Improve fallback protection
author Matt Caswell <matt@openssl.org>
Wed, 8 Aug 2018 13:21:33 +0000 (14:21 +0100)
committer Matt Caswell <matt@openssl.org>
Thu, 9 Aug 2018 09:53:09 +0000 (10:53 +0100)
A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes #6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

ssl/statem/statem_lib.c

index 8a7d178a5108a141fec6966a6e14e0df23beabfc..74a2ec11de5e1c3e4d042e3932187cd222f604af 100644 (file)
@@ -1914,6 +1914,9 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
         if (highver != 0 && s->version != vent->version)
             continue;
 
+        if (highver == 0 && (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) != 0)
+            highver = vent->version;
+
         method = vent->cmeth();
         err = ssl_method_error(s, method);
         if (err != 0) {
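Review bot: The new `highver = vent->version;` assignment runs before the `ssl_method_error(s, method)` check just below it, so with SSL_MODE_SEND_FALLBACK_SCSV set, highver is taken from the first table entry the loop reaches, whether or not that method turns out to be usable in this configuration. If that is intended (the fallen-back client's real maximum is above the version it is now offering), a short comment on the new condition should say so, since the following `highver != 0 && s->version != vent->version` test will then skip every entry except s->version on later iterations. If it is not intended, move the assignment after the `err != 0` handling so only an enabled method can define highver. Nothing in this hunk shows a test for the fallback case; one that sets the mode flag and checks that the downgrade sentinels are detected would pin this behaviour down.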