Diffstat (limited to 'src/lib/libssl/ssl_ciphers.c')
| -rw-r--r-- | src/lib/libssl/ssl_ciphers.c | 9 |
1 files changed, 4 insertions, 5 deletions
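diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 85c60b1abb..4e4a0d93a4 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
+/* $OpenBSD: ssl_ciphers.c,v 1.11 2021/03/11 17:14:46 jsing Exp $ */
 /*
 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -93,7 +93,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
 {
 STACK_OF(SSL_CIPHER) *ciphers = NULL;
 const SSL_CIPHER *cipher;
-uint16_t cipher_value, max_version;
+uint16_t cipher_value;
 unsigned long cipher_id;
 
 S3I(s)->send_connection_binding = 0;
@@ -134,9 +134,8 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs)
 * Fail if the current version is an unexpected
 * downgrade.
 */
-if (!ssl_downgrade_max_version(s, &max_version))
-goto err;
-if (s->version < max_version) {
+if (S3I(s)->hs.negotiated_tls_version <
+S3I(s)->hs.our_max_tls_version) {
 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
 ssl3_send_alert(s, SSL3_AL_FATAL,
 SSL_AD_INAPPROPRIATE_FALLBACK);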
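Review bot: The fallback check at new lines 137-138 depends on `hs.negotiated_tls_version` and `hs.our_max_tls_version` already being populated when the fallback signal is parsed, and nothing in this hunk shows that they are. If `our_max_tls_version` were still zero, the `<` comparison would be false and the inappropriate-fallback alert would be silently skipped, whereas the removed `ssl_downgrade_max_version()` call failed closed through `goto err`. Assuming the handshake code always sets both fields before calling ssl_bytes_to_cipher_list(), I would record that precondition in the comment above the check, e.g. `* Both versions are set during version negotiation, before the cipher list is parsed.`, or add a guard such as `if (S3I(s)->hs.our_max_tls_version == 0) goto err;`. The body of the `if` and the rest of the function lie outside the hunk, so the error path itself is not visible here.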
