diff options
| author | tb <> | 2022-06-30 11:17:50 +0000 |
|---|---|---|
| committer | tb <> | 2022-06-30 11:17:50 +0000 |
| commit | 5f574489be242a7d86373038f340aaf574a0b228 (patch) | |
| tree | fb1aefe52767d19838deec117e17af2cbf6cd936 | |
| parent | 727d040aad78fde5a0f1d575255736d37d0c721c (diff) | |
| download | openbsd-5f574489be242a7d86373038f340aaf574a0b228.tar.gz openbsd-5f574489be242a7d86373038f340aaf574a0b228.tar.bz2 openbsd-5f574489be242a7d86373038f340aaf574a0b228.zip | |
Add checks to ensure we do not initiate or negotiate handshakes with
versions below the minimum required by the security level.
input & ok jsing
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 9 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 3 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_seclevel.c | 8 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_srvr.c | 9 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_versions.c | 12 |
5 files changed, 34 insertions, 7 deletions
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c index d49d8ef056..604b55277c 100644 --- a/src/lib/libssl/ssl_clnt.c +++ b/src/lib/libssl/ssl_clnt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_clnt.c,v 1.148 2022/06/29 08:34:04 tb Exp $ */ | 1 | /* $OpenBSD: ssl_clnt.c,v 1.149 2022/06/30 11:17:49 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -221,6 +221,13 @@ ssl3_connect(SSL *s) | |||
| 221 | goto end; | 221 | goto end; |
| 222 | } | 222 | } |
| 223 | 223 | ||
| 224 | if (!ssl_security_version(s, | ||
| 225 | s->s3->hs.our_min_tls_version)) { | ||
| 226 | SSLerror(s, SSL_R_VERSION_TOO_LOW); | ||
| 227 | ret = -1; | ||
| 228 | goto end; | ||
| 229 | } | ||
| 230 | |||
| 224 | if (!ssl3_setup_init_buffer(s)) { | 231 | if (!ssl3_setup_init_buffer(s)) { |
| 225 | ret = -1; | 232 | ret = -1; |
| 226 | goto end; | 233 | goto end; |
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h index b46e37f5eb..d466b59642 100644 --- a/src/lib/libssl/ssl_locl.h +++ b/src/lib/libssl/ssl_locl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_locl.h,v 1.407 2022/06/29 21:18:04 tb Exp $ */ | 1 | /* $OpenBSD: ssl_locl.h,v 1.408 2022/06/30 11:17:49 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1301,6 +1301,7 @@ int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid, | |||
| 1301 | int ssl_security(const SSL *ssl, int op, int bits, int nid, void *other); | 1301 | int ssl_security(const SSL *ssl, int op, int bits, int nid, void *other); |
| 1302 | int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh); | 1302 | int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh); |
| 1303 | int ssl_security_dh(const SSL *ssl, DH *dh); | 1303 | int ssl_security_dh(const SSL *ssl, DH *dh); |
| 1304 | int ssl_security_version(const SSL *ssl, int version); | ||
| 1304 | int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, | 1305 | int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, |
| 1305 | int is_peer, int *out_error); | 1306 | int is_peer, int *out_error); |
| 1306 | int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, | 1307 | int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, |
diff --git a/src/lib/libssl/ssl_seclevel.c b/src/lib/libssl/ssl_seclevel.c index b174f57f0c..2fe6e3f222 100644 --- a/src/lib/libssl/ssl_seclevel.c +++ b/src/lib/libssl/ssl_seclevel.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_seclevel.c,v 1.11 2022/06/30 07:09:45 tb Exp $ */ | 1 | /* $OpenBSD: ssl_seclevel.c,v 1.12 2022/06/30 11:17:49 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Theo Buehler <tb@openbsd.org> | 3 | * Copyright (c) 2020 Theo Buehler <tb@openbsd.org> |
| 4 | * | 4 | * |
| @@ -233,6 +233,12 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other) | |||
| 233 | } | 233 | } |
| 234 | 234 | ||
| 235 | int | 235 | int |
| 236 | ssl_security_version(const SSL *ssl, int tls_version) | ||
| 237 | { | ||
| 238 | return ssl_security(ssl, SSL_SECOP_VERSION, 0, tls_version, NULL); | ||
| 239 | } | ||
| 240 | |||
| 241 | int | ||
| 236 | ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh) | 242 | ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh) |
| 237 | { | 243 | { |
| 238 | #if defined(LIBRESSL_HAS_SECURITY_LEVEL) | 244 | #if defined(LIBRESSL_HAS_SECURITY_LEVEL) |
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c index e37f9cfdb7..8f110831e4 100644 --- a/src/lib/libssl/ssl_srvr.c +++ b/src/lib/libssl/ssl_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_srvr.c,v 1.145 2022/06/29 08:27:51 tb Exp $ */ | 1 | /* $OpenBSD: ssl_srvr.c,v 1.146 2022/06/30 11:17:50 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -223,6 +223,13 @@ ssl3_accept(SSL *s) | |||
| 223 | goto end; | 223 | goto end; |
| 224 | } | 224 | } |
| 225 | 225 | ||
| 226 | if (!ssl_security_version(s, | ||
| 227 | s->s3->hs.our_min_tls_version)) { | ||
| 228 | SSLerror(s, SSL_R_VERSION_TOO_LOW); | ||
| 229 | ret = -1; | ||
| 230 | goto end; | ||
| 231 | } | ||
| 232 | |||
| 226 | if (!ssl3_setup_init_buffer(s)) { | 233 | if (!ssl3_setup_init_buffer(s)) { |
| 227 | ret = -1; | 234 | ret = -1; |
| 228 | goto end; | 235 | goto end; |
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c index 4069670dc9..06e26b8059 100644 --- a/src/lib/libssl/ssl_versions.c +++ b/src/lib/libssl/ssl_versions.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_versions.c,v 1.22 2022/02/05 14:54:10 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_versions.c,v 1.23 2022/06/30 11:17:50 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -329,6 +329,9 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) | |||
| 329 | return 0; | 329 | return 0; |
| 330 | } | 330 | } |
| 331 | 331 | ||
| 332 | if (!ssl_security_version(s, shared_version)) | ||
| 333 | return 0; | ||
| 334 | |||
| 332 | *max_ver = shared_version; | 335 | *max_ver = shared_version; |
| 333 | 336 | ||
| 334 | return 1; | 337 | return 1; |
| @@ -352,8 +355,11 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version) | |||
| 352 | &max_tls_version)) | 355 | &max_tls_version)) |
| 353 | return 0; | 356 | return 0; |
| 354 | 357 | ||
| 355 | return (server_tls_version >= min_tls_version && | 358 | if (server_tls_version < min_tls_version || |
| 356 | server_tls_version <= max_tls_version); | 359 | server_tls_version > max_tls_version) |
| 360 | return 0; | ||
| 361 | |||
| 362 | return ssl_security_version(s, server_tls_version); | ||
| 357 | } | 363 | } |
| 358 | 364 | ||
| 359 | int | 365 | int |