crypto/tls: enable TLS_FALLBACK_SCSV in server with default max version
authorBen Burkert <ben@benburkert.com>
Thu, 18 Dec 2014 18:17:54 +0000 (10:17 -0800)
committerAdam Langley <agl@golang.org>
Thu, 18 Dec 2014 19:36:01 +0000 (19:36 +0000)
Fix TLS_FALLBACK_SCSV check when comparing the client version to the
default max version. This enables the TLS_FALLBACK_SCSV check by default
in servers that do not explicitly set a max version in the tls config.

Change-Id: I5a51f9da6d71b79bc6c2ba45032be51d0f704b5e
Reviewed-on: https://go-review.googlesource.com/1776
Reviewed-by: Adam Langley <agl@golang.org>
src/crypto/tls/handshake_server.go
src/crypto/tls/handshake_server_test.go

index 0d907656c6c20cc0698baaaaa2db1ad2cede83b6..8f0ed1f70b47affd49dbd5b102d06eee3273b41a 100644 (file)
@@ -228,7 +228,7 @@ Curves:
        for _, id := range hs.clientHello.cipherSuites {
                if id == TLS_FALLBACK_SCSV {
                        // The client is doing a fallback connection.
-                       if hs.clientHello.vers < c.config.MaxVersion {
+                       if hs.clientHello.vers < c.config.maxVersion() {
                                c.sendAlert(alertInappropriateFallback)
                                return false, errors.New("tls: client using inppropriate protocol fallback")
                        }
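Review bot: The comment above the comparison does not say why `maxVersion()` is called instead of reading `c.config.MaxVersion`, and that is the security-relevant part of this line. Going by the commit message, an unset `MaxVersion` left the old comparison unable to fire, so the downgrade check was silently off for servers using the default config. I would extend the comment to `// The client is doing a fallback connection. Compare against maxVersion(), not the raw MaxVersion field, which may be unset.` so a later refactor does not reintroduce the fail-open path. The enclosing function starts and ends outside this hunk.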
index 0338af457ee5f8bedccc9b24c646499fe32857be..f9545461a4e669befb71ded83cc396dc9693e274 100644 (file)
@@ -716,8 +716,12 @@ func TestResumptionDisabled(t *testing.T) {
 }
 
 func TestFallbackSCSV(t *testing.T) {
+       serverConfig := &Config{
+               Certificates: testConfig.Certificates,
+       }
        test := &serverTest{
-               name: "FallbackSCSV",
+               name:   "FallbackSCSV",
+               config: serverConfig,
                // OpenSSL 1.0.1j is needed for the -fallback_scsv option.
                command: []string{"openssl", "s_client", "-fallback_scsv"},
                expectHandshakeErrorIncluding: "inppropriate protocol fallback",
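Review bot: `serverConfig` leaves `MaxVersion` unset on purpose, but nothing in the test says so, and a later edit that sets it would quietly stop covering the default-version path this commit fixes. A comment above the literal, such as `// MaxVersion is deliberately unset: the SCSV check must work with the default max version.`, would pin that. As far as this hunk shows, only the rejection case is tested; a companion case where the client sends the SCSV at the server's highest version and the handshake succeeds would pin the `<` boundary. `expectHandshakeErrorIncluding` also matches the misspelled `inppropriate` in the server's error string, so correcting the spelling means changing both files together. The test function continues past the end of the hunk.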