Don't return invalid versions in version_from_wire.
This is in preparation for using the supported_versions extension to
experiment with draft TLS 1.3 versions, since we don't wish to restore
the fallback. With versions begin opaque values, we will want
version_from_wire to reject unknown values, not attempt to preserve
order in some way.
This means ClientHello.version processing needs to be separate code.
That's just written out fully in negotiate_version now. It also means
SSL_set_{min,max}_version will notice invalid inputs which aligns us
better with upstream's versions of those APIs.
This CL doesn't replace ssl->version with an internal-representation
version, though follow work should do it once a couple of changes land
in consumers.
BUG=90
Change-Id: Id2f5e1fa72847c823ee7f082e9e69f55e51ce9da
Reviewed-on: https://boringssl-review.googlesource.com/11122
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/tool/server.cc b/tool/server.cc
index e0aeb13..b4a4eb1 100644
--- a/tool/server.cc
+++ b/tool/server.cc
@@ -133,7 +133,9 @@
args_map["-max-version"].c_str());
return false;
}
- SSL_CTX_set_max_version(ctx, version);
+ if (!SSL_CTX_set_max_version(ctx, version)) {
+ return false;
+ }
}
if (args_map.count("-min-version") != 0) {
@@ -143,7 +145,9 @@
args_map["-min-version"].c_str());
return false;
}
- SSL_CTX_set_min_version(ctx, version);
+ if (!SSL_CTX_set_min_version(ctx, version)) {
+ return false;
+ }
}
if (args_map.count("-ocsp-response") != 0 &&