diff options
author | Daiki Ueno <ueno@gnu.org> | 2020-08-16 11:43:35 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-08-17 07:52:48 +0200 |
commit | 926e05eba90173afca886e7238da0054507d18ed (patch) | |
tree | b814b8c7715a4c0c304ee777433ac00df45282e3 /lib/handshake.c | |
parent | 606b77a2422c7e4124d80904bd191184323205fc (diff) | |
download | gnutls-tmp-tls12-version-checks.tar.gz |
handshake: check TLS version against modified server prioritiestmp-tls12-version-checks
The server needs to take into account of multiple factors when
determining the TLS protocol version actually being used:
- the legacy version
- "supported_versions" extension
- user_hello_func that may modify the server's priorities
Only after that it can check whether the TLS version is enabled in the
server's priorities.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib/handshake.c')
-rw-r--r-- | lib/handshake.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/handshake.c b/lib/handshake.c index 8d58fa48e7..4ee814ee38 100644 --- a/lib/handshake.c +++ b/lib/handshake.c @@ -823,7 +823,17 @@ read_client_hello(gnutls_session_t session, uint8_t * data, return ret; } - _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, session->security_parameters.pversion->name); + /* Only at this point we know the version we are actually going to use + * ("supported_versions" extension is parsed, user_hello_func is called, + * legacy version negotiation is done). */ + vers = get_version(session); + if (unlikely(vers == NULL)) + return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); + + if (_gnutls_version_priority(session, vers->id) < 0) + return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET); + + _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, vers->name); /* select appropriate compression method */ ret = |