Don't change version number if session established

When sending an invalid version number alert don't change the version number to the client version if a session is already established. Thanks to Marek Majkowski for additional analysis of this issue. PR#3191 (cherry picked from commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527)
author: Dr. Stephen Henson <steve@openssl.org> 2013-12-24 18:17:00 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-01-02 15:07:51 +0000
commit: 8511b5f594381a69824daca44599bfe75210b9e1 (patch)
tree: 4edd2e35fb86bc9002153be1e0c0acdaf20fd171 /ssl/s3_srvr.c
parent: 546d6760b99d4ee91e3487efd42e1c123246a84e (diff)
1 files changed, 5 insertions, 4 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 37f3ffb1bf..619c710ca4 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -968,12 +968,13 @@ int ssl3_get_client_hello(SSL *s)
 	s->client_version=(((int)p[0])<<8)|(int)p[1];
 	p+=2;
 
-	if ((SSL_IS_DTLS(s) && s->client_version > s->version
-			&& s->method->version != DTLS_ANY_VERSION) ||
-	    (!SSL_IS_DTLS(s) && s->client_version < s->version))
+	if (SSL_IS_DTLS(s)  ?	(s->client_version > s->version &&
+				 s->method->version != DTLS_ANY_VERSION)
+			    :	(s->client_version < s->version))
 		{
 		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-		if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
+		if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
+			!s->enc_write_ctx && !s->write_hash)
 			{
 			/* similar to ssl3_get_record, send alert using remote version number */
 			s->version = s->client_version;
author	Dr. Stephen Henson <steve@openssl.org>	2013-12-24 18:17:00 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2014-01-02 15:07:51 +0000
commit	8511b5f594381a69824daca44599bfe75210b9e1 (patch)
tree	4edd2e35fb86bc9002153be1e0c0acdaf20fd171 /ssl/s3_srvr.c
parent	546d6760b99d4ee91e3487efd42e1c123246a84e (diff)