From abeb2a639b7030aeac08aab4fd9d6b52a3be8b04 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Fri, 16 Jun 2017 10:56:40 +0100
Subject: [PATCH] Tweak the check that a ciphersuite has not changed since the HRR
Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/3623)
---
 ssl/statem/statem_srvr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 0f55d2652d..6f57816810 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1615,8 +1615,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
 al = SSL_AD_HANDSHAKE_FAILURE;
 goto err;
 }
- if (s->hello_retry_request && s->s3->tmp.new_cipher != NULL
- && s->s3->tmp.new_cipher->id != cipher->id) {
+ if (s->hello_retry_request
+ && (s->s3->tmp.new_cipher == NULL
+ || s->s3->tmp.new_cipher->id != cipher->id)) {
 /*
 * A previous HRR picked a different ciphersuite to the one we
 * just selected. Something must have changed.
-- GitLab
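Review bot: The comment under the rewritten condition in tls_early_post_process_client_hello still describes only the mismatch case, while the new `s->s3->tmp.new_cipher == NULL` arm also rejects a post-HRR ClientHello when no ciphersuite was recorded at all. That fail-closed behaviour is the security-relevant part of the change and should be stated so a later cleanup does not turn the NULL case back into a pass, for example `/* After an HRR the ciphersuite must be recorded and must match the one just selected; a missing or different value means the ClientHello changed. */`. The body of the if, including which alert is sent, lies outside the hunk, so it is worth confirming that the alert chosen there is also the right one for the missing-cipher case, which looks more like an internal state inconsistency than a peer-supplied mismatch.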