diff options
| -rw-r--r-- | lib/libssl/Makefile | 4 | ||||
| -rw-r--r-- | lib/libssl/ssl_lib.c | 157 | ||||
| -rw-r--r-- | lib/libssl/ssl_versions.c | 172 |
3 files changed, 175 insertions, 158 deletions
diff --git a/lib/libssl/Makefile b/lib/libssl/Makefile index 24606d1862e..e80863719b7 100644 --- a/lib/libssl/Makefile +++ b/lib/libssl/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.29 2017/01/26 05:51:54 jsing Exp $ +# $OpenBSD: Makefile,v 1.30 2017/01/26 06:01:44 jsing Exp $ .include <bsd.own.mk> .ifndef NOMAN @@ -32,7 +32,7 @@ SRCS= \ ssl_ciph.c ssl_stat.c ssl_rsa.c \ ssl_asn1.c ssl_txt.c ssl_algs.c \ bio_ssl.c ssl_err.c t1_reneg.c \ - ssl_packet.c pqueue.c + ssl_packet.c ssl_versions.c pqueue.c SRCS+= s3_cbc.c SRCS+= bs_ber.c bs_cbb.c bs_cbs.c diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 649b238bd99..6f31d6dcdf7 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.151 2017/01/26 00:42:44 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.152 2017/01/26 06:01:44 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -2492,161 +2492,6 @@ SSL_get_version(const SSL *s) return ssl_version_string(s->version); } -static int -ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, - uint16_t clamp_min, uint16_t clamp_max) -{ - if (clamp_min > clamp_max || *min_ver > *max_ver) - return 0; - if (clamp_max < *min_ver || clamp_min > *max_ver) - return 0; - - if (*min_ver < clamp_min) - *min_ver = clamp_min; - if (*max_ver > clamp_max) - *max_ver = clamp_max; - - return 1; -} - -int -ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) -{ - uint16_t min_version, max_version; - - /* - * The enabled versions have to be a contiguous range, which means we - * cannot enable and disable single versions at our whim, even though - * this is what the OpenSSL flags allow. The historical way this has - * been handled is by making a flag mean that all higher versions - * are disabled, if any version lower than the flag is enabled. - */ - - min_version = 0; - max_version = TLS1_2_VERSION; - - if ((s->internal->options & SSL_OP_NO_TLSv1) == 0) - min_version = TLS1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0) - min_version = TLS1_1_VERSION; - else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0) - min_version = TLS1_2_VERSION; - - if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) - max_version = TLS1_1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) - max_version = TLS1_VERSION; - if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) - max_version = 0; - - /* Everything has been disabled... */ - if (min_version == 0 || max_version == 0) - return 0; - - /* Limit to configured version range. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->internal->min_version, s->internal->max_version)) - return 0; - - if (min_ver != NULL) - *min_ver = min_version; - if (max_ver != NULL) - *max_ver = max_version; - - return 1; -} - -int -ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) -{ - uint16_t min_version, max_version; - - /* DTLS cannot currently be disabled... */ - if (SSL_IS_DTLS(s)) { - min_version = max_version = DTLS1_VERSION; - goto done; - } - - if (!ssl_enabled_version_range(s, &min_version, &max_version)) - return 0; - - /* Limit to the versions supported by this method. */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->method->internal->min_version, - s->method->internal->max_version)) - return 0; - - done: - if (min_ver != NULL) - *min_ver = min_version; - if (max_ver != NULL) - *max_ver = max_version; - - return 1; -} - -int -ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) -{ - uint16_t min_version, max_version, shared_version; - - *max_ver = 0; - - if (SSL_IS_DTLS(s)) { - if (peer_ver >= DTLS1_VERSION) { - *max_ver = DTLS1_VERSION; - return 1; - } - return 0; - } - - if (peer_ver >= TLS1_2_VERSION) - shared_version = TLS1_2_VERSION; - else if (peer_ver >= TLS1_1_VERSION) - shared_version = TLS1_1_VERSION; - else if (peer_ver >= TLS1_VERSION) - shared_version = TLS1_VERSION; - else - return 0; - - if (!ssl_supported_version_range(s, &min_version, &max_version)) - return 0; - - if (shared_version < min_version) - return 0; - - if (shared_version > max_version) - shared_version = max_version; - - *max_ver = shared_version; - - return 1; -} - -uint16_t -ssl_max_server_version(SSL *s) -{ - uint16_t max_version, min_version = 0; - - if (SSL_IS_DTLS(s)) - return (DTLS1_VERSION); - - if (!ssl_enabled_version_range(s, &min_version, &max_version)) - return 0; - - /* - * Limit to the versions supported by this method. The SSL method - * will be changed during version negotiation, as such we want to - * use the SSL method from the context. - */ - if (!ssl_clamp_version_range(&min_version, &max_version, - s->ctx->method->internal->min_version, - s->ctx->method->internal->max_version)) - return 0; - - return (max_version); -} - SSL * SSL_dup(SSL *s) { diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c new file mode 100644 index 00000000000..415d935fa5d --- /dev/null +++ b/lib/libssl/ssl_versions.c @@ -0,0 +1,172 @@ +/* + * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_locl.h" + +static int +ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver, + uint16_t clamp_min, uint16_t clamp_max) +{ + if (clamp_min > clamp_max || *min_ver > *max_ver) + return 0; + if (clamp_max < *min_ver || clamp_min > *max_ver) + return 0; + + if (*min_ver < clamp_min) + *min_ver = clamp_min; + if (*max_ver > clamp_max) + *max_ver = clamp_max; + + return 1; +} + +int +ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) +{ + uint16_t min_version, max_version; + + /* + * The enabled versions have to be a contiguous range, which means we + * cannot enable and disable single versions at our whim, even though + * this is what the OpenSSL flags allow. The historical way this has + * been handled is by making a flag mean that all higher versions + * are disabled, if any version lower than the flag is enabled. + */ + + min_version = 0; + max_version = TLS1_2_VERSION; + + if ((s->internal->options & SSL_OP_NO_TLSv1) == 0) + min_version = TLS1_VERSION; + else if ((s->internal->options & SSL_OP_NO_TLSv1_1) == 0) + min_version = TLS1_1_VERSION; + else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0) + min_version = TLS1_2_VERSION; + + if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) + max_version = TLS1_1_VERSION; + if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) + max_version = TLS1_VERSION; + if ((s->internal->options & SSL_OP_NO_TLSv1) && min_version < TLS1_VERSION) + max_version = 0; + + /* Everything has been disabled... */ + if (min_version == 0 || max_version == 0) + return 0; + + /* Limit to configured version range. */ + if (!ssl_clamp_version_range(&min_version, &max_version, + s->internal->min_version, s->internal->max_version)) + return 0; + + if (min_ver != NULL) + *min_ver = min_version; + if (max_ver != NULL) + *max_ver = max_version; + + return 1; +} + +int +ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) +{ + uint16_t min_version, max_version; + + /* DTLS cannot currently be disabled... */ + if (SSL_IS_DTLS(s)) { + min_version = max_version = DTLS1_VERSION; + goto done; + } + + if (!ssl_enabled_version_range(s, &min_version, &max_version)) + return 0; + + /* Limit to the versions supported by this method. */ + if (!ssl_clamp_version_range(&min_version, &max_version, + s->method->internal->min_version, + s->method->internal->max_version)) + return 0; + + done: + if (min_ver != NULL) + *min_ver = min_version; + if (max_ver != NULL) + *max_ver = max_version; + + return 1; +} + +int +ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) +{ + uint16_t min_version, max_version, shared_version; + + *max_ver = 0; + + if (SSL_IS_DTLS(s)) { + if (peer_ver >= DTLS1_VERSION) { + *max_ver = DTLS1_VERSION; + return 1; + } + return 0; + } + + if (peer_ver >= TLS1_2_VERSION) + shared_version = TLS1_2_VERSION; + else if (peer_ver >= TLS1_1_VERSION) + shared_version = TLS1_1_VERSION; + else if (peer_ver >= TLS1_VERSION) + shared_version = TLS1_VERSION; + else + return 0; + + if (!ssl_supported_version_range(s, &min_version, &max_version)) + return 0; + + if (shared_version < min_version) + return 0; + + if (shared_version > max_version) + shared_version = max_version; + + *max_ver = shared_version; + + return 1; +} + +uint16_t +ssl_max_server_version(SSL *s) +{ + uint16_t max_version, min_version = 0; + + if (SSL_IS_DTLS(s)) + return (DTLS1_VERSION); + + if (!ssl_enabled_version_range(s, &min_version, &max_version)) + return 0; + + /* + * Limit to the versions supported by this method. The SSL method + * will be changed during version negotiation, as such we want to + * use the SSL method from the context. + */ + if (!ssl_clamp_version_range(&min_version, &max_version, + s->ctx->method->internal->min_version, + s->ctx->method->internal->max_version)) + return 0; + + return (max_version); +} |