diff options
| author | guenther <> | 2014-04-16 15:10:07 +0000 |
|---|---|---|
| committer | guenther <> | 2014-04-16 15:10:07 +0000 |
| commit | 07d70e2f624616050545c4fb6f6ba748c12b342e (patch) | |
| tree | cd6b7bd17edfb25d9928b1c38f811f45391e4e97 /src/lib/libssl/ssl_sess.c | |
| parent | 0e08f2db38e867e26107d9826aa489a211882fb1 (diff) | |
| download | openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.gz openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.tar.bz2 openbsd-07d70e2f624616050545c4fb6f6ba748c12b342e.zip | |
Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.
ok tedu@ beck@
Diffstat (limited to 'src/lib/libssl/ssl_sess.c')
| -rw-r--r-- | src/lib/libssl/ssl_sess.c | 40 |
1 files changed, 13 insertions, 27 deletions
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index b29115862b..0b1c655820 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c | |||
| @@ -301,29 +301,19 @@ ssl_get_new_session(SSL *s, int session) | |||
| 301 | } | 301 | } |
| 302 | 302 | ||
| 303 | if (session) { | 303 | if (session) { |
| 304 | if (s->version == SSL2_VERSION) { | 304 | switch (s->version) { |
| 305 | ss->ssl_version = SSL2_VERSION; | 305 | case SSL3_VERSION: |
| 306 | ss->session_id_length = SSL2_SSL_SESSION_ID_LENGTH; | 306 | case TLS1_VERSION: |
| 307 | } else if (s->version == SSL3_VERSION) { | 307 | case TLS1_1_VERSION: |
| 308 | ss->ssl_version = SSL3_VERSION; | 308 | case TLS1_2_VERSION: |
| 309 | case DTLS1_BAD_VER: | ||
| 310 | case DTLS1_VERSION: | ||
| 311 | ss->ssl_version = s->version; | ||
| 309 | ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; | 312 | ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; |
| 310 | } else if (s->version == TLS1_VERSION) { | 313 | break; |
| 311 | ss->ssl_version = TLS1_VERSION; | 314 | default: |
| 312 | ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; | 315 | SSLerr(SSL_F_SSL_GET_NEW_SESSION, |
| 313 | } else if (s->version == TLS1_1_VERSION) { | 316 | SSL_R_UNSUPPORTED_SSL_VERSION); |
| 314 | ss->ssl_version = TLS1_1_VERSION; | ||
| 315 | ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; | ||
| 316 | } else if (s->version == TLS1_2_VERSION) { | ||
| 317 | ss->ssl_version = TLS1_2_VERSION; | ||
| 318 | ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; | ||
| 319 | } else if (s->version == DTLS1_BAD_VER) { | ||
| 320 | ss->ssl_version = DTLS1_BAD_VER; | ||
| 321 | ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; | ||
| 322 | } else if (s->version == DTLS1_VERSION) { | ||
| 323 | ss->ssl_version = DTLS1_VERSION; | ||
| 324 | ss->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; | ||
| 325 | } else { | ||
| 326 | SSLerr(SSL_F_SSL_GET_NEW_SESSION, SSL_R_UNSUPPORTED_SSL_VERSION); | ||
| 327 | SSL_SESSION_free(ss); | 317 | SSL_SESSION_free(ss); |
| 328 | return (0); | 318 | return (0); |
| 329 | } | 319 | } |
| @@ -359,11 +349,7 @@ ssl_get_new_session(SSL *s, int session) | |||
| 359 | SSL_SESSION_free(ss); | 349 | SSL_SESSION_free(ss); |
| 360 | return (0); | 350 | return (0); |
| 361 | } | 351 | } |
| 362 | /* If the session length was shrunk and we're SSLv2, pad it */ | 352 | ss->session_id_length = tmp; |
| 363 | if ((tmp < ss->session_id_length) && (s->version == SSL2_VERSION)) | ||
| 364 | memset(ss->session_id + tmp, 0, ss->session_id_length - tmp); | ||
| 365 | else | ||
| 366 | ss->session_id_length = tmp; | ||
| 367 | /* Finally, check for a conflict */ | 353 | /* Finally, check for a conflict */ |
| 368 | if (SSL_has_matching_session_id(s, ss->session_id, | 354 | if (SSL_has_matching_session_id(s, ss->session_id, |
| 369 | ss->session_id_length)) { | 355 | ss->session_id_length)) { |