Merge pull request #2089 from SparkiDev/tls13_sup_ver

Make SupportedVersions respect SSL_OP_NO_TLSv*
This commit is contained in:
toddouska
2019-02-15 10:36:32 -08:00
committed by GitHub

104
src/tls.c

@ -5066,19 +5066,34 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz)
if (msgType == client_hello) { if (msgType == client_hello) {
/* TLS v1.2 and TLS v1.3 */ /* TLS v1.2 and TLS v1.3 */
int cnt = 2; int cnt = 0;
#ifndef NO_OLD_TLS #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
/* TLS v1.1 */ if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0)
cnt++; #endif
#ifdef WOLFSSL_ALLOW_TLSV10 cnt++;
/* TLS v1.0 */
cnt++; if (ssl->options.downgrade) {
#endif #ifndef WOLFSSL_NO_TLS12
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0)
#endif
cnt++;
#endif #endif
if (!ssl->options.downgrade) #ifndef NO_OLD_TLS
cnt = 1; #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0)
#endif
cnt++;
#ifdef WOLFSSL_ALLOW_TLSV10
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0)
#endif
cnt++;
#endif
#endif
}
*pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN); *pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
} }
@ -5103,44 +5118,65 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output,
byte msgType, word16* pSz) byte msgType, word16* pSz)
{ {
WOLFSSL* ssl = (WOLFSSL*)data; WOLFSSL* ssl = (WOLFSSL*)data;
ProtocolVersion pv; byte major;
int i; byte* cnt;
int cnt;
if (msgType == client_hello) { if (msgType == client_hello) {
pv = ssl->ctx->method->version; major = ssl->ctx->method->version.major;
/* TLS v1.2 and TLS v1.3 */
cnt = 2;
#ifndef NO_OLD_TLS
/* TLS v1.1 */
cnt++;
#ifdef WOLFSSL_ALLOW_TLSV10
/* TLS v1.0 */
cnt++;
#endif
#endif
if (!ssl->options.downgrade) cnt = output++;
cnt = 1; *cnt = 0;
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
*(output++) = (byte)(cnt * OPAQUE16_LEN); if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0)
for (i = 0; i < cnt; i++) { #endif
{
*cnt += OPAQUE16_LEN;
#ifdef WOLFSSL_TLS13_DRAFT #ifdef WOLFSSL_TLS13_DRAFT
if (pv.minor - i == TLSv1_3_MINOR) {
/* The TLS draft major number. */ /* The TLS draft major number. */
*(output++) = TLS_DRAFT_MAJOR; *(output++) = TLS_DRAFT_MAJOR;
/* Version of draft supported. */ /* Version of draft supported. */
*(output++) = TLS_DRAFT_MINOR; *(output++) = TLS_DRAFT_MINOR;
continue; #else
*(output++) = major;
*(output++) = (byte)TLSv1_3_MINOR;
#endif
}
if (ssl->options.downgrade) {
#ifndef WOLFSSL_NO_TLS12
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0)
#endif
{
*cnt += OPAQUE16_LEN;
*(output++) = major;
*(output++) = (byte)TLSv1_2_MINOR;
} }
#endif #endif
*(output++) = pv.major; #ifndef NO_OLD_TLS
*(output++) = (byte)(pv.minor - i); #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0)
#endif
{
*cnt += OPAQUE16_LEN;
*(output++) = major;
*(output++) = (byte)TLSv1_1_MINOR;
}
#ifdef WOLFSSL_ALLOW_TLSV10
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
if ((ssl->options.mask & SSL_OP_NO_TLSv1) == 0)
#endif
{
*cnt += OPAQUE16_LEN;
*(output++) = major;
*(output++) = (byte)TLSv1_MINOR;
}
#endif
#endif
} }
*pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN); *pSz += (word16)(OPAQUE8_LEN + *cnt);
} }
#ifndef WOLFSSL_TLS13_DRAFT_18 #ifndef WOLFSSL_TLS13_DRAFT_18
else if (msgType == server_hello || msgType == hello_retry_request) { else if (msgType == server_hello || msgType == hello_retry_request) {