generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Don't change version number if session established

Browse Source 
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
This commit is contained in:
Dr. Stephen Henson
2013-12-24 18:17:00 +00:00
parent f6dfbeed3c
commit b77b58a398
2 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ssl/s3_srvr.c
View File

@@ -978,12 +978,13 @@ int ssl3_get_client_hello(SSL *s)
s->client_version=(((int)p[0])<<8)|(int)p[1];
p+=2;
if ((SSL_IS_DTLS(s) && s->client_version > s->version
&& s->method->version != DTLS_ANY_VERSION) ||
(!SSL_IS_DTLS(s) && s->client_version < s->version))
if (SSL_IS_DTLS(s) ? (s->client_version > s->version &&
s->method->version != DTLS_ANY_VERSION)
: (s->client_version < s->version))
{
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
!s->enc_write_ctx && !s->write_hash)
{
/* similar to ssl3_get_record, send alert using remote version number */
s->version = s->client_version;