From 51ecc054906eb0b1738c9d5541c7c4dfc15ec5fe Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Wed, 9 Nov 2022 14:01:15 +0000
Subject: [tls] Always send maximum supported version in ClientHello

Always send the maximum supported version in our ClientHello message, even when performing renegotiation (in which case the current version may already be lower than the maximum supported version). This is permitted by the specification, and allows the ClientHello to be reconstructed verbatim at the point of selecting the handshake digest algorithm in tls_new_server_hello().

Signed-off-by: Michael Brown
---
 src/net/tls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/net/tls.c b/src/net/tls.c
index 0e3e68b6b..af310a58f 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -1134,7 +1134,7 @@ static int tls_send_client_hello ( struct tls_connection *tls ) {
 	hello.type_length = ( cpu_to_le32 ( TLS_CLIENT_HELLO ) |
 			      htonl ( sizeof ( hello ) -
 				      sizeof ( hello.type_length ) ) );
-	hello.version = htons ( tls->version );
+	hello.version = htons ( TLS_VERSION_MAX );
 	memcpy ( &hello.random, &tls->client_random, sizeof ( hello.random ) );
 	hello.session_id_len = tls->session_id_len;
 	memcpy ( hello.session_id, tls->session_id,
-- 
cgit
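Review bot: With `hello.version` now fixed at `TLS_VERSION_MAX` while `tls->version` may be lower during renegotiation, the version field placed in the RSA pre-master secret (RFC 5246 §7.4.7.1) must carry the same value, because a conforming server compares it against ClientHello.client_version as its rollback check and a mismatch fails the handshake. That assignment is in the key-exchange path outside this hunk, so confirm it is not derived from `tls->version`; it presumably already uses the maximum, since the initial handshake has always advertised it. The new line would also benefit from a why-comment, e.g. `/* Advertise highest supported version (RFC 5246 §7.4.1.2), even on renegotiation */`, since a reader seeing `tls->version` used on the surrounding lines will otherwise suspect an oversight. The enclosing tls_send_client_hello() begins and ends outside the hunk.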