diff options
| author | Dr. Stephen Henson <steve@openssl.org> | 2013-12-24 19:17:00 +0100 |
|---|---|---|
| committer | Dr. Stephen Henson <steve@openssl.org> | 2014-01-02 16:05:44 +0100 |
| commit | b77b58a398c8b9b4113f3fb6b48e162a3b8d4527 (patch) | |
| tree | d9b6f28c6763e40f396e40ed35587bdf2e76c162 /ssl/s3_srvr.c | |
| parent | Update curve list size. (diff) | |
| download | openssl-b77b58a398c8b9b4113f3fb6b48e162a3b8d4527.tar.xz openssl-b77b58a398c8b9b4113f3fb6b48e162a3b8d4527.zip | |
Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.
Thanks to Marek Majkowski for additional analysis of this issue.
PR#3191
Diffstat (limited to 'ssl/s3_srvr.c')
| -rw-r--r-- | ssl/s3_srvr.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 5d0432f0bf..41a5ba5503 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -978,12 +978,13 @@ int ssl3_get_client_hello(SSL *s) s->client_version=(((int)p[0])<<8)|(int)p[1]; p+=2; - if ((SSL_IS_DTLS(s) && s->client_version > s->version - && s->method->version != DTLS_ANY_VERSION) || - (!SSL_IS_DTLS(s) && s->client_version < s->version)) + if (SSL_IS_DTLS(s) ? (s->client_version > s->version && + s->method->version != DTLS_ANY_VERSION) + : (s->client_version < s->version)) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); - if ((s->client_version>>8) == SSL3_VERSION_MAJOR) + if ((s->client_version>>8) == SSL3_VERSION_MAJOR && + !s->enc_write_ctx && !s->write_hash) { /* similar to ssl3_get_record, send alert using remote version number */ s->version = s->client_version; |