authorjsing <>2021-03-10 18:27:02 +0000
committerjsing <>2021-03-10 18:27:02 +0000
commitbec282ffa4cbd669be0dc9e8fab07c4c21ebcb66 (patch)
treed994b83bcf4c074517ad35a21855741c2995e67b /src/lib/libssl/tls13_client.c
parent9108b7f38107e9f7ce1aaa33e615a7935b057ad0 (diff)
Improve internal version handling.
Add handshake fields for our minimum TLS version, our maximum TLS version and the TLS version negotiated during the handshake. Initialise our min/max versions at the start of the handshake and leave these unchanged. The negotiated TLS version is set in the client once we receive the ServerHello and in the server at the point we select the highest shared version. Provide an ssl_effective_version() function that returns the negotiated TLS version if known, otherwise our maximum TLS version - this is effectively what is stored in s->version currently. Convert most of the internal code to use one of these three version fields, which greatly simplifies code (especially in the TLS extension handling code). ok tb@
Diffstat (limited to 'src/lib/libssl/tls13_client.c')
-rw-r--r--src/lib/libssl/tls13_client.c20
1 files changed, 12 insertions, 8 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index a7c3bf2c00..4de3d3693b 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_client.c,v 1.73 2021/02/25 17:06:05 jsing Exp $ */ 1/* $OpenBSD: tls13_client.c,v 1.74 2021/03/10 18:27:02 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -31,12 +31,12 @@ tls13_client_init(struct tls13_ctx *ctx)
31 size_t groups_len; 31 size_t groups_len;
32 SSL *s = ctx->ssl; 32 SSL *s = ctx->ssl;
33 33
34 if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version, 34 if (!ssl_supported_tls_version_range(s, &S3I(s)->hs.our_min_tls_version,
35 &ctx->hs->max_version)) { 35 &S3I(s)->hs.our_max_tls_version)) {
36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
37 return 0; 37 return 0;
38 } 38 }
39 s->client_version = s->version = ctx->hs->max_version; 39 s->client_version = s->version = S3I(s)->hs.our_max_tls_version;
40 40
41 tls13_record_layer_set_retry_after_phh(ctx->rl, 41 tls13_record_layer_set_retry_after_phh(ctx->rl,
42 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 42 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -64,7 +64,8 @@ tls13_client_init(struct tls13_ctx *ctx)
64 * legacy session identifier triggers compatibility mode (see RFC 8446 64 * legacy session identifier triggers compatibility mode (see RFC 8446
65 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. 65 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
66 */ 66 */
67 if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) { 67 if (ctx->middlebox_compat &&
68 S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
68 arc4random_buf(ctx->hs->legacy_session_id, 69 arc4random_buf(ctx->hs->legacy_session_id,
69 sizeof(ctx->hs->legacy_session_id)); 70 sizeof(ctx->hs->legacy_session_id));
70 ctx->hs->legacy_session_id_len = 71 ctx->hs->legacy_session_id_len =
@@ -91,7 +92,7 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
91 SSL *s = ctx->ssl; 92 SSL *s = ctx->ssl;
92 93
93 /* Legacy client version is capped at TLS 1.2. */ 94 /* Legacy client version is capped at TLS 1.2. */
94 client_version = ctx->hs->max_version; 95 client_version = S3I(s)->hs.our_max_tls_version;
95 if (client_version > TLS1_2_VERSION) 96 if (client_version > TLS1_2_VERSION)
96 client_version = TLS1_2_VERSION; 97 client_version = TLS1_2_VERSION;
97 98
@@ -133,7 +134,9 @@ tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
133int 134int
134tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) 135tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
135{ 136{
136 if (ctx->hs->min_version < TLS1_2_VERSION) 137 SSL *s = ctx->ssl;
138
139 if (S3I(s)->hs.our_min_tls_version < TLS1_2_VERSION)
137 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 140 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
138 141
139 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ 142 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
@@ -228,7 +231,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
228 goto err; 231 goto err;
229 232
230 if (tls13_server_hello_is_legacy(cbs)) { 233 if (tls13_server_hello_is_legacy(cbs)) {
231 if (ctx->hs->max_version >= TLS1_3_VERSION) { 234 if (S3I(s)->hs.our_max_tls_version >= TLS1_3_VERSION) {
232 /* 235 /*
233 * RFC 8446 section 4.1.3: we must not downgrade if 236 * RFC 8446 section 4.1.3: we must not downgrade if
234 * the server random value contains the TLS 1.2 or 1.1 237 * the server random value contains the TLS 1.2 or 1.1
@@ -280,6 +283,7 @@ tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
280 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 283 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
281 goto err; 284 goto err;
282 } 285 }
286 S3I(s)->hs.negotiated_tls_version = ctx->hs->server_version;
283 287
284 /* The session_id must match. */ 288 /* The session_id must match. */
285 if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id, 289 if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id,