From: Nikos Mavrogiannopoulos
Date: Sat, 1 Aug 2015 15:02:00 +0000 (+0200)
Subject: handshake: check inappropriate fallback against the configured max version
X-Git-Tag: gnutls_3_5_0~763
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e016123405c76cd4a200834079e2dba1ddf0b6bb;p=thirdparty%2Fgnutls.git
handshake: check inappropriate fallback against the configured max version
That allows to operate on a server which is explicitly configured to utilize earlier than TLS 1.2 versions.
---
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 5c2c64ba24..3a2631f921 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -927,13 +927,13 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
 /* TLS_FALLBACK_SCSV */ if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR && data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
+ unsigned max = _gnutls_version_max(session);
 _gnutls_handshake_log ("HSK[%p]: Received fallback CS\n", session);
- if (gnutls_protocol_get_version(session) !=
- GNUTLS_TLS_VERSION_MAX)
- return GNUTLS_E_INAPPROPRIATE_FALLBACK;
+ if (gnutls_protocol_get_version(session) != max)
+ return gnutls_assert_val(GNUTLS_E_INAPPROPRIATE_FALLBACK);
 } }
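Review bot: The added `unsigned max = _gnutls_version_max(session);` is used in the `!=` test without any handling of a failure or "no version enabled" result from the helper, whose definition is not in this hunk. If it can return such a sentinel, every ClientHello carrying the SCSV would be rejected; that fails closed, but it should be stated rather than left implicit. Declaring `max` with the helper's own return type (presumably `gnutls_protocol_t`) instead of `unsigned` would also keep the comparison typed. Since the downgrade check now depends on the session's priority configuration rather than the library-wide maximum, a comment above the test would help, for example `/* RFC 7507: fallback is inappropriate only if this session is configured to support a higher version than the one negotiated */`. The enclosing loop and function start and end outside the hunk.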