From 3fa1ee567caae5f65ac373ba88c7f9cf7e0aed90 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 22 May 2019 14:44:37 +0100 Subject: [PATCH] Set SSL minor version only after validation --- library/ssl_cli.c | 44 ++++++++++++++++++++++++++------------------ library/ssl_srv.c | 47 +++++++++++++++++++++++++++-------------------- 2 files changed, 53 insertions(+), 38 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 7291fd753..87dc25d0d 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1716,27 +1716,35 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) */ buf += mbedtls_ssl_hs_hdr_len( ssl ); - MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); - mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, - ssl->conf->transport, buf + 0 ); - - if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) || - ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) || - ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) || - ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " - " min: [%d:%d], server: [%d:%d], max: [%d:%d]", - mbedtls_ssl_conf_get_min_major_ver( ssl->conf ), - mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ), - ssl->major_ver, ssl->minor_ver, - mbedtls_ssl_conf_get_max_major_ver( ssl->conf ), - mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) ); + int major_ver, minor_ver; - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); + MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 ); + mbedtls_ssl_read_version( &major_ver, &minor_ver, + ssl->conf->transport, + buf + 0 ); - return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); + if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) || + minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) || + major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) || + minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - " + " min: [%d:%d], server: [%d:%d], max: [%d:%d]", + mbedtls_ssl_conf_get_min_major_ver( ssl->conf ), + mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ), + major_ver, minor_ver, + mbedtls_ssl_conf_get_max_major_ver( ssl->conf ), + mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) ); + + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); + + return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); + } + + ssl->minor_ver = minor_ver; + ssl->major_ver = major_ver; } MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu", diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 553ded29d..38c841d89 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1621,32 +1621,39 @@ read_record_header: */ MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 ); - mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver, - ssl->conf->transport, buf ); - - ssl->handshake->max_major_ver = ssl->major_ver; - ssl->handshake->max_minor_ver = ssl->minor_ver; - - if( ssl->major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) || - ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" + int minor_ver, major_ver; + mbedtls_ssl_read_version( &major_ver, &minor_ver, + ssl->conf->transport, + buf ); + + ssl->handshake->max_major_ver = major_ver; + ssl->handshake->max_minor_ver = minor_ver; + + if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) || + minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum" " [%d:%d] < [%d:%d]", - ssl->major_ver, ssl->minor_ver, + major_ver, minor_ver, mbedtls_ssl_conf_get_min_major_ver( ssl->conf ), mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) ); - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); - return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); - } + mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION ); + return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); + } - if( ssl->major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ) - { - ssl->major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf ); - ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ); + if( major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ) + { + major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf ); + minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ); + } + else if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) + minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ); + + ssl->major_ver = major_ver; + ssl->minor_ver = minor_ver; } - else if( ssl->minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) - ssl->minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ); /* * Save client random (inc. Unix time)