Merge pull request #526 from dongbeiouba/fix/513

Fix NTLS failed when set min and max version for TLS
Tongsuo-Project · Dec 4, 2023 · 89c5db1 · 89c5db1
2 parents bda0791 + b779bae
commit 89c5db1
Show file tree

Hide file tree

Showing 9 changed files with 241 additions and 544 deletions.
diff --git a/include/openssl/prov_ssl.h b/include/openssl/prov_ssl.h
@@ -20,6 +20,8 @@ extern "C" {
 # define SSL_MAX_MASTER_KEY_LENGTH 48
 
 # define NTLS1_1_VERSION                 0x0101
+# define NTLS_MAX_VERSION                NTLS1_1_VERSION
+
 # define SSL3_VERSION                    0x0300
 # define TLS1_VERSION                    0x0301
 # define TLS1_1_VERSION                  0x0302

diff --git a/ssl/statem_ntls/ntls_extensions.c b/ssl/statem_ntls/ntls_extensions.c
@@ -758,7 +758,7 @@ int tls_construct_extensions_ntls(SSL *s, WPACKET *pkt, unsigned int context,
                              X509 *x, size_t chainidx)
 {
     size_t i;
-    int min_version, max_version = 0, reason;
+    int max_version = NTLS_MAX_VERSION;
     const EXTENSION_DEFINITION *thisexd;
 
     if (!WPACKET_start_sub_packet_u16(pkt)
@@ -775,14 +775,6 @@ int tls_construct_extensions_ntls(SSL *s, WPACKET *pkt, unsigned int context,
         return 0;
     }
 
-    if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
-        reason = ssl_get_min_max_version_ntls(s, &min_version, &max_version, NULL);
-        if (reason != 0) {
-            SSLfatal_ntls(s, SSL_AD_INTERNAL_ERROR, reason);
-            return 0;
-        }
-    }
-
     /* Add custom extensions first */
     if ((context & SSL_EXT_CLIENT_HELLO) != 0) {
         /* On the server side with initialise during ClientHello parsing */

diff --git a/ssl/statem_ntls/ntls_ssl_local.h b/ssl/statem_ntls/ntls_ssl_local.h
@@ -36,16 +36,11 @@ __owur int ssl_allow_compression_ntls(SSL *s);
 __owur int ssl_version_supported_ntls(const SSL *s, int version,
                                  const SSL_METHOD **meth);
 
-__owur int ssl_set_client_hello_version_ntls(SSL *s);
-__owur int ssl_check_version_downgrade_ntls(SSL *s);
 __owur int ssl_set_version_bound_ntls(int method_version, int version, int *bound);
 __owur int ssl_choose_server_version_ntls(SSL *s, CLIENTHELLO_MSG *hello,
                                      DOWNGRADE *dgrd);
 __owur int ssl_choose_client_version_ntls(SSL *s, int version,
                                      RAW_EXTENSION *extensions);
-__owur int ssl_get_min_max_version_ntls(const SSL *s, int *min_version,
-                                   int *max_version, int *real_max);
-
 __owur int ntls_alert_code(int code);
 __owur int send_certificate_request_ntls(SSL *s);
 

diff --git a/ssl/statem_ntls/ntls_statem_clnt.c b/ssl/statem_ntls/ntls_statem_clnt.c
@@ -743,33 +743,23 @@ int tls_construct_client_hello_ntls(SSL *s, WPACKET *pkt)
 {
     unsigned char *p;
     size_t sess_id_len;
-    int i, protverr;
     SSL_SESSION *sess = s->session;
     unsigned char *session_id;
 
-    /* Work out what SSL/TLS version to use */
-    protverr = ssl_set_client_hello_version_ntls(s);
-    if (protverr != 0) {
-        SSLfatal_ntls(s, SSL_AD_INTERNAL_ERROR, protverr);
-        return 0;
-    }
-
     if (sess == NULL
             || !ssl_version_supported_ntls(s, sess->ssl_version, NULL)
             || !SSL_SESSION_is_resumable(sess)) {
-        if (s->hello_retry_request == SSL_HRR_NONE
-                && !ssl_get_new_session(s, 0)) {
+        if (!ssl_get_new_session(s, 0)) {
             /* SSLfatal_ntls() already called */
             return 0;
         }
     }
     /* else use the pre-loaded session */
 
     p = s->s3.client_random;
-    i = (s->hello_retry_request == SSL_HRR_NONE);
 
-    if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
-                                   DOWNGRADE_NONE) <= 0) {
+    if (ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
+                              DOWNGRADE_NONE) <= 0) {
         SSLfatal_ntls(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return 0;
     }