X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fs3_pkt.c;h=25cf929a55d6decf3d815f28ab5e3ffd8d089b11;hp=d422abfda0e61daaf87d92a1f820a207e3bbb6f3;hb=66299660976540fa59450a5edc700e61ce4685d0;hpb=1895583835239bc44c3f6584e48f0279ad884f3b
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index d422abfda0..25cf929a55 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -347,11 +347,22 @@ static int ssl3_get_record(SSL *s)
 if (version != s->version) {
 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
 if ((s->version & 0xFF00) == (version & 0xFF00)
- && !s->enc_write_ctx && !s->write_hash)
+ && !s->enc_write_ctx && !s->write_hash) {
+ if (rr->type == SSL3_RT_ALERT) {
+ /*
+ * The record is using an incorrect version number, but
+ * what we've got appears to be an alert. We haven't
+ * read the body yet to check whether its a fatal or
+ * not - but chances are it is. We probably shouldn't
+ * send a fatal alert back. We'll just end.
+ */
+ goto err;
+ }
 /*
 * Send back error using their minor version number :-)
 */
 s->version = (unsigned short)version;
+ }
 al = SSL_AD_PROTOCOL_VERSION;
 goto f_err;
 }
@@ -1258,7 +1269,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 cb(s, SSL_CB_READ_ALERT, j);
 }
- if (alert_level == 1) { /* warning */
+ if (alert_level == SSL3_AL_WARNING) {
 s->s3->warn_alert = alert_descr;
 if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
@@ -1281,7 +1292,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
 return (0);
 #endif
- } else if (alert_level == 2) { /* fatal */
+ } else if (alert_level == SSL3_AL_FATAL) {
 char tmp[16];
 s->rwstate = SSL_NOTHING;
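Review bot: In the first hunk (ssl3_get_record), the new `rr->type == SSL3_RT_ALERT` test sits inside the same-major-version, no-write-context branch, so an alert record with a different major version, or one arriving once `enc_write_ctx` or `write_hash` is set, still falls through to `al = SSL_AD_PROTOCOL_VERSION; goto f_err;`, which presumably sends the fatal alert the comment says to avoid. If the intent is never to answer an alert with an alert, the test belongs directly after the `SSLerr(...)` call as `if (rr->type == SSL3_RT_ALERT) goto err;`. If the narrow scope is deliberate, the comment should say so and note that `rr->type` comes from the record header before the body is read, so the peer decides which path is taken. The `err` and `f_err` labels and the rest of the function are outside the hunk.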