can we ? Error condition should be | ||
| 419 | * '>' otherwise | ||
| 420 | */ | ||
| 421 | SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, | ||
| 422 | SSL_R_RECORD_LENGTH_MISMATCH); | ||
| 418 | goto err; | 423 | goto err; |
| 419 | } | 424 | } |
| 420 | 425 | ||