author | Daiki Ueno <ueno@gnu.org> | 2020-08-16 11:43:35 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2020-09-03 09:57:13 +0200 |
commit | 97f405f5af3c196a6a72cc876e1f693d3ba1407c (patch) | |
tree | b585090355ed0175b51be4159d3dd969e999e9a4 /lib | |
parent | f936f4fb802f745259f765d69bea05a81fd8ef23 (diff) | |
download | gnutls-97f405f5af3c196a6a72cc876e1f693d3ba1407c.tar.gz |
handshake: check TLS version against modified server priorities
The server needs to take multiple factors into account when
determining the TLS protocol version actually being used:
- the legacy version
- "supported_versions" extension
- user_hello_func that may modify the server's priorities
Only after that it can check whether the TLS version is enabled in the
server's priorities.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/handshake.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/lib/handshake.c b/lib/handshake.c
index cb215b223c..b40f84b3d9 100644
--- a/lib/handshake.c
+++ b/lib/handshake.c
@@ -823,7 +823,17 @@ read_client_hello(gnutls_session_t session, uint8_t * data,
 return ret;
 }
- _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, session->security_parameters.pversion->name);
+ /* Only at this point we know the version we are actually going to use
+ * ("supported_versions" extension is parsed, user_hello_func is called,
+ * legacy version negotiation is done). */
+ vers = get_version(session);
+ if (unlikely(vers == NULL))
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ if (_gnutls_version_priority(session, vers->id) < 0)
+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_VERSION_PACKET);
+
+ _gnutls_handshake_log("HSK[%p]: Selected version %s\n", session, vers->name);
 /* select appropriate compression method */
 ret = |
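Review bot: The rejection branch after `_gnutls_version_priority(session, vers->id) < 0` returns without recording which version was refused, and the only handshake-log line naming a version is now reached on success alone. Both new failure paths also return the same `GNUTLS_E_UNSUPPORTED_VERSION_PACKET`, so an operator reading the handshake log cannot tell "no version negotiated" from "negotiated version disabled by the (possibly callback-modified) priorities". I would brace the second `if` and add `_gnutls_handshake_log("HSK[%p]: Version %s is not enabled in priorities\n", session, vers->name);` before its `return`. The body of read_client_hello starts and ends outside this hunk, so the declaration of `vers` is assumed to exist earlier in the function. For the same reason it cannot be judged from here whether any session state was already set under the version that is now rejected.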