Support TLS_FALLBACK_SCSV. Reviewed-by: Stephen Henson <steve@openssl.org>
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 6405111..5f7a358 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c
@@ -294,6 +294,25 @@ case DTLS_CTRL_LISTEN: ret = dtls1_listen(s, parg); break; + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ + if (s->version == s->ctx->method->version) + return 1; + /* Apparently we're using a version-flexible SSL_METHOD + * (not at its highest protocol version). */ + if (s->ctx->method->version == DTLS_method()->version) + { +#if DTLS_MAX_VERSION != DTLS1_2_VERSION +# error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION. +#endif + if (!(s->options & SSL_OP_NO_DTLSv1_2)) + return s->version == DTLS1_2_VERSION; + if (!(s->options & SSL_OP_NO_DTLSv1)) + return s->version == DTLS1_VERSION; + } + return 0; /* Unexpected state; fail closed. */ default: ret = ssl3_ctrl(s, cmd, larg, parg);