summaryrefslogtreecommitdiffstats
path: root/lib/libssl/ssl_versions.c
diff options
context:
space:
mode:
authorjsing <jsing@openbsd.org>2021-02-25 17:06:05 +0000
committerjsing <jsing@openbsd.org>2021-02-25 17:06:05 +0000
commit970acf874db22f09b7e42996a54559867b6102e2 (patch)
tree34405a224570d4c15c3de6932b4dfeaaadbcaccd /lib/libssl/ssl_versions.c
parentRename depth to num_untrusted so it identifies what it actually represents. (diff)
downloadwireguard-openbsd-970acf874db22f09b7e42996a54559867b6102e2.tar.xz
wireguard-openbsd-970acf874db22f09b7e42996a54559867b6102e2.zip
Only use TLS versions internally (rather than both TLS and DTLS versions).
DTLS protocol version numbers are the 1's compliment of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version). ok tb@
Diffstat (limited to 'lib/libssl/ssl_versions.c')
-rw-r--r--lib/libssl/ssl_versions.c98
1 files changed, 56 insertions, 42 deletions
diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c
index 3c4801971e0..a216de6e811 100644
--- a/lib/libssl/ssl_versions.c
+++ b/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.12 2021/02/22 15:59:10 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.13 2021/02/25 17:06:05 jsing Exp $ */
/*
* Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
*
@@ -18,7 +18,7 @@
#include "ssl_locl.h"
static int
-ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
+ssl_clamp_tls_version_range(uint16_t *min_ver, uint16_t *max_ver,
uint16_t clamp_min, uint16_t clamp_max)
{
if (clamp_min > clamp_max || *min_ver > *max_ver)
@@ -35,55 +35,71 @@ ssl_clamp_version_range(uint16_t *min_ver, uint16_t *max_ver,
}
int
-ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
- uint16_t *out_ver, uint16_t *out_proto_ver)
+ssl_version_set_min(const SSL_METHOD *meth, uint16_t proto_ver,
+ uint16_t max_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
{
uint16_t min_version, max_version;
- if (ver == 0) {
- *out_ver = meth->internal->min_version;
+ if (proto_ver == 0) {
+ *out_tls_ver = meth->internal->min_tls_version;
*out_proto_ver = 0;
return 1;
}
+ if (meth->internal->dtls) {
+ if (proto_ver != DTLS1_VERSION)
+ return 0;
+ *out_tls_ver = TLS1_1_VERSION;
+ *out_proto_ver = proto_ver;
+ return 1;
+ }
- min_version = ver;
- max_version = max_ver;
+ min_version = proto_ver;
+ max_version = max_tls_ver;
- if (!ssl_clamp_version_range(&min_version, &max_version,
- meth->internal->min_version, meth->internal->max_version))
+ if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+ meth->internal->min_tls_version, meth->internal->max_tls_version))
return 0;
- *out_ver = *out_proto_ver = min_version;
+ *out_tls_ver = min_version;
+ *out_proto_ver = min_version;
return 1;
}
int
-ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
- uint16_t *out_ver, uint16_t *out_proto_ver)
+ssl_version_set_max(const SSL_METHOD *meth, uint16_t proto_ver,
+ uint16_t min_tls_ver, uint16_t *out_tls_ver, uint16_t *out_proto_ver)
{
uint16_t min_version, max_version;
- if (ver == 0) {
- *out_ver = meth->internal->max_version;
+ if (proto_ver == 0) {
+ *out_tls_ver = meth->internal->max_tls_version;
*out_proto_ver = 0;
return 1;
}
+ if (meth->internal->dtls) {
+ if (proto_ver != DTLS1_VERSION)
+ return 0;
+ *out_tls_ver = TLS1_1_VERSION;
+ *out_proto_ver = proto_ver;
+ return 1;
+ }
- min_version = min_ver;
- max_version = ver;
+ min_version = min_tls_ver;
+ max_version = proto_ver;
- if (!ssl_clamp_version_range(&min_version, &max_version,
- meth->internal->min_version, meth->internal->max_version))
+ if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+ meth->internal->min_tls_version, meth->internal->max_tls_version))
return 0;
- *out_ver = *out_proto_ver = max_version;
+ *out_tls_ver = max_version;
+ *out_proto_ver = max_version;
return 1;
}
int
-ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
{
uint16_t min_version, max_version;
@@ -121,8 +137,8 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
return 0;
/* Limit to configured version range. */
- if (!ssl_clamp_version_range(&min_version, &max_version,
- s->internal->min_version, s->internal->max_version))
+ if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+ s->internal->min_tls_version, s->internal->max_tls_version))
return 0;
if (min_ver != NULL)
@@ -134,26 +150,19 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
}
int
-ssl_supported_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
+ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver)
{
uint16_t min_version, max_version;
- /* DTLS cannot currently be disabled... */
- if (SSL_is_dtls(s)) {
- min_version = max_version = DTLS1_VERSION;
- goto done;
- }
-
- if (!ssl_enabled_version_range(s, &min_version, &max_version))
+ if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
return 0;
/* Limit to the versions supported by this method. */
- if (!ssl_clamp_version_range(&min_version, &max_version,
- s->method->internal->min_version,
- s->method->internal->max_version))
+ if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+ s->method->internal->min_tls_version,
+ s->method->internal->max_tls_version))
return 0;
- done:
if (min_ver != NULL)
*min_ver = min_version;
if (max_ver != NULL)
@@ -167,7 +176,12 @@ ssl_max_supported_version(SSL *s, uint16_t *max_ver)
{
*max_ver = 0;
- if (!ssl_supported_version_range(s, NULL, max_ver))
+ if (SSL_is_dtls(s)) {
+ *max_ver = DTLS1_VERSION;
+ return 1;
+ }
+
+ if (!ssl_supported_tls_version_range(s, NULL, max_ver))
return 0;
return 1;
@@ -199,7 +213,7 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
else
return 0;
- if (!ssl_supported_version_range(s, &min_version, &max_version))
+ if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
return 0;
if (shared_version < min_version)
@@ -232,12 +246,12 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
return 1;
}
- if (!ssl_enabled_version_range(s, &min_version, &max_version))
+ if (!ssl_enabled_tls_version_range(s, &min_version, &max_version))
return 0;
- if (!ssl_clamp_version_range(&min_version, &max_version,
- s->ctx->method->internal->min_version,
- s->ctx->method->internal->max_version))
+ if (!ssl_clamp_tls_version_range(&min_version, &max_version,
+ s->ctx->method->internal->min_tls_version,
+ s->ctx->method->internal->max_tls_version))
return 0;
*max_ver = max_version;
@@ -255,7 +269,7 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
if (SSL_is_dtls(s))
return (server_version == DTLS1_VERSION);
- if (!ssl_supported_version_range(s, &min_version, &max_version))
+ if (!ssl_supported_tls_version_range(s, &min_version, &max_version))
return 0;
return (server_version >= min_version && server_version <= max_version);
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.