Move logic for figuring out the record version out of record layer

This calculation is based on lots of information from state machine and elsewhere that the record layer cannot access. In reality it is sufficient to simply tell the record layer what version to use. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19198)
author: Matt Caswell <matt@openssl.org> 2022-08-26 17:34:40 +0100
committer: Matt Caswell <matt@openssl.org> 2022-09-23 14:54:49 +0100
commit: 1d3676778c280ef05044c4c9e696a4f8096530ea (patch)
tree: be15477e46c3378a2c6b2c40db13f457e4af7d59 /ssl/s3_msg.c
parent: e7694c69b5fed37f5cdf72b70f507c7188db7e3d (diff)
download: openssl-new-1d3676778c280ef05044c4c9e696a4f8096530ea.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c
index 01ff53bec0..64e23f3a9b 100644
--- a/ssl/s3_msg.c
+++ b/ssl/s3_msg.c
@@ -93,6 +93,14 @@ int ssl3_dispatch_alert(SSL *s)
     }
 
     templ.type = SSL3_RT_ALERT;
+    templ.version = (sc->version == TLS1_3_VERSION) ? TLS1_2_VERSION
+                                                    : sc->version;
+    if (SSL_get_state(s) == TLS_ST_CW_CLNT_HELLO
+            && !sc->renegotiate
+            && TLS1_get_version(s) > TLS1_VERSION
+            && sc->hello_retry_request == SSL_HRR_NONE) {
+        templ.version = TLS1_VERSION;
+    }
     templ.buf = &sc->s3.send_alert[0];
     templ.buflen = 2;
author	Matt Caswell <matt@openssl.org>	2022-08-26 17:34:40 +0100
committer	Matt Caswell <matt@openssl.org>	2022-09-23 14:54:49 +0100
commit	1d3676778c280ef05044c4c9e696a4f8096530ea (patch)
tree	be15477e46c3378a2c6b2c40db13f457e4af7d59 /ssl/s3_msg.c
parent	e7694c69b5fed37f5cdf72b70f507c7188db7e3d (diff)
download	openssl-new-1d3676778c280ef05044c4c9e696a4f8096530ea.tar.gz