diff options
Diffstat (limited to 'src/lib/libssl/ssl_srvr.c')
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index be9c27f73f..373a20d61b 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.95 2021/02/20 14:16:56 tb Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.96 2021/03/10 18:27:02 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -219,6 +219,14 @@ ssl3_accept(SSL *s) | |||
| 219 | goto end; | 219 | goto end; |
| 220 | } | 220 | } |
| 221 | 221 | ||
| 222 | if (!ssl_supported_tls_version_range(s, | ||
| 223 | &S3I(s)->hs.our_min_tls_version, | ||
| 224 | &S3I(s)->hs.our_max_tls_version)) { | ||
| 225 | SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); | ||
| 226 | ret = -1; | ||
| 227 | goto end; | ||
| 228 | } | ||
| 229 | |||
| 222 | s->internal->type = SSL_ST_ACCEPT; | 230 | s->internal->type = SSL_ST_ACCEPT; |
| 223 | 231 | ||
| 224 | if (!ssl3_setup_init_buffer(s)) { | 232 | if (!ssl3_setup_init_buffer(s)) { |
| @@ -844,7 +852,7 @@ ssl3_get_client_hello(SSL *s) | |||
| 844 | */ | 852 | */ |
| 845 | if (!ssl_downgrade_max_version(s, &max_version)) | 853 | if (!ssl_downgrade_max_version(s, &max_version)) |
| 846 | goto err; | 854 | goto err; |
| 847 | if (ssl_max_shared_version(s, client_version, &shared_version) != 1) { | 855 | if (!ssl_max_shared_version(s, client_version, &shared_version)) { |
| 848 | if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && | 856 | if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && |
| 849 | !tls12_record_layer_write_protected(s->internal->rl)) { | 857 | !tls12_record_layer_write_protected(s->internal->rl)) { |
| 850 | /* | 858 | /* |
| @@ -860,6 +868,12 @@ ssl3_get_client_hello(SSL *s) | |||
| 860 | s->client_version = client_version; | 868 | s->client_version = client_version; |
| 861 | s->version = shared_version; | 869 | s->version = shared_version; |
| 862 | 870 | ||
| 871 | S3I(s)->hs.negotiated_tls_version = ssl_tls_version(shared_version); | ||
| 872 | if (S3I(s)->hs.negotiated_tls_version == 0) { | ||
| 873 | SSLerror(s, ERR_R_INTERNAL_ERROR); | ||
| 874 | goto err; | ||
| 875 | } | ||
| 876 | |||
| 863 | if ((method = ssl_get_method(shared_version)) == NULL) { | 877 | if ((method = ssl_get_method(shared_version)) == NULL) { |
| 864 | SSLerror(s, ERR_R_INTERNAL_ERROR); | 878 | SSLerror(s, ERR_R_INTERNAL_ERROR); |
| 865 | goto err; | 879 | goto err; |
| @@ -1718,6 +1732,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) | |||
| 1718 | int al = -1; | 1732 | int al = -1; |
| 1719 | 1733 | ||
| 1720 | arc4random_buf(fakekey, sizeof(fakekey)); | 1734 | arc4random_buf(fakekey, sizeof(fakekey)); |
| 1735 | |||
| 1736 | /* XXX - peer max protocol version. */ | ||
| 1721 | fakekey[0] = s->client_version >> 8; | 1737 | fakekey[0] = s->client_version >> 8; |
| 1722 | fakekey[1] = s->client_version & 0xff; | 1738 | fakekey[1] = s->client_version & 0xff; |
| 1723 | 1739 | ||
| @@ -1754,6 +1770,7 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) | |||
| 1754 | /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ | 1770 | /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ |
| 1755 | } | 1771 | } |
| 1756 | 1772 | ||
| 1773 | /* XXX - peer max version. */ | ||
| 1757 | if ((al == -1) && !((pms[0] == (s->client_version >> 8)) && | 1774 | if ((al == -1) && !((pms[0] == (s->client_version >> 8)) && |
| 1758 | (pms[1] == (s->client_version & 0xff)))) { | 1775 | (pms[1] == (s->client_version & 0xff)))) { |
| 1759 | /* | 1776 | /* |