TLS: Fix record layer protocol version validation

TLS v1.0 and v1.1 RFCs were not exactly clear on the use of the
protocol version in record later. As such, accept any {03,xx} value
to remain compatible with existing implementations and new protocol
versions.

diff --git a/src/tls/tlsv1_record.c b/src/tls/tlsv1_record.c
index e811f0e33b440145014b61162d71bc81f349ff04..061daddd48f13f7fa481e2b2470229bd2ca761d0 100644 (file)
--- a/src/tls/tlsv1_record.c
+++ b/src/tls/tlsv1_record.c
@@ -1,6 +1,6 @@
 /*
  * TLSv1 Record Protocol
- * Copyright (c) 2006-2007, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2006-2011, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -275,9 +275,14 @@ int tlsv1_record_receive(struct tlsv1_record_layer *rl,
                return -1;
        }
 
-       if (WPA_GET_BE16(in_data + 1) != TLS_VERSION) {
+       /*
+        * TLS v1.0 and v1.1 RFCs were not exactly clear on the use of the
+        * protocol version in record layer. As such, accept any {03,xx} value
+        * to remain compatible with existing implementations.
+        */
+       if (in_data[1] != 0x03) {
                wpa_printf(MSG_DEBUG, "TLSv1: Unexpected protocol version "
-                          "%d.%d", in_data[1], in_data[2]);
+                          "%u.%u", in_data[1], in_data[2]);
                *alert = TLS_ALERT_PROTOCOL_VERSION;
                return -1;
        }