summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_versions.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/ssl_versions.c')
-rw-r--r--src/lib/libssl/ssl_versions.c98
1 files changed, 56 insertions, 42 deletions
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 3c4801971e..a216de6e81 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */ 1/* $OpenBSD: ssl_versions.c,v 1.13 2021/02/25 17:06:05 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -18,7 +18,7 @@
18#include "ssl_locl.h" 18#include "ssl_locl.h"
19 19
20static int 20static int
21ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, 21ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
22 uint16_t clamp_min, uint16_t clamp_max) 22 uint16_t clamp_min, uint16_t clamp_max)
23{ 23{
24 if (clamp_min > clamp_max || *min_ver > *max_ver) 24 if (clamp_min > clamp_max || *min_ver > *max_ver)
@@ -35,55 +35,71 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
35} 35}
36 36
37int 37int
38ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, 38ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
39 uint16_t *out_ver, uint16_t *out_proto_ver) 39 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
40{ 40{
41 uint16_t min_version, max_version; 41 uint16_t min_version, max_version;
42 42
43 if (ver == 0) { 43 if (proto_ver == 0) {
44 *out_ver = meth->internal->min_version; 44 *out_tls_ver = meth->internal->min_tls_version;
45 *out_proto_ver = 0; 45 *out_proto_ver = 0;
46 return 1; 46 return 1;
47 } 47 }
48 if (meth->internal->dtls) {
49 if (proto_ver != DTLS1_VERSION)
50 return 0;
51 *out_tls_ver = TLS1_1_VERSION;
52 *out_proto_ver = proto_ver;
53 return 1;
54 }
48 55
49 min_version = ver; 56 min_version = proto_ver;
50 max_version = max_ver; 57 max_version = max_tls_ver;
51 58
52 if (!ssl_clamp_version_range(&min_version, &max_version, 59 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
53 meth->internal->min_version, meth->internal->max_version)) 60 meth->internal->min_tls_version, meth->internal->max_tls_version))
54 return 0; 61 return 0;
55 62
56 *out_ver = *out_proto_ver = min_version; 63 *out_tls_ver = min_version;
64 *out_proto_ver = min_version;
57 65
58 return 1; 66 return 1;
59} 67}
60 68
61int 69int
62ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, 70ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
63 uint16_t *out_ver, uint16_t *out_proto_ver) 71 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
64{ 72{
65 uint16_t min_version, max_version; 73 uint16_t min_version, max_version;
66 74
67 if (ver == 0) { 75 if (proto_ver == 0) {
68 *out_ver = meth->internal->max_version; 76 *out_tls_ver = meth->internal->max_tls_version;
69 *out_proto_ver = 0; 77 *out_proto_ver = 0;
70 return 1; 78 return 1;
71 } 79 }
80 if (meth->internal->dtls) {
81 if (proto_ver != DTLS1_VERSION)
82 return 0;
83 *out_tls_ver = TLS1_1_VERSION;
84 *out_proto_ver = proto_ver;
85 return 1;
86 }
72 87
73 min_version = min_ver; 88 min_version = min_tls_ver;
74 max_version = ver; 89 max_version = proto_ver;
75 90
76 if (!ssl_clamp_version_range(&min_version, &max_version, 91 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
77 meth->internal->min_version, meth->internal->max_version)) 92 meth->internal->min_tls_version, meth->internal->max_tls_version))
78 return 0; 93 return 0;
79 94
80 *out_ver = *out_proto_ver = max_version; 95 *out_tls_ver = max_version;
96 *out_proto_ver = max_version;
81 97
82 return 1; 98 return 1;
83} 99}
84 100
85int 101int
86ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 102ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
87{ 103{
88 uint16_t min_version, max_version; 104 uint16_t min_version, max_version;
89 105
@@ -121,8 +137,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
121 return 0; 137 return 0;
122 138
123 /* Limit to configured version range. */ 139 /* Limit to configured version range. */
124 if (!ssl_clamp_version_range(&min_version, &max_version, 140 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
125 s->internal->min_version, s->internal->max_version)) 141 s->internal->min_tls_version, s->internal->max_tls_version))
126 return 0; 142 return 0;
127 143
128 if (min_ver != NULL) 144 if (min_ver != NULL)
@@ -134,26 +150,19 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
134} 150}
135 151
136int 152int
137ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 153ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
138{ 154{
139 uint16_t min_version, max_version; 155 uint16_t min_version, max_version;
140 156
141 /* DTLS cannot currently be disabled... */ 157 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
142 if (SSL_is_dtls(s)) {
143 min_version = max_version = DTLS1_VERSION;
144 goto done;
145 }
146
147 if (!ssl_enabled_version_range(s, &min_version, &max_version))
148 return 0; 158 return 0;
149 159
150 /* Limit to the versions supported by this method. */ 160 /* Limit to the versions supported by this method. */
151 if (!ssl_clamp_version_range(&min_version, &max_version, 161 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
152 s->method->internal->min_version, 162 s->method->internal->min_tls_version,
153 s->method->internal->max_version)) 163 s->method->internal->max_tls_version))
154 return 0; 164 return 0;
155 165
156 done:
157 if (min_ver != NULL) 166 if (min_ver != NULL)
158 *min_ver = min_version; 167 *min_ver = min_version;
159 if (max_ver != NULL) 168 if (max_ver != NULL)
@@ -167,7 +176,12 @@ ssl_max_supported_version(SSL *s, uint16_t *max_ver)
167{ 176{
168 *max_ver = 0; 177 *max_ver = 0;
169 178
170 if (!ssl_supported_version_range(s, NULL, max_ver)) 179 if (SSL_is_dtls(s)) {
180 *max_ver = DTLS1_VERSION;
181 return 1;
182 }
183
184 if (!ssl_supported_tls_version_range(s, NULL, max_ver))
171 return 0; 185 return 0;
172 186
173 return 1; 187 return 1;
@@ -199,7 +213,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
199 else 213 else
200 return 0; 214 return 0;
201 215
202 if (!ssl_supported_version_range(s, &min_version, &max_version)) 216 if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
203 return 0; 217 return 0;
204 218
205 if (shared_version < min_version) 219 if (shared_version < min_version)
@@ -232,12 +246,12 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
232 return 1; 246 return 1;
233 } 247 }
234 248
235 if (!ssl_enabled_version_range(s, &min_version, &max_version)) 249 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
236 return 0; 250 return 0;
237 251
238 if (!ssl_clamp_version_range(&min_version, &max_version, 252 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
239 s->ctx->method->internal->min_version, 253 s->ctx->method->internal->min_tls_version,
240 s->ctx->method->internal->max_version)) 254 s->ctx->method->internal->max_tls_version))
241 return 0; 255 return 0;
242 256
243 *max_ver = max_version; 257 *max_ver = max_version;
@@ -255,7 +269,7 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
255 if (SSL_is_dtls(s)) 269 if (SSL_is_dtls(s))
256 return (server_version == DTLS1_VERSION); 270 return (server_version == DTLS1_VERSION);
257 271
258 if (!ssl_supported_version_range(s, &min_version, &max_version)) 272 if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
259 return 0; 273 return 0;
260 274
261 return (server_version >= min_version && server_version <= max_version); 275 return (server_version >= min_version && server_version <= max_version);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-26 12:48:52 +0000