From: Frederik Wedel-Heinen
Date: Thu, 12 Oct 2023 11:55:32 +0000 (+0200)
Subject: Don't allow renegotiation for DTLS 1.3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3165d63294945b3d8a119248e7ecb4ada4f85179;p=thirdparty%2Fopenssl.git
Don't allow renegotiation for DTLS 1.3
Reviewed-by: Matt Caswell
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/22362)
---
diff --git a/apps/include/s_apps.h b/apps/include/s_apps.h
index 33c3b6278c8..85eb6dcf364 100644
--- a/apps/include/s_apps.h
+++ b/apps/include/s_apps.h
@@ -16,7 +16,9 @@
 #define PROTOCOL "tcp"
 #define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
- (SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
+ ((SSL_is_dtls(s) && (SSL_version(s) > DTLS1_3_VERSION \
+ || SSL_version(s) == DTLS1_BAD_VER)) \
+ || (!SSL_is_dtls(s) && SSL_version(s) < TLS1_3_VERSION))
 typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
 void get_sock_info_address(int asock, char **hostname, char **service);
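Review bot: The new body of SSL_VERSION_ALLOWS_RENEGOTIATION reads as inverted unless the reader already knows that DTLS version constants decrease as the protocol gets newer (DTLS 1.2 is numerically below DTLS 1.0), so `SSL_version(s) > DTLS1_3_VERSION` selects the older DTLS versions, and DTLS1_BAD_VER, the pre-standard value, must be special-cased because it sits numerically below all of them. A short comment above the macro would spare the next maintainer that lookup and make the intent of the renegotiation gate auditable: `/* DTLS version numbers run downwards, so "> DTLS1_3_VERSION" means pre-1.3; DTLS1_BAD_VER is the out-of-sequence pre-standard value and also allows renegotiation */`. Separately, the macro now evaluates its argument up to four times (two SSL_is_dtls calls, three SSL_version calls); with a plain SSL pointer passed in this is harmless, but a `static` inline helper taking `SSL *s` would be type-checked and remove the multiple-evaluation hazard entirely.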