diff options
| author |   djm <djm@openbsd.org> | 2005-04-29 05:39:09 +0000 |
|---|---|---|
| committer | djm <djm@openbsd.org> | 2005-04-29 05:39:09 +0000 |
| commit | 40d8aef356a70d0b13395f0805e3044b85d91347 (patch) | |
| tree | 22edbfd34c49ce1b7988794a7a74d65829c13819 /lib/libssl/src/ssl/s3_srvr.c | |
| parent | import of openssl-0.9.7g; tested on platforms from alpha to zaurus, ok deraadt@ (diff) | |
| download | wireguard-openbsd-40d8aef356a70d0b13395f0805e3044b85d91347.tar.xz wireguard-openbsd-40d8aef356a70d0b13395f0805e3044b85d91347.zip | |
resolve conflicts
Diffstat (limited to 'lib/libssl/src/ssl/s3_srvr.c')
| -rw-r--r-- | lib/libssl/src/ssl/s3_srvr.c | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index deb3cffabeb..c4a1a715238 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -125,6 +125,7 @@ #include <openssl/krb5_asn.h> #endif #include <openssl/md5.h> +#include <openssl/fips.h> static SSL_METHOD *ssl3_get_server_method(int ver); static int ssl3_get_client_hello(SSL *s); @@ -955,7 +956,8 @@ static int ssl3_send_server_hello(SSL *s) p=s->s3->server_random; Time=time(NULL); /* Time */ l2n(Time,p); - RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); + if(RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0) + return -1; /* Do the message type and length last */ d=p= &(buf[4]); @@ -1211,6 +1213,8 @@ static int ssl3_send_server_key_exchange(SSL *s) j=0; for (num=2; num > 0; num--) { + EVP_MD_CTX_set_flags(&md_ctx, + EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_DigestInit_ex(&md_ctx,(num == 2) ?s->ctx->md5:s->ctx->sha1, NULL); EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); @@ -1491,7 +1495,8 @@ static int ssl3_get_client_key_exchange(SSL *s) i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; - RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ + if(RAND_pseudo_bytes(p+2, i-2) <= 0) /* should be RAND_bytes, but we cannot work around a failure */ + goto err; } s->session->master_key_length= @@ -1589,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s) n2s(p,i); enc_ticket.length = i; - if (n < enc_ticket.length + 6) + if (n < (long)enc_ticket.length + 6) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); @@ -1602,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s) n2s(p,i); authenticator.length = i; - if (n < enc_ticket.length + authenticator.length + 6) + if (n < (long)(enc_ticket.length + authenticator.length + 6)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); @@ -1627,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s) goto err; } - if (n != enc_ticket.length + authenticator.length + - enc_pms.length + 6) + if (n != (long)(enc_ticket.length + authenticator.length + + enc_pms.length + 6)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); |