Don't change version number if session established

[openssl.git] / ssl / s3_srvr.c

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 0a8f206f9f96b44efdcd8fda127c993ae23a19eb..41a5ba550361945c7900eb54de0c97fd4f938451 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -903,9 +903,7 @@ int ssl3_check_client_hello(SSL *s)
        s->s3->tmp.reuse_message = 1;
 #ifndef OPENSSL_NO_TLSEXT
        if (s->s3->tmp.message_type == SSL3_MT_SUPPLEMENTAL_DATA)
-               {
                return 3;
-               }
 #endif
        if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
                {
@@ -980,12 +978,13 @@ int ssl3_get_client_hello(SSL *s)
        s->client_version=(((int)p[0])<<8)|(int)p[1];
        p+=2;
 
-       if ((SSL_IS_DTLS(s) && s->client_version > s->version
-                       && s->method->version != DTLS_ANY_VERSION) ||
-           (!SSL_IS_DTLS(s) && s->client_version < s->version))
+       if (SSL_IS_DTLS(s)  ?   (s->client_version > s->version &&
+                                s->method->version != DTLS_ANY_VERSION)
+                           :   (s->client_version < s->version))
                {
                SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-               if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
+               if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
+                       !s->enc_write_ctx && !s->write_hash)
                        {
                        /* similar to ssl3_get_record, send alert using remote version number */
                        s->version = s->client_version;
@@ -1248,12 +1247,9 @@ int ssl3_get_client_hello(SSL *s)
         * server_random before calling tls_session_secret_cb in order to allow
         * SessionTicket processing to use it in key derivation. */
        {
-               unsigned long Time;
                unsigned char *pos;
-               Time=(unsigned long)time(NULL);                 /* Time */
                pos=s->s3->server_random;
-               l2n(Time,pos);
-               if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
+               if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0)
                        {
                        goto f_err;
                        }
@@ -1498,19 +1494,13 @@ int ssl3_send_server_hello(SSL *s)
        unsigned char *p,*d;
        int i,sl;
        unsigned long l;
-#ifdef OPENSSL_NO_TLSEXT
-       unsigned long Time;
-#endif
 
        if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
                {
                buf=(unsigned char *)s->init_buf->data;
 #ifdef OPENSSL_NO_TLSEXT
                p=s->s3->server_random;
-               /* Generate server_random if it was not needed previously */
-               Time=(unsigned long)time(NULL);                 /* Time */
-               l2n(Time,p);
-               if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+               if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
                        return -1;
 #endif
                /* Do the message type and length last */
@@ -2117,12 +2107,12 @@ int ssl3_send_certificate_request(SSL *s)
                                {
                                name=sk_X509_NAME_value(sk,i);
                                j=i2d_X509_NAME(name,NULL);
-                               if (!BUF_MEM_grow_clean(buf,4+n+j+2))
+                               if (!BUF_MEM_grow_clean(buf,SSL_HM_HEADER_LENGTH(s)+n+j+2))
                                        {
                                        SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
                                        goto err;
                                        }
-                               p=(unsigned char *)&(buf->data[4+n]);
+                               p = ssl_handshake_start(s) + n;
                                if (!(s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
                                        {
                                        s2n(j,p);