From: Frederik Wedel-Heinen
Date: Wed, 24 Apr 2024 10:03:32 +0000 (+0200)
Subject: Fix renegotiation check that was added in https://github.com/openssl/openssl/pull...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=86b4c0a05f14fcbfe088c873b71d647258dd6dc6;p=thirdparty%2Fopenssl.git
Fix renegotiation check that was added in https://github.com/openssl/openssl/pull/24161
Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/22275)
---
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 5b0144187d9..d07d2ee187f 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -17,16 +17,15 @@ EXT_RETURN tls_construct_ctos_renegotiate(SSL_CONNECTION *s, WPACKET *pkt,
 size_t chainidx)
 {
 if (!s->renegotiate) {
- /* If not renegotiating, send an empty RI extension to indicate support */
-
-#if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
-# error Internal DTLS version error
-#endif
+ const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION
+ : TLS1_3_VERSION;
 
- if (!SSL_CONNECTION_IS_DTLS(s)
- && (s->min_proto_version >= TLS1_3_VERSION
- || (ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
- && s->min_proto_version <= TLS1_VERSION))) {
+ /* If not renegotiating, send an empty RI extension to indicate support */
+ if ((s->min_proto_version != 0
+ && ssl_version_cmp(s, s->min_proto_version, version1_3) >= 0)
+ || (!SSL_CONNECTION_IS_DTLS(s)
+ && ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL)
+ && s->min_proto_version <= TLS1_VERSION)) {
 /*
 * For TLS <= 1.0 SCSV is used instead, and for TLS 1.3 this
 * extension isn't used at all.
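Review bot: The comment `/* If not renegotiating, send an empty RI extension to indicate support */` now sits directly above the `if` whose body is the case in which the extension is not sent (the inner comment says SCSV covers TLS <= 1.0 and TLS 1.3 does not use it), so a reader takes it as describing that condition rather than the path after it. Before the change it headed the whole `if (!s->renegotiate)` block; either move it back to the line before `const int version1_3`, or reword it to introduce the exception, e.g. `/* Not renegotiating: send an empty RI extension to indicate support, unless the configured version range makes it redundant */`. A why-comment on the first operand would also help, since the DTLS case now depends on the comparison helper rather than on raw version numbers and on the `!= 0` guard meaning no minimum is configured: `/* 0 = no minimum set; ssl_version_cmp() orders (D)TLS versions for us */` — worth confirming that is what the helper guarantees for DTLS. The enclosing function continues beyond the hunk.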