[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

Matt Caswell matt at openssl.org
Mon May 25 22:12:58 UTC 2015


The branch OpenSSL_1_0_2-stable has been updated
       via  11414f17d93ec04d2d056d5f3a87e964a7412431 (commit)
      from  0a59e2dc308e6d6a7078e6b3e4e714101a2db538 (commit)


- Log -----------------------------------------------------------------
commit 11414f17d93ec04d2d056d5f3a87e964a7412431
Author: Matt Caswell <matt at openssl.org>
Date:   Sat May 23 21:51:21 2015 +0100

    Don't send an alert if we've just received one
    
    If the record received is for a version that we don't support, previously we
    were sending an alert back. However if the incoming record already looks
    like an alert then probably we shouldn't do that. So suppress an outgoing
    alert if it looks like we've got one incoming.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/s3_pkt.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 8440f1e..603c285 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -361,11 +361,22 @@ static int ssl3_get_record(SSL *s)
             if (version != s->version) {
                 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
                 if ((s->version & 0xFF00) == (version & 0xFF00)
-                    && !s->enc_write_ctx && !s->write_hash)
+                    && !s->enc_write_ctx && !s->write_hash) {
+                    if (rr->type == SSL3_RT_ALERT) {
+                        /*
+                         * The record is using an incorrect version number, but
+                         * what we've got appears to be an alert. We haven't
+                         * read the body yet to check whether its a fatal or
+                         * not - but chances are it is. We probably shouldn't
+                         * send a fatal alert back. We'll just end.
+                         */
+                         goto err;
+                    }
                     /*
                      * Send back error using their minor version number :-)
                      */
                     s->version = (unsigned short)version;
+                }
                 al = SSL_AD_PROTOCOL_VERSION;
                 goto f_err;
             }
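Review bot: the new suppression sits inside the `(s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash` branch, so an incoming record of type `SSL3_RT_ALERT` with a wrong version number that arrives once a write cipher or MAC is in place skips the `goto err` and still falls through to `al = SSL_AD_PROTOCOL_VERSION; goto f_err;`, producing exactly the alert-in-reply-to-an-alert the commit message sets out to avoid. If restricting the check to the pre-cipher case is intentional, the comment should say why; otherwise consider testing `rr->type == SSL3_RT_ALERT` before, rather than inside, the cipher-state condition. Two minor points in the same hunk: `goto err;` is indented one space deeper than the block around it, and the comment's "whether its a fatal" should read "whether it's a fatal".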