Fix SSL_set_{min,max}_proto_version APIs in invalid versions.
SSL_set_max_proto_version(TLS1_3_DRAFT_VERSION) worked unintentionally.
Fix that. Also add an error when it fails.
Change-Id: I1048fede7b163e1c170e17bf4370b468221a7077
Reviewed-on: https://boringssl-review.googlesource.com/17525
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_versions.c b/ssl/ssl_versions.c
index 6565688..80b62cc 100644
--- a/ssl/ssl_versions.c
+++ b/ssl/ssl_versions.c
@@ -95,12 +95,21 @@
/* The public API uses wire versions, except we use |TLS1_3_VERSION|
* everywhere to refer to any draft TLS 1.3 versions. In this direction, we
* map it to some representative TLS 1.3 draft version. */
+ if (version == TLS1_3_DRAFT_VERSION) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
+ return 0;
+ }
if (version == TLS1_3_VERSION) {
version = TLS1_3_DRAFT_VERSION;
}
- return method_supports_version(method, version) &&
- ssl_protocol_version_from_wire(out, version);
+ if (!method_supports_version(method, version) ||
+ !ssl_protocol_version_from_wire(out, version)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_SSL_VERSION);
+ return 0;
+ }
+
+ return 1;
}
static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
