From f4ad7c2f73c6a1b0d4f28caced249fc88a938c5e Mon Sep 17 00:00:00 2001
From: Frederik Wedel-Heinen
Date: Fri, 8 Dec 2023 21:00:43 +0100
Subject: [PATCH] Handle tls and dtls server version selection similarly

Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
(Merged from https://github.com/openssl/openssl/pull/22989)
---
 ssl/statem/statem_srvr.c | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 853af8c0aa9..b0f700dda40 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1735,16 +1735,14 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
 s->client_version = clienthello->legacy_version;
 }
 /*
- * Do SSL/TLS version negotiation if applicable. For DTLS we just check
- * versions are potentially compatible. Version negotiation comes later.
+ * Do SSL/TLS version negotiation if applicable.
 */
- if (!SSL_CONNECTION_IS_DTLS(s)) {
- protverr = ssl_choose_server_version(s, clienthello, &dgrd);
- } else if (ssl->method->version != DTLS_ANY_VERSION &&
- DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
+ if (SSL_CONNECTION_IS_DTLS(s)
+ && ssl->method->version != DTLS_ANY_VERSION
+ && DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
 protverr = SSL_R_VERSION_TOO_LOW;
 } else {
- protverr = 0;
+ protverr = ssl_choose_server_version(s, clienthello, &dgrd);
 }

 if (protverr) {
@@ -1783,14 +1781,6 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s)
 }
 s->d1->cookie_verified = 1;
 }
- if (ssl->method->version == DTLS_ANY_VERSION) {
- protverr = ssl_choose_server_version(s, clienthello, &dgrd);
- if (protverr != 0) {
- s->version = s->client_version;
- SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr);
- goto err;
- }
- }
 }

 s->hit = 0;
-- 
2.47.2
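Review bot: For a DTLS_ANY_VERSION method, `ssl_choose_server_version()` is now called in the first hunk's `else` branch, ahead of the cookie check whose tail (`s->d1->cookie_verified = 1;`) is visible as context in the second hunk, whereas the removed block ran only after that check. The shortened comment no longer mentions DTLS at all, so the new ordering reads as accidental; I would extend it to something like `Do SSL/TLS/DTLS version negotiation if applicable. For DTLS this runs before the cookie is verified.` The removed block also set `s->version = s->client_version` before `SSLfatal()`; the body of the shared `if (protverr)` path lies outside the hunk, so it is worth confirming it does the equivalent for DTLS. A test with a DTLS ClientHello carrying an unsupported version and an invalid cookie would pin which failure is reported.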