Merge the client/server version negotiation into the existing (currently

fixed version) client/server code. ok beck@
author: jsing <> 2017-01-26 05:31:25 +0000
committer: jsing <> 2017-01-26 05:31:25 +0000
commit: 9366f4ef0d67a19fe5eca3feedbc756a4a8966b2 (patch)
tree: 4e54623d2ff33c8bd1295cf166bf8253188d9d34 /src/lib/libssl/s3_srvr.c
parent: c7118cf7a1b4ff8cec6c52fba26ecfbfba0d7919 (diff)
download: openbsd-9366f4ef0d67a19fe5eca3feedbc756a4a8966b2.tar.gz
openbsd-9366f4ef0d67a19fe5eca3feedbc756a4a8966b2.tar.bz2
openbsd-9366f4ef0d67a19fe5eca3feedbc756a4a8966b2.zip
1 files changed, 18 insertions, 7 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index c6d340026a..28f0fc486a 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.153 2017/01/24 14:57:31 jsing Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.154 2017/01/26 05:31:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -730,6 +730,8 @@ ssl3_get_client_hello(SSL *s)
        SSL_CIPHER *c;
        STACK_OF(SSL_CIPHER) *ciphers = NULL;
        unsigned long alg_k;
+        const SSL_METHOD *method;
+        uint16_t shared_version;
        /*
         * We do this so that we will respond with our native type.
@@ -741,6 +743,7 @@ ssl3_get_client_hello(SSL *s)
        if (s->internal->state == SSL3_ST_SR_CLNT_HELLO_A) {
                s->internal->state = SSL3_ST_SR_CLNT_HELLO_B;
        }
        s->internal->first_packet = 1;
        n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
            SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO,
@@ -749,6 +752,7 @@ ssl3_get_client_hello(SSL *s)
        if (!ok)
                return ((int)n);
        s->internal->first_packet = 0;
        d = p = (unsigned char *)s->internal->init_msg;
        if (2 > n)
@@ -760,21 +764,28 @@ ssl3_get_client_hello(SSL *s)
        s->client_version = (((int)p[0]) << 8)|(int)p[1];
        p += 2;
-        if ((s->version == DTLS1_VERSION && s->client_version > s->version) ||
+        if (ssl_max_shared_version(s, s->client_version, &shared_version) != 1) {
-            (s->version != DTLS1_VERSION && s->client_version < s->version)) {
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,
-                    SSL_R_WRONG_VERSION_NUMBER);
                if ((s->client_version >> 8) == SSL3_VERSION_MAJOR &&
-                        !s->internal->enc_write_ctx && !s->internal->write_hash) {
+                    !s->internal->enc_write_ctx && !s->internal->write_hash) {
                        /*
                         * Similar to ssl3_get_record, send alert using remote
-                         * version number
+                         * version number.
                         */
                        s->version = s->client_version;
                }
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
        }
+        s->version = shared_version;
+        if ((method = tls1_get_server_method(shared_version)) == NULL)
+                method = dtls1_get_server_method(shared_version);
+        if (method == NULL) {
+                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+                goto err;
+        }
+        s->method = method;
        /*
         * If we require cookies (DTLS) and this ClientHello doesn't
author	jsing <>	2017-01-26 05:31:25 +0000
committer	jsing <>	2017-01-26 05:31:25 +0000
commit	9366f4ef0d67a19fe5eca3feedbc756a4a8966b2 (patch)
tree	4e54623d2ff33c8bd1295cf166bf8253188d9d34 /src/lib/libssl/s3_srvr.c
parent	c7118cf7a1b4ff8cec6c52fba26ecfbfba0d7919 (diff)
download	openbsd-9366f4ef0d67a19fe5eca3feedbc756a4a8966b2.tar.gz openbsd-9366f4ef0d67a19fe5eca3feedbc756a4a8966b2.tar.bz2 openbsd-9366f4ef0d67a19fe5eca3feedbc756a4a8966b2.zip