summaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2018-07-04 16:02:20 +0100
committerMatt Caswell <matt@openssl.org>2018-07-13 18:14:29 +0100
commit4fd12788ebd352308e3f3c5f0f9bc607ababc867 (patch)
tree43f2355fe44977b5bf68597885e0e9ebac919e83 /ssl
parent871980a9ada476fa54cec2e5174aa916d09efd11 (diff)
Use ssl_version_supported() when choosing server version
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6650)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/ssl_locl.h3
-rw-r--r--ssl/statem/statem_clnt.c2
-rw-r--r--ssl/statem/statem_lib.c25
3 files changed, 11 insertions, 19 deletions
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 0bf3f16f35..b38052f614 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2368,7 +2368,8 @@ __owur int ssl3_handshake_write(SSL *s);
__owur int ssl_allow_compression(SSL *s);
-__owur int ssl_version_supported(const SSL *s, int version);
+__owur int ssl_version_supported(const SSL *s, int version,
+ const SSL_METHOD **meth);
__owur int ssl_set_client_hello_version(SSL *s);
__owur int ssl_check_version_downgrade(SSL *s);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 88c343761f..ad79fef83c 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1119,7 +1119,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
}
if (sess == NULL
- || !ssl_version_supported(s, sess->ssl_version)
+ || !ssl_version_supported(s, sess->ssl_version, NULL)
|| !SSL_SESSION_is_resumable(sess)) {
if (s->hello_retry_request == SSL_HRR_NONE
&& !ssl_get_new_session(s, 0)) {
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 61fc3caa1c..cf7c28a46b 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1494,7 +1494,7 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
*
* Returns 1 when supported, otherwise 0
*/
-int ssl_version_supported(const SSL *s, int version)
+int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
{
const version_info *vent;
const version_info *table;
@@ -1517,6 +1517,8 @@ int ssl_version_supported(const SSL *s, int version)
if (vent->cmeth != NULL &&
version_cmp(s, version, vent->version) == 0 &&
ssl_method_error(s, vent->cmeth()) == 0) {
+ if (meth != NULL)
+ *meth = vent->cmeth();
return 1;
}
}
@@ -1625,11 +1627,11 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
{
if (vers == TLS1_2_VERSION
- && ssl_version_supported(s, TLS1_3_VERSION)) {
+ && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
*dgrd = DOWNGRADE_TO_1_2;
} else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION
- && (ssl_version_supported(s, TLS1_2_VERSION)
- || ssl_version_supported(s, TLS1_3_VERSION))) {
+ && (ssl_version_supported(s, TLS1_2_VERSION, NULL)
+ || ssl_version_supported(s, TLS1_3_VERSION, NULL))) {
*dgrd = DOWNGRADE_TO_1_1;
} else {
*dgrd = DOWNGRADE_NONE;
@@ -1735,19 +1737,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
*/
if (version_cmp(s, candidate_vers, best_vers) <= 0)
continue;
- for (vent = table;
- vent->version != 0 && vent->version != (int)candidate_vers;
- ++vent)
- continue;
- if (vent->version != 0 && vent->smeth != NULL) {
- const SSL_METHOD *method;
-
- method = vent->smeth();
- if (ssl_method_error(s, method) == 0) {
- best_vers = candidate_vers;
- best_method = method;
- }
- }
+ if (ssl_version_supported(s, candidate_vers, &best_method))
+ best_vers = candidate_vers;
}
if (PACKET_remaining(&versionslist) != 0) {
/* Trailing data? */
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-05 10:22:06 +0000