From 7acb8b64c32617788959aee2733ac14fd7b97e5f Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Wed, 23 Nov 2016 13:56:15 +0000 Subject: [PATCH] Use ClientHello.legacy_version for the RSA pre-master no matter what MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Don't use what is in supported_versions for the RSA pre-master Reviewed-by: Emilia Käsper --- ssl/ssl_locl.h | 5 ++++- ssl/statem/statem_clnt.c | 4 +--- ssl/statem/statem_lib.c | 12 ++++++++---- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index d269595f6a..e909cadf5a 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1020,7 +1020,10 @@ struct ssl_st { int max_proto_version; size_t max_cert_list; int first_packet; - /* what was passed, used for SSLv3/TLS rollback check */ + /* + * What was passed in ClientHello.legacy_version. Used for RSA pre-master + * secret and SSLv3/TLS (<=1.2) rollback check + */ int client_version; /* * If we're using more than one pipeline how should we divide the data diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 1f4e630c29..ba873ee0a6 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -849,7 +849,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) SSL_COMP *comp; #endif SSL_SESSION *sess = s->session; - int client_version; if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) { /* Should not happen */ @@ -930,8 +929,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt) * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the * supported_versions extension for the real supported versions. */ - client_version = SSL_IS_TLS13(s) ? TLS1_2_VERSION : s->client_version; - if (!WPACKET_put_bytes_u16(pkt, client_version) + if (!WPACKET_put_bytes_u16(pkt, s->client_version) || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) { SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); return 0; diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index a971c51631..a736a09e0a 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -1077,8 +1077,6 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello) * wheter to ignore versions s->client_version) - s->client_version = candidate_vers; if (version_cmp(s, candidate_vers, best_vers) <= 0) continue; for (vent = table; @@ -1299,7 +1297,7 @@ int ssl_get_client_min_max_version(const SSL *s, int *min_version, /* * ssl_set_client_hello_version - Work out what version we should be using for - * the initial ClientHello. + * the initial ClientHello.legacy_version field. * * @s: client SSL handle. * @@ -1314,6 +1312,12 @@ int ssl_set_client_hello_version(SSL *s) if (ret != 0) return ret; - s->client_version = s->version = ver_max; + s->version = ver_max; + + /* TLS1.3 always uses TLS1.2 in the legacy_version field */ + if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION) + ver_max = TLS1_2_VERSION; + + s->client_version = ver_max; return 0; } -- 2.40.0