diff options
Diffstat (limited to 'src/ssl/d1_clnt.c')
-rw-r--r-- | src/ssl/d1_clnt.c | 33 |
1 files changed, 14 insertions, 19 deletions
diff --git a/src/ssl/d1_clnt.c b/src/ssl/d1_clnt.c index 73a3f8a..92fb8f6 100644 --- a/src/ssl/d1_clnt.c +++ b/src/ssl/d1_clnt.c @@ -112,8 +112,6 @@ * [including the GNU Public Licence.] */ -#include <openssl/ssl.h> - #include <assert.h> #include <stdio.h> #include <string.h> @@ -130,7 +128,6 @@ #include "internal.h" - static int dtls1_get_hello_verify(SSL *s); int dtls1_connect(SSL *s) { @@ -191,8 +188,9 @@ int dtls1_connect(SSL *s) { case SSL3_ST_CW_CLNT_HELLO_B: s->shutdown = 0; - if (!ssl3_init_handshake_buffer(s)) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); + /* every DTLS ClientHello resets Finished MAC */ + if (!ssl3_init_finished_mac(s)) { + OPENSSL_PUT_ERROR(SSL, dtls1_connect, ERR_R_INTERNAL_ERROR); ret = -1; goto end; } @@ -263,7 +261,7 @@ int dtls1_connect(SSL *s) { if (s->s3->tmp.certificate_status_expected) { s->state = SSL3_ST_CR_CERT_STATUS_A; } else { - s->state = SSL3_ST_VERIFY_SERVER_CERT; + s->state = SSL3_ST_CR_KEY_EXCH_A; } } else { skip = 1; @@ -272,16 +270,6 @@ int dtls1_connect(SSL *s) { s->init_num = 0; break; - case SSL3_ST_VERIFY_SERVER_CERT: - ret = ssl3_verify_server_cert(s); - if (ret <= 0) { - goto end; - } - - s->state = SSL3_ST_CR_KEY_EXCH_A; - s->init_num = 0; - break; - case SSL3_ST_CR_KEY_EXCH_A: case SSL3_ST_CR_KEY_EXCH_B: ret = ssl3_get_server_key_exchange(s); @@ -290,6 +278,13 @@ int dtls1_connect(SSL *s) { } s->state = SSL3_ST_CR_CERT_REQ_A; s->init_num = 0; + + /* at this point we check that we have the + * required stuff from the server */ + if (!ssl3_check_cert_and_algorithm(s)) { + ret = -1; + goto end; + } break; case SSL3_ST_CR_CERT_REQ_A: @@ -431,7 +426,7 @@ int dtls1_connect(SSL *s) { if (ret <= 0) { goto end; } - s->state = SSL3_ST_VERIFY_SERVER_CERT; + s->state = SSL3_ST_CR_KEY_EXCH_A; s->init_num = 0; break; @@ -488,7 +483,7 @@ int dtls1_connect(SSL *s) { goto end; default: - OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE); + OPENSSL_PUT_ERROR(SSL, dtls1_connect, SSL_R_UNKNOWN_STATE); ret = -1; goto end; } @@ -543,7 +538,7 @@ static int dtls1_get_hello_verify(SSL *s) { !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) || CBS_len(&hello_verify_request) != 0) { al = SSL_AD_DECODE_ERROR; - OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); + OPENSSL_PUT_ERROR(SSL, dtls1_get_hello_verify, SSL_R_DECODE_ERROR); goto f_err; } |