Commit 4fd12788 authored by Matt Caswell

Use ssl_version_supported() when choosing server version

parent 871980a9
+2 −1
@@ -2368,7 +2368,8 @@ __owur int ssl3_handshake_write(SSL *s);

__owur int ssl_allow_compression(SSL *s);

__owur int ssl_version_supported(const SSL *s, int version);
__owur int ssl_version_supported(const SSL *s, int version,
                                 const SSL_METHOD **meth);

__owur int ssl_set_client_hello_version(SSL *s);
__owur int ssl_check_version_downgrade(SSL *s);
+1 −1
@@ -1119,7 +1119,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
    }

    if (sess == NULL
            || !ssl_version_supported(s, sess->ssl_version)
            || !ssl_version_supported(s, sess->ssl_version, NULL)
            || !SSL_SESSION_is_resumable(sess)) {
        if (s->hello_retry_request == SSL_HRR_NONE
                && !ssl_get_new_session(s, 0)) {
+8 −17
@@ -1494,7 +1494,7 @@ static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
 *
 * Returns 1 when supported, otherwise 0
 */
int ssl_version_supported(const SSL *s, int version)
int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
{
    const version_info *vent;
    const version_info *table;
@@ -1517,6 +1517,8 @@ int ssl_version_supported(const SSL *s, int version)
        if (vent->cmeth != NULL &&
            version_cmp(s, version, vent->version) == 0 &&
            ssl_method_error(s, vent->cmeth()) == 0) {
            if (meth != NULL)
                *meth = vent->cmeth();
            return 1;
        }
    }
@@ -1625,11 +1627,11 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
{
    if (vers == TLS1_2_VERSION
            && ssl_version_supported(s, TLS1_3_VERSION)) {
            && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
        *dgrd = DOWNGRADE_TO_1_2;
    } else if (!SSL_IS_DTLS(s) && vers < TLS1_2_VERSION
            && (ssl_version_supported(s, TLS1_2_VERSION)
                || ssl_version_supported(s, TLS1_3_VERSION))) {
            && (ssl_version_supported(s, TLS1_2_VERSION, NULL)
                || ssl_version_supported(s, TLS1_3_VERSION, NULL))) {
        *dgrd = DOWNGRADE_TO_1_1;
    } else {
        *dgrd = DOWNGRADE_NONE;
@@ -1735,19 +1737,8 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
             */
            if (version_cmp(s, candidate_vers, best_vers) <= 0)
                continue;
            for (vent = table;
                 vent->version != 0 && vent->version != (int)candidate_vers;
                 ++vent)
                continue;
            if (vent->version != 0 && vent->smeth != NULL) {
                const SSL_METHOD *method;

                method = vent->smeth();
                if (ssl_method_error(s, method) == 0) {
            if (ssl_version_supported(s, candidate_vers, &best_method))
                best_vers = candidate_vers;
                    best_method = method;
                }
            }
        }
        if (PACKET_remaining(&versionslist) != 0) {
            /* Trailing data? */
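Review bot: The comment block above ssl_version_supported (only its tail is visible at the top of the first hunk, ending with `Returns 1 when supported, otherwise 0`) is not updated for the new `meth` output parameter, and the contract the new caller in ssl_choose_server_version depends on — `*meth` is written only on the path that returns 1, so a failed lookup leaves the caller's `best_method` untouched — is stated nowhere. I would extend that comment with ` * If |meth| is not NULL, *meth is set to the matching SSL_METHOD on success and left unchanged when 0 is returned.` Minor style point in the second hunk: `vent->cmeth()` is now called twice on the success path (once for ssl_method_error and once for the assignment); a local `const SSL_METHOD *m = vent->cmeth();` used in both places would make it obvious the same object is checked and returned. The start of that comment block, the remainder of ssl_version_supported's body, and the declaration of `best_method` in ssl_choose_server_version all lie outside these hunks.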