authorMartin Willi <martin@revosec.ch>2010-08-20 16:08:59 +0200
committerMartin Willi <martin@revosec.ch>2010-08-23 09:47:03 +0200
commitf154e30431ee61d9f10027020d0eeb947722e1ea (patch)
tree3a232e7a782042468bff8e0f6dcd6c473f56f221
parent3c19b3461f835b901395b3335d6456ca60dbe5ab (diff)
Verify negotiated TLS version
-rw-r--r--src/libtls/tls.c19
-rw-r--r--src/libtls/tls.h3
-rw-r--r--src/libtls/tls_peer.c6
-rw-r--r--src/libtls/tls_server.c7
4 files changed, 27 insertions, 8 deletions
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index da3b5b4f0..d46ce0084 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -146,10 +146,25 @@ METHOD(tls_t, get_version, tls_version_t,
return this->version;
}
-METHOD(tls_t, set_version, void,
+METHOD(tls_t, set_version, bool,
private_tls_t *this, tls_version_t version)
{
- this->version = version;
+ if (version > this->version)
+ {
+ return FALSE;
+ }
+ switch (version)
+ {
+ case TLS_1_0:
+ case TLS_1_1:
+ case TLS_1_2:
+ this->version = version;
+ return TRUE;
+ case SSL_2_0:
+ case SSL_3_0:
+ default:
+ return FALSE;
+ }
}
METHOD(tls_t, get_purpose, tls_purpose_t,
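Review bot: The guard `if (version > this->version)` bounds the negotiated version only from above; the switch then accepts anything down to TLS_1_0, so there is no floor a deployment could configure and a peer proposing the oldest supported version is always accepted. Because the method also overwrites this->version on success, every later call is compared against the already-lowered value, so the stored version can only move downward for the lifetime of the object; that is presumably intended but deserves a comment above the guard, e.g. `/* the version may only be lowered from the initial maximum, never raised again */`. The comparison further assumes the tls_version_t enumerators are numerically ordered by protocol age, which is not visible in this hunk. The explicit `case SSL_2_0:` and `case SSL_3_0:` labels fall through into default and change nothing; keep them only if they are meant to document the deliberate rejection.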
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index 6f55075f0..a426d7618 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -146,8 +146,9 @@ struct tls_t {
* Set the negotiated TLS/SSL version.
*
* @param version negotiated TLS version
+ * @return TRUE if version acceptable
*/
- void (*set_version)(tls_t *this, tls_version_t version);
+ bool (*set_version)(tls_t *this, tls_version_t version);
/**
* Get the purpose of this TLS stack instance.
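Review bot: The new `@return TRUE if version acceptable` leaves the contract underspecified for callers that now treat FALSE as fatal: it does not say that a version above the one currently set is refused, that SSL versions are never accepted, or that the stored version is left unchanged on FALSE. Suggest `@return TRUE if version is a supported TLS version not higher than the current one, FALSE otherwise (stored version unchanged)`, plus a sentence in the description noting that a successful call updates the stored version, so subsequent calls are checked against the new value.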
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 09364d53b..ddd117a87 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -130,9 +130,11 @@ static status_t process_server_hello(private_tls_peer_t *this,
memcpy(this->server_random, random.ptr, sizeof(this->server_random));
- if (version < this->tls->get_version(this->tls))
+ if (!this->tls->set_version(this->tls, version))
{
- this->tls->set_version(this->tls, version);
+ DBG1(DBG_TLS, "negotiated version %N not supported",
+ tls_version_names, version);
+ return FAILED;
}
suite = cipher;
if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1))
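Review bot: The new DBG1 message `negotiated version %N not supported` is also emitted when set_version refuses the version because it is higher than the one currently set, which for the client means the server answered with a version above what was offered — a protocol violation rather than an unsupported version — and the identical message is used in the tls_server.c hunk. Consider wording that covers both cases and logs the local version for comparison, e.g. `DBG1(DBG_TLS, "negotiated version %N not acceptable, current %N", tls_version_names, version, tls_version_names, this->tls->get_version(this->tls));`, so a log reader can tell a downgrade to an unsupported version from a misbehaving peer. Returning FAILED here also ends the handshake without telling the peer why; if the stack has a way to send a protocol_version alert, doing so before returning would be the conforming behaviour, but no alert path is visible in this hunk. process_server_hello begins before this hunk.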
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 18aa09df2..3248a0c1a 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -137,11 +137,12 @@ static status_t process_client_hello(private_tls_server_t *this,
memcpy(this->client_random, random.ptr, sizeof(this->client_random));
- if (version < this->tls->get_version(this->tls))
+ if (!this->tls->set_version(this->tls, version))
{
- this->tls->set_version(this->tls, version);
+ DBG1(DBG_TLS, "negotiated version %N not supported",
+ tls_version_names, version);
+ return FAILED;
}
-
count = ciphers.len / sizeof(u_int16_t);
suites = alloca(count * sizeof(tls_cipher_suite_t));
DBG2(DBG_TLS, "received %d TLS cipher suites:", count);