Google Git
Sign in
boringssl / boringssl.git / 68161cb8ba059e1581f34d22c311fa913071fcb2^! / . / ssl / handshake_server.c
commit68161cb8ba059e1581f34d22c311fa913071fcb2[log] [tgz]
authorDavid Benjamin <davidben@google.com>Tue Jun 20 14:49:43 2017 -0400
committerSteven Valdez <svaldez@google.com>Tue Jun 20 20:13:09 2017 +0000
tree59b50c6e3a7915b1f41cd686e88b619659cfcf1c
parentfc08dfc4cd639180f9062f7ba2c1f83e6a913e7a [diff] [blame]
Stash the computed version range in SSL_HANDSHAKE.

Avoid dealing with that function call everywhere.

Change-Id: I7de64b59c8d17e8286c18a6b20c704e8ba8b9ebe
Reviewed-on: https://boringssl-review.googlesource.com/17267
Reviewed-by: Steven Valdez <svaldez@google.com>

diff --git a/ssl/handshake_server.c b/ssl/handshake_server.c
index 615302a..d591c80 100644
--- a/ssl/handshake_server.c
+++ b/ssl/handshake_server.c

@@ -471,12 +471,6 @@
                              const SSL_CLIENT_HELLO *client_hello) {
   SSL *const ssl = hs->ssl;
   assert(!ssl->s3->have_version);
-  uint16_t min_version, max_version;
-  if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
-    *out_alert = SSL_AD_PROTOCOL_VERSION;
-    return 0;
-  }
-
   uint16_t version = 0;
   /* Check supported_versions extension if it is present. */
   CBS supported_versions;
@@ -505,8 +499,8 @@
       if (!ssl->method->version_from_wire(&ext_version, ext_version)) {
         continue;
       }
-      if (min_version <= ext_version &&
-          ext_version <= max_version &&
+      if (hs->min_version <= ext_version &&
+          ext_version <= hs->max_version &&
           (!found_version || version < ext_version)) {
         version = ext_version;
         found_version = 1;
@@ -542,11 +536,11 @@
     }
 
     /* Apply our minimum and maximum version. */
-    if (version > max_version) {
-      version = max_version;
+    if (version > hs->max_version) {
+      version = hs->max_version;
     }
 
-    if (version < min_version) {
+    if (version < hs->min_version) {
       goto unsupported_protocol;
     }
   }
@@ -554,7 +548,7 @@
   /* Handle FALLBACK_SCSV. */
   if (ssl_client_cipher_list_contains_cipher(client_hello,
                                              SSL3_CK_FALLBACK_SCSV & 0xffff) &&
-      version < max_version) {
+      version < hs->max_version) {
     OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
     *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;
     return 0;
@@ -754,6 +748,11 @@
     }
   }
 
+  /* Freeze the version range after the early callback. */
+  if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
+    return -1;
+  }
+
   uint8_t alert = SSL_AD_DECODE_ERROR;
   if (!negotiate_version(hs, &alert, &client_hello)) {
     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);