use TLS1_get_version macro to check version so TLS v1.2 changes don't interfere with...

author Dr. Stephen Henson <steve@openssl.org>

Wed, 25 May 2011 11:43:07 +0000 (11:43 +0000)

committer Dr. Stephen Henson <steve@openssl.org>

Wed, 25 May 2011 11:43:07 +0000 (11:43 +0000)
author Dr. Stephen Henson <steve@openssl.org>
Wed, 25 May 2011 11:43:07 +0000 (11:43 +0000)
committer Dr. Stephen Henson <steve@openssl.org>
Wed, 25 May 2011 11:43:07 +0000 (11:43 +0000)
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c

index 0633c099c62a6a98fced8fb59ba7c0d9c148d54b..9e52ed4f01668685443df4b372490763c0994e4c 100644 (file)
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -928,7 +928,7 @@ int ssl3_get_server_hello(SSL *s)
         /* Don't digest cached records if TLS v1.2: we may need them for
          * client authentication.
          */
-       if (s->version < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
+       if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
                 goto f_err;
         /* lets get the compression algorithm */
         /* COMPRESSION */
@@ -1659,7 +1659,7 @@ int ssl3_get_key_exchange(SSL *s)
         /* if it was signed, check the signature */
         if (pkey != NULL)
                 {
-               if (s->version >= TLS1_2_VERSION)
+               if (TLS1_get_version(s) >= TLS1_2_VERSION)
                         {
                         int sigalg = tls12_get_sigid(pkey);
                         /* Should never happen */
@@ -1704,7 +1704,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                         }
  
  #ifndef OPENSSL_NO_RSA
-               if (pkey->type == EVP_PKEY_RSA && s->version < TLS1_2_VERSION)
+               if (pkey->type == EVP_PKEY_RSA && TLS1_get_version(s) < TLS1_2_VERSION)
                         {
                         int num;
  
@@ -1864,8 +1864,7 @@ int ssl3_get_certificate_request(SSL *s)
         for (i=0; i<ctype_num; i++)
                 s->s3->tmp.ctype[i]= p[i];
         p+=ctype_num;
-       /* HACK! For now just skip over signatature algorithms */
-       if (s->version >= TLS1_2_VERSION)
+       if (TLS1_get_version(s) >= TLS1_2_VERSION)
                 {
                 n2s(p, llen);
                 /* Check we have enough room for signature algorithms and
@@ -2886,7 +2885,7 @@ int ssl3_send_client_verify(SSL *s)
                 EVP_PKEY_sign_init(pctx);
                 if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1())>0)
                         {
-                       if (s->version < TLS1_2_VERSION)
+                       if (TLS1_get_version(s) < TLS1_2_VERSION)
                                 s->method->ssl3_enc->cert_verify_mac(s,
                                                 NID_sha1,
                                                 &(data[MD5_DIGEST_LENGTH]));
@@ -2898,7 +2897,7 @@ int ssl3_send_client_verify(SSL *s)
                 /* For TLS v1.2 send signature algorithm and signature
                  * using agreed digest and cached handshake records.
                  */
-               if (s->version >= TLS1_2_VERSION)
+               if (TLS1_get_version(s) >= TLS1_2_VERSION)
                         {
                         long hdatalen = 0;
                         void *hdata;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c

index b147935dc980c0caf505174fbccc7fd26af9fc1c..028e996f5aa4c431d2fe396518ad8f8dd48273a2 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3780,7 +3780,7 @@ need to go to SSL_ST_ACCEPT.
  long ssl_get_algorithm2(SSL *s)
         {
         long alg2 = s->s3->tmp.new_cipher->algorithm2;
-       if (s->version >= TLS1_2_VERSION &&
+       if (TLS1_get_version(s) >= TLS1_2_VERSION &&
             alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
                 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
         return alg2;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c

index 9a2be883929b793f59f0cca4e6626f813e8b4409..74af5dcf14291553e0c119586be2643b3dde7859 100644 (file)
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -611,7 +611,7 @@ int ssl3_accept(SSL *s)
  #endif
                                 s->init_num = 0;
                                 }
-                       else if (s->version >= TLS1_2_VERSION)
+                       else if (TLS1_get_version(s) >= TLS1_2_VERSION)
                                 {
                                 s->state=SSL3_ST_SR_CERT_VRFY_A;
                                 s->init_num=0;
@@ -1380,7 +1380,7 @@ int ssl3_get_client_hello(SSL *s)
                 s->s3->tmp.new_cipher=s->session->cipher;
                 }
  
-       if (s->version < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
+       if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
                 {
                 if (!ssl3_digest_cached_records(s))
                         goto f_err;
@@ -1915,7 +1915,7 @@ int ssl3_send_server_key_exchange(SSL *s)
                          * and p points to the space at the end. */
  #ifndef OPENSSL_NO_RSA
                         if (pkey->type == EVP_PKEY_RSA
-                                       && s->version < TLS1_2_VERSION)
+                                       && TLS1_get_version(s) < TLS1_2_VERSION)
                                 {
                                 q=md_buf;
                                 j=0;
@@ -1948,7 +1948,7 @@ int ssl3_send_server_key_exchange(SSL *s)
                                 {
                                 /* For TLS1.2 and later send signature
                                  * algorithm */
-                               if (s->version >= TLS1_2_VERSION)
+                               if (TLS1_get_version(s) >= TLS1_2_VERSION)
                                         {
                                         if (!tls12_get_sigandhash(p, pkey, md))
                                                 {
@@ -1975,7 +1975,7 @@ int ssl3_send_server_key_exchange(SSL *s)
                                         }
                                 s2n(i,p);
                                 n+=i+2;
-                               if (s->version >= TLS1_2_VERSION)
+                               if (TLS1_get_version(s) >= TLS1_2_VERSION)
                                         n+= 2;
                                 }
                         else
@@ -2031,7 +2031,7 @@ int ssl3_send_certificate_request(SSL *s)
                 p+=n;
                 n++;
  
-               if (s->version >= TLS1_2_VERSION)
+               if (TLS1_get_version(s) >= TLS1_2_VERSION)
                         {
                         nl = tls12_get_req_sig_algs(s, p + 2);
                         s2n(nl, p);
@@ -2964,7 +2964,7 @@ int ssl3_get_cert_verify(SSL *s)
                 } 
         else 
                 {       
-               if (s->version >= TLS1_2_VERSION)
+               if (TLS1_get_version(s) >= TLS1_2_VERSION)
                         {
                         int sigalg = tls12_get_sigid(pkey);
                         /* Should never happen */
@@ -3011,7 +3011,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
                 goto f_err;
                 }
  
-       if (s->version >= TLS1_2_VERSION)
+       if (TLS1_get_version(s) >= TLS1_2_VERSION)
                 {
                 long hdatalen = 0;
                 void *hdata;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c

index 77b5b5e41bef1fdde253e28e9c303cbd728724b8..9f25c6cc70cc2f86c98232075accd5998dbab7f6 100644 (file)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2226,7 +2226,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
                         SSLerr(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG, SSL_R_ECC_CERT_NOT_FOR_KEY_AGREEMENT);
                         return 0;
                         }
-               if ((alg_k & SSL_kECDHe) && s->version < TLS1_2_VERSION)
+               if ((alg_k & SSL_kECDHe) && TLS1_get_version(s) < TLS1_2_VERSION)
                         {
                         /* signature alg must be ECDSA */
                         if (signature_nid != NID_ecdsa_with_SHA1)
@@ -2235,7 +2235,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
                                 return 0;
                                 }
                         }
-               if ((alg_k & SSL_kECDHr) && s->version < TLS1_2_VERSION)
+               if ((alg_k & SSL_kECDHr) && TLS1_get_version(s) < TLS1_2_VERSION)
                         {
                         /* signature alg must be RSA */
  
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c

index 414e4c2c71b013929c04462ab15f116dc2a707cf..e673ec007c6551d2c77fadc0cf6bd0986ba00df4 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -502,7 +502,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                 }
                 skip_ext:
  
-       if (s->version >= TLS1_2_VERSION)
+       if (TLS1_get_version(s) >= TLS1_2_VERSION)
                 {
                 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
                         return NULL; 
@@ -2100,7 +2100,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
         const EVP_MD *md;
         CERT *c = s->cert;
         /* Extension ignored for TLS versions below 1.2 */
-       if (s->version < TLS1_2_VERSION)
+       if (TLS1_get_version(s) < TLS1_2_VERSION)
                 return 1;
         /* Should never happen */
         if (!c)
diff --git a/ssl/tls1.h b/ssl/tls1.h

index 35efebee5954c57296f6a206e0764323d941d82f..f8d2fdaff6383c2b5d2061bc50759b569de1cda6 100644 (file)
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -171,6 +171,9 @@ extern "C" {
  #define TLS1_VERSION_MAJOR             0x03
  #define TLS1_VERSION_MINOR             0x01
  
+#define TLS1_get_version(s) \
+               ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
+
  #define TLS1_AD_DECRYPTION_FAILED      21
  #define TLS1_AD_RECORD_OVERFLOW                22
  #define TLS1_AD_UNKNOWN_CA             48      /* fatal */
author	Dr. Stephen Henson <steve@openssl.org>
	Wed, 25 May 2011 11:43:07 +0000 (11:43 +0000)
committer	Dr. Stephen Henson <steve@openssl.org>
	Wed, 25 May 2011 11:43:07 +0000 (11:43 +0000)
ssl/s3_clnt.c		patch \| blob \| history
ssl/s3_lib.c		patch \| blob \| history
ssl/s3_srvr.c		patch \| blob \| history
ssl/ssl_lib.c		patch \| blob \| history
ssl/t1_lib.c		patch \| blob \| history
ssl/tls1.h		patch \| blob \| history