[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Tue Apr 24 09:00:26 UTC 2018 

The branch OpenSSL_1_1_0-stable has been updated
       via  ba2fd95037b9550e3efb4547034951151cc0e273 (commit)
      from  0abb903b7618ad404c83ac9b44b2c1bf162b90de (commit)


- Log -----------------------------------------------------------------
commit ba2fd95037b9550e3efb4547034951151cc0e273
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Apr 23 17:14:47 2018 +0100

    In a reneg use the same client_version we used last time
    
    In 1.0.2 and below we always send the same client_version in a reneg
    ClientHello that we sent the first time around, regardless of what
    version eventually gets negotiated. According to a comment in
    statem_clnt.c this is a workaround for some buggy servers that choked if
    we changed the version used in the RSA encrypted premaster secret.
    
    In 1.1.0+ this behaviour no longer occurs. This restores the original
    behaviour.
    
    Fixes #1651
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6060)

-----------------------------------------------------------------------

Summary of changes:
 ssl/ssl_locl.h          | 3 +++
 ssl/statem/statem_lib.c | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d86bd7e..85c7549 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -347,6 +347,9 @@
 
 /* we have used 0000003f - 26 bits left to go */
 
+# define SSL_IS_FIRST_HANDSHAKE(S) ((s)->s3->tmp.finish_md_len == 0 \
+                                    || (s)->s3->tmp.peer_finish_md_len == 0)
+
 /* Check if an SSL structure is using DTLS */
 # define SSL_IS_DTLS(s)  (s->method->ssl3_enc->enc_flags & SSL_ENC_FLAG_DTLS)
 /* See if we need explicit IV */
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 36d410b..c4d4f26 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1073,6 +1073,13 @@ int ssl_set_client_hello_version(SSL *s)
 {
     int ver_min, ver_max, ret;
 
+    /*
+     * In a renegotiation we always send the same client_version that we sent
+     * last time, regardless of which version we eventually negotiated.
+     */
+    if (!SSL_IS_FIRST_HANDSHAKE(s))
+        return 0;
+
     ret = ssl_get_client_min_max_version(s, &ver_min, &ver_max);
 
     if (ret != 0)

More information about the openssl-commits mailing list