diff options
Diffstat (limited to 'src/lib/libssl/ssl_clnt.c')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index 680cafa8e5..7d55c0dd52 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.79 2021/02/20 08:19:01 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.80 2021/02/20 08:22:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -817,7 +817,12 @@ ssl3_get_dtls_hello_verify(SSL *s) | |||
| 817 | if (CBS_len(&hello_verify_request) != 0) | 817 | if (CBS_len(&hello_verify_request) != 0) |
| 818 | goto truncated; | 818 | goto truncated; |
| 819 | 819 | ||
| 820 | if (ssl_version != s->version) { | 820 | /* |
| 821 | * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always | ||
| 822 | * contain DTLSv1.0 the version that is going to be negotiated. | ||
| 823 | * Tolerate DTLSv1.2 just in case. | ||
| 824 | */ | ||
| 825 | if (ssl_version != DTLS1_VERSION && ssl_version != DTLS1_2_VERSION) { | ||
| 821 | SSLerror(s, SSL_R_WRONG_SSL_VERSION); | 826 | SSLerror(s, SSL_R_WRONG_SSL_VERSION); |
| 822 | s->version = (s->version & 0xff00) | (ssl_version & 0xff); | 827 | s->version = (s->version & 0xff00) | (ssl_version & 0xff); |
| 823 | al = SSL_AD_PROTOCOL_VERSION; | 828 | al = SSL_AD_PROTOCOL_VERSION; |