diff options
| author | jsing <> | 2021-02-25 17:06:05 +0000 |
|---|---|---|
| committer | jsing <> | 2021-02-25 17:06:05 +0000 |
| commit | 72c7f20e4fbcb3386178960b8f88ab2fbc042567 (patch) | |
| tree | 5a334628a895bbe67688cd0dbadfdc68524f02de /src/lib/libssl/ssl_versions.c | |
| parent | aed0a5deca305a997de3f6234733204b383f094f (diff) | |
| download | openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.tar.gz openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.tar.bz2 openbsd-72c7f20e4fbcb3386178960b8f88ab2fbc042567.zip | |
Only use TLS versions internally (rather than both TLS and DTLS versions).
DTLS protocol version numbers are the 1's compliment of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.
Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).
ok tb@
Diffstat (limited to 'src/lib/libssl/ssl_versions.c')
| -rw-r--r-- | src/lib/libssl/ssl_versions.c | 98 |
1 files changed, 56 insertions, 42 deletions
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c index 3c4801971e..a216de6e81 100644 --- a/src/lib/libssl/ssl_versions.c +++ b/src/lib/libssl/ssl_versions.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_versions.c,v 1.13 2021/02/25 17:06:05 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -18,7 +18,7 @@ | |||
| 18 | #include "ssl_locl.h" | 18 | #include "ssl_locl.h" |
| 19 | 19 | ||
| 20 | static int | 20 | static int |
| 21 | ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, | 21 | ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver, |
| 22 | uint16_t clamp_min, uint16_t clamp_max) | 22 | uint16_t clamp_min, uint16_t clamp_max) |
| 23 | { | 23 | { |
| 24 | if (clamp_min > clamp_max || *min_ver > *max_ver) | 24 | if (clamp_min > clamp_max || *min_ver > *max_ver) |
| @@ -35,55 +35,71 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, | |||
| 35 | } | 35 | } |
| 36 | 36 | ||
| 37 | int | 37 | int |
| 38 | ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, | 38 | ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver, |
| 39 | uint16_t *out_ver, uint16_t *out_proto_ver) | 39 | uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) |
| 40 | { | 40 | { |
| 41 | uint16_t min_version, max_version; | 41 | uint16_t min_version, max_version; |
| 42 | 42 | ||
| 43 | if (ver == 0) { | 43 | if (proto_ver == 0) { |
| 44 | *out_ver = meth->internal->min_version; | 44 | *out_tls_ver = meth->internal->min_tls_version; |
| 45 | *out_proto_ver = 0; | 45 | *out_proto_ver = 0; |
| 46 | return 1; | 46 | return 1; |
| 47 | } | 47 | } |
| 48 | if (meth->internal->dtls) { | ||
| 49 | if (proto_ver != DTLS1_VERSION) | ||
| 50 | return 0; | ||
| 51 | *out_tls_ver = TLS1_1_VERSION; | ||
| 52 | *out_proto_ver = proto_ver; | ||
| 53 | return 1; | ||
| 54 | } | ||
| 48 | 55 | ||
| 49 | min_version = ver; | 56 | min_version = proto_ver; |
| 50 | max_version = max_ver; | 57 | max_version = max_tls_ver; |
| 51 | 58 | ||
| 52 | if (!ssl_clamp_version_range(&min_version, &max_version, | 59 | if (!ssl_clamp_tls_version_range(&min_version, &max_version, |
| 53 | meth->internal->min_version, meth->internal->max_version)) | 60 | meth->internal->min_tls_version, meth->internal->max_tls_version)) |
| 54 | return 0; | 61 | return 0; |
| 55 | 62 | ||
| 56 | *out_ver = *out_proto_ver = min_version; | 63 | *out_tls_ver = min_version; |
| 64 | *out_proto_ver = min_version; | ||
| 57 | 65 | ||
| 58 | return 1; | 66 | return 1; |
| 59 | } | 67 | } |
| 60 | 68 | ||
| 61 | int | 69 | int |
| 62 | ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, | 70 | ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver, |
| 63 | uint16_t *out_ver, uint16_t *out_proto_ver) | 71 | uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver) |
| 64 | { | 72 | { |
| 65 | uint16_t min_version, max_version; | 73 | uint16_t min_version, max_version; |
| 66 | 74 | ||
| 67 | if (ver == 0) { | 75 | if (proto_ver == 0) { |
| 68 | *out_ver = meth->internal->max_version; | 76 | *out_tls_ver = meth->internal->max_tls_version; |
| 69 | *out_proto_ver = 0; | 77 | *out_proto_ver = 0; |
| 70 | return 1; | 78 | return 1; |
| 71 | } | 79 | } |
| 80 | if (meth->internal->dtls) { | ||
| 81 | if (proto_ver != DTLS1_VERSION) | ||
| 82 | return 0; | ||
| 83 | *out_tls_ver = TLS1_1_VERSION; | ||
| 84 | *out_proto_ver = proto_ver; | ||
| 85 | return 1; | ||
| 86 | } | ||
| 72 | 87 | ||
| 73 | min_version = min_ver; | 88 | min_version = min_tls_ver; |
| 74 | max_version = ver; | 89 | max_version = proto_ver; |
| 75 | 90 | ||
| 76 | if (!ssl_clamp_version_range(&min_version, &max_version, | 91 | if (!ssl_clamp_tls_version_range(&min_version, &max_version, |
| 77 | meth->internal->min_version, meth->internal->max_version)) | 92 | meth->internal->min_tls_version, meth->internal->max_tls_version)) |
| 78 | return 0; | 93 | return 0; |
| 79 | 94 | ||
| 80 | *out_ver = *out_proto_ver = max_version; | 95 | *out_tls_ver = max_version; |
| 96 | *out_proto_ver = max_version; | ||
| 81 | 97 | ||
| 82 | return 1; | 98 | return 1; |
| 83 | } | 99 | } |
| 84 | 100 | ||
| 85 | int | 101 | int |
| 86 | ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) | 102 | ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) |
| 87 | { | 103 | { |
| 88 | uint16_t min_version, max_version; | 104 | uint16_t min_version, max_version; |
| 89 | 105 | ||
| @@ -121,8 +137,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) | |||
| 121 | return 0; | 137 | return 0; |
| 122 | 138 | ||
| 123 | /* Limit to configured version range. */ | 139 | /* Limit to configured version range. */ |
| 124 | if (!ssl_clamp_version_range(&min_version, &max_version, | 140 | if (!ssl_clamp_tls_version_range(&min_version, &max_version, |
| 125 | s->internal->min_version, s->internal->max_version)) | 141 | s->internal->min_tls_version, s->internal->max_tls_version)) |
| 126 | return 0; | 142 | return 0; |
| 127 | 143 | ||
| 128 | if (min_ver != NULL) | 144 | if (min_ver != NULL) |
| @@ -134,26 +150,19 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) | |||
| 134 | } | 150 | } |
| 135 | 151 | ||
| 136 | int | 152 | int |
| 137 | ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) | 153 | ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) |
| 138 | { | 154 | { |
| 139 | uint16_t min_version, max_version; | 155 | uint16_t min_version, max_version; |
| 140 | 156 | ||
| 141 | /* DTLS cannot currently be disabled... */ | 157 | if (!ssl_enabled_tls_version_range(s, &min_version, &max_version)) |
| 142 | if (SSL_is_dtls(s)) { | ||
| 143 | min_version = max_version = DTLS1_VERSION; | ||
| 144 | goto done; | ||
| 145 | } | ||
| 146 | |||
| 147 | if (!ssl_enabled_version_range(s, &min_version, &max_version)) | ||
| 148 | return 0; | 158 | return 0; |
| 149 | 159 | ||
| 150 | /* Limit to the versions supported by this method. */ | 160 | /* Limit to the versions supported by this method. */ |
| 151 | if (!ssl_clamp_version_range(&min_version, &max_version, | 161 | if (!ssl_clamp_tls_version_range(&min_version, &max_version, |
| 152 | s->method->internal->min_version, | 162 | s->method->internal->min_tls_version, |
| 153 | s->method->internal->max_version)) | 163 | s->method->internal->max_tls_version)) |
| 154 | return 0; | 164 | return 0; |
| 155 | 165 | ||
| 156 | done: | ||
| 157 | if (min_ver != NULL) | 166 | if (min_ver != NULL) |
| 158 | *min_ver = min_version; | 167 | *min_ver = min_version; |
| 159 | if (max_ver != NULL) | 168 | if (max_ver != NULL) |
| @@ -167,7 +176,12 @@ ssl_max_supported_version(SSL *s, uint16_t *max_ver) | |||
| 167 | { | 176 | { |
| 168 | *max_ver = 0; | 177 | *max_ver = 0; |
| 169 | 178 | ||
| 170 | if (!ssl_supported_version_range(s, NULL, max_ver)) | 179 | if (SSL_is_dtls(s)) { |
| 180 | *max_ver = DTLS1_VERSION; | ||
| 181 | return 1; | ||
| 182 | } | ||
| 183 | |||
| 184 | if (!ssl_supported_tls_version_range(s, NULL, max_ver)) | ||
| 171 | return 0; | 185 | return 0; |
| 172 | 186 | ||
| 173 | return 1; | 187 | return 1; |
| @@ -199,7 +213,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) | |||
| 199 | else | 213 | else |
| 200 | return 0; | 214 | return 0; |
| 201 | 215 | ||
| 202 | if (!ssl_supported_version_range(s, &min_version, &max_version)) | 216 | if (!ssl_supported_tls_version_range(s, &min_version, &max_version)) |
| 203 | return 0; | 217 | return 0; |
| 204 | 218 | ||
| 205 | if (shared_version < min_version) | 219 | if (shared_version < min_version) |
| @@ -232,12 +246,12 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver) | |||
| 232 | return 1; | 246 | return 1; |
| 233 | } | 247 | } |
| 234 | 248 | ||
| 235 | if (!ssl_enabled_version_range(s, &min_version, &max_version)) | 249 | if (!ssl_enabled_tls_version_range(s, &min_version, &max_version)) |
| 236 | return 0; | 250 | return 0; |
| 237 | 251 | ||
| 238 | if (!ssl_clamp_version_range(&min_version, &max_version, | 252 | if (!ssl_clamp_tls_version_range(&min_version, &max_version, |
| 239 | s->ctx->method->internal->min_version, | 253 | s->ctx->method->internal->min_tls_version, |
| 240 | s->ctx->method->internal->max_version)) | 254 | s->ctx->method->internal->max_tls_version)) |
| 241 | return 0; | 255 | return 0; |
| 242 | 256 | ||
| 243 | *max_ver = max_version; | 257 | *max_ver = max_version; |
| @@ -255,7 +269,7 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version) | |||
| 255 | if (SSL_is_dtls(s)) | 269 | if (SSL_is_dtls(s)) |
| 256 | return (server_version == DTLS1_VERSION); | 270 | return (server_version == DTLS1_VERSION); |
| 257 | 271 | ||
| 258 | if (!ssl_supported_version_range(s, &min_version, &max_version)) | 272 | if (!ssl_supported_tls_version_range(s, &min_version, &max_version)) |
| 259 | return 0; | 273 | return 0; |
| 260 | 274 | ||
| 261 | return (server_version >= min_version && server_version <= max_version); | 275 | return (server_version >= min_version && server_version <= max_version); |