Sanity check the HRR version field

The previous commit removed version negotiation on an HRR. However we should still sanity check the contents of the version field. Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4527)

Sanity check the HRR version field
The previous commit removed version negotiation on an HRR. However we should still sanity check the contents of the version field. Reviewed-by: N Tim Hudson <tjh@openssl.org> Reviewed-by: N Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4527)
61278ff3 · Matt Caswell · a2b97bdf · 61278ff3
隐藏空白更改
内联并排

Showing with 7 addition and 0 deletion

ssl/statem/statem_clnt.c ssl/statem/statem_clnt.c +7 -0

未找到文件。
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1569,6 +1569,13 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
        goto f_err;
    }

+    /* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */
+    if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) {
+        SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_WRONG_SSL_VERSION);
+        al = SSL_AD_PROTOCOL_VERSION;
+        goto f_err;
+    }
+
    s->hello_retry_request = 1;

    /*