artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9e45fc4)
Add checks to ensure we do not initiate or negotiate handshakes with
authortb <tb@openbsd.org>
Thu, 30 Jun 2022 11:17:49 +0000 (11:17 +0000)
committertb <tb@openbsd.org>
Thu, 30 Jun 2022 11:17:49 +0000 (11:17 +0000)
versions below the minimum required by the security level.

input & ok jsing

lib/libssl/ssl_clnt.c patch | blob | history
lib/libssl/ssl_locl.h patch | blob | history
lib/libssl/ssl_seclevel.c patch | blob | history
lib/libssl/ssl_srvr.c patch | blob | history
lib/libssl/ssl_versions.c patch | blob | history

diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c
index d49d8ef..604b552 100644 (file)
--- a/lib/libssl/ssl_clnt.c
+++ b/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.148 2022/06/29 08:34:04 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.149 2022/06/30 11:17:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -221,6 +221,13 @@ ssl3_connect(SSL *s)
                                goto end;
                        }
 
+                       if (!ssl_security_version(s,
+                           s->s3->hs.our_min_tls_version)) {
+                               SSLerror(s, SSL_R_VERSION_TOO_LOW);
+                               ret = -1;
+                               goto end;
+                       }
+
                        if (!ssl3_setup_init_buffer(s)) {
                                ret = -1;
                                goto end;
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index b46e37f..d466b59 100644 (file)
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.407 2022/06/29 21:18:04 tb Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.408 2022/06/30 11:17:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1301,6 +1301,7 @@ int ssl_ctx_security(const SSL_CTX *ctx, int op, int bits, int nid,
 int ssl_security(const SSL *ssl, int op, int bits, int nid, void *other);
 int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh);
 int ssl_security_dh(const SSL *ssl, DH *dh);
+int ssl_security_version(const SSL *ssl, int version);
 int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509,
     int is_peer, int *out_error);
 int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
diff --git a/lib/libssl/ssl_seclevel.c b/lib/libssl/ssl_seclevel.c
index b174f57..2fe6e3f 100644 (file)
--- a/lib/libssl/ssl_seclevel.c
+++ b/lib/libssl/ssl_seclevel.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ssl_seclevel.c,v 1.11 2022/06/30 07:09:45 tb Exp $ */
+/*     $OpenBSD: ssl_seclevel.c,v 1.12 2022/06/30 11:17:49 tb Exp $ */
 /*
  * Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
  *
@@ -232,6 +232,12 @@ ssl_security(const SSL *ssl, int op, int bits, int nid, void *other)
            ssl->cert->security_ex_data);
 }
 
+int
+ssl_security_version(const SSL *ssl, int tls_version)
+{
+       return ssl_security(ssl, SSL_SECOP_VERSION, 0, tls_version, NULL);
+}
+
 int
 ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh)
 {
diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c
index e37f9cf..8f11083 100644 (file)
--- a/lib/libssl/ssl_srvr.c
+++ b/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.145 2022/06/29 08:27:51 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.146 2022/06/30 11:17:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -223,6 +223,13 @@ ssl3_accept(SSL *s)
                                goto end;
                        }
 
+                       if (!ssl_security_version(s,
+                           s->s3->hs.our_min_tls_version)) {
+                               SSLerror(s, SSL_R_VERSION_TOO_LOW);
+                               ret = -1;
+                               goto end;
+                       }
+
                        if (!ssl3_setup_init_buffer(s)) {
                                ret = -1;
                                goto end;
diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c
index 4069670..06e26b8 100644 (file)
--- a/lib/libssl/ssl_versions.c
+++ b/lib/libssl/ssl_versions.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.22 2022/02/05 14:54:10 jsing Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.23 2022/06/30 11:17:50 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -329,6 +329,9 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver)
                        return 0;
        }
 
+       if (!ssl_security_version(s, shared_version))
+               return 0;
+
        *max_ver = shared_version;
 
        return 1;
@@ -352,8 +355,11 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version)
            &max_tls_version))
                return 0;
 
-       return (server_tls_version >= min_tls_version &&
-           server_tls_version <= max_tls_version);
+       if (server_tls_version < min_tls_version ||
+           server_tls_version > max_tls_version)
+               return 0;
+
+       return ssl_security_version(s, server_tls_version);
 }
 
 int
OpenBSD src
by Ahmet Artu Yildirim