[openssl-dev] [PATCH] Add support for minimum and maximum protocol version supported by a cipher

Viktor Dukhovni openssl-users at dukhovni.org
Fri Jul 8 19:13:03 UTC 2016


On Fri, Jul 08, 2016 at 07:30:26PM +0100, David Woodhouse wrote:

> > I tried the naïvely obvious step of changing all instances of
> > DTLS1_VERSION as the minimum, to DTLS1_BAD_VER. That didn't help.
> 
> Of course, it's because DTLS_VERSION_LT and friends are doing precisely
> the opposite of what their names imply, numerically. I hesitate to call
> this a 'fix' but it highlights the issue:

Yes, unfortunately, the DTLS "bad" version of 0x0100 looks like a
very high DTLS version.  So comparisons require a special case.
Given that DTLS1_VERSION is 0xFEFF, indeed the next "lower" version
is 0xFF00 as you suggest below:


> diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
> index ef5eb8c..218dcce 100644
> --- a/ssl/ssl_locl.h
> +++ b/ssl/ssl_locl.h
> @@ -259,10 +259,11 @@
>                            c[1]=(unsigned char)(((l)>> 8)&0xff), \
>                            c[2]=(unsigned char)(((l)    )&0xff)),c+=3)
>  
> -#define DTLS_VERSION_GT(v1, v2) ((v1) < (v2))
> -#define DTLS_VERSION_GE(v1, v2) ((v1) <= (v2))
> -#define DTLS_VERSION_LT(v1, v2) ((v1) > (v2))
> -#define DTLS_VERSION_LE(v1, v2) ((v1) >= (v2))
> +#define dtls_ver_cmp(v1) (((v1) == DTLS1_BAD_VER) ? 0xff00 : (v1))
> +#define DTLS_VERSION_GT(v1, v2) (dtls_ver_cmp(v1) < dtls_ver_cmp(v2))
> +#define DTLS_VERSION_GE(v1, v2) (dtls_ver_cmp(v1) <= dtls_ver_cmp(v2))
> +#define DTLS_VERSION_LT(v1, v2) (dtls_ver_cmp(v1) > dtls_ver_cmp(v2))
> +#define DTLS_VERSION_LE(v1, v2) (dtls_ver_cmp(v1) >= dtls_ver_cmp(v2))
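Review bot: dtls_ver_cmp(v1) expands its argument twice, so each of the four DTLS_VERSION_* macros now evaluates both v1 and v2 twice; an argument with a side effect (a post-increment, a function call) would run twice, where the old one-line macros evaluated each argument once. Either make the mapping a static inline function or state in a comment that arguments must be side-effect-free expressions. The literal 0xff00 also deserves a comment or a named constant: it works only because it sits numerically just above DTLS1_VERSION (0xFEFF) and therefore just below it in DTLS ordering, which the next reader will have to rediscover.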

Perhaps rename dtls_ver_cmp() to dtls_ver_ordinal(); "cmp" suggests
that you're actually doing a comparison.  Given this macro, one
might consider complementing the versions, so that the ordinals
compare in the usual way:

    #define dtls_ver_ordinal(v) (((v) == DTLS1_BAD_VER) ? 0x00ff : (0xffff ^ (v)))

-- 
	Viktor.
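
The ordering problem the thread is about, worked through as an added example that is not part of the patch or of OpenSSL's code. The three DTLS1_* wire values match OpenSSL's public headers; dtls_ver_ordinal() follows the complement mapping suggested in the reply, and the other helper names (dtls_version_cmp, naive_dtls_version_ge, dtls_cipher_version_ok) are this example's own, hypothetical names. The per-cipher range check is an illustration of the idea in the patch's subject line, not the patch's actual implementation.

```c
#include <stdio.h>

/*
 * Added example (not OpenSSL code): DTLS version ordering with the
 * DTLS1_BAD_VER special case. Wire values below match OpenSSL's headers;
 * every function name is this example's own.
 */
#define DTLS1_BAD_VER   0x0100  /* pre-standard DTLS, numerically tiny */
#define DTLS1_VERSION   0xFEFF  /* DTLS 1.0 */
#define DTLS1_2_VERSION 0xFEFD  /* DTLS 1.2: newer, but numerically smaller */

/*
 * Ordinal that grows with the protocol version, using the complement
 * trick from the reply: 0xffff ^ 0xFEFF = 0x0100, 0xffff ^ 0xFEFD = 0x0102,
 * and DTLS1_BAD_VER is pinned at 0x00ff, just below DTLS 1.0.
 * A function rather than a macro, so the argument is evaluated once.
 */
static unsigned int dtls_ver_ordinal(unsigned int v)
{
    return v == DTLS1_BAD_VER ? 0x00ffu : (0xffffu ^ v);
}

/* With ordinals, the comparisons read the way their names say. */
#define DTLS_VERSION_GT(v1, v2) (dtls_ver_ordinal(v1) >  dtls_ver_ordinal(v2))
#define DTLS_VERSION_GE(v1, v2) (dtls_ver_ordinal(v1) >= dtls_ver_ordinal(v2))
#define DTLS_VERSION_LT(v1, v2) (dtls_ver_ordinal(v1) <  dtls_ver_ordinal(v2))
#define DTLS_VERSION_LE(v1, v2) (dtls_ver_ordinal(v1) <= dtls_ver_ordinal(v2))

/* Three-way comparison in DTLS order: -1 if v1 is older, 0 equal, 1 newer. */
static int dtls_version_cmp(unsigned int v1, unsigned int v2)
{
    if (DTLS_VERSION_LT(v1, v2))
        return -1;
    return DTLS_VERSION_GT(v1, v2) ? 1 : 0;
}

/*
 * The pre-patch behaviour: GE done as a plain numeric "<=", which ranks
 * DTLS1_BAD_VER (0x0100) above every real version. Kept only to show the
 * failure the thread describes.
 */
static int naive_dtls_version_ge(unsigned int v1, unsigned int v2)
{
    return v1 <= v2;
}

/*
 * Hypothetical per-cipher range check in the spirit of the patch's subject:
 * is version v within the cipher's [min_ver, max_ver] in DTLS order?
 */
static int dtls_cipher_version_ok(unsigned int v,
                                  unsigned int min_ver, unsigned int max_ver)
{
    return DTLS_VERSION_GE(v, min_ver) && DTLS_VERSION_LE(v, max_ver);
}

int main(void)
{
    const unsigned int vers[] = { DTLS1_BAD_VER, DTLS1_VERSION, DTLS1_2_VERSION };
    const char *names[] = { "DTLS1_BAD_VER", "DTLS1_VERSION", "DTLS1_2_VERSION" };
    size_t i;

    for (i = 0; i < 3; i++)
        printf("%-16s wire=0x%04X ordinal=0x%04X\n",
               names[i], vers[i], dtls_ver_ordinal(vers[i]));

    printf("naive GE(BAD_VER, DTLS1.0)   = %d  (wrong)\n",
           naive_dtls_version_ge(DTLS1_BAD_VER, DTLS1_VERSION));
    printf("ordinal GE(BAD_VER, DTLS1.0) = %d  (right)\n",
           DTLS_VERSION_GE(DTLS1_BAD_VER, DTLS1_VERSION));
    printf("cipher [DTLS1.0, DTLS1.2] accepts BAD_VER: %d\n",
           dtls_cipher_version_ok(DTLS1_BAD_VER, DTLS1_VERSION, DTLS1_2_VERSION));
    return 0;
}
```

The mapping is a function instead of a macro so that a side-effecting argument is evaluated once; with the ordinals in hand, the four DTLS_VERSION_* macros no longer need their operators inverted, and a cipher whose minimum is DTLS1_VERSION correctly rejects DTLS1_BAD_VER instead of treating it as the newest version on the wire.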

