Commit b77b58a3 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Don't change version number if session established

When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
parent f6dfbeed
+1 −1
@@ -348,7 +348,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
			if (version != s->version)
			if (version != s->version)
				{
				{
				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
                                if ((s->version & 0xFF00) == (version & 0xFF00))
                                if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
                                	/* Send back error using their minor version number :-) */
                                	/* Send back error using their minor version number :-) */
					s->version = (unsigned short)version;
					s->version = (unsigned short)version;
				al=SSL_AD_PROTOCOL_VERSION;
				al=SSL_AD_PROTOCOL_VERSION;
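Review bot: The new guard's intent — that `enc_write_ctx`/`write_hash` being NULL stands in for "no session established yet" — is not stated anywhere, and the body it protects is a single unbraced statement separated from its `if` by a comment line, which is the exact shape that invites a later edit to silently fall outside the condition. I would brace it and name the invariant: `if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) {` / `/* Adopt the peer's minor version for the alert only before write keys/MAC exist; a bad record version must not move s->version mid-connection. */` / `s->version = (unsigned short)version; }`. The same `!s->enc_write_ctx && !s->write_hash` test is duplicated in the ssl3_get_client_hello hunk below, so a small `static` helper (e.g. a "write state not yet keyed" predicate) would keep the two sites from drifting apart. The enclosing ssl3_get_record body starts and ends outside this hunk.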
+5 −4
@@ -978,12 +978,13 @@ int ssl3_get_client_hello(SSL *s)
	s->client_version=(((int)p[0])<<8)|(int)p[1];
	s->client_version=(((int)p[0])<<8)|(int)p[1];
	p+=2;
	p+=2;


	if ((SSL_IS_DTLS(s) && s->client_version > s->version
	if (SSL_IS_DTLS(s)  ?	(s->client_version > s->version &&
			&& s->method->version != DTLS_ANY_VERSION) ||
				 s->method->version != DTLS_ANY_VERSION)
	    (!SSL_IS_DTLS(s) && s->client_version < s->version))
			    :	(s->client_version < s->version))
		{
		{
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
		if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
		if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
			!s->enc_write_ctx && !s->write_hash)
			{
			{
			/* similar to ssl3_get_record, send alert using remote version number */
			/* similar to ssl3_get_record, send alert using remote version number */
			s->version = s->client_version;
			s->version = s->client_version;