2 files changed, 52 insertions, 52 deletions
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 08b416cab8..2e63cfc830 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.45 2015/09/11 18:08:21 jsing Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.46 2015/10/25 15:49:04 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -247,15 +247,14 @@ ssl23_get_client_hello(SSL *s)
                         * SSLv2 header
                         */
                        if ((p[3] == 0x00) && (p[4] == 0x02)) {
-                                v[0] = p[3];
+                                /* SSLv2 support has been removed */
-                                v[1] = p[4];
+                                goto unsupported;
-                                /* SSLv2 */
-                                if (!(s->options & SSL_OP_NO_SSLv2))
-                                        type = 1;
                        } else if (p[3] == SSL3_VERSION_MAJOR) {
                                v[0] = p[3];
                                v[1] = p[4];
-                                /* SSLv3/TLSv1 */
+                                /* SSLv3/TLS */
                                if (p[4] >= TLS1_VERSION_MINOR) {
                                        if (p[4] >= TLS1_2_VERSION_MINOR &&
                                            !(s->options & SSL_OP_NO_TLSv1_2)) {
@@ -270,16 +269,13 @@ ssl23_get_client_hello(SSL *s)
                                                s->version = TLS1_VERSION;
                                                /* type=2; */ /* done later to survive restarts */
                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
-                                        } else if (!(s->options & SSL_OP_NO_SSLv3)) {
+                                        } else {
-                                                type = 1;
+                                                goto unsupported;
-                                        } else if (!(s->options & SSL_OP_NO_SSLv2)) {
-                                                type = 1;
                                        }
-                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
+                                } else {
-                                        type = 1;
+                                        /* SSLv3 support has been removed */
-                                } else if (!(s->options & SSL_OP_NO_SSLv2))
+                                        goto unsupported;
-                                        type = 1;
+                                }
                        }
                } else if ((p[0] == SSL3_RT_HANDSHAKE) &&
                    (p[1] == SSL3_VERSION_MAJOR) &&
@@ -325,13 +321,18 @@ ssl23_get_client_hello(SSL *s)
                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        s->version = TLS1_VERSION;
                                        type = 3;
+                                } else {
+                                        goto unsupported;
                                }
                        } else {
+                                /* SSLv3 */
                                if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        /* we won't be able to use TLS of course,
                                         * but this will send an appropriate alert */
                                        s->version = TLS1_VERSION;
                                        type = 3;
+                                } else {
+                                        goto unsupported;
                                }
                        }
                }
@@ -454,12 +455,7 @@ ssl23_get_client_hello(SSL *s)
        /* imaginary new state (for program structure): */
        /* s->state = SSL23_SR_CLNT_HELLO_C */
-        if (type == 1) {
+        if (type == 2 || type == 3) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-                return -1;
-        }
-        if ((type == 2) || (type == 3)) {
                /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
                if (!ssl_init_wbio_buffer(s, 1))
@@ -490,12 +486,12 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_2_server_method();
                else if (s->version == TLS1_1_VERSION)
                        s->method = TLSv1_1_server_method();
-                else
+                else if (s->version == TLS1_VERSION)
                        s->method = TLSv1_server_method();
+                else
+                        goto unsupported;
                s->handshake_func = s->method->ssl_accept;
-        }
+        } else {
-        if ((type < 1) || (type > 3)) {
                /* bad, very bad */
                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
                return -1;
@@ -503,4 +499,8 @@ ssl23_get_client_hello(SSL *s)
        s->init_num = 0;
        return (SSL_accept(s));
+ unsupported:
+        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
+        return -1;
 }
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index 08b416cab8..2e63cfc830 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s23_srvr.c,v 1.45 2015/09/11 18:08:21 jsing Exp $ */
+/* $OpenBSD: s23_srvr.c,v 1.46 2015/10/25 15:49:04 doug Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -247,15 +247,14 @@ ssl23_get_client_hello(SSL *s)
                         * SSLv2 header
                         */
                        if ((p[3] == 0x00) && (p[4] == 0x02)) {
-                                v[0] = p[3];
+                                /* SSLv2 support has been removed */
-                                v[1] = p[4];
+                                goto unsupported;
-                                /* SSLv2 */
-                                if (!(s->options & SSL_OP_NO_SSLv2))
-                                        type = 1;
                        } else if (p[3] == SSL3_VERSION_MAJOR) {
                                v[0] = p[3];
                                v[1] = p[4];
-                                /* SSLv3/TLSv1 */
+                                /* SSLv3/TLS */
                                if (p[4] >= TLS1_VERSION_MINOR) {
                                        if (p[4] >= TLS1_2_VERSION_MINOR &&
                                            !(s->options & SSL_OP_NO_TLSv1_2)) {
@@ -270,16 +269,13 @@ ssl23_get_client_hello(SSL *s)
                                                s->version = TLS1_VERSION;
                                                /* type=2; */ /* done later to survive restarts */
                                                s->state = SSL23_ST_SR_CLNT_HELLO_B;
-                                        } else if (!(s->options & SSL_OP_NO_SSLv3)) {
+                                        } else {
-                                                type = 1;
+                                                goto unsupported;
-                                        } else if (!(s->options & SSL_OP_NO_SSLv2)) {
-                                                type = 1;
                                        }
-                                } else if (!(s->options & SSL_OP_NO_SSLv3)) {
+                                } else {
-                                        type = 1;
+                                        /* SSLv3 support has been removed */
-                                } else if (!(s->options & SSL_OP_NO_SSLv2))
+                                        goto unsupported;
-                                        type = 1;
+                                }
                        }
                } else if ((p[0] == SSL3_RT_HANDSHAKE) &&
                    (p[1] == SSL3_VERSION_MAJOR) &&
@@ -325,13 +321,18 @@ ssl23_get_client_hello(SSL *s)
                                } else if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        s->version = TLS1_VERSION;
                                        type = 3;
+                                } else {
+                                        goto unsupported;
                                }
                        } else {
+                                /* SSLv3 */
                                if (!(s->options & SSL_OP_NO_TLSv1)) {
                                        /* we won't be able to use TLS of course,
                                         * but this will send an appropriate alert */
                                        s->version = TLS1_VERSION;
                                        type = 3;
+                                } else {
+                                        goto unsupported;
                                }
                        }
                }
@@ -454,12 +455,7 @@ ssl23_get_client_hello(SSL *s)
        /* imaginary new state (for program structure): */
        /* s->state = SSL23_SR_CLNT_HELLO_C */
-        if (type == 1) {
+        if (type == 2 || type == 3) {
-                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
-                return -1;
-        }
-        if ((type == 2) || (type == 3)) {
                /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
                if (!ssl_init_wbio_buffer(s, 1))
@@ -490,12 +486,12 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_2_server_method();
                else if (s->version == TLS1_1_VERSION)
                        s->method = TLSv1_1_server_method();
-                else
+                else if (s->version == TLS1_VERSION)
                        s->method = TLSv1_server_method();
+                else
+                        goto unsupported;
                s->handshake_func = s->method->ssl_accept;
-        }
+        } else {
-        if ((type < 1) || (type > 3)) {
                /* bad, very bad */
                SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
                return -1;
@@ -503,4 +499,8 @@ ssl23_get_client_hello(SSL *s)
        s->init_num = 0;
        return (SSL_accept(s));
+ unsupported:
+        SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
+        return -1;
 }

diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c index 08b416cab8..2e63cfc830 100644 --- a/src/lib/libssl/s23_srvr.c +++ b/src/lib/libssl/s23_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s23_srvr.c,v 1.45 2015/09/11 18:08:21 jsing Exp $ */	1	/* $OpenBSD: s23_srvr.c,v 1.46 2015/10/25 15:49:04 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -247,15 +247,14 @@ ssl23_get_client_hello(SSL *s)
247	* SSLv2 header	247	* SSLv2 header
248	*/	248	*/
249	if ((p[3] == 0x00) && (p[4] == 0x02)) {	249	if ((p[3] == 0x00) && (p[4] == 0x02)) {
250	v[0] = p[3];	250	/* SSLv2 support has been removed */
251	v[1] = p[4];	251	goto unsupported;
252	/* SSLv2 */	252
253	if (!(s->options & SSL_OP_NO_SSLv2))
254	type = 1;
255	} else if (p[3] == SSL3_VERSION_MAJOR) {	253	} else if (p[3] == SSL3_VERSION_MAJOR) {
256	v[0] = p[3];	254	v[0] = p[3];
257	v[1] = p[4];	255	v[1] = p[4];
258	/* SSLv3/TLSv1 */	256	/* SSLv3/TLS */
		257
259	if (p[4] >= TLS1_VERSION_MINOR) {	258	if (p[4] >= TLS1_VERSION_MINOR) {
260	if (p[4] >= TLS1_2_VERSION_MINOR &&	259	if (p[4] >= TLS1_2_VERSION_MINOR &&
261	!(s->options & SSL_OP_NO_TLSv1_2)) {	260	!(s->options & SSL_OP_NO_TLSv1_2)) {
@@ -270,16 +269,13 @@ ssl23_get_client_hello(SSL *s)
270	s->version = TLS1_VERSION;	269	s->version = TLS1_VERSION;
271	/* type=2; / / done later to survive restarts */	270	/* type=2; / / done later to survive restarts */
272	s->state = SSL23_ST_SR_CLNT_HELLO_B;	271	s->state = SSL23_ST_SR_CLNT_HELLO_B;
273	} else if (!(s->options & SSL_OP_NO_SSLv3)) {	272	} else {
274	type = 1;	273	goto unsupported;
275	} else if (!(s->options & SSL_OP_NO_SSLv2)) {
276	type = 1;
277	}	274	}
278	} else if (!(s->options & SSL_OP_NO_SSLv3)) {	275	} else {
279	type = 1;	276	/* SSLv3 support has been removed */
280	} else if (!(s->options & SSL_OP_NO_SSLv2))	277	goto unsupported;
281	type = 1;	278	}
282
283	}	279	}
284	} else if ((p[0] == SSL3_RT_HANDSHAKE) &&	280	} else if ((p[0] == SSL3_RT_HANDSHAKE) &&
285	(p[1] == SSL3_VERSION_MAJOR) &&	281	(p[1] == SSL3_VERSION_MAJOR) &&
@@ -325,13 +321,18 @@ ssl23_get_client_hello(SSL *s)
325	} else if (!(s->options & SSL_OP_NO_TLSv1)) {	321	} else if (!(s->options & SSL_OP_NO_TLSv1)) {
326	s->version = TLS1_VERSION;	322	s->version = TLS1_VERSION;
327	type = 3;	323	type = 3;
		324	} else {
		325	goto unsupported;
328	}	326	}
329	} else {	327	} else {
		328	/* SSLv3 */
330	if (!(s->options & SSL_OP_NO_TLSv1)) {	329	if (!(s->options & SSL_OP_NO_TLSv1)) {
331	/* we won't be able to use TLS of course,	330	/* we won't be able to use TLS of course,
332	* but this will send an appropriate alert */	331	* but this will send an appropriate alert */
333	s->version = TLS1_VERSION;	332	s->version = TLS1_VERSION;
334	type = 3;	333	type = 3;
		334	} else {
		335	goto unsupported;
335	}	336	}
336	}	337	}
337	}	338	}
@@ -454,12 +455,7 @@ ssl23_get_client_hello(SSL *s)
454	/* imaginary new state (for program structure): */	455	/* imaginary new state (for program structure): */
455	/* s->state = SSL23_SR_CLNT_HELLO_C */	456	/* s->state = SSL23_SR_CLNT_HELLO_C */
456		457
457	if (type == 1) {	458	if (type == 2 \|\| type == 3) {
458	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
459	return -1;
460	}
461
462	if ((type == 2) \|\| (type == 3)) {
463	/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */	459	/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
464		460
465	if (!ssl_init_wbio_buffer(s, 1))	461	if (!ssl_init_wbio_buffer(s, 1))
@@ -490,12 +486,12 @@ ssl23_get_client_hello(SSL *s)
490	s->method = TLSv1_2_server_method();	486	s->method = TLSv1_2_server_method();
491	else if (s->version == TLS1_1_VERSION)	487	else if (s->version == TLS1_1_VERSION)
492	s->method = TLSv1_1_server_method();	488	s->method = TLSv1_1_server_method();
493	else	489	else if (s->version == TLS1_VERSION)
494	s->method = TLSv1_server_method();	490	s->method = TLSv1_server_method();
		491	else
		492	goto unsupported;
495	s->handshake_func = s->method->ssl_accept;	493	s->handshake_func = s->method->ssl_accept;
496	}	494	} else {
497
498	if ((type < 1) \|\| (type > 3)) {
499	/* bad, very bad */	495	/* bad, very bad */
500	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);	496	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
501	return -1;	497	return -1;
@@ -503,4 +499,8 @@ ssl23_get_client_hello(SSL *s)
503	s->init_num = 0;	499	s->init_num = 0;
504		500
505	return (SSL_accept(s));	501	return (SSL_accept(s));
		502
		503	unsupported:
		504	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
		505	return -1;
506	}	506	}


diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c index 08b416cab8..2e63cfc830 100644 --- a/src/lib/libssl/src/ssl/s23_srvr.c +++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: s23_srvr.c,v 1.45 2015/09/11 18:08:21 jsing Exp $ */	1	/* $OpenBSD: s23_srvr.c,v 1.46 2015/10/25 15:49:04 doug Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -247,15 +247,14 @@ ssl23_get_client_hello(SSL *s)
247	* SSLv2 header	247	* SSLv2 header
248	*/	248	*/
249	if ((p[3] == 0x00) && (p[4] == 0x02)) {	249	if ((p[3] == 0x00) && (p[4] == 0x02)) {
250	v[0] = p[3];	250	/* SSLv2 support has been removed */
251	v[1] = p[4];	251	goto unsupported;
252	/* SSLv2 */	252
253	if (!(s->options & SSL_OP_NO_SSLv2))
254	type = 1;
255	} else if (p[3] == SSL3_VERSION_MAJOR) {	253	} else if (p[3] == SSL3_VERSION_MAJOR) {
256	v[0] = p[3];	254	v[0] = p[3];
257	v[1] = p[4];	255	v[1] = p[4];
258	/* SSLv3/TLSv1 */	256	/* SSLv3/TLS */
		257
259	if (p[4] >= TLS1_VERSION_MINOR) {	258	if (p[4] >= TLS1_VERSION_MINOR) {
260	if (p[4] >= TLS1_2_VERSION_MINOR &&	259	if (p[4] >= TLS1_2_VERSION_MINOR &&
261	!(s->options & SSL_OP_NO_TLSv1_2)) {	260	!(s->options & SSL_OP_NO_TLSv1_2)) {
@@ -270,16 +269,13 @@ ssl23_get_client_hello(SSL *s)
270	s->version = TLS1_VERSION;	269	s->version = TLS1_VERSION;
271	/* type=2; / / done later to survive restarts */	270	/* type=2; / / done later to survive restarts */
272	s->state = SSL23_ST_SR_CLNT_HELLO_B;	271	s->state = SSL23_ST_SR_CLNT_HELLO_B;
273	} else if (!(s->options & SSL_OP_NO_SSLv3)) {	272	} else {
274	type = 1;	273	goto unsupported;
275	} else if (!(s->options & SSL_OP_NO_SSLv2)) {
276	type = 1;
277	}	274	}
278	} else if (!(s->options & SSL_OP_NO_SSLv3)) {	275	} else {
279	type = 1;	276	/* SSLv3 support has been removed */
280	} else if (!(s->options & SSL_OP_NO_SSLv2))	277	goto unsupported;
281	type = 1;	278	}
282
283	}	279	}
284	} else if ((p[0] == SSL3_RT_HANDSHAKE) &&	280	} else if ((p[0] == SSL3_RT_HANDSHAKE) &&
285	(p[1] == SSL3_VERSION_MAJOR) &&	281	(p[1] == SSL3_VERSION_MAJOR) &&
@@ -325,13 +321,18 @@ ssl23_get_client_hello(SSL *s)
325	} else if (!(s->options & SSL_OP_NO_TLSv1)) {	321	} else if (!(s->options & SSL_OP_NO_TLSv1)) {
326	s->version = TLS1_VERSION;	322	s->version = TLS1_VERSION;
327	type = 3;	323	type = 3;
		324	} else {
		325	goto unsupported;
328	}	326	}
329	} else {	327	} else {
		328	/* SSLv3 */
330	if (!(s->options & SSL_OP_NO_TLSv1)) {	329	if (!(s->options & SSL_OP_NO_TLSv1)) {
331	/* we won't be able to use TLS of course,	330	/* we won't be able to use TLS of course,
332	* but this will send an appropriate alert */	331	* but this will send an appropriate alert */
333	s->version = TLS1_VERSION;	332	s->version = TLS1_VERSION;
334	type = 3;	333	type = 3;
		334	} else {
		335	goto unsupported;
335	}	336	}
336	}	337	}
337	}	338	}
@@ -454,12 +455,7 @@ ssl23_get_client_hello(SSL *s)
454	/* imaginary new state (for program structure): */	455	/* imaginary new state (for program structure): */
455	/* s->state = SSL23_SR_CLNT_HELLO_C */	456	/* s->state = SSL23_SR_CLNT_HELLO_C */
456		457
457	if (type == 1) {	458	if (type == 2 \|\| type == 3) {
458	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
459	return -1;
460	}
461
462	if ((type == 2) \|\| (type == 3)) {
463	/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */	459	/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
464		460
465	if (!ssl_init_wbio_buffer(s, 1))	461	if (!ssl_init_wbio_buffer(s, 1))
@@ -490,12 +486,12 @@ ssl23_get_client_hello(SSL *s)
490	s->method = TLSv1_2_server_method();	486	s->method = TLSv1_2_server_method();
491	else if (s->version == TLS1_1_VERSION)	487	else if (s->version == TLS1_1_VERSION)
492	s->method = TLSv1_1_server_method();	488	s->method = TLSv1_1_server_method();
493	else	489	else if (s->version == TLS1_VERSION)
494	s->method = TLSv1_server_method();	490	s->method = TLSv1_server_method();
		491	else
		492	goto unsupported;
495	s->handshake_func = s->method->ssl_accept;	493	s->handshake_func = s->method->ssl_accept;
496	}	494	} else {
497
498	if ((type < 1) \|\| (type > 3)) {
499	/* bad, very bad */	495	/* bad, very bad */
500	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);	496	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
501	return -1;	497	return -1;
@@ -503,4 +499,8 @@ ssl23_get_client_hello(SSL *s)
503	s->init_num = 0;	499	s->init_num = 0;
504		500
505	return (SSL_accept(s));	501	return (SSL_accept(s));
		502
		503	unsupported:
		504	SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL);
		505	return -1;
506	}	506	}