Diffstat (limited to 'src')
-rw-r--r-- | src/libtls/tls.c | 19 | ||||
-rw-r--r-- | src/libtls/tls.h | 3 | ||||
-rw-r--r-- | src/libtls/tls_peer.c | 6 | ||||
-rw-r--r-- | src/libtls/tls_server.c | 7 |
4 files changed, 27 insertions, 8 deletions
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index da3b5b4f0..d46ce0084 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -146,10 +146,25 @@ METHOD(tls_t, get_version, tls_version_t,
 	return this->version;
 }
-METHOD(tls_t, set_version, void,
+METHOD(tls_t, set_version, bool,
 	private_tls_t *this, tls_version_t version)
 {
-	this->version = version;
+	if (version > this->version)
+	{
+		return FALSE;
+	}
+	switch (version)
+	{
+		case TLS_1_0:
+		case TLS_1_1:
+		case TLS_1_2:
+			this->version = version;
+			return TRUE;
+		case SSL_2_0:
+		case SSL_3_0:
+		default:
+			return FALSE;
+	}
 }
 METHOD(tls_t, get_purpose, tls_purpose_t,
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index 6f55075f0..a426d7618 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -146,8 +146,9 @@ struct tls_t {
 	 * Set the negotiated TLS/SSL version.
 	 *
 	 * @param version	negotiated TLS version
+	 * @return			TRUE if version acceptable
 	 */
-	void (*set_version)(tls_t *this, tls_version_t version);
+	bool (*set_version)(tls_t *this, tls_version_t version);
 	/**
 	 * Get the purpose of this TLS stack instance.
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 09364d53b..ddd117a87 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -130,9 +130,11 @@ static status_t process_server_hello(private_tls_peer_t *this,
 	memcpy(this->server_random, random.ptr, sizeof(this->server_random));
-	if (version < this->tls->get_version(this->tls))
+	if (!this->tls->set_version(this->tls, version))
 	{
-		this->tls->set_version(this->tls, version);
+		DBG1(DBG_TLS, "negotiated version %N not supported",
+			 tls_version_names, version);
+		return FAILED;
 	}
 	suite = cipher;
 	if (!this->crypto->select_cipher_suite(this->crypto, &suite, 1))
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 18aa09df2..3248a0c1a 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
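Review bot: In the new set_version body the `case SSL_2_0:` and `case SSL_3_0:` labels sit directly above `default:` and are therefore dead; either drop them, or keep them and drop `default:` (adding `return FALSE;` after the switch) so that a future tls_version_t enumerator produces a -Wswitch warning instead of being refused silently. The guard `if (version > this->version)` encodes policy rather than validation and deserves a why-comment, e.g. `/* never move above the version currently set; only downgrades within TLS are accepted */` — the hunk does not show what this->version holds before negotiation, so confirm the wording against the constructor. That comparison also relies on the tls_version_t enumerators being declared in protocol order, which a one-line note next to the enum would make explicit.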
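Review bot: The added `@return TRUE if version acceptable` leaves the caller guessing what acceptable means, while the implementation in tls.c applies two rules: the value must be TLS 1.0, 1.1 or 1.2 (SSL 2.0 and 3.0 are always refused) and it must not be higher than the version currently set. Suggest `@return TRUE if version is TLS 1.0-1.2 and not above the current version; on FALSE the stored version is unchanged`. The summary line `Set the negotiated TLS/SSL version.` could likewise lose `/SSL`, since an SSL version can no longer be set through this method.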
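Review bot: On the rejection path added here, and in the mirrored change in tls_server.c, the handshake is abandoned with `return FAILED` without telling the other side why; TLS defines a fatal protocol_version alert for exactly this situation, so if this stack can queue an alert from the hello handlers it should be done before returning, and if it cannot, a comment such as `/* no alert is sent; the connection is simply dropped */` would record the choice. Whether such an alert mechanism exists is not visible in this hunk. Refusing a server-chosen version above what the client offered is the right behaviour on this side. process_server_hello begins and ends outside the hunk.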
@@ -137,11 +137,12 @@ static status_t process_client_hello(private_tls_server_t *this,
 	memcpy(this->client_random, random.ptr, sizeof(this->client_random));
-	if (version < this->tls->get_version(this->tls))
+	if (!this->tls->set_version(this->tls, version))
 	{
-		this->tls->set_version(this->tls, version);
+		DBG1(DBG_TLS, "negotiated version %N not supported",
+			 tls_version_names, version);
+		return FAILED;
 	}
-
 	count = ciphers.len / sizeof(u_int16_t);
 	suites = alloca(count * sizeof(tls_cipher_suite_t));
 	DBG2(DBG_TLS, "received %d TLS cipher suites:", count); |
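Review bot: With this change a ClientHello whose version is higher than the server's own makes process_client_hello fail, because set_version returns FALSE for `version > this->version`; the removed code left the server's version untouched in that case, which is what TLS expects — the server replies with its highest supported version not above the client's offer. Unless this->version is meant as a per-connection ceiling rather than the server's maximum (its initial value is not visible here), clamp the client value before calling set_version so that only genuinely unsupported versions, SSL 2.0 and 3.0, are refused. process_client_hello continues outside the hunk; note also that `count` below is derived from the received ciphers length and sized into alloca, and whether that length is bounded earlier is not visible in this hunk.
```c
	/* client may offer more than we support: answer with our highest version */
	if (version > this->tls->get_version(this->tls))
	{
		version = this->tls->get_version(this->tls);
	}
	if (!this->tls->set_version(this->tls, version))
	/* … unchanged: log "not supported" and return FAILED … */
```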