Skip to content

Commit

Permalink
Fix dtls regression
Browse files Browse the repository at this point in the history
  • Loading branch information
fwh-dc committed Dec 29, 2023
1 parent 3b1a2a7 commit 8c78c9a
Show file tree
Hide file tree
Showing 3 changed files with 16 additions and 13 deletions.
1 change: 1 addition & 0 deletions ssl/ssl_local.h
Original file line number Diff line number Diff line change
Expand Up @@ -2629,6 +2629,7 @@ __owur int ssl3_handshake_write(SSL_CONNECTION *s);

__owur int ssl_allow_compression(SSL_CONNECTION *s);

__owur int ssl_version_cmp(const SSL_CONNECTION *s, int a, int b);
__owur int ssl_version_supported(const SSL_CONNECTION *s, int version,
const SSL_METHOD **meth);

Expand Down
6 changes: 4 additions & 2 deletions ssl/statem/statem_clnt.c
Original file line number Diff line number Diff line change
Expand Up @@ -4063,9 +4063,11 @@ int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
{
int i;
size_t totlen = 0, len, maxlen, maxverok = 0;
int min_proto_version_limit = SSL_CONNECTION_IS_DTLS(s)
? DTLS1_3_VERSION : TLS1_3_VERSION;
int empty_reneg_info_scsv = !s->renegotiate
&& ((SSL_CONNECTION_IS_DTLS(s) && DTLS_VERSION_LT(s->min_proto_version, DTLS1_3_VERSION))
|| (!SSL_CONNECTION_IS_DTLS(s) && s->min_proto_version < TLS1_3_VERSION));
&& (ssl_version_cmp(s, s->min_proto_version, min_proto_version_limit) < 0
|| s->min_proto_version == 0);
SSL *ssl = SSL_CONNECTION_GET_SSL(s);

/* Set disabled masks for this session */
Expand Down
22 changes: 11 additions & 11 deletions ssl/statem/statem_lib.c
Original file line number Diff line number Diff line change
Expand Up @@ -1783,7 +1783,7 @@ int ssl_allow_compression(SSL_CONNECTION *s)
return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
}

static int version_cmp(const SSL_CONNECTION *s, int a, int b)
int ssl_version_cmp(const SSL_CONNECTION *s, int a, int b)
{
int dtls = SSL_CONNECTION_IS_DTLS(s);

Expand Down Expand Up @@ -1868,12 +1868,12 @@ static int ssl_method_error(const SSL_CONNECTION *s, const SSL_METHOD *method)
int version = method->version;

if ((s->min_proto_version != 0 &&
version_cmp(s, version, s->min_proto_version) < 0) ||
ssl_version_cmp(s, version, s->min_proto_version) < 0) ||
ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
return SSL_R_VERSION_TOO_LOW;

if (s->max_proto_version != 0 &&
version_cmp(s, version, s->max_proto_version) > 0)
ssl_version_cmp(s, version, s->max_proto_version) > 0)
return SSL_R_VERSION_TOO_HIGH;

if ((s->options & method->mask) != 0)
Expand Down Expand Up @@ -1961,7 +1961,7 @@ int ssl_version_supported(const SSL_CONNECTION *s, int version,
switch (SSL_CONNECTION_GET_SSL(s)->method->version) {
default:
/* Version should match method version for non-ANY method */
return version_cmp(s, version, s->version) == 0;
return ssl_version_cmp(s, version, s->version) == 0;
case TLS_ANY_VERSION:
table = tls_version_table;
break;
Expand All @@ -1971,11 +1971,11 @@ int ssl_version_supported(const SSL_CONNECTION *s, int version,
}

for (vent = table;
vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
vent->version != 0 && ssl_version_cmp(s, version, vent->version) <= 0;
++vent) {
if (vent->cmeth != NULL
&& version_cmp(s, version, vent->version) == 0
&& ssl_method_error(s, vent->cmeth()) == 0
&& ssl_version_cmp(s, version, vent->version) == 0
&& ssl_method_error(s, vent->cmeth()) == 0
&& (!s->server
|| (version != TLS1_3_VERSION && version != DTLS1_3_VERSION)
|| is_tls13_capable(s))) {
Expand Down Expand Up @@ -2148,7 +2148,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
switch (server_version) {
default:
if (!(SSL_CONNECTION_IS_TLS13(s) || SSL_CONNECTION_IS_DTLS13(s))) {
if (version_cmp(s, client_version, s->version) < 0)
if (ssl_version_cmp(s, client_version, s->version) < 0)
return SSL_R_WRONG_SSL_VERSION;
*dgrd = DOWNGRADE_NONE;
/*
Expand Down Expand Up @@ -2205,7 +2205,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
return SSL_R_BAD_LEGACY_VERSION;

while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
if (version_cmp(s, candidate_vers, best_vers) <= 0)
if (ssl_version_cmp(s, candidate_vers, best_vers) <= 0)
continue;
if (ssl_version_supported(s, candidate_vers, &best_method))
best_vers = candidate_vers;
Expand Down Expand Up @@ -2243,7 +2243,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
*/
const int version = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION;
const int forcedversion = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_2_VERSION : TLS1_2_VERSION;
if (version_cmp(s, client_version, version) >= 0)
if (ssl_version_cmp(s, client_version, version) >= 0)
client_version = forcedversion;

/*
Expand All @@ -2254,7 +2254,7 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
const SSL_METHOD *method;

if (vent->smeth == NULL ||
version_cmp(s, client_version, vent->version) < 0)
ssl_version_cmp(s, client_version, vent->version) < 0)
continue;
method = vent->smeth();
if (ssl_method_error(s, method) == 0) {
Expand Down

0 comments on commit 8c78c9a

Please sign in to comment.