mirror of https://github.com/openssl/openssl
Fix sanity tests for ssl_version_cmp for dtls 1.3 branch
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24293)
This commit is contained in:
parent
49c1e660d7
commit
e554c01533
|
@ -2195,10 +2195,10 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
|
|||
return SSL_R_UNSUPPORTED_PROTOCOL;
|
||||
|
||||
if (suppversions->present) {
|
||||
unsigned int candidate_vers = 0;
|
||||
const unsigned int best_vers_init = SSL_CONNECTION_IS_DTLS(s) ? UINT_MAX
|
||||
: 0;
|
||||
unsigned int best_vers = best_vers_init;
|
||||
int candidate_vers = 0;
|
||||
const int best_vers_init = SSL_CONNECTION_IS_DTLS(s) ? INT_MAX
|
||||
: 0;
|
||||
int best_vers = best_vers_init;
|
||||
const SSL_METHOD *best_method = NULL;
|
||||
PACKET versionslist;
|
||||
|
||||
|
@ -2221,9 +2221,9 @@ int ssl_choose_server_version(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello,
|
|||
if (client_version <= SSL3_VERSION)
|
||||
return SSL_R_BAD_LEGACY_VERSION;
|
||||
|
||||
while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
|
||||
while (PACKET_get_net_2(&versionslist, (unsigned int*)&candidate_vers)) {
|
||||
if (candidate_vers <= 0
|
||||
|| (best_vers != 0
|
||||
|| (best_vers != best_vers_init
|
||||
&& ssl_version_cmp(s, candidate_vers, best_vers) <= 0))
|
||||
continue;
|
||||
if (ssl_version_supported(s, candidate_vers, &best_method))
|
||||
|
|
14
ssl/t1_lib.c
14
ssl/t1_lib.c
|
@ -2504,7 +2504,8 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
|
|||
{
|
||||
unsigned char sigalgstr[2];
|
||||
int secbits;
|
||||
int dsa_version_limit;
|
||||
const int version1_3 = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION
|
||||
: TLS1_3_VERSION;
|
||||
|
||||
if (lu == NULL || !lu->enabled)
|
||||
return 0;
|
||||
|
@ -2515,8 +2516,8 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
|
|||
* At some point we should fully axe DSA/etc. in ClientHello as per (D)TLSv1.3
|
||||
* spec
|
||||
*/
|
||||
dsa_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION;
|
||||
if (!s->server && ssl_version_cmp(s, s->s3.tmp.min_ver, dsa_version_limit) >= 0
|
||||
if (!s->server && s->s3.tmp.min_ver > 0
|
||||
&& ssl_version_cmp(s, s->s3.tmp.min_ver, version1_3) >= 0
|
||||
&& (lu->sig == EVP_PKEY_DSA || lu->hash_idx == SSL_MD_SHA1_IDX
|
||||
|| lu->hash_idx == SSL_MD_MD5_IDX
|
||||
|| lu->hash_idx == SSL_MD_SHA224_IDX))
|
||||
|
@ -2530,14 +2531,14 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
|
|||
|| lu->sig == NID_id_GostR3410_2012_512
|
||||
|| lu->sig == NID_id_GostR3410_2001) {
|
||||
int any_version = SSL_CONNECTION_IS_DTLS(s) ? DTLS_ANY_VERSION : TLS_ANY_VERSION;
|
||||
int gost_version_limit = SSL_CONNECTION_IS_DTLS(s) ? DTLS1_3_VERSION : TLS1_3_VERSION;
|
||||
|
||||
/* We never allow GOST sig algs on the server with (D)TLSv1.3 */
|
||||
if (s->server && SSL_CONNECTION_IS_VERSION13(s))
|
||||
return 0;
|
||||
if (!s->server
|
||||
&& SSL_CONNECTION_GET_SSL(s)->method->version == any_version
|
||||
&& ssl_version_cmp(s, s->s3.tmp.max_ver, gost_version_limit) >= 0) {
|
||||
&& s->s3.tmp.max_ver > 0
|
||||
&& ssl_version_cmp(s, s->s3.tmp.max_ver, version1_3) >= 0) {
|
||||
int i, num;
|
||||
STACK_OF(SSL_CIPHER) *sk;
|
||||
|
||||
|
@ -2547,7 +2548,8 @@ static int tls12_sigalg_allowed(const SSL_CONNECTION *s, int op,
|
|||
* ciphersuites enabled.
|
||||
*/
|
||||
|
||||
if (ssl_version_cmp(s, s->s3.tmp.min_ver, gost_version_limit) >= 0)
|
||||
if (s->s3.tmp.min_ver > 0
|
||||
&& ssl_version_cmp(s, s->s3.tmp.min_ver, version1_3) >= 0)
|
||||
return 0;
|
||||
|
||||
sk = SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s));
|
||||
|
|
Loading…
Reference in New Issue