Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libssl/ssl_clnt.c | 13 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_locl.h | 6 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_versions.c | 29 |
3 files changed, 36 insertions, 12 deletions
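--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.83 2021/02/20 14:16:56 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.84 2021/02/22 15:59:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -655,7 +655,7 @@ ssl3_send_client_hello(SSL *s)
 	if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_A) {
 		SSL_SESSION *sess = s->session;
 
-		if (ssl_supported_version_range(s, NULL, &max_version) != 1) {
+		if (!ssl_max_supported_version(s, &max_version)) {
 			SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
 			return (-1);
 		}
@@ -852,7 +852,7 @@ ssl3_get_server_hello(SSL *s)
 {
 	CBS cbs, server_random, session_id;
 	uint16_t server_version, cipher_suite;
-	uint16_t min_version, max_version;
+	uint16_t max_version;
 	uint8_t compression_method;
 	const SSL_CIPHER *cipher;
 	const SSL_METHOD *method;
@@ -896,12 +896,7 @@ ssl3_get_server_hello(SSL *s)
 	if (!CBS_get_u16(&cbs, &server_version))
 		goto decode_err;
 
-	if (ssl_supported_version_range(s, &min_version, &max_version) != 1) {
-		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
-		goto err;
-	}
-
-	if (server_version < min_version || server_version > max_version) {
+	if (!ssl_check_version_from_server(s, server_version)) {
 		SSLerror(s, SSL_R_WRONG_SSL_VERSION);
 		s->version = (s->version & 0xff00) | (server_version & 0xff);
 		al = SSL_AD_PROTOCOL_VERSION;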
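Review bot: The rewritten test at new line 899 folds two previously distinct conditions into one error path: a failed ssl_supported_version_range() (the removed lines 899-902, reported as SSL_R_NO_PROTOCOLS_AVAILABLE with a plain `goto err`) and a server version outside that range. With the new code both cases report SSL_R_WRONG_SSL_VERSION, rewrite s->version from the server-supplied server_version and set al = SSL_AD_PROTOCOL_VERSION, so a client with no enabled protocol versions now misreports the cause. If the collapse is deliberate, a comment such as `/* Also fails when no local protocol versions are enabled. */` above the check would save the next reader a trip to ssl_versions.c; otherwise keep a separate ssl_supported_version_range() test before it. ssl3_get_server_hello continues past the hunk, so the err label and whatever happens with al are not visible here.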
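--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.321 2021/02/20 09:43:29 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.322 2021/02/22 15:59:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1123,12 +1123,14 @@ extern const SSL_CIPHER ssl3_ciphers[];
 const char *ssl_version_string(int ver);
 int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
 int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
-int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
 int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
     uint16_t *out_ver, uint16_t *out_proto_ver);
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
     uint16_t *out_ver, uint16_t *out_proto_ver);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
+int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
+int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
+int ssl_check_version_from_server(SSL *s, uint16_t server_version);
 int ssl_legacy_stack_version(SSL *s, uint16_t version);
 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
 int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher,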
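--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.11 2021/02/20 09:43:29 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -163,6 +163,17 @@ ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
 }
 
 int
+ssl_max_supported_version(SSL *s, uint16_t *max_ver)
+{
+	*max_ver = 0;
+
+	if (!ssl_supported_version_range(s, NULL, max_ver))
+		return 0;
+
+	return 1;
+}
+
+int
 ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
 {
 	uint16_t min_version, max_version, shared_version;
@@ -235,6 +246,22 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
 }
 
 int
+ssl_check_version_from_server(SSL *s, uint16_t server_version)
+{
+	uint16_t min_version, max_version;
+
+	/* Ensure that the version selected by the server is valid. */
+
+	if (SSL_is_dtls(s))
+		return (server_version == DTLS1_VERSION);
+
+	if (!ssl_supported_version_range(s, &min_version, &max_version))
+		return 0;
+
+	return (server_version >= min_version && server_version <= max_version);
+}
+
+int
 ssl_legacy_stack_version(SSL *s, uint16_t version)
 {
 	if (SSL_is_dtls(s))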
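Review bot: ssl_check_version_from_server() at new lines 249-262 has no comment on its return contract, and the one comment it has (line 253) floats above a blank line instead of sitting on the statement it describes. Its 0 result covers two cases the caller cannot tell apart — a server_version outside the supported range and a ssl_supported_version_range() failure — so a header comment such as `/* Returns 1 if server_version is acceptable for this connection, 0 if it is outside the supported range or no range is available. */` would make the contract explicit. The DTLS branch at 255-256 accepts only DTLS1_VERSION and returns before any range is consulted; if that is intended it deserves a one-line comment as well. The same documentation gap applies to ssl_max_supported_version() at 166-174, where the `*max_ver = 0` on entry is the only hint that the output is defined even on failure.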
