diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2021-02-20 08:22:56 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2021-02-20 08:22:56 +0000 |
| commit | 577d4eb7a86f8f20a998734332f2ba37a459d752 (patch) | |
| tree | 2b7318ed1cd5afb88ac1fb6bb839094512972018 /lib/libssl/ssl_srvr.c | |
| parent | b3c8bc8cd9dea4bc771ea08e37737072e6e3cc60 (diff) | |
Revise HelloVerifyRequest handling for DTLSv1.2.
Per RFC 6347 section 4.2.1, the HelloVerifyRequest should always contain
DTLSv1.0 - ensure this is the case on the server side, allow both DTLSv1.0
and DTLSv1.2 on the client.
ok tb@
Diffstat (limited to 'lib/libssl/ssl_srvr.c')
| -rw-r--r-- | lib/libssl/ssl_srvr.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 15768bb5650..06ad42c8ff1 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.91 2021/02/07 15:04:10 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.92 2021/02/20 08:22:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1171,10 +1171,15 @@ ssl3_send_dtls_hello_verify_request(SSL *s) return 0; } + /* + * Per RFC 6347 section 4.2.1, the HelloVerifyRequest should + * always contain DTLSv1.0 regardless of the version that is + * going to be negotiated. + */ if (!ssl3_handshake_msg_start(s, &cbb, &verify, DTLS1_MT_HELLO_VERIFY_REQUEST)) goto err; - if (!CBB_add_u16(&verify, s->version)) + if (!CBB_add_u16(&verify, DTLS1_VERSION)) goto err; if (!CBB_add_u8_length_prefixed(&verify, &cookie)) goto err; |