authorNikos Mavrogiannopoulos <nmav@gnutls.org>2015-08-01 17:02:00 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2015-08-01 17:03:55 +0200
commit20a98e817713764b9df5306286091df1b61190d9 (patch)
tree79b918623b0be1550bfa5a4f1f471fa421286b12
parent7c5f1955a73778c067786a88a419f337d5d9e5c0 (diff)
handshake: check inappropriate fallback against the configured max version
This allows operation on a server that is explicitly configured to use versions earlier than TLS 1.2.
-rw-r--r--lib/gnutls_handshake.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 5c2c64ba24..3a2631f921 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -927,13 +927,13 @@ _gnutls_server_select_suite(gnutls_session_t session, uint8_t * data,
/* TLS_FALLBACK_SCSV */
if (data[i] == GNUTLS_FALLBACK_SCSV_MAJOR &&
data[i + 1] == GNUTLS_FALLBACK_SCSV_MINOR) {
+ unsigned max = _gnutls_version_max(session);
_gnutls_handshake_log
("HSK[%p]: Received fallback CS\n",
session);
- if (gnutls_protocol_get_version(session) !=
- GNUTLS_TLS_VERSION_MAX)
- return GNUTLS_E_INAPPROPRIATE_FALLBACK;
+ if (gnutls_protocol_get_version(session) != max)
+ return gnutls_assert_val(GNUTLS_E_INAPPROPRIATE_FALLBACK);
}
}
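Review bot: The rewritten test `if (gnutls_protocol_get_version(session) != max)` has no comment saying why the session's configured maximum, rather than the library's compile-time maximum, is the right reference, and that is the security-relevant part of this change. I would add above the declaration of `max`: `/* RFC 7507: a fallback is inappropriate only when this server could have negotiated a higher version; compare against the highest version enabled in the session priorities */`. I would also declare it as `gnutls_protocol_t max = _gnutls_version_max(session);` instead of `unsigned`, assuming that is the helper's return type (its prototype is not visible here), so the `!=` compares like with like. `_gnutls_server_select_suite` starts and ends outside the hunk, so these lines do not show whether the negotiated version is already final when this check runs.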