author | tb <> | 2024-08-02 15:00:01 +0000 |
committer | tb <> | 2024-08-02 15:00:01 +0000 |
commit | 69b88701f563e2efc9523720168674a54f6bc069 (patch) | |
tree | 61d7fc5b40064d7fad6956a89b7a64bd8e33c1a9 /src | |
parent | 569dd285cc3b327709860038464e095a0f007936 (diff) | |
libtls: fix legacy protocol parsing
Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same
as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the
accompanying regress tests. The protocol string all:tlsv1.0 would disable
TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all
protocols.
It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if
you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable
the two supported protocols TLSv1.3 and TLSv1.2.
Restore the defines to their original values and adjust the parsing code
to set/unset them.
Issue reported by Kenjiro Nakayama
Fixes https://github.com/libressl/openbsd/issues/151
with/ok jsing
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libtls/tls.h | 6 | ||||
-rw-r--r-- | src/lib/libtls/tls_config.c | 6 |
2 files changed, 6 insertions, 6 deletions
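--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.66 2024/03/27 07:35:30 joshua Exp $ */
+/* $OpenBSD: tls.h,v 1.67 2024/08/02 15:00:01 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -33,8 +33,8 @@ extern "C" {
  * Deprecated versions of TLS. Using these effectively selects
  * the minimum supported version.
  */
-#define TLS_PROTOCOL_TLSv1_0 (1 << 3)
-#define TLS_PROTOCOL_TLSv1_1 (1 << 3)
+#define TLS_PROTOCOL_TLSv1_0 (1 << 1)
+#define TLS_PROTOCOL_TLSv1_1 (1 << 2)
 /* Supported versions of TLS */
 #define TLS_PROTOCOL_TLSv1_2 (1 << 3)
 #define TLS_PROTOCOL_TLSv1_3 (1 << 4)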
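Review bot: The comment above the two restored defines (lines 33-34, "Using these effectively selects the minimum supported version") no longer describes what the new code does: with the bits back to `(1 << 1)` and `(1 << 2)`, selecting `TLS_PROTOCOL_TLSv1_0` or `TLS_PROTOCOL_TLSv1_1` on its own is meant to enable nothing, and these values appear to survive only so that `!tlsv1.0`/`!tlsv1.1` can be parsed. I would replace the comment with `/* Deprecated versions of TLS. These bits are accepted for compatibility but never enable a protocol. */` so that an API consumer reading the header does not infer that TLSv1.0 still acts as a floor. The same stale wording is the only thing in this section that a second reader would trip over; the bit values themselves are distinct and no longer collide with `TLS_PROTOCOL_TLSv1_2`.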
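--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.70 2024/03/28 06:55:02 joshua Exp $ */
+/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -261,9 +261,9 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 		if (strcasecmp(p, "tlsv1") == 0)
 			proto = TLS_PROTOCOL_TLSv1;
 		else if (strcasecmp(p, "tlsv1.0") == 0)
-			proto = TLS_PROTOCOL_TLSv1_2;
+			proto = TLS_PROTOCOL_TLSv1_0;
 		else if (strcasecmp(p, "tlsv1.1") == 0)
-			proto = TLS_PROTOCOL_TLSv1_2;
+			proto = TLS_PROTOCOL_TLSv1_1;
 		else if (strcasecmp(p, "tlsv1.2") == 0)
 			proto = TLS_PROTOCOL_TLSv1_2;
 		else if (strcasecmp(p, "tlsv1.3") == 0)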
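Review bot: The `tlsv1.0` and `tlsv1.1` branches at lines 264 and 266 now yield distinct bits, but nothing in this hunk makes those bits inert; whatever strips them from the accumulated set before it is stored through `*protocols` lives in the part of tls_config_parse_protocols that continues outside the hunk, and a reader of these lines cannot tell that the value is deliberately dead. A short comment on the first of the two branches, `/* TLSv1.0/1.1 are parsed so they can be negated; the bits are masked out before use */`, would carry that intent to the place where it is otherwise invisible. If the masking is applied only at the final store, the `tlsv1` alias at line 262 presumably expands to a set that includes the legacy bits too, so it is worth confirming that it passes through the same mask rather than being treated as a separate case.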