diff options
| author | David Benjamin <davidben@google.com> | 2016-06-21 17:33:21 +0300 |
|---|---|---|
| committer | David Benjamin <davidben@google.com> | 2016-07-01 00:56:01 +0300 |
| commit | b6a0a518a3ee815cf64443c91b52a5b6b26ebcb0 (patch) | |
| tree | 308bd8ec26ade25596c794860b0a0fd2a87ed54d /include/openssl/ssl.h | |
| parent | f11f2336efb9b4ce48e6293fc3a56e392ad627a1 (diff) | |
Simplify version configuration.
OpenSSL's SSL_OP_NO_* flags allow discontinuous version ranges. This is a
nuisance for two reasons. First it makes it unnecessarily difficult to answer
"are any versions below TLS 1.3 enabled?". Second the protocol does not allow
discontinuous version ranges on the client anyway. OpenSSL instead picks the
first continous range of enabled versions on the client, but not the server.
This is bizarrely inconsistent. It also doesn't quite do this as the
ClientHello sending logic does this, but not the ServerHello processing logic.
So we actually break some invariants slightly. The logic is also cumbersome in
DTLS which kindly inverts the comparison logic.
First, switch min_version/max_version's storage to normalized versions. Next
replace all the ad-hoc version-related functions with a single
ssl_get_version_range function. Client and server now consistently pick a
contiguous range of versions. Note this is a slight behavior change for
servers. Version-range-sensitive logic is rewritten to use this new function.
BUG=66
Change-Id: Iad0d64f2b7a917603fc7da54c9fc6656c5fbdb24
Reviewed-on: https://boringssl-review.googlesource.com/8513
Reviewed-by: David Benjamin <davidben@google.com>
Diffstat (limited to 'include/openssl/ssl.h')
| -rw-r--r-- | include/openssl/ssl.h | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 797da389..59096e4c 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -3626,10 +3626,12 @@ struct ssl_ctx_st { /* lock is used to protect various operations on this object. */ CRYPTO_MUTEX lock; - /* max_version is the maximum acceptable wire protocol version. */ + /* max_version is the maximum acceptable protocol version. Note this version + * is normalized in DTLS. */ uint16_t max_version; - /* min_version is the minimum acceptable wire protocol version. */ + /* min_version is the minimum acceptable protocol version. Note this version + * is normalized in DTLS. */ uint16_t min_version; struct ssl_cipher_preference_list_st *cipher_list; @@ -3873,10 +3875,12 @@ struct ssl_st { /* version is the protocol version. */ int version; - /* max_version is the maximum acceptable wire protocol version. */ + /* max_version is the maximum acceptable protocol version. Note this version + * is normalized in DTLS. */ uint16_t max_version; - /* min_version is the minimum acceptable wire protocol version. */ + /* min_version is the minimum acceptable protocol version. Note this version + * is normalized in DTLS. */ uint16_t min_version; /* method is the method table corresponding to the current protocol (DTLS or |