Enclosed a revised patch to make ssl conformant to the RFC 5054.
The two patches are for the head and the stable release since
the code parts differ too much.
diff -r -c openssl-SNAP-20111123/ssl/s3_clnt.c openssl-SNAP-20111123PS/ssl/s3_clnt.c
*** openssl-SNAP-20111123/ssl/s3_clnt.c 2011-09-05 16:00:06.000000000 +0200
--- openssl-SNAP-20111123PS/ssl/s3_clnt.c 2011-11-23 14:41:25.000000000 +0100
***************
*** 281,300 ****
case SSL3_ST_CR_SRVR_HELLO_A:
case SSL3_ST_CR_SRVR_HELLO_B:
ret=ssl3_get_server_hello(s);
- #ifndef OPENSSL_NO_SRP
- if ((ret == 0) && (s->s3->warn_alert == SSL_AD_MISSING_SRP_USERNAME))
- {
- if (!SRP_have_to_put_srp_username(s))
- {
- SSLerr(SSL_F_SSL3_CONNECT,SSL_R_MISSING_SRP_USERNAME);
- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_USER_CANCELLED);
- goto end;
- }
- s->state=SSL3_ST_CW_CLNT_HELLO_A;
- if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
- break;
- }
- #endif
if (ret <= 0) goto end;
if (s->hit)
--- 281,286 ----
diff -r -c openssl-SNAP-20111123/ssl/s3_srvr.c openssl-SNAP-20111123PS/ssl/s3_srvr.c
*** openssl-SNAP-20111123/ssl/s3_srvr.c 2011-09-05 16:00:06.000000000 +0200
--- openssl-SNAP-20111123PS/ssl/s3_srvr.c 2011-11-23 15:24:22.000000000 +0100
***************
*** 181,204 ****
}
#ifndef OPENSSL_NO_SRP
! static int SSL_check_srp_ext_ClientHello(SSL *s,int *ad)
{
int ret = SSL_ERROR_NONE;
! *ad = SSL_AD_UNRECOGNIZED_NAME;
if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
(s->srp_ctx.TLS_ext_srp_username_callback != NULL))
{
if(s->srp_ctx.login == NULL)
{
! /* There isn't any srp login extension !!! */
! ret = SSL3_AL_WARNING;
! *ad = SSL_AD_MISSING_SRP_USERNAME;
}
else
{
! ret = SSL_srp_server_param_with_username(s,ad);
}
}
return ret;
--- 181,205 ----
}
#ifndef OPENSSL_NO_SRP
! static int ssl_check_srp_ext_ClientHello(SSL *s,int *al)
{
int ret = SSL_ERROR_NONE;
! *al = SSL_AD_UNRECOGNIZED_NAME;
if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
(s->srp_ctx.TLS_ext_srp_username_callback != NULL))
{
if(s->srp_ctx.login == NULL)
{
! /* RFC 5054 says SHOULD reject,
! we do so if There is no srp login name */
! ret = SSL3_AL_FATAL;
! *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
}
else
{
! ret = SSL_srp_server_param_with_username(s,al);
}
}
return ret;
***************
*** 217,225 ****
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state,skip=0;
- #ifndef OPENSSL_NO_SRP
- int srp_no_username =0;
- #endif
RAND_add(&Time,sizeof(Time),0);
ERR_clear_error();
--- 218,223 ----
***************
*** 340,374 ****
case SSL3_ST_SR_CLNT_HELLO_A:
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
- #ifndef OPENSSL_NO_SRP
- case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME:
- #endif
s->shutdown=0;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_SRP
{
! int extension_error = 0,al;
! if ((al = SSL_check_srp_ext_ClientHello(s,&extension_error)) != SSL_ERROR_NONE)
! {
! ssl3_send_alert(s,al,extension_error);
! if (extension_error == SSL_AD_MISSING_SRP_USERNAME)
! {
! if (srp_no_username) goto end;
! ERR_clear_error();
! srp_no_username = 1;
! s->state=SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME;
! if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
! if ((ret=BIO_flush(s->wbio)) <= 0) goto end;
! s->init_num=0;
! break;
! }
! ret = -1;
! SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
! goto end;
! }
}
#endif
--- 338,359 ----
case SSL3_ST_SR_CLNT_HELLO_A:
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
s->shutdown=0;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_SRP
{
! int al;
! if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) != SSL_ERROR_NONE)
! {
! ssl3_send_alert(s,SSL3_AL_FATAL,al);
! SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
! ret = SSL_TLSEXT_ERR_ALERT_FATAL;
! ret= -1;
! goto end;
! }
}
#endif
***************
*** 917,925 ****
* TLSv1.
*/
if (s->state == SSL3_ST_SR_CLNT_HELLO_A
- #ifndef OPENSSL_NO_SRP
- || (s->state == SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME)
- #endif
)
{
s->state=SSL3_ST_SR_CLNT_HELLO_B;
--- 902,907 ----
diff -r -c openssl-SNAP-20111123/ssl/ssl3.h openssl-SNAP-20111123PS/ssl/ssl3.h
*** openssl-SNAP-20111123/ssl/ssl3.h 2011-05-20 17:00:05.000000000 +0200
--- openssl-SNAP-20111123PS/ssl/ssl3.h 2011-11-23 14:39:51.000000000 +0100
***************
*** 584,591 ****
#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
- /* a new state to remember that we have already receive a ClientHello without srp username extension */
- #define SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME (0x1E2|SSL_ST_ACCEPT)
/* write to client */
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
--- 584,589 ----
diff -r -c openssl-SNAP-20111123/ssl/ssl.h openssl-SNAP-20111123PS/ssl/ssl.h
*** openssl-SNAP-20111123/ssl/ssl.h 2011-11-16 01:00:16.000000000 +0100
--- openssl-SNAP-20111123PS/ssl/ssl.h 2011-11-23 14:39:51.000000000 +0100
***************
*** 1494,1501 ****
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
- #define SSL_AD_UNKNOWN_SRP_USERNAME TLS1_AD_UNKNOWN_SRP_USERNAME
- #define SSL_AD_MISSING_SRP_USERNAME TLS1_AD_MISSING_SRP_USERNAME
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
--- 1494,1499 ----
diff -r -c openssl-SNAP-20111123/ssl/ssl_stat.c openssl-SNAP-20111123PS/ssl/ssl_stat.c
*** openssl-SNAP-20111123/ssl/ssl_stat.c 2011-11-13 15:00:08.000000000 +0100
--- openssl-SNAP-20111123PS/ssl/ssl_stat.c 2011-11-23 14:39:51.000000000 +0100
***************
*** 210,218 ****
case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
- #ifndef OPENSSL_NO_SRP
- case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME: str="SSLv3 waiting for a SRP username"; break;
- #endif
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
--- 210,215 ----
diff -r -c openssl-SNAP-20111123/ssl/t1_enc.c openssl-SNAP-20111123PS/ssl/t1_enc.c
*** openssl-SNAP-20111123/ssl/t1_enc.c 2011-11-22 00:00:15.000000000 +0100
--- openssl-SNAP-20111123PS/ssl/t1_enc.c 2011-11-23 14:39:51.000000000 +0100
***************
*** 1242,1250 ****
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
- #ifndef OPENSSL_NO_SRP
- case SSL_AD_MISSING_SRP_USERNAME:return(TLS1_AD_MISSING_SRP_USERNAME);
- #endif
#if 0 /* not appropriate for TLS, not used for DTLS */
case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
--- 1242,1247 ----
diff -r -c openssl-SNAP-20111123/ssl/tls1.h openssl-SNAP-20111123PS/ssl/tls1.h
*** openssl-SNAP-20111123/ssl/tls1.h 2011-11-16 01:00:16.000000000 +0100
--- openssl-SNAP-20111123PS/ssl/tls1.h 2011-11-23 14:39:51.000000000 +0100
***************
*** 196,203 ****
#define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */
- #define TLS1_AD_UNKNOWN_SRP_USERNAME 120 /* fatal */
- #define TLS1_AD_MISSING_SRP_USERNAME 121
/* ExtensionType values from RFC3546 / RFC4366 */
#define TLSEXT_TYPE_server_name 0
--- 196,201 ----
diff -r -c openssl-SNAP-20111123/ssl/tls_srp.c openssl-SNAP-20111123PS/ssl/tls_srp.c
*** openssl-SNAP-20111123/ssl/tls_srp.c 2011-04-11 17:00:06.000000000 +0200
--- openssl-SNAP-20111123PS/ssl/tls_srp.c 2011-11-23 14:39:51.000000000 +0100
***************
*** 236,242 ****
unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
int al;
! *ad = SSL_AD_UNKNOWN_SRP_USERNAME;
if ((s->srp_ctx.TLS_ext_srp_username_callback !=NULL) &&
((al = s->srp_ctx.TLS_ext_srp_username_callback(s, ad, s->srp_ctx.SRP_cb_arg))!=SSL_ERROR_NONE))
return al;
--- 236,242 ----
unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
int al;
! *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
if ((s->srp_ctx.TLS_ext_srp_username_callback !=NULL) &&
((al = s->srp_ctx.TLS_ext_srp_username_callback(s, ad, s->srp_ctx.SRP_cb_arg))!=SSL_ERROR_NONE))
return al;
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/s3_clnt.c openssl-1.0.1-stable-SNAP-20111123PS/ssl/s3_clnt.c
*** openssl-1.0.1-stable-SNAP-20111123/ssl/s3_clnt.c 2011-11-13 23:00:19.000000000 +0100
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/s3_clnt.c 2011-11-23 16:41:53.307130001 +0100
***************
*** 280,299 ****
case SSL3_ST_CR_SRVR_HELLO_A:
case SSL3_ST_CR_SRVR_HELLO_B:
ret=ssl3_get_server_hello(s);
- #ifndef OPENSSL_NO_SRP
- if (ret == 0 && s->s3->warn_alert == SSL_AD_MISSING_SRP_USERNAME)
- {
- if (!SRP_have_to_put_srp_username(s))
- {
- SSLerr(SSL_F_SSL3_CONNECT,SSL_R_MISSING_SRP_USERNAME);
- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_USER_CANCELLED);
- goto end;
- }
- s->state=SSL3_ST_CW_CLNT_HELLO_A;
- if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
- break;
- }
- #endif
if (ret <= 0) goto end;
if (s->hit)
--- 280,285 ----
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/s3_srvr.c openssl-1.0.1-stable-SNAP-20111123PS/ssl/s3_srvr.c
*** openssl-1.0.1-stable-SNAP-20111123/ssl/s3_srvr.c 2011-11-13 23:00:19.000000000 +0100
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/s3_srvr.c 2011-11-23 16:43:40.847130001 +0100
***************
*** 180,190 ****
}
#ifndef OPENSSL_NO_SRP
! static int SSL_check_srp_ext_ClientHello(SSL *s, int *ad)
{
int ret = SSL_ERROR_NONE;
! *ad = SSL_AD_UNRECOGNIZED_NAME;
if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
(s->srp_ctx.TLS_ext_srp_username_callback != NULL))
--- 180,190 ----
}
#ifndef OPENSSL_NO_SRP
! static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
{
int ret = SSL_ERROR_NONE;
! *al = SSL_AD_UNRECOGNIZED_NAME;
if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
(s->srp_ctx.TLS_ext_srp_username_callback != NULL))
***************
*** 192,203 ****
if(s->srp_ctx.login == NULL)
{
/* There isn't any srp login extension !!! */
! ret = SSL3_AL_WARNING;
! *ad = SSL_AD_MISSING_SRP_USERNAME;
}
else
{
! ret = SSL_srp_server_param_with_username(s,ad);
}
}
return ret;
--- 192,203 ----
if(s->srp_ctx.login == NULL)
{
/* There isn't any srp login extension !!! */
! ret = SSL3_AL_FATAL;
! *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
}
else
{
! ret = SSL_srp_server_param_with_username(s,al);
}
}
return ret;
***************
*** 216,225 ****
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state,skip=0;
- #ifndef OPENSSL_NO_SRP
- int srp_no_username=0;
- int extension_error,al;
- #endif
RAND_add(&Time,sizeof(Time),0);
ERR_clear_error();
--- 216,221 ----
***************
*** 340,374 ****
case SSL3_ST_SR_CLNT_HELLO_A:
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
- #ifndef OPENSSL_NO_SRP
- case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME:
- #endif
s->shutdown=0;
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_SRP
! extension_error = 0;
! if ((al = SSL_check_srp_ext_ClientHello(s,&extension_error)) != SSL_ERROR_NONE)
{
! ssl3_send_alert(s,al,extension_error);
! if (extension_error == SSL_AD_MISSING_SRP_USERNAME)
! {
! if (srp_no_username) goto end;
! ERR_clear_error();
! srp_no_username = 1;
! s->state=SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME;
! if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
! if ((ret=BIO_flush(s->wbio)) <= 0) goto end;
! s->init_num=0;
! break;
! }
! ret = -1;
! SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
! goto end;
}
! #endif
!
s->renegotiate = 2;
s->state=SSL3_ST_SW_SRVR_HELLO_A;
s->init_num=0;
--- 336,359 ----
case SSL3_ST_SR_CLNT_HELLO_A:
case SSL3_ST_SR_CLNT_HELLO_B:
case SSL3_ST_SR_CLNT_HELLO_C:
s->shutdown=0;
+
ret=ssl3_get_client_hello(s);
if (ret <= 0) goto end;
#ifndef OPENSSL_NO_SRP
! {
! int al;
! if ((ret = ssl_check_srp_ext_ClientHello(s,&al)) != SSL_ERROR_NONE)
{
! ssl3_send_alert(s,SSL3_AL_FATAL,al);
! SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);
! ret = SSL_TLSEXT_ERR_ALERT_FATAL;
! ret= -1;
! goto end;
}
! }
! #endif
s->renegotiate = 2;
s->state=SSL3_ST_SW_SRVR_HELLO_A;
s->init_num=0;
***************
*** 914,922 ****
* TLSv1.
*/
if (s->state == SSL3_ST_SR_CLNT_HELLO_A
- #ifndef OPENSSL_NO_SRP
- || (s->state == SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME)
- #endif
)
{
s->state=SSL3_ST_SR_CLNT_HELLO_B;
--- 899,904 ----
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/ssl3.h openssl-1.0.1-stable-SNAP-20111123PS/ssl/ssl3.h
*** openssl-1.0.1-stable-SNAP-20111123/ssl/ssl3.h 2011-11-13 23:00:19.000000000 +0100
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/ssl3.h 2011-11-23 16:41:53.311130001 +0100
***************
*** 581,588 ****
#define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_B (0x111|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CLNT_HELLO_C (0x112|SSL_ST_ACCEPT)
- /* a new state to remember that we have already receive a ClientHello without srp username extension */
- #define SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME (0x1E2|SSL_ST_ACCEPT)
/* write to client */
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A (0x113|SSL_ST_ACCEPT)
#define DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B (0x114|SSL_ST_ACCEPT)
--- 581,586 ----
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/ssl.h openssl-1.0.1-stable-SNAP-20111123PS/ssl/ssl.h
*** openssl-1.0.1-stable-SNAP-20111123/ssl/ssl.h 2011-11-16 01:00:35.000000000 +0100
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/ssl.h 2011-11-23 16:41:53.315130001 +0100
***************
*** 1486,1493 ****
#define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
- #define SSL_AD_UNKNOWN_SRP_USERNAME TLS1_AD_UNKNOWN_SRP_USERNAME
- #define SSL_AD_MISSING_SRP_USERNAME TLS1_AD_MISSING_SRP_USERNAME
#define SSL_ERROR_NONE 0
#define SSL_ERROR_SSL 1
--- 1486,1491 ----
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/ssl_stat.c openssl-1.0.1-stable-SNAP-20111123PS/ssl/ssl_stat.c
*** openssl-1.0.1-stable-SNAP-20111123/ssl/ssl_stat.c 2011-11-13 15:00:20.000000000 +0100
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/ssl_stat.c 2011-11-23 16:41:53.315130001 +0100
***************
*** 210,218 ****
case SSL3_ST_SR_KEY_EXCH_B: str="SSLv3 read client key exchange B"; break;
case SSL3_ST_SR_CERT_VRFY_A: str="SSLv3 read certificate verify A"; break;
case SSL3_ST_SR_CERT_VRFY_B: str="SSLv3 read certificate verify B"; break;
- #ifndef OPENSSL_NO_SRP
- case SSL3_ST_SR_CLNT_HELLO_SRP_USERNAME: str="SSLv3 waiting for a SRP username"; break;
- #endif
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
--- 210,215 ----
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/t1_enc.c openssl-1.0.1-stable-SNAP-20111123PS/ssl/t1_enc.c
*** openssl-1.0.1-stable-SNAP-20111123/ssl/t1_enc.c 2011-11-22 00:00:45.000000000 +0100
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/t1_enc.c 2011-11-23 16:41:53.319130001 +0100
***************
*** 1242,1250 ****
case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
- #ifndef OPENSSL_NO_SRP
- case SSL_AD_MISSING_SRP_USERNAME:return(TLS1_AD_MISSING_SRP_USERNAME);
- #endif
#if 0 /* not appropriate for TLS, not used for DTLS */
case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
--- 1242,1247 ----
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/tls1.h openssl-1.0.1-stable-SNAP-20111123PS/ssl/tls1.h
*** openssl-1.0.1-stable-SNAP-20111123/ssl/tls1.h 2011-11-16 01:00:35.000000000 +0100
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/tls1.h 2011-11-23 16:41:53.319130001 +0100
***************
*** 196,203 ****
#define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
#define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114
#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */
- #define TLS1_AD_UNKNOWN_SRP_USERNAME 120 /* fatal */
- #define TLS1_AD_MISSING_SRP_USERNAME 121
/* ExtensionType values from RFC3546 / RFC4366 */
#define TLSEXT_TYPE_server_name 0
--- 196,201 ----
diff -r -c openssl-1.0.1-stable-SNAP-20111123/ssl/tls_srp.c openssl-1.0.1-stable-SNAP-20111123PS/ssl/tls_srp.c
*** openssl-1.0.1-stable-SNAP-20111123/ssl/tls_srp.c 2011-05-12 16:00:17.000000000 +0200
--- openssl-1.0.1-stable-SNAP-20111123PS/ssl/tls_srp.c 2011-11-23 16:41:53.319130001 +0100
***************
*** 234,240 ****
unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
int al;
! *ad = SSL_AD_UNKNOWN_SRP_USERNAME;
if ((s->srp_ctx.TLS_ext_srp_username_callback !=NULL) &&
((al = s->srp_ctx.TLS_ext_srp_username_callback(s, ad, s->srp_ctx.SRP_cb_arg))!=SSL_ERROR_NONE))
return al;
--- 234,240 ----
unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
int al;
! *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
if ((s->srp_ctx.TLS_ext_srp_username_callback !=NULL) &&
((al = s->srp_ctx.TLS_ext_srp_username_callback(s, ad, s->srp_ctx.SRP_cb_arg))!=SSL_ERROR_NONE))
return al;
