generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use version in SSL_METHOD not SSL structure.

Browse Source 
When deciding whether to use TLS 1.2 PRF and record hash algorithms
use the version number in the corresponding SSL_METHOD structure
instead of the SSL structure. The SSL structure version is sometimes
inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449)
This commit is contained in:
Dr. Stephen Henson
2013-12-19 14:37:39 +00:00
parent 2ec4181ba9
commit ca989269a2
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/s3_lib.c
View File

@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
long ssl_get_algorithm2(SSL *s) long ssl_get_algorithm2(SSL *s)
{ {
long alg2 = s->s3->tmp.new_cipher->algorithm2; long alg2 = s->s3->tmp.new_cipher->algorithm2;
if (TLS1_get_version(s) >= TLS1_2_VERSION && if (s->method->version == TLS1_2_VERSION &&
alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
return alg2; return alg2;