summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/lib/libtls/man/tls_config_set_protocols.312
-rw-r--r--src/lib/libtls/tls.c10
-rw-r--r--src/lib/libtls/tls.h14
-rw-r--r--src/lib/libtls/tls_config.c6
-rw-r--r--src/regress/lib/libtls/config/configtest.c23
-rw-r--r--src/regress/lib/libtls/gotls/tls.go2
-rw-r--r--src/regress/lib/libtls/gotls/tls_test.go8
7 files changed, 31 insertions, 44 deletions
diff --git a/src/lib/libtls/man/tls_config_set_protocols.3 b/src/lib/libtls/man/tls_config_set_protocols.3
index 7c62493e83..32b8cce757 100644
--- a/src/lib/libtls/man/tls_config_set_protocols.3
+++ b/src/lib/libtls/man/tls_config_set_protocols.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: tls_config_set_protocols.3,v 1.11 2021/01/02 19:58:44 schwarze Exp $ 1.\" $OpenBSD: tls_config_set_protocols.3,v 1.12 2023/07/02 06:37:27 beck Exp $
2.\" 2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> 3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org> 4.\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
16.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18.\" 18.\"
19.Dd $Mdocdate: January 2 2021 $ 19.Dd $Mdocdate: July 2 2023 $
20.Dt TLS_CONFIG_SET_PROTOCOLS 3 20.Dt TLS_CONFIG_SET_PROTOCOLS 3
21.Os 21.Os
22.Sh NAME 22.Sh NAME
@@ -76,10 +76,6 @@ Possible values are the bitwise OR of:
76.Pp 76.Pp
77.Bl -item -offset indent -compact 77.Bl -item -offset indent -compact
78.It 78.It
79.Dv TLS_PROTOCOL_TLSv1_0
80.It
81.Dv TLS_PROTOCOL_TLSv1_1
82.It
83.Dv TLS_PROTOCOL_TLSv1_2 79.Dv TLS_PROTOCOL_TLSv1_2
84.It 80.It
85.Dv TLS_PROTOCOL_TLSv1_3 81.Dv TLS_PROTOCOL_TLSv1_3
@@ -87,7 +83,7 @@ Possible values are the bitwise OR of:
87.Pp 83.Pp
88Additionally, the values 84Additionally, the values
89.Dv TLS_PROTOCOL_TLSv1 85.Dv TLS_PROTOCOL_TLSv1
90(TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3), 86(TLSv1.2, TLSv1.3),
91.Dv TLS_PROTOCOLS_ALL 87.Dv TLS_PROTOCOLS_ALL
92(all supported protocols) and 88(all supported protocols) and
93.Dv TLS_PROTOCOLS_DEFAULT 89.Dv TLS_PROTOCOLS_DEFAULT
@@ -106,8 +102,6 @@ The protocol string is a comma or colon separated list of keywords.
106Valid keywords are: 102Valid keywords are:
107.Pp 103.Pp
108.Bl -tag -width "tlsv1.3" -offset indent -compact 104.Bl -tag -width "tlsv1.3" -offset indent -compact
109.It Dv tlsv1.0
110.It Dv tlsv1.1
111.It Dv tlsv1.2 105.It Dv tlsv1.2
112.It Dv tlsv1.3 106.It Dv tlsv1.3
113.It Dv all 107.It Dv all
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 8444169bdc..fdb994d733 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.97 2023/06/18 11:43:03 op Exp $ */ 1/* $OpenBSD: tls.c,v 1.98 2023/07/02 06:37:27 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -520,16 +520,12 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
520 520
521 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); 521 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
522 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); 522 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
523 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
524 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
523 525
524 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
525 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
526 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); 526 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
527 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3); 527 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
528 528
529 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
530 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
531 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
532 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
533 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) 529 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
534 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); 530 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
535 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0) 531 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0)
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index b94a6fa6d0..34183745e5 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.h,v 1.62 2022/03/24 15:56:34 tb Exp $ */ 1/* $OpenBSD: tls.h,v 1.63 2023/07/02 06:37:27 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -29,14 +29,18 @@ extern "C" {
29 29
30#define TLS_API 20200120 30#define TLS_API 20200120
31 31
32#define TLS_PROTOCOL_TLSv1_0 (1 << 1) 32/*
33#define TLS_PROTOCOL_TLSv1_1 (1 << 2) 33 * Deprecated versions of TLS. Using these effectively selects
34 * the minimum supported version.
35 */
36#define TLS_PROTOCOL_TLSv1_0 (1 << 3)
37#define TLS_PROTOCOL_TLSv1_1 (1 << 3)
38/* Supported versions of TLS */
34#define TLS_PROTOCOL_TLSv1_2 (1 << 3) 39#define TLS_PROTOCOL_TLSv1_2 (1 << 3)
35#define TLS_PROTOCOL_TLSv1_3 (1 << 4) 40#define TLS_PROTOCOL_TLSv1_3 (1 << 4)
36 41
37#define TLS_PROTOCOL_TLSv1 \ 42#define TLS_PROTOCOL_TLSv1 \
38 (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|\ 43 (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)
39 TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)
40 44
41#define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1 45#define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1
42#define TLS_PROTOCOLS_DEFAULT (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3) 46#define TLS_PROTOCOLS_DEFAULT (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3)
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 3efd0ddd57..5eb5b69ac6 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.66 2023/05/14 07:26:25 op Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.67 2023/07/02 06:37:27 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -251,9 +251,9 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
251 if (strcasecmp(p, "tlsv1") == 0) 251 if (strcasecmp(p, "tlsv1") == 0)
252 proto = TLS_PROTOCOL_TLSv1; 252 proto = TLS_PROTOCOL_TLSv1;
253 else if (strcasecmp(p, "tlsv1.0") == 0) 253 else if (strcasecmp(p, "tlsv1.0") == 0)
254 proto = TLS_PROTOCOL_TLSv1_0; 254 proto = TLS_PROTOCOL_TLSv1_2;
255 else if (strcasecmp(p, "tlsv1.1") == 0) 255 else if (strcasecmp(p, "tlsv1.1") == 0)
256 proto = TLS_PROTOCOL_TLSv1_1; 256 proto = TLS_PROTOCOL_TLSv1_2;
257 else if (strcasecmp(p, "tlsv1.2") == 0) 257 else if (strcasecmp(p, "tlsv1.2") == 0)
258 proto = TLS_PROTOCOL_TLSv1_2; 258 proto = TLS_PROTOCOL_TLSv1_2;
259 else if (strcasecmp(p, "tlsv1.3") == 0) 259 else if (strcasecmp(p, "tlsv1.3") == 0)
diff --git a/src/regress/lib/libtls/config/configtest.c b/src/regress/lib/libtls/config/configtest.c
index 47aa03e826..5af5b56ffd 100644
--- a/src/regress/lib/libtls/config/configtest.c
+++ b/src/regress/lib/libtls/config/configtest.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: configtest.c,v 1.2 2020/01/20 08:40:16 jsing Exp $ */ 1/* $OpenBSD: configtest.c,v 1.3 2023/07/02 06:37:27 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -71,30 +71,27 @@ struct parse_protocols_test parse_protocols_tests[] = {
71 { 71 {
72 .protostr = "tlsv1.0:tlsv1.1:tlsv1.2:tlsv1.3", 72 .protostr = "tlsv1.0:tlsv1.1:tlsv1.2:tlsv1.3",
73 .want_return = 0, 73 .want_return = 0,
74 .want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 | 74 .want_protocols = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
75 TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
76 }, 75 },
77 { 76 {
78 .protostr = "tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3", 77 .protostr = "tlsv1.0,tlsv1.1,tlsv1.2,tlsv1.3",
79 .want_return = 0, 78 .want_return = 0,
80 .want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 | 79 .want_protocols = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
81 TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3,
82 }, 80 },
83 { 81 {
84 .protostr = "tlsv1.1,tlsv1.2,tlsv1.0", 82 .protostr = "tlsv1.1,tlsv1.2,tlsv1.0",
85 .want_return = 0, 83 .want_return = 0,
86 .want_protocols = TLS_PROTOCOL_TLSv1_0 | TLS_PROTOCOL_TLSv1_1 | 84 .want_protocols = TLS_PROTOCOL_TLSv1_2,
87 TLS_PROTOCOL_TLSv1_2,
88 }, 85 },
89 { 86 {
90 .protostr = "tlsv1.1,tlsv1.2,tlsv1.1", 87 .protostr = "tlsv1.1,tlsv1.2,tlsv1.1",
91 .want_return = 0, 88 .want_return = 0,
92 .want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2, 89 .want_protocols = TLS_PROTOCOL_TLSv1_2,
93 }, 90 },
94 { 91 {
95 .protostr = "tlsv1.1,tlsv1.2,!tlsv1.1", 92 .protostr = "tlsv1.1,tlsv1.2,!tlsv1.1",
96 .want_return = 0, 93 .want_return = 0,
97 .want_protocols = TLS_PROTOCOL_TLSv1_2, 94 .want_protocols = 0,
98 }, 95 },
99 { 96 {
100 .protostr = "unknown", 97 .protostr = "unknown",
@@ -114,19 +111,17 @@ struct parse_protocols_test parse_protocols_tests[] = {
114 { 111 {
115 .protostr = "all,!tlsv1.0", 112 .protostr = "all,!tlsv1.0",
116 .want_return = 0, 113 .want_return = 0,
117 .want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | \ 114 .want_protocols = TLS_PROTOCOL_TLSv1_3,
118 TLS_PROTOCOL_TLSv1_3,
119 }, 115 },
120 { 116 {
121 .protostr = "!tlsv1.0", 117 .protostr = "!tlsv1.0",
122 .want_return = 0, 118 .want_return = 0,
123 .want_protocols = TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | \ 119 .want_protocols = TLS_PROTOCOL_TLSv1_3,
124 TLS_PROTOCOL_TLSv1_3,
125 }, 120 },
126 { 121 {
127 .protostr = "!tlsv1.0,!tlsv1.1,!tlsv1.3", 122 .protostr = "!tlsv1.0,!tlsv1.1,!tlsv1.3",
128 .want_return = 0, 123 .want_return = 0,
129 .want_protocols = TLS_PROTOCOL_TLSv1_2, 124 .want_protocols = 0,
130 }, 125 },
131 { 126 {
132 .protostr = "!tlsv1.0,!tlsv1.1,tlsv1.2,!tlsv1.3", 127 .protostr = "!tlsv1.0,!tlsv1.1,tlsv1.2,!tlsv1.3",
diff --git a/src/regress/lib/libtls/gotls/tls.go b/src/regress/lib/libtls/gotls/tls.go
index cf3e84c030..3029d58c35 100644
--- a/src/regress/lib/libtls/gotls/tls.go
+++ b/src/regress/lib/libtls/gotls/tls.go
@@ -45,8 +45,6 @@ const (
45) 45)
46 46
47var protocolNames = map[ProtocolVersion]string{ 47var protocolNames = map[ProtocolVersion]string{
48 ProtocolTLSv10: "TLSv1",
49 ProtocolTLSv11: "TLSv1.1",
50 ProtocolTLSv12: "TLSv1.2", 48 ProtocolTLSv12: "TLSv1.2",
51 ProtocolTLSv13: "TLSv1.3", 49 ProtocolTLSv13: "TLSv1.3",
52 ProtocolsAll: "all", 50 ProtocolsAll: "all",
diff --git a/src/regress/lib/libtls/gotls/tls_test.go b/src/regress/lib/libtls/gotls/tls_test.go
index f6c6cfcdd5..2b7ce2c19e 100644
--- a/src/regress/lib/libtls/gotls/tls_test.go
+++ b/src/regress/lib/libtls/gotls/tls_test.go
@@ -251,11 +251,11 @@ func TestTLSVersions(t *testing.T) {
251 {tls.VersionSSL30, tls.VersionTLS12, ProtocolTLSv12, false}, 251 {tls.VersionSSL30, tls.VersionTLS12, ProtocolTLSv12, false},
252 {tls.VersionTLS10, tls.VersionTLS12, ProtocolTLSv12, false}, 252 {tls.VersionTLS10, tls.VersionTLS12, ProtocolTLSv12, false},
253 {tls.VersionTLS11, tls.VersionTLS12, ProtocolTLSv12, false}, 253 {tls.VersionTLS11, tls.VersionTLS12, ProtocolTLSv12, false},
254 {tls.VersionSSL30, tls.VersionTLS11, ProtocolTLSv11, false}, 254 {tls.VersionSSL30, tls.VersionTLS11, ProtocolTLSv11, true},
255 {tls.VersionSSL30, tls.VersionTLS10, ProtocolTLSv10, false}, 255 {tls.VersionSSL30, tls.VersionTLS10, ProtocolTLSv10, true},
256 {tls.VersionSSL30, tls.VersionSSL30, 0, true}, 256 {tls.VersionSSL30, tls.VersionSSL30, 0, true},
257 {tls.VersionTLS10, tls.VersionTLS10, ProtocolTLSv10, false}, 257 {tls.VersionTLS10, tls.VersionTLS10, ProtocolTLSv10, true},
258 {tls.VersionTLS11, tls.VersionTLS11, ProtocolTLSv11, false}, 258 {tls.VersionTLS11, tls.VersionTLS11, ProtocolTLSv11, true},
259 {tls.VersionTLS12, tls.VersionTLS12, ProtocolTLSv12, false}, 259 {tls.VersionTLS12, tls.VersionTLS12, ProtocolTLSv12, false},
260 } 260 }
261 for i, test := range tests { 261 for i, test := range tests {
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 08:05:52 +0000