Tweak the check that a ciphersuite has not changed since the HRR

author Matt Caswell <matt@openssl.org>

Fri, 16 Jun 2017 09:56:40 +0000 (10:56 +0100)

committer Matt Caswell <matt@openssl.org>

Fri, 16 Jun 2017 09:57:59 +0000 (10:57 +0100)
author Matt Caswell <matt@openssl.org>
Fri, 16 Jun 2017 09:56:40 +0000 (10:56 +0100)
committer Matt Caswell <matt@openssl.org>
Fri, 16 Jun 2017 09:57:59 +0000 (10:57 +0100)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index 0f55d2652d3e21925001419cbfe69128d39adff8..6f578168101e3d98f486fbe44daa10cad577b412 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1615,8 +1615,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
              al = SSL_AD_HANDSHAKE_FAILURE;
              goto err;
          }
-        if (s->hello_retry_request && s->s3->tmp.new_cipher != NULL
-                && s->s3->tmp.new_cipher->id != cipher->id) {
+        if (s->hello_retry_request
+                && (s->s3->tmp.new_cipher == NULL
+                    || s->s3->tmp.new_cipher->id != cipher->id)) {
              /*
               * A previous HRR picked a different ciphersuite to the one we
               * just selected. Something must have changed.
author	Matt Caswell <matt@openssl.org>
	Fri, 16 Jun 2017 09:56:40 +0000 (10:56 +0100)
committer	Matt Caswell <matt@openssl.org>
	Fri, 16 Jun 2017 09:57:59 +0000 (10:57 +0100)