diff options
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 70bda982c6..97418f1ac7 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.84 2021/02/22 15:59:10 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.85 2021/03/10 18:27:01 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -218,7 +218,14 @@ ssl3_connect(SSL *s) | |||
| 218 | goto end; | 218 | goto end; |
| 219 | } | 219 | } |
| 220 | 220 | ||
| 221 | /* s->version=SSL3_VERSION; */ | 221 | if (!ssl_supported_tls_version_range(s, |
| 222 | &S3I(s)->hs.our_min_tls_version, | ||
| 223 | &S3I(s)->hs.our_max_tls_version)) { | ||
| 224 | SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); | ||
| 225 | ret = -1; | ||
| 226 | goto end; | ||
| 227 | } | ||
| 228 | |||
| 222 | s->internal->type = SSL_ST_CONNECT; | 229 | s->internal->type = SSL_ST_CONNECT; |
| 223 | 230 | ||
| 224 | if (!ssl3_setup_init_buffer(s)) { | 231 | if (!ssl3_setup_init_buffer(s)) { |
| @@ -904,6 +911,12 @@ ssl3_get_server_hello(SSL *s) | |||
| 904 | } | 911 | } |
| 905 | s->version = server_version; | 912 | s->version = server_version; |
| 906 | 913 | ||
| 914 | S3I(s)->hs.negotiated_tls_version = ssl_tls_version(server_version); | ||
| 915 | if (S3I(s)->hs.negotiated_tls_version == 0) { | ||
| 916 | SSLerror(s, ERR_R_INTERNAL_ERROR); | ||
| 917 | goto err; | ||
| 918 | } | ||
| 919 | |||
| 907 | if ((method = ssl_get_method(server_version)) == NULL) { | 920 | if ((method = ssl_get_method(server_version)) == NULL) { |
| 908 | SSLerror(s, ERR_R_INTERNAL_ERROR); | 921 | SSLerror(s, ERR_R_INTERNAL_ERROR); |
| 909 | goto err; | 922 | goto err; |
| @@ -1019,7 +1032,7 @@ ssl3_get_server_hello(SSL *s) | |||
| 1019 | 1032 | ||
| 1020 | /* TLS v1.2 only ciphersuites require v1.2 or later. */ | 1033 | /* TLS v1.2 only ciphersuites require v1.2 or later. */ |
| 1021 | if ((cipher->algorithm_ssl & SSL_TLSV1_2) && | 1034 | if ((cipher->algorithm_ssl & SSL_TLSV1_2) && |
| 1022 | (TLS1_get_version(s) < TLS1_2_VERSION)) { | 1035 | S3I(s)->hs.negotiated_tls_version < TLS1_2_VERSION) { |
| 1023 | al = SSL_AD_ILLEGAL_PARAMETER; | 1036 | al = SSL_AD_ILLEGAL_PARAMETER; |
| 1024 | SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); | 1037 | SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); |
| 1025 | goto fatal_err; | 1038 | goto fatal_err; |
| @@ -1982,6 +1995,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) | |||
| 1982 | goto err; | 1995 | goto err; |
| 1983 | } | 1996 | } |
| 1984 | 1997 | ||
| 1998 | /* XXX - our max protocol version. */ | ||
| 1985 | pms[0] = s->client_version >> 8; | 1999 | pms[0] = s->client_version >> 8; |
| 1986 | pms[1] = s->client_version & 0xff; | 2000 | pms[1] = s->client_version & 0xff; |
| 1987 | arc4random_buf(&pms[2], sizeof(pms) - 2); | 2001 | arc4random_buf(&pms[2], sizeof(pms) - 2); |