summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_clnt.c
diff options
context:
space:
mode:
authorjsing <>2017-01-26 05:31:25 +0000
committerjsing <>2017-01-26 05:31:25 +0000
commit7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd (patch)
tree4e54623d2ff33c8bd1295cf166bf8253188d9d34 /src/lib/libssl/s3_clnt.c
parentfdf235a2a4a2ffd3c42bc4f501e4a86848af719c (diff)
downloadopenbsd-7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd.tar.gz
openbsd-7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd.tar.bz2
openbsd-7ba6d48018c99e9b4a6d3f810b4c03e4365bdebd.zip
Merge the client/server version negotiation into the existing (currently
fixed version) client/server code. ok beck@
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/s3_clnt.c36
1 files changed, 33 insertions, 3 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 0600e7519e..13915c2439 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s3_clnt.c,v 1.174 2017/01/24 15:11:55 jsing Exp $ */ 1/* $OpenBSD: s3_clnt.c,v 1.175 2017/01/26 05:31:25 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -587,6 +587,7 @@ int
587ssl3_client_hello(SSL *s) 587ssl3_client_hello(SSL *s)
588{ 588{
589 unsigned char *bufend, *p, *d; 589 unsigned char *bufend, *p, *d;
590 uint16_t max_version;
590 size_t outlen; 591 size_t outlen;
591 int i; 592 int i;
592 593
@@ -595,6 +596,13 @@ ssl3_client_hello(SSL *s)
595 if (s->internal->state == SSL3_ST_CW_CLNT_HELLO_A) { 596 if (s->internal->state == SSL3_ST_CW_CLNT_HELLO_A) {
596 SSL_SESSION *sess = s->session; 597 SSL_SESSION *sess = s->session;
597 598
599 if (ssl_supported_version_range(s, NULL, &max_version) != 1) {
600 SSLerr(SSL_F_SSL3_CLIENT_HELLO,
601 SSL_R_NO_PROTOCOLS_AVAILABLE);
602 return (-1);
603 }
604 s->client_version = s->version = max_version;
605
598 if ((sess == NULL) || 606 if ((sess == NULL) ||
599 (sess->ssl_version != s->version) || 607 (sess->ssl_version != s->version) ||
600 (!sess->session_id_length && !sess->tlsext_tick) || 608 (!sess->session_id_length && !sess->tlsext_tick) ||
@@ -644,6 +652,7 @@ ssl3_client_hello(SSL *s)
644 * client_version in client hello and not resetting it to 652 * client_version in client hello and not resetting it to
645 * the negotiated version. 653 * the negotiated version.
646 */ 654 */
655
647 *(p++) = s->client_version >> 8; 656 *(p++) = s->client_version >> 8;
648 *(p++) = s->client_version & 0xff; 657 *(p++) = s->client_version & 0xff;
649 658
@@ -719,20 +728,23 @@ ssl3_get_server_hello(SSL *s)
719{ 728{
720 CBS cbs, server_random, session_id; 729 CBS cbs, server_random, session_id;
721 uint16_t server_version, cipher_suite; 730 uint16_t server_version, cipher_suite;
731 uint16_t min_version, max_version;
722 uint8_t compression_method; 732 uint8_t compression_method;
723 STACK_OF(SSL_CIPHER) *sk; 733 STACK_OF(SSL_CIPHER) *sk;
724 const SSL_CIPHER *cipher; 734 const SSL_CIPHER *cipher;
735 const SSL_METHOD *method;
725 unsigned char *p; 736 unsigned char *p;
726 unsigned long alg_k; 737 unsigned long alg_k;
727 size_t outlen; 738 size_t outlen;
728 int i, al, ok; 739 int i, al, ok;
729 long n; 740 long n;
730 741
742 s->internal->first_packet = 1;
731 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, 743 n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
732 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok); 744 SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok);
733
734 if (!ok) 745 if (!ok)
735 return ((int)n); 746 return ((int)n);
747 s->internal->first_packet = 0;
736 748
737 if (n < 0) 749 if (n < 0)
738 goto truncated; 750 goto truncated;
@@ -764,12 +776,27 @@ ssl3_get_server_hello(SSL *s)
764 if (!CBS_get_u16(&cbs, &server_version)) 776 if (!CBS_get_u16(&cbs, &server_version))
765 goto truncated; 777 goto truncated;
766 778
767 if (s->version != server_version) { 779 if (ssl_supported_version_range(s, &min_version, &max_version) != 1) {
780 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
781 SSL_R_NO_PROTOCOLS_AVAILABLE);
782 goto err;
783 }
784
785 if (server_version < min_version || server_version > max_version) {
768 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION); 786 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, SSL_R_WRONG_SSL_VERSION);
769 s->version = (s->version & 0xff00) | (server_version & 0xff); 787 s->version = (s->version & 0xff00) | (server_version & 0xff);
770 al = SSL_AD_PROTOCOL_VERSION; 788 al = SSL_AD_PROTOCOL_VERSION;
771 goto f_err; 789 goto f_err;
772 } 790 }
791 s->version = server_version;
792
793 if ((method = tls1_get_client_method(server_version)) == NULL)
794 method = dtls1_get_client_method(server_version);
795 if (method == NULL) {
796 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
797 goto err;
798 }
799 s->method = method;
773 800
774 /* Server random. */ 801 /* Server random. */
775 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE)) 802 if (!CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE))
@@ -836,6 +863,7 @@ ssl3_get_server_hello(SSL *s)
836 goto f_err; 863 goto f_err;
837 } 864 }
838 } 865 }
866
839 /* 867 /*
840 * XXX - improve the handling for the case where there is a 868 * XXX - improve the handling for the case where there is a
841 * zero length session identifier. 869 * zero length session identifier.
@@ -844,6 +872,8 @@ ssl3_get_server_hello(SSL *s)
844 sizeof(s->session->session_id), &outlen)) 872 sizeof(s->session->session_id), &outlen))
845 goto err; 873 goto err;
846 s->session->session_id_length = outlen; 874 s->session->session_id_length = outlen;
875
876 s->session->ssl_version = s->version;
847 } 877 }
848 878
849 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) { 879 if ((cipher = ssl3_get_cipher_by_value(cipher_suite)) == NULL) {
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-09 17:46:58 +0000