Tweak the check that a ciphersuite has not changed since the HRR

Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/3623)
author: Matt Caswell <matt@openssl.org> 2017-06-16 10:56:40 +0100
committer: Matt Caswell <matt@openssl.org> 2017-06-16 10:57:59 +0100
commit: abeb2a639b7030aeac08aab4fd9d6b52a3be8b04 (patch)
tree: e023deea5b500b852773a68ccf440052da6ea087 /ssl/statem/statem_srvr.c
parent: 3b0e88d3bd79d01c2da519e405849b78646aab8f (diff)
download: openssl-abeb2a639b7030aeac08aab4fd9d6b52a3be8b04.zip
openssl-abeb2a639b7030aeac08aab4fd9d6b52a3be8b04.tar.gz
openssl-abeb2a639b7030aeac08aab4fd9d6b52a3be8b04.tar.bz2
1 files changed, 3 insertions, 2 deletions
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 0f55d26..6f57816 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1615,8 +1615,9 @@ static int tls_early_post_process_client_hello(SSL *s, int *pal)
             al = SSL_AD_HANDSHAKE_FAILURE;
             goto err;
         }
-        if (s->hello_retry_request && s->s3->tmp.new_cipher != NULL
-                && s->s3->tmp.new_cipher->id != cipher->id) {
+        if (s->hello_retry_request
+                && (s->s3->tmp.new_cipher == NULL
+                    || s->s3->tmp.new_cipher->id != cipher->id)) {
             /*
              * A previous HRR picked a different ciphersuite to the one we
              * just selected. Something must have changed.
author	Matt Caswell <matt@openssl.org>	2017-06-16 10:56:40 +0100
committer	Matt Caswell <matt@openssl.org>	2017-06-16 10:57:59 +0100
commit	abeb2a639b7030aeac08aab4fd9d6b52a3be8b04 (patch)
tree	e023deea5b500b852773a68ccf440052da6ea087 /ssl/statem/statem_srvr.c
parent	3b0e88d3bd79d01c2da519e405849b78646aab8f (diff)
download	openssl-abeb2a639b7030aeac08aab4fd9d6b52a3be8b04.zip openssl-abeb2a639b7030aeac08aab4fd9d6b52a3be8b04.tar.gz openssl-abeb2a639b7030aeac08aab4fd9d6b52a3be8b04.tar.bz2