Report TLS 1.3 as supporting secure renegotiation.
TLS 1.3 doesn't support renegotiation in the first place, but so callers
don't report TLS 1.3 servers as missing it, always report it as
(vacuously) protected against this bug.
BUG=chromium:680281
Change-Id: Ibfec03102b2aec7eaa773c331d6844292e7bb685
Reviewed-on: https://boringssl-review.googlesource.com/13046
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a60bf81..e0ab803 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1506,7 +1506,11 @@
}
int SSL_get_secure_renegotiation_support(const SSL *ssl) {
- return ssl->s3->send_connection_binding;
+ if (!ssl->s3->have_version) {
+ return 0;
+ }
+ return ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
+ ssl->s3->send_connection_binding;
}
LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx) { return ctx->sessions; }
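Review bot: the new TLS 1.3 short-circuit changes what a return value of 1 means, but this change only touches ssl_lib.c; the public doc comment for SSL_get_secure_renegotiation_support (in the header that declares it) should be updated in the same change to say that a TLS 1.3 connection always reports 1 because renegotiation does not exist there, not because the RFC 5746 renegotiation_info extension was negotiated. Otherwise a caller that uses this function to decide whether the peer actually advertised renegotiation_info (for example a scanner or a diagnostics page) will read a 1 on TLS 1.3 as a positive extension result. The `!ssl->s3->have_version` guard in front of `ssl3_protocol_version(ssl)` also means the function now returns 0 before the version is negotiated rather than echoing `send_connection_binding`; worth a one-line comment above the guard so a future reader does not fold the two conditions back into a single expression and call `ssl3_protocol_version` on a handshake that has not yet picked a version.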