commit 2dc0204603f777597e2f97662e42887d1af5013f
author David Benjamin <davidben@google.com> Mon Sep 19 19:57:37 2016 -0400
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Wed Sep 21 19:51:45 2016 +0000
tree 51be5e0d7c4e766c6a5d08bccaa7c961338d0c15
parent c027999c28db2f448ea5795798080f6a5aaa01d6

Don't return invalid versions in version_from_wire.

This is in preparation for using the supported_versions extension to
experiment with draft TLS 1.3 versions, since we don't wish to restore
the fallback. With versions begin opaque values, we will want
version_from_wire to reject unknown values, not attempt to preserve
order in some way.

This means ClientHello.version processing needs to be separate code.
That's just written out fully in negotiate_version now. It also means
SSL_set_{min,max}_version will notice invalid inputs which aligns us
better with upstream's versions of those APIs.

This CL doesn't replace ssl->version with an internal-representation
version, though follow work should do it once a couple of changes land
in consumers.

BUG=90

Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da
Reviewed-on: https://boringssl-review.googlesource.com/11122
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

ssl/test/runner/runner.go

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 039cd5c..99d7fac 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -4221,6 +4221,17 @@
 		expectedError: ":UNSUPPORTED_PROTOCOL:",
 	})
 
+	testCases = append(testCases, testCase{
+		name: "ServerBogusVersion",
+		config: Config{
+			Bugs: ProtocolBugs{
+				SendServerHelloVersion: 0x1234,
+			},
+		},
+		shouldFail:    true,
+		expectedError: ":UNSUPPORTED_PROTOCOL:",
+	})
+
 	// Test TLS 1.3's downgrade signal.
 	testCases = append(testCases, testCase{
 		name: "Downgrade-TLS12-Client",