From 8a6edc08a45830842f3946562fe23fcb37863e01 Mon Sep 17 00:00:00 2001
From: Pascal Knecht
Date: Fri, 4 Sep 2020 18:29:43 +0200
Subject: [PATCH] tls-crypto: Check if TLS versions and cipher suites match

Only suggest TLS versions of supported cipher suites. For instance, do not suggest TLS 1.3 if none of its cipher suites (requiring GCM/CCM or ChaPoly) are available.
---
 src/libtls/tls_crypto.c | 18 +++++++++++++++++-
 src/libtls/tls_peer.c | 4 +++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index cb2141f8b..06fd9229f 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -1140,7 +1140,7 @@ static void filter_unsupported_suites(suite_algs_t suites[], int *count)
 static void build_cipher_suite_list(private_tls_crypto_t *this)
 {
 suite_algs_t suites[countof(suite_algs)];
- tls_version_t min_version, max_version;
+ tls_version_t min_version, max_version, new_min_version, new_max_version;
 bool require_encryption;
 int count = 0, i;
@@ -1198,10 +1198,26 @@ static void build_cipher_suite_list(private_tls_crypto_t *this) this->suites = malloc(sizeof(tls_cipher_suite_t) * count); DBG2(DBG_TLS, "%d supported TLS cipher suites:", count); + new_min_version = max_version; + new_max_version = min_version; for (i = 0; i < count; i++) { DBG2(DBG_TLS, " %N", tls_cipher_suite_names, suites[i].suite); this->suites[i] = suites[i].suite; + + /* set TLS min/max versions appropriate to the final cipher suites */ + new_max_version = max(new_max_version, suites[i].max_version); + new_min_version = min(new_min_version, suites[i].min_version); + } + new_max_version = min(new_max_version, max_version); + new_min_version = max(new_min_version, min_version); + + if (min_version != new_min_version || max_version != new_max_version) + { + this->tls->set_version(this->tls, new_min_version, new_max_version); + DBG2(DBG_TLS, "TLS min/max %N/%N according to the cipher suites", + tls_version_names, new_min_version, + tls_version_names, new_max_version); } } diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c index 8e75eecf5..26792f930 100644 --- a/src/libtls/tls_peer.c +++ b/src/libtls/tls_peer.c @@ -1217,6 +1217,9 @@ static status_t send_client_hello(private_tls_peer_t *this, } rng->destroy(rng); + /* determine supported suites before the versions as they might change */ + count = this->crypto->get_cipher_suites(this->crypto, &suites); + /* TLS version_max in handshake protocol */ version_max = this->tls->get_version_max(this->tls); version_min = this->tls->get_version_min(this->tls); @@ -1236,7 +1239,6 @@ static status_t send_client_hello(private_tls_peer_t *this, writer->write_data8(writer, this->session); /* add TLS cipher suites */ - count = this->crypto->get_cipher_suites(this->crypto, &suites); if (count <= 0) { DBG1(DBG_TLS, "no supported TLS cipher suite available"); -- 2.47.3
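Review bot: When `count` is 0 the loop in the tls_crypto.c hunk never runs, so after the two clamping lines `new_min_version` equals `max_version` and `new_max_version` equals `min_version`; unless the configured range is a single version, `set_version()` is then handed an inverted range. The call's result is not examined and the DBG2 line reports the new range as applied either way, so a rejected range would leave the peer advertising versions that have no usable suite. I would guard the block with `if (count > 0 && (min_version != new_min_version || max_version != new_max_version))` and, if `set_version()` reports failure (its signature is not visible here), log that instead of the success message. The computed range is also only the envelope of the suites' ranges, so a version in the middle with no suite of its own would still be offered. The body between the declarations and the `malloc` line lies outside this hunk, so whether `count` can actually be 0 at this point is not visible.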
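Review bot: The `count <= 0` check stays at the old call site (second tls_peer.c hunk), so with no usable suite `send_client_hello()` still reads the version range and writes at least the session field before it gives up. Moving the existing `if (count <= 0)` block directly under the relocated `get_cipher_suites()` call would fail early and keep the call next to its error handling, provided the failure branch does not rely on anything set up in between, which these hunks do not show. `send_client_hello()` starts before the first hunk and ends after the second.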