diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2013-12-24 18:17:00 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2014-01-02 15:07:51 +0000 |
commit | 8511b5f594381a69824daca44599bfe75210b9e1 (patch) | |
tree | 4edd2e35fb86bc9002153be1e0c0acdaf20fd171 /ssl/s3_srvr.c | |
parent | 546d6760b99d4ee91e3487efd42e1c123246a84e (diff) |
Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.
Thanks to Marek Majkowski for additional analysis of this issue.
PR#3191
(cherry picked from commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527)
Diffstat (limited to 'ssl/s3_srvr.c')
-rw-r--r-- | ssl/s3_srvr.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 37f3ffb1bf..619c710ca4 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -968,12 +968,13 @@ int ssl3_get_client_hello(SSL *s) s->client_version=(((int)p[0])<<8)|(int)p[1]; p+=2; - if ((SSL_IS_DTLS(s) && s->client_version > s->version - && s->method->version != DTLS_ANY_VERSION) || - (!SSL_IS_DTLS(s) && s->client_version < s->version)) + if (SSL_IS_DTLS(s) ? (s->client_version > s->version && + s->method->version != DTLS_ANY_VERSION) + : (s->client_version < s->version)) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); - if ((s->client_version>>8) == SSL3_VERSION_MAJOR) + if ((s->client_version>>8) == SSL3_VERSION_MAJOR && + !s->enc_write_ctx && !s->write_hash) { /* similar to ssl3_get_record, send alert using remote version number */ s->version = s->client_version; |