Enable PSK in FIPS mode.

[oweals/openssl.git] / ssl / d1_clnt.c

diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 1b518d981ea0a2671e65ff51574ce0282f45eba0..48e5e06bdeb473f448394f82d7a50d9c9a45a0ee 100644 (file)
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -329,7 +329,6 @@ int dtls1_connect(SSL *s)
                        if (ret <= 0) goto end;
                        else
                                {
-                               dtls1_stop_timer(s);
                                if (s->hit)
                                        {
 #ifndef OPENSSL_NO_SCTP
@@ -440,6 +439,7 @@ int dtls1_connect(SSL *s)
                case SSL3_ST_CR_SRVR_DONE_B:
                        ret=ssl3_get_server_done(s);
                        if (ret <= 0) goto end;
+                       dtls1_stop_timer(s);
                        if (s->s3->tmp.cert_req)
                                s->s3->tmp.next_state=SSL3_ST_CW_CERT_A;
                        else
@@ -538,13 +538,6 @@ int dtls1_connect(SSL *s)
                                SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
                        if (ret <= 0) goto end;
 
-#ifndef OPENSSL_NO_SCTP
-                       /* Change to new shared key of SCTP-Auth,
-                        * will be ignored if no SCTP used.
-                        */
-                       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
-#endif
-
                        s->state=SSL3_ST_CW_FINISHED_A;
                        s->init_num=0;
 
@@ -571,6 +564,16 @@ int dtls1_connect(SSL *s)
                                goto end;
                                }
                        
+#ifndef OPENSSL_NO_SCTP
+                               if (s->hit)
+                                       {
+                                       /* Change to new shared key of SCTP-Auth,
+                                        * will be ignored if no SCTP used.
+                                        */
+                                       BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+                                       }
+#endif
+
                        dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
                        break;
 
@@ -613,6 +616,13 @@ int dtls1_connect(SSL *s)
                                }
                        else
                                {
+#ifndef OPENSSL_NO_SCTP
+                               /* Change to new shared key of SCTP-Auth,
+                                * will be ignored if no SCTP used.
+                                */
+                               BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+#endif
+
 #ifndef OPENSSL_NO_TLSEXT
                                /* Allow NewSessionTicket if ticket expected */
                                if (s->tlsext_ticket_expected)
@@ -773,7 +783,7 @@ int dtls1_client_hello(SSL *s)
        unsigned char *buf;
        unsigned char *p,*d;
        unsigned int i,j;
-       unsigned long Time,l;
+       unsigned long l;
        SSL_COMP *comp;
 
        buf=(unsigned char *)s->init_buf->data;
@@ -798,13 +808,11 @@ int dtls1_client_hello(SSL *s)
 
                /* if client_random is initialized, reuse it, we are
                 * required to use same upon reply to HelloVerify */
-               for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
+               for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++)
+                       ;
                if (i==sizeof(s->s3->client_random))
-                       {
-                       Time=(unsigned long)time(NULL); /* Time */
-                       l2n(Time,p);
-                       RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
-                       }
+                       ssl_fill_hello_random(s, 0, p,
+                                             sizeof(s->s3->client_random));
 
                /* Do the message type and length last */
                d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);