summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/s3_srvr.c')
-rw-r--r--src/lib/libssl/s3_srvr.c39
1 files changed, 16 insertions, 23 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 9ac19c05f2..118939fabb 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -191,8 +191,7 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
191 { 191 {
192 if(s->srp_ctx.login == NULL) 192 if(s->srp_ctx.login == NULL)
193 { 193 {
194 /* RFC 5054 says SHOULD reject, 194 /* There isn't any srp login extension !!! */
195 we do so if There is no srp login name */
196 ret = SSL3_AL_FATAL; 195 ret = SSL3_AL_FATAL;
197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 196 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
198 } 197 }
@@ -379,7 +378,6 @@ int ssl3_accept(SSL *s)
379 } 378 }
380 } 379 }
381#endif 380#endif
382
383 s->renegotiate = 2; 381 s->renegotiate = 2;
384 s->state=SSL3_ST_SW_SRVR_HELLO_A; 382 s->state=SSL3_ST_SW_SRVR_HELLO_A;
385 s->init_num=0; 383 s->init_num=0;
@@ -958,8 +956,7 @@ int ssl3_get_client_hello(SSL *s)
958 (s->version != DTLS1_VERSION && s->client_version < s->version)) 956 (s->version != DTLS1_VERSION && s->client_version < s->version))
959 { 957 {
960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 958 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 959 if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
962 !s->enc_write_ctx && !s->write_hash)
963 { 960 {
964 /* similar to ssl3_get_record, send alert using remote version number */ 961 /* similar to ssl3_get_record, send alert using remote version number */
965 s->version = s->client_version; 962 s->version = s->client_version;
@@ -1184,7 +1181,7 @@ int ssl3_get_client_hello(SSL *s)
1184 goto f_err; 1181 goto f_err;
1185 } 1182 }
1186 } 1183 }
1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) { 1184 if (ssl_check_clienthello_tlsext(s) <= 0) {
1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1185 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1189 goto err; 1186 goto err;
1190 } 1187 }
@@ -1194,9 +1191,12 @@ int ssl3_get_client_hello(SSL *s)
1194 * server_random before calling tls_session_secret_cb in order to allow 1191 * server_random before calling tls_session_secret_cb in order to allow
1195 * SessionTicket processing to use it in key derivation. */ 1192 * SessionTicket processing to use it in key derivation. */
1196 { 1193 {
1194 unsigned long Time;
1197 unsigned char *pos; 1195 unsigned char *pos;
1196 Time=(unsigned long)time(NULL); /* Time */
1198 pos=s->s3->server_random; 1197 pos=s->s3->server_random;
1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) 1198 l2n(Time,pos);
1199 if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
1200 { 1200 {
1201 al=SSL_AD_INTERNAL_ERROR; 1201 al=SSL_AD_INTERNAL_ERROR;
1202 goto f_err; 1202 goto f_err;
@@ -1389,10 +1389,7 @@ int ssl3_get_client_hello(SSL *s)
1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
1390 { 1390 {
1391 if (!ssl3_digest_cached_records(s)) 1391 if (!ssl3_digest_cached_records(s))
1392 {
1393 al = SSL_AD_INTERNAL_ERROR;
1394 goto f_err; 1392 goto f_err;
1395 }
1396 } 1393 }
1397 1394
1398 /* we now have the following setup. 1395 /* we now have the following setup.
@@ -1406,16 +1403,6 @@ int ssl3_get_client_hello(SSL *s)
1406 * s->tmp.new_cipher - the new cipher to use. 1403 * s->tmp.new_cipher - the new cipher to use.
1407 */ 1404 */
1408 1405
1409 /* Handles TLS extensions that we couldn't check earlier */
1410 if (s->version >= SSL3_VERSION)
1411 {
1412 if (ssl_check_clienthello_tlsext_late(s) <= 0)
1413 {
1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1415 goto err;
1416 }
1417 }
1418
1419 if (ret < 0) ret=1; 1406 if (ret < 0) ret=1;
1420 if (0) 1407 if (0)
1421 { 1408 {
@@ -1433,13 +1420,19 @@ int ssl3_send_server_hello(SSL *s)
1433 unsigned char *p,*d; 1420 unsigned char *p,*d;
1434 int i,sl; 1421 int i,sl;
1435 unsigned long l; 1422 unsigned long l;
1423#ifdef OPENSSL_NO_TLSEXT
1424 unsigned long Time;
1425#endif
1436 1426
1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1427 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
1438 { 1428 {
1439 buf=(unsigned char *)s->init_buf->data; 1429 buf=(unsigned char *)s->init_buf->data;
1440#ifdef OPENSSL_NO_TLSEXT 1430#ifdef OPENSSL_NO_TLSEXT
1441 p=s->s3->server_random; 1431 p=s->s3->server_random;
1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) 1432 /* Generate server_random if it was not needed previously */
1433 Time=(unsigned long)time(NULL); /* Time */
1434 l2n(Time,p);
1435 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
1443 return -1; 1436 return -1;
1444#endif 1437#endif
1445 /* Do the message type and length last */ 1438 /* Do the message type and length last */
@@ -1830,7 +1823,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1823 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1831 goto f_err; 1824 goto f_err;
1832 } 1825 }
1833 for (i=0; i < 4 && r[i] != NULL; i++) 1826 for (i=0; r[i] != NULL && i<4; i++)
1834 { 1827 {
1835 nr[i]=BN_num_bytes(r[i]); 1828 nr[i]=BN_num_bytes(r[i]);
1836#ifndef OPENSSL_NO_SRP 1829#ifndef OPENSSL_NO_SRP
@@ -1866,7 +1859,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1866 d=(unsigned char *)s->init_buf->data; 1859 d=(unsigned char *)s->init_buf->data;
1867 p= &(d[4]); 1860 p= &(d[4]);
1868 1861
1869 for (i=0; i < 4 && r[i] != NULL; i++) 1862 for (i=0; r[i] != NULL && i<4; i++)
1870 { 1863 {
1871#ifndef OPENSSL_NO_SRP 1864#ifndef OPENSSL_NO_SRP
1872 if ((i == 2) && (type & SSL_kSRP)) 1865 if ((i == 2) && (type & SSL_kSRP))
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-15 05:56:38 +0000