summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/ssl_ciphers.c25
-rw-r--r--src/lib/libssl/ssl_lib.c22
-rw-r--r--src/lib/libssl/ssl_locl.h28
-rw-r--r--src/lib/libssl/ssl_methods.c66
-rw-r--r--src/lib/libssl/ssl_packet.c7
-rw-r--r--src/lib/libssl/ssl_versions.c98
-rw-r--r--src/lib/libssl/tls13_client.c4
-rw-r--r--src/lib/libssl/tls13_legacy.c6
-rw-r--r--src/lib/libssl/tls13_server.c4
9 files changed, 132 insertions, 128 deletions
diff --git a/src/lib/libssl/ssl_ciphers.c b/src/lib/libssl/ssl_ciphers.c
index 399e274ad4..85c60b1abb 100644
--- a/src/lib/libssl/ssl_ciphers.c
+++ b/src/lib/libssl/ssl_ciphers.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */ 1/* $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org> 3 * Copyright (c) 2015-2017 Doug Hogan <doug@openbsd.org>
4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2015-2018, 2020 Joel Sing <jsing@openbsd.org>
@@ -36,28 +36,17 @@ ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher)
36} 36}
37 37
38int 38int
39ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, 39ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher, uint16_t min_ver,
40 uint16_t max_ver) 40 uint16_t max_ver)
41{ 41{
42 /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */
43 if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION)
44 min_ver = max_ver = TLS1_1_VERSION;
45
46 switch(cipher->algorithm_ssl) { 42 switch(cipher->algorithm_ssl) {
47 case SSL_SSLV3: 43 case SSL_SSLV3:
48 if (min_ver <= TLS1_2_VERSION) 44 return (min_ver <= TLS1_2_VERSION);
49 return 1;
50 break;
51 case SSL_TLSV1_2: 45 case SSL_TLSV1_2:
52 if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver) 46 return (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver);
53 return 1;
54 break;
55 case SSL_TLSV1_3: 47 case SSL_TLSV1_3:
56 if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver) 48 return (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver);
57 return 1;
58 break;
59 } 49 }
60
61 return 0; 50 return 0;
62} 51}
63 52
@@ -72,13 +61,13 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb)
72 if (ciphers == NULL) 61 if (ciphers == NULL)
73 return 0; 62 return 0;
74 63
75 if (!ssl_supported_version_range(s, &min_vers, &max_vers)) 64 if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
76 return 0; 65 return 0;
77 66
78 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 67 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
79 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) 68 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
80 return 0; 69 return 0;
81 if (!ssl_cipher_allowed_in_version_range(cipher, min_vers, 70 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
82 max_vers)) 71 max_vers))
83 continue; 72 continue;
84 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) 73 if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher)))
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 33aca33c92..57d0f4b779 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_lib.c,v 1.248 2021/02/20 14:14:16 tb Exp $ */ 1/* $OpenBSD: ssl_lib.c,v 1.249 2021/02/25 17:06:05 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -254,8 +254,8 @@ SSL_new(SSL_CTX *ctx)
254 if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) 254 if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL)
255 goto err; 255 goto err;
256 256
257 s->internal->min_version = ctx->internal->min_version; 257 s->internal->min_tls_version = ctx->internal->min_tls_version;
258 s->internal->max_version = ctx->internal->max_version; 258 s->internal->max_tls_version = ctx->internal->max_tls_version;
259 s->internal->min_proto_version = ctx->internal->min_proto_version; 259 s->internal->min_proto_version = ctx->internal->min_proto_version;
260 s->internal->max_proto_version = ctx->internal->max_proto_version; 260 s->internal->max_proto_version = ctx->internal->max_proto_version;
261 261
@@ -1336,7 +1336,7 @@ SSL_get1_supported_ciphers(SSL *s)
1336 1336
1337 if (s == NULL) 1337 if (s == NULL)
1338 return NULL; 1338 return NULL;
1339 if (!ssl_supported_version_range(s, &min_vers, &max_vers)) 1339 if (!ssl_supported_tls_version_range(s, &min_vers, &max_vers))
1340 return NULL; 1340 return NULL;
1341 if ((ciphers = SSL_get_ciphers(s)) == NULL) 1341 if ((ciphers = SSL_get_ciphers(s)) == NULL)
1342 return NULL; 1342 return NULL;
@@ -1346,7 +1346,7 @@ SSL_get1_supported_ciphers(SSL *s)
1346 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { 1346 for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
1347 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) 1347 if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL)
1348 goto err; 1348 goto err;
1349 if (!ssl_cipher_allowed_in_version_range(cipher, min_vers, 1349 if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers,
1350 max_vers)) 1350 max_vers))
1351 continue; 1351 continue;
1352 if (!sk_SSL_CIPHER_push(supported_ciphers, cipher)) 1352 if (!sk_SSL_CIPHER_push(supported_ciphers, cipher))
@@ -1829,8 +1829,8 @@ SSL_CTX_new(const SSL_METHOD *meth)
1829 } 1829 }
1830 1830
1831 ret->method = meth; 1831 ret->method = meth;
1832 ret->internal->min_version = meth->internal->min_version; 1832 ret->internal->min_tls_version = meth->internal->min_tls_version;
1833 ret->internal->max_version = meth->internal->max_version; 1833 ret->internal->max_tls_version = meth->internal->max_tls_version;
1834 ret->internal->min_proto_version = 0; 1834 ret->internal->min_proto_version = 0;
1835 ret->internal->max_proto_version = 0; 1835 ret->internal->max_proto_version = 0;
1836 ret->internal->mode = SSL_MODE_AUTO_RETRY; 1836 ret->internal->mode = SSL_MODE_AUTO_RETRY;
@@ -3027,7 +3027,7 @@ int
3027SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) 3027SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version)
3028{ 3028{
3029 return ssl_version_set_min(ctx->method, version, 3029 return ssl_version_set_min(ctx->method, version,
3030 ctx->internal->max_version, &ctx->internal->min_version, 3030 ctx->internal->max_tls_version, &ctx->internal->min_tls_version,
3031 &ctx->internal->min_proto_version); 3031 &ctx->internal->min_proto_version);
3032} 3032}
3033 3033
@@ -3041,7 +3041,7 @@ int
3041SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) 3041SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version)
3042{ 3042{
3043 return ssl_version_set_max(ctx->method, version, 3043 return ssl_version_set_max(ctx->method, version,
3044 ctx->internal->min_version, &ctx->internal->max_version, 3044 ctx->internal->min_tls_version, &ctx->internal->max_tls_version,
3045 &ctx->internal->max_proto_version); 3045 &ctx->internal->max_proto_version);
3046} 3046}
3047 3047
@@ -3055,7 +3055,7 @@ int
3055SSL_set_min_proto_version(SSL *ssl, uint16_t version) 3055SSL_set_min_proto_version(SSL *ssl, uint16_t version)
3056{ 3056{
3057 return ssl_version_set_min(ssl->method, version, 3057 return ssl_version_set_min(ssl->method, version,
3058 ssl->internal->max_version, &ssl->internal->min_version, 3058 ssl->internal->max_tls_version, &ssl->internal->min_tls_version,
3059 &ssl->internal->min_proto_version); 3059 &ssl->internal->min_proto_version);
3060} 3060}
3061int 3061int
@@ -3068,7 +3068,7 @@ int
3068SSL_set_max_proto_version(SSL *ssl, uint16_t version) 3068SSL_set_max_proto_version(SSL *ssl, uint16_t version)
3069{ 3069{
3070 return ssl_version_set_max(ssl->method, version, 3070 return ssl_version_set_max(ssl->method, version,
3071 ssl->internal->min_version, &ssl->internal->max_version, 3071 ssl->internal->min_tls_version, &ssl->internal->max_tls_version,
3072 &ssl->internal->max_proto_version); 3072 &ssl->internal->max_proto_version);
3073} 3073}
3074 3074
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3a4d318987..7ed3094c3e 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_locl.h,v 1.322 2021/02/22 15:59:10 jsing Exp $ */ 1/* $OpenBSD: ssl_locl.h,v 1.323 2021/02/25 17:06:05 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -362,8 +362,8 @@ typedef struct ssl_method_internal_st {
362 int server; 362 int server;
363 int version; 363 int version;
364 364
365 uint16_t min_version; 365 uint16_t min_tls_version;
366 uint16_t max_version; 366 uint16_t max_tls_version;
367 367
368 int (*ssl_new)(SSL *s); 368 int (*ssl_new)(SSL *s);
369 void (*ssl_clear)(SSL *s); 369 void (*ssl_clear)(SSL *s);
@@ -517,8 +517,8 @@ int tls12_record_layer_seal_record(struct tls12_record_layer *rl,
517 CBB *out); 517 CBB *out);
518 518
519typedef struct ssl_ctx_internal_st { 519typedef struct ssl_ctx_internal_st {
520 uint16_t min_version; 520 uint16_t min_tls_version;
521 uint16_t max_version; 521 uint16_t max_tls_version;
522 522
523 /* 523 /*
524 * These may be zero to imply minimum or maximum version supported by 524 * These may be zero to imply minimum or maximum version supported by
@@ -686,8 +686,8 @@ typedef struct ssl_ctx_internal_st {
686typedef struct ssl_internal_st { 686typedef struct ssl_internal_st {
687 struct tls13_ctx *tls13; 687 struct tls13_ctx *tls13;
688 688
689 uint16_t min_version; 689 uint16_t min_tls_version;
690 uint16_t max_version; 690 uint16_t max_tls_version;
691 691
692 /* 692 /*
693 * These may be zero to imply minimum or maximum version supported by 693 * These may be zero to imply minimum or maximum version supported by
@@ -1121,19 +1121,19 @@ struct ssl_aead_ctx_st {
1121extern const SSL_CIPHER ssl3_ciphers[]; 1121extern const SSL_CIPHER ssl3_ciphers[];
1122 1122
1123const char *ssl_version_string(int ver); 1123const char *ssl_version_string(int ver);
1124int ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); 1124int ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
1125int ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); 1125 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
1126int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, 1126int ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
1127 uint16_t *out_ver, uint16_t *out_proto_ver); 1127 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver);
1128int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, 1128int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
1129 uint16_t *out_ver, uint16_t *out_proto_ver); 1129int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver);
1130int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver); 1130int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
1131int ssl_max_supported_version(SSL *s, uint16_t *max_ver); 1131int ssl_max_supported_version(SSL *s, uint16_t *max_ver);
1132int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver); 1132int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver);
1133int ssl_check_version_from_server(SSL *s, uint16_t server_version); 1133int ssl_check_version_from_server(SSL *s, uint16_t server_version);
1134int ssl_legacy_stack_version(SSL *s, uint16_t version); 1134int ssl_legacy_stack_version(SSL *s, uint16_t version);
1135int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher); 1135int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
1136int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, 1136int ssl_cipher_allowed_in_tls_version_range(const SSL_CIPHER *cipher,
1137 uint16_t min_ver, uint16_t max_ver); 1137 uint16_t min_ver, uint16_t max_ver);
1138 1138
1139const SSL_METHOD *tls_legacy_method(void); 1139const SSL_METHOD *tls_legacy_method(void);
diff --git a/src/lib/libssl/ssl_methods.c b/src/lib/libssl/ssl_methods.c
index ae532ba16d..084f533f5e 100644
--- a/src/lib/libssl/ssl_methods.c
+++ b/src/lib/libssl/ssl_methods.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_methods.c,v 1.22 2021/02/20 08:33:17 jsing Exp $ */ 1/* $OpenBSD: ssl_methods.c,v 1.23 2021/02/25 17:06:05 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -64,8 +64,8 @@ static const SSL_METHOD_INTERNAL DTLS_method_internal_data = {
64 .dtls = 1, 64 .dtls = 1,
65 .server = 1, 65 .server = 1,
66 .version = DTLS1_2_VERSION, 66 .version = DTLS1_2_VERSION,
67 .min_version = DTLS1_VERSION, 67 .min_tls_version = TLS1_1_VERSION,
68 .max_version = DTLS1_2_VERSION, 68 .max_tls_version = TLS1_2_VERSION,
69 .ssl_new = dtls1_new, 69 .ssl_new = dtls1_new,
70 .ssl_clear = dtls1_clear, 70 .ssl_clear = dtls1_clear,
71 .ssl_free = dtls1_free, 71 .ssl_free = dtls1_free,
@@ -93,8 +93,8 @@ static const SSL_METHOD_INTERNAL DTLS_client_method_internal_data = {
93 .dtls = 1, 93 .dtls = 1,
94 .server = 0, 94 .server = 0,
95 .version = DTLS1_2_VERSION, 95 .version = DTLS1_2_VERSION,
96 .min_version = DTLS1_VERSION, 96 .min_tls_version = TLS1_1_VERSION,
97 .max_version = DTLS1_2_VERSION, 97 .max_tls_version = TLS1_2_VERSION,
98 .ssl_new = dtls1_new, 98 .ssl_new = dtls1_new,
99 .ssl_clear = dtls1_clear, 99 .ssl_clear = dtls1_clear,
100 .ssl_free = dtls1_free, 100 .ssl_free = dtls1_free,
@@ -123,8 +123,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = {
123 .dtls = 1, 123 .dtls = 1,
124 .server = 1, 124 .server = 1,
125 .version = DTLS1_VERSION, 125 .version = DTLS1_VERSION,
126 .min_version = DTLS1_VERSION, 126 .min_tls_version = TLS1_1_VERSION,
127 .max_version = DTLS1_VERSION, 127 .max_tls_version = TLS1_1_VERSION,
128 .ssl_new = dtls1_new, 128 .ssl_new = dtls1_new,
129 .ssl_clear = dtls1_clear, 129 .ssl_clear = dtls1_clear,
130 .ssl_free = dtls1_free, 130 .ssl_free = dtls1_free,
@@ -152,8 +152,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
152 .dtls = 1, 152 .dtls = 1,
153 .server = 0, 153 .server = 0,
154 .version = DTLS1_VERSION, 154 .version = DTLS1_VERSION,
155 .min_version = DTLS1_VERSION, 155 .min_tls_version = TLS1_1_VERSION,
156 .max_version = DTLS1_VERSION, 156 .max_tls_version = TLS1_1_VERSION,
157 .ssl_new = dtls1_new, 157 .ssl_new = dtls1_new,
158 .ssl_clear = dtls1_clear, 158 .ssl_clear = dtls1_clear,
159 .ssl_free = dtls1_free, 159 .ssl_free = dtls1_free,
@@ -181,8 +181,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_method_internal_data = {
181 .dtls = 1, 181 .dtls = 1,
182 .server = 1, 182 .server = 1,
183 .version = DTLS1_2_VERSION, 183 .version = DTLS1_2_VERSION,
184 .min_version = DTLS1_2_VERSION, 184 .min_tls_version = TLS1_2_VERSION,
185 .max_version = DTLS1_2_VERSION, 185 .max_tls_version = TLS1_2_VERSION,
186 .ssl_new = dtls1_new, 186 .ssl_new = dtls1_new,
187 .ssl_clear = dtls1_clear, 187 .ssl_clear = dtls1_clear,
188 .ssl_free = dtls1_free, 188 .ssl_free = dtls1_free,
@@ -210,8 +210,8 @@ static const SSL_METHOD_INTERNAL DTLSv1_2_client_method_internal_data = {
210 .dtls = 1, 210 .dtls = 1,
211 .server = 0, 211 .server = 0,
212 .version = DTLS1_2_VERSION, 212 .version = DTLS1_2_VERSION,
213 .min_version = DTLS1_2_VERSION, 213 .min_tls_version = TLS1_2_VERSION,
214 .max_version = DTLS1_2_VERSION, 214 .max_tls_version = TLS1_2_VERSION,
215 .ssl_new = dtls1_new, 215 .ssl_new = dtls1_new,
216 .ssl_clear = dtls1_clear, 216 .ssl_clear = dtls1_clear,
217 .ssl_free = dtls1_free, 217 .ssl_free = dtls1_free,
@@ -306,8 +306,8 @@ static const SSL_METHOD_INTERNAL TLS_method_internal_data = {
306 .dtls = 0, 306 .dtls = 0,
307 .server = 1, 307 .server = 1,
308 .version = TLS1_3_VERSION, 308 .version = TLS1_3_VERSION,
309 .min_version = TLS1_VERSION, 309 .min_tls_version = TLS1_VERSION,
310 .max_version = TLS1_3_VERSION, 310 .max_tls_version = TLS1_3_VERSION,
311 .ssl_new = tls1_new, 311 .ssl_new = tls1_new,
312 .ssl_clear = tls1_clear, 312 .ssl_clear = tls1_clear,
313 .ssl_free = tls1_free, 313 .ssl_free = tls1_free,
@@ -336,8 +336,8 @@ static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = {
336 .dtls = 0, 336 .dtls = 0,
337 .server = 1, 337 .server = 1,
338 .version = TLS1_2_VERSION, 338 .version = TLS1_2_VERSION,
339 .min_version = TLS1_VERSION, 339 .min_tls_version = TLS1_VERSION,
340 .max_version = TLS1_2_VERSION, 340 .max_tls_version = TLS1_2_VERSION,
341 .ssl_new = tls1_new, 341 .ssl_new = tls1_new,
342 .ssl_clear = tls1_clear, 342 .ssl_clear = tls1_clear,
343 .ssl_free = tls1_free, 343 .ssl_free = tls1_free,
@@ -366,8 +366,8 @@ static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = {
366 .dtls = 0, 366 .dtls = 0,
367 .server = 0, 367 .server = 0,
368 .version = TLS1_3_VERSION, 368 .version = TLS1_3_VERSION,
369 .min_version = TLS1_VERSION, 369 .min_tls_version = TLS1_VERSION,
370 .max_version = TLS1_3_VERSION, 370 .max_tls_version = TLS1_3_VERSION,
371 .ssl_new = tls1_new, 371 .ssl_new = tls1_new,
372 .ssl_clear = tls1_clear, 372 .ssl_clear = tls1_clear,
373 .ssl_free = tls1_free, 373 .ssl_free = tls1_free,
@@ -397,8 +397,8 @@ static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = {
397 .dtls = 0, 397 .dtls = 0,
398 .server = 0, 398 .server = 0,
399 .version = TLS1_2_VERSION, 399 .version = TLS1_2_VERSION,
400 .min_version = TLS1_VERSION, 400 .min_tls_version = TLS1_VERSION,
401 .max_version = TLS1_2_VERSION, 401 .max_tls_version = TLS1_2_VERSION,
402 .ssl_new = tls1_new, 402 .ssl_new = tls1_new,
403 .ssl_clear = tls1_clear, 403 .ssl_clear = tls1_clear,
404 .ssl_free = tls1_free, 404 .ssl_free = tls1_free,
@@ -427,8 +427,8 @@ static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = {
427 .dtls = 0, 427 .dtls = 0,
428 .server = 1, 428 .server = 1,
429 .version = TLS1_VERSION, 429 .version = TLS1_VERSION,
430 .min_version = TLS1_VERSION, 430 .min_tls_version = TLS1_VERSION,
431 .max_version = TLS1_VERSION, 431 .max_tls_version = TLS1_VERSION,
432 .ssl_new = tls1_new, 432 .ssl_new = tls1_new,
433 .ssl_clear = tls1_clear, 433 .ssl_clear = tls1_clear,
434 .ssl_free = tls1_free, 434 .ssl_free = tls1_free,
@@ -456,8 +456,8 @@ static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = {
456 .dtls = 0, 456 .dtls = 0,
457 .server = 0, 457 .server = 0,
458 .version = TLS1_VERSION, 458 .version = TLS1_VERSION,
459 .min_version = TLS1_VERSION, 459 .min_tls_version = TLS1_VERSION,
460 .max_version = TLS1_VERSION, 460 .max_tls_version = TLS1_VERSION,
461 .ssl_new = tls1_new, 461 .ssl_new = tls1_new,
462 .ssl_clear = tls1_clear, 462 .ssl_clear = tls1_clear,
463 .ssl_free = tls1_free, 463 .ssl_free = tls1_free,
@@ -485,8 +485,8 @@ static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = {
485 .dtls = 0, 485 .dtls = 0,
486 .server = 1, 486 .server = 1,
487 .version = TLS1_1_VERSION, 487 .version = TLS1_1_VERSION,
488 .min_version = TLS1_1_VERSION, 488 .min_tls_version = TLS1_1_VERSION,
489 .max_version = TLS1_1_VERSION, 489 .max_tls_version = TLS1_1_VERSION,
490 .ssl_new = tls1_new, 490 .ssl_new = tls1_new,
491 .ssl_clear = tls1_clear, 491 .ssl_clear = tls1_clear,
492 .ssl_free = tls1_free, 492 .ssl_free = tls1_free,
@@ -514,8 +514,8 @@ static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = {
514 .dtls = 0, 514 .dtls = 0,
515 .server = 0, 515 .server = 0,
516 .version = TLS1_1_VERSION, 516 .version = TLS1_1_VERSION,
517 .min_version = TLS1_1_VERSION, 517 .min_tls_version = TLS1_1_VERSION,
518 .max_version = TLS1_1_VERSION, 518 .max_tls_version = TLS1_1_VERSION,
519 .ssl_new = tls1_new, 519 .ssl_new = tls1_new,
520 .ssl_clear = tls1_clear, 520 .ssl_clear = tls1_clear,
521 .ssl_free = tls1_free, 521 .ssl_free = tls1_free,
@@ -543,8 +543,8 @@ static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = {
543 .dtls = 0, 543 .dtls = 0,
544 .server = 1, 544 .server = 1,
545 .version = TLS1_2_VERSION, 545 .version = TLS1_2_VERSION,
546 .min_version = TLS1_2_VERSION, 546 .min_tls_version = TLS1_2_VERSION,
547 .max_version = TLS1_2_VERSION, 547 .max_tls_version = TLS1_2_VERSION,
548 .ssl_new = tls1_new, 548 .ssl_new = tls1_new,
549 .ssl_clear = tls1_clear, 549 .ssl_clear = tls1_clear,
550 .ssl_free = tls1_free, 550 .ssl_free = tls1_free,
@@ -572,8 +572,8 @@ static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = {
572 .dtls = 0, 572 .dtls = 0,
573 .server = 0, 573 .server = 0,
574 .version = TLS1_2_VERSION, 574 .version = TLS1_2_VERSION,
575 .min_version = TLS1_2_VERSION, 575 .min_tls_version = TLS1_2_VERSION,
576 .max_version = TLS1_2_VERSION, 576 .max_tls_version = TLS1_2_VERSION,
577 .ssl_new = tls1_new, 577 .ssl_new = tls1_new,
578 .ssl_clear = tls1_clear, 578 .ssl_clear = tls1_clear,
579 .ssl_free = tls1_free, 579 .ssl_free = tls1_free,
diff --git a/src/lib/libssl/ssl_packet.c b/src/lib/libssl/ssl_packet.c
index fc1c3c07de..b383fe83e9 100644
--- a/src/lib/libssl/ssl_packet.c
+++ b/src/lib/libssl/ssl_packet.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_packet.c,v 1.9 2020/10/14 16:57:33 jsing Exp $ */ 1/* $OpenBSD: ssl_packet.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -247,12 +247,13 @@ ssl_server_legacy_first_packet(SSL *s)
247 return 1; 247 return 1;
248 248
249 /* Only continue if this is not a version locked method. */ 249 /* Only continue if this is not a version locked method. */
250 if (s->method->internal->min_version == s->method->internal->max_version) 250 if (s->method->internal->min_tls_version ==
251 s->method->internal->max_tls_version)
251 return 1; 252 return 1;
252 253
253 if (ssl_is_sslv2_client_hello(&header) == 1) { 254 if (ssl_is_sslv2_client_hello(&header) == 1) {
254 /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */ 255 /* Only permit SSLv2 client hellos if TLSv1.0 is enabled. */
255 if (ssl_enabled_version_range(s, &min_version, NULL) != 1) { 256 if (ssl_enabled_tls_version_range(s, &min_version, NULL) != 1) {
256 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 257 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
257 return -1; 258 return -1;
258 } 259 }
diff --git a/src/lib/libssl/ssl_versions.c b/src/lib/libssl/ssl_versions.c
index 3c4801971e..a216de6e81 100644
--- a/src/lib/libssl/ssl_versions.c
+++ b/src/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */ 1/* $OpenBSD: ssl_versions.c,v 1.13 2021/02/25 17:06:05 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -18,7 +18,7 @@
18#include "ssl_locl.h" 18#include "ssl_locl.h"
19 19
20static int 20static int
21ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, 21ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
22 uint16_t clamp_min, uint16_t clamp_max) 22 uint16_t clamp_min, uint16_t clamp_max)
23{ 23{
24 if (clamp_min > clamp_max || *min_ver > *max_ver) 24 if (clamp_min > clamp_max || *min_ver > *max_ver)
@@ -35,55 +35,71 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
35} 35}
36 36
37int 37int
38ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, 38ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
39 uint16_t *out_ver, uint16_t *out_proto_ver) 39 uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
40{ 40{
41 uint16_t min_version, max_version; 41 uint16_t min_version, max_version;
42 42
43 if (ver == 0) { 43 if (proto_ver == 0) {
44 *out_ver = meth->internal->min_version; 44 *out_tls_ver = meth->internal->min_tls_version;
45 *out_proto_ver = 0; 45 *out_proto_ver = 0;
46 return 1; 46 return 1;
47 } 47 }
48 if (meth->internal->dtls) {
49 if (proto_ver != DTLS1_VERSION)
50 return 0;
51 *out_tls_ver = TLS1_1_VERSION;
52 *out_proto_ver = proto_ver;
53 return 1;
54 }
48 55
49 min_version = ver; 56 min_version = proto_ver;
50 max_version = max_ver; 57 max_version = max_tls_ver;
51 58
52 if (!ssl_clamp_version_range(&min_version, &max_version, 59 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
53 meth->internal->min_version, meth->internal->max_version)) 60 meth->internal->min_tls_version, meth->internal->max_tls_version))
54 return 0; 61 return 0;
55 62
56 *out_ver = *out_proto_ver = min_version; 63 *out_tls_ver = min_version;
64 *out_proto_ver = min_version;
57 65
58 return 1; 66 return 1;
59} 67}
60 68
61int 69int
62ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, 70ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
63 uint16_t *out_ver, uint16_t *out_proto_ver) 71 uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
64{ 72{
65 uint16_t min_version, max_version; 73 uint16_t min_version, max_version;
66 74
67 if (ver == 0) { 75 if (proto_ver == 0) {
68 *out_ver = meth->internal->max_version; 76 *out_tls_ver = meth->internal->max_tls_version;
69 *out_proto_ver = 0; 77 *out_proto_ver = 0;
70 return 1; 78 return 1;
71 } 79 }
80 if (meth->internal->dtls) {
81 if (proto_ver != DTLS1_VERSION)
82 return 0;
83 *out_tls_ver = TLS1_1_VERSION;
84 *out_proto_ver = proto_ver;
85 return 1;
86 }
72 87
73 min_version = min_ver; 88 min_version = min_tls_ver;
74 max_version = ver; 89 max_version = proto_ver;
75 90
76 if (!ssl_clamp_version_range(&min_version, &max_version, 91 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
77 meth->internal->min_version, meth->internal->max_version)) 92 meth->internal->min_tls_version, meth->internal->max_tls_version))
78 return 0; 93 return 0;
79 94
80 *out_ver = *out_proto_ver = max_version; 95 *out_tls_ver = max_version;
96 *out_proto_ver = max_version;
81 97
82 return 1; 98 return 1;
83} 99}
84 100
85int 101int
86ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 102ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
87{ 103{
88 uint16_t min_version, max_version; 104 uint16_t min_version, max_version;
89 105
@@ -121,8 +137,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
121 return 0; 137 return 0;
122 138
123 /* Limit to configured version range. */ 139 /* Limit to configured version range. */
124 if (!ssl_clamp_version_range(&min_version, &max_version, 140 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
125 s->internal->min_version, s->internal->max_version)) 141 s->internal->min_tls_version, s->internal->max_tls_version))
126 return 0; 142 return 0;
127 143
128 if (min_ver != NULL) 144 if (min_ver != NULL)
@@ -134,26 +150,19 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
134} 150}
135 151
136int 152int
137ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) 153ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
138{ 154{
139 uint16_t min_version, max_version; 155 uint16_t min_version, max_version;
140 156
141 /* DTLS cannot currently be disabled... */ 157 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
142 if (SSL_is_dtls(s)) {
143 min_version = max_version = DTLS1_VERSION;
144 goto done;
145 }
146
147 if (!ssl_enabled_version_range(s, &min_version, &max_version))
148 return 0; 158 return 0;
149 159
150 /* Limit to the versions supported by this method. */ 160 /* Limit to the versions supported by this method. */
151 if (!ssl_clamp_version_range(&min_version, &max_version, 161 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
152 s->method->internal->min_version, 162 s->method->internal->min_tls_version,
153 s->method->internal->max_version)) 163 s->method->internal->max_tls_version))
154 return 0; 164 return 0;
155 165
156 done:
157 if (min_ver != NULL) 166 if (min_ver != NULL)
158 *min_ver = min_version; 167 *min_ver = min_version;
159 if (max_ver != NULL) 168 if (max_ver != NULL)
@@ -167,7 +176,12 @@ ssl_max_supported_version(SSL *s, uint16_t *max_ver)
167{ 176{
168 *max_ver = 0; 177 *max_ver = 0;
169 178
170 if (!ssl_supported_version_range(s, NULL, max_ver)) 179 if (SSL_is_dtls(s)) {
180 *max_ver = DTLS1_VERSION;
181 return 1;
182 }
183
184 if (!ssl_supported_tls_version_range(s, NULL, max_ver))
171 return 0; 185 return 0;
172 186
173 return 1; 187 return 1;
@@ -199,7 +213,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
199 else 213 else
200 return 0; 214 return 0;
201 215
202 if (!ssl_supported_version_range(s, &min_version, &max_version)) 216 if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
203 return 0; 217 return 0;
204 218
205 if (shared_version < min_version) 219 if (shared_version < min_version)
@@ -232,12 +246,12 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
232 return 1; 246 return 1;
233 } 247 }
234 248
235 if (!ssl_enabled_version_range(s, &min_version, &max_version)) 249 if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
236 return 0; 250 return 0;
237 251
238 if (!ssl_clamp_version_range(&min_version, &max_version, 252 if (!ssl_clamp_tls_version_range(&min_version, &max_version,
239 s->ctx->method->internal->min_version, 253 s->ctx->method->internal->min_tls_version,
240 s->ctx->method->internal->max_version)) 254 s->ctx->method->internal->max_tls_version))
241 return 0; 255 return 0;
242 256
243 *max_ver = max_version; 257 *max_ver = max_version;
@@ -255,7 +269,7 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
255 if (SSL_is_dtls(s)) 269 if (SSL_is_dtls(s))
256 return (server_version == DTLS1_VERSION); 270 return (server_version == DTLS1_VERSION);
257 271
258 if (!ssl_supported_version_range(s, &min_version, &max_version)) 272 if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
259 return 0; 273 return 0;
260 274
261 return (server_version >= min_version && server_version <= max_version); 275 return (server_version >= min_version && server_version <= max_version);
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index fbb84dcc87..a7c3bf2c00 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_client.c,v 1.72 2021/02/22 16:15:49 tb Exp $ */ 1/* $OpenBSD: tls13_client.c,v 1.73 2021/02/25 17:06:05 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -31,7 +31,7 @@ tls13_client_init(struct tls13_ctx *ctx)
31 size_t groups_len; 31 size_t groups_len;
32 SSL *s = ctx->ssl; 32 SSL *s = ctx->ssl;
33 33
34 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 34 if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
35 &ctx->hs->max_version)) { 35 &ctx->hs->max_version)) {
36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
37 return 0; 37 return 0;
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index bacd11b950..f611aa061d 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_legacy.c,v 1.21 2021/01/07 16:26:31 tb Exp $ */ 1/* $OpenBSD: tls13_legacy.c,v 1.22 2021/02/25 17:06:05 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -359,7 +359,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx)
359 return 0; 359 return 0;
360 360
361 s->internal->handshake_func = s->method->internal->ssl_connect; 361 s->internal->handshake_func = s->method->internal->ssl_connect;
362 s->client_version = s->version = s->method->internal->max_version; 362 s->client_version = s->version = s->method->internal->max_tls_version;
363 363
364 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 364 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
365 365
@@ -375,7 +375,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx)
375 return 0; 375 return 0;
376 376
377 s->internal->handshake_func = s->method->internal->ssl_accept; 377 s->internal->handshake_func = s->method->internal->ssl_accept;
378 s->client_version = s->version = s->method->internal->max_version; 378 s->client_version = s->version = s->method->internal->max_tls_version;
379 s->server = 1; 379 s->server = 1;
380 380
381 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 381 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 0b079c1d83..715066fb59 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_server.c,v 1.69 2021/01/09 10:41:48 tb Exp $ */ 1/* $OpenBSD: tls13_server.c,v 1.70 2021/02/25 17:06:05 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -29,7 +29,7 @@ tls13_server_init(struct tls13_ctx *ctx)
29{ 29{
30 SSL *s = ctx->ssl; 30 SSL *s = ctx->ssl;
31 31
32 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version,
33 &ctx->hs->max_version)) { 33 &ctx->hs->max_version)) {
34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
35 return 0; 35 return 0;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-03 12:48:12 +0000