diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-01-16 14:16:58 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2015-01-16 14:18:16 +0100 |
commit | a1efe5f916eb1cf374181f0693eae32d4194286f (patch) | |
tree | c57ffbd70f8e293d593eaf3141c5c7676d648621 | |
parent | bfdc62f929c3b3b0fc39004762a61e5969d833ee (diff) | |
download | gnutls-a1efe5f916eb1cf374181f0693eae32d4194286f.tar.gz |
Added the notion of obsolete versions
That prevents using these versions as record version numbers, unless
they are the only protocol supported. This avoids the issues with
servers that have banned SSL 3.0 record versions.
-rw-r--r-- | lib/algorithms/protocols.c | 27 | ||||
-rw-r--r-- | lib/gnutls_int.h | 1 |
2 files changed, 18 insertions, 10 deletions
diff --git a/lib/algorithms/protocols.c b/lib/algorithms/protocols.c index 8251da098c..35208b4ac6 100644 --- a/lib/algorithms/protocols.c +++ b/lib/algorithms/protocols.c @@ -27,13 +27,13 @@ /* TLS Versions */ static const version_entry_st sup_versions[] = { - {"SSL3.0", GNUTLS_SSL3, 0, 3, 0, GNUTLS_STREAM, 1, 0, 0, 0, 0}, - {"TLS1.0", GNUTLS_TLS1, 1, 3, 1, GNUTLS_STREAM, 1, 0, 1, 0, 0}, - {"TLS1.1", GNUTLS_TLS1_1, 2, 3, 2, GNUTLS_STREAM, 1, 1, 1, 0, 0}, - {"TLS1.2", GNUTLS_TLS1_2, 3, 3, 3, GNUTLS_STREAM, 1, 1, 1, 1, 1}, - {"DTLS0.9", GNUTLS_DTLS0_9, 200, 1, 0, GNUTLS_DGRAM, 1, 1, 1, 0, 0}, /* Cisco AnyConnect (based on about OpenSSL 0.9.8e) */ - {"DTLS1.0", GNUTLS_DTLS1_0, 201, 254, 255, GNUTLS_DGRAM, 1, 1, 1, 0, 0}, /* 1.1 over datagram */ - {"DTLS1.2", GNUTLS_DTLS1_2, 202, 254, 253, GNUTLS_DGRAM, 1, 1, 1, 1, 1}, /* 1.2 over datagram */ + {"SSL3.0", GNUTLS_SSL3, 0, 3, 0, GNUTLS_STREAM, 1, 0, 0, 0, 0, 1}, + {"TLS1.0", GNUTLS_TLS1, 1, 3, 1, GNUTLS_STREAM, 1, 0, 1, 0, 0, 0}, + {"TLS1.1", GNUTLS_TLS1_1, 2, 3, 2, GNUTLS_STREAM, 1, 1, 1, 0, 0, 0}, + {"TLS1.2", GNUTLS_TLS1_2, 3, 3, 3, GNUTLS_STREAM, 1, 1, 1, 1, 1, 0}, + {"DTLS0.9", GNUTLS_DTLS0_9, 200, 1, 0, GNUTLS_DGRAM, 1, 1, 1, 0, 0, 0}, /* Cisco AnyConnect (based on about OpenSSL 0.9.8e) */ + {"DTLS1.0", GNUTLS_DTLS1_0, 201, 254, 255, GNUTLS_DGRAM, 1, 1, 1, 0, 0, 0}, /* 1.1 over datagram */ + {"DTLS1.2", GNUTLS_DTLS1_2, 202, 254, 253, GNUTLS_DGRAM, 1, 1, 1, 1, 1, 0}, /* 1.2 over datagram */ {0, 0, 0, 0, 0} }; @@ -52,7 +52,7 @@ const version_entry_st *version_to_entry(gnutls_protocol_t version) static int version_is_valid_for_session(gnutls_session_t session, - const version_entry_st *v) + const version_entry_st *v) { if (v->supported && v->transport == session->internals.transport) { return 1; @@ -83,6 +83,7 @@ const version_entry_st *_gnutls_version_lowest(gnutls_session_t session) unsigned int i; gnutls_protocol_t cur_prot; const version_entry_st *v, *min_v = NULL; + const version_entry_st *backup = NULL; for (i=0;i < session->internals.priorities.protocol.algorithms;i++) { cur_prot = @@ -91,13 +92,19 @@ const version_entry_st *_gnutls_version_lowest(gnutls_session_t session) if (v != NULL && version_is_valid_for_session(session, v)) { if (min_v == NULL) { - min_v = v; - } else if (v->age < min_v->age) { + if (v->obsolete != 0) + backup = v; + else + min_v = v; + } else if (v->obsolete == 0 && v->age < min_v->age) { min_v = v; } } } + if (min_v == NULL) + return backup; + return min_v; } diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h index d3adbf0d6e..942ec322fe 100644 --- a/lib/gnutls_int.h +++ b/lib/gnutls_int.h @@ -495,6 +495,7 @@ typedef struct { bool extensions; /* whether it supports extensions */ bool selectable_sighash; /* whether signatures can be selected */ bool selectable_prf; /* whether the PRF is ciphersuite-defined */ + bool obsolete; /* Do not use this protocol version as record version */ } version_entry_st; |