Factor out the legacy stack version checks.
authorjsing <jsing@openbsd.org>
Sun, 7 Feb 2021 15:04:10 +0000 (15:04 +0000)
committerjsing <jsing@openbsd.org>
Sun, 7 Feb 2021 15:04:10 +0000 (15:04 +0000)
Also check for explicit version numbers, rather than just the major version
value.

ok tb@

lib/libssl/ssl_clnt.c
lib/libssl/ssl_locl.h
lib/libssl/ssl_srvr.c
lib/libssl/ssl_versions.c

index 4a6e8b0..25164ea 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.76 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.77 2021/02/07 15:04:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -212,18 +212,10 @@ ssl3_connect(SSL *s)
                        if (cb != NULL)
                                cb(s, SSL_CB_HANDSHAKE_START, 1);
 
-                       if (SSL_is_dtls(s)) {
-                               if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
-                                       SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                       ret = -1;
-                                       goto end;
-                               }
-                       } else {
-                               if ((s->version & 0xff00) != 0x0300) {
-                                       SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                       ret = -1;
-                                       goto end;
-                               }
+                       if (!ssl_legacy_stack_version(s, s->version)) {
+                               SSLerror(s, ERR_R_INTERNAL_ERROR);
+                               ret = -1;
+                               goto end;
                        }
 
                        /* s->version=SSL3_VERSION; */
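Review bot: The new call `if (!ssl_legacy_stack_version(s, s->version))` is stricter than the test it replaces: the removed `(s->version & 0xff00) != 0x0300` accepted any 0x03xx value, including SSL3_VERSION (0x0300) and TLS1_3_VERSION (0x0304), whereas the helper accepts only TLS 1.0–1.2. That narrowing looks intentional (those versions are not served by this handshake code) but is not visible at the call site, so a one-line comment would help, e.g. `/* Only TLSv1.0-1.2 and DTLSv1 are handled by the legacy stack. */`. The stale commented-out `/* s->version=SSL3_VERSION; */` on the line after the check is now misleading as well and could be dropped. ssl3_connect's body begins and ends outside the hunk.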
index d5298d7..b56a99b 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.318 2021/01/28 17:00:39 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.319 2021/02/07 15:04:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1115,6 +1115,7 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver,
 int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver,
     uint16_t *out_ver);
 int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver);
+int ssl_legacy_stack_version(SSL *s, uint16_t version);
 int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher);
 int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher,
     uint16_t min_ver, uint16_t max_ver);
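Review bot: The new prototype `int ssl_legacy_stack_version(SSL *s, uint16_t version);` takes a mutable `SSL *` although the definition only reads it via SSL_is_dtls(); if SSL_is_dtls() is declared with a `const SSL *` in this tree, declaring the parameter as `const SSL *s` would document that the check has no side effects on the connection. A short comment above the declaration stating what it answers would also help readers of the header, e.g. `/* Non-zero if version is a TLS/DTLS version handled by the legacy (pre-TLSv1.3) stack. */`.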
index 3551ee4..15768bb 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.90 2021/01/26 14:22:20 jsing Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.91 2021/02/07 15:04:10 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -213,19 +213,12 @@ ssl3_accept(SSL *s)
                        if (cb != NULL)
                                cb(s, SSL_CB_HANDSHAKE_START, 1);
 
-                       if (SSL_is_dtls(s)) {
-                               if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) {
-                                       SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                       ret = -1;
-                                       goto end;
-                               }
-                       } else {
-                               if ((s->version >> 8) != 3) {
-                                       SSLerror(s, ERR_R_INTERNAL_ERROR);
-                                       ret = -1;
-                                       goto end;
-                               }
+                       if (!ssl_legacy_stack_version(s, s->version)) {
+                               SSLerror(s, ERR_R_INTERNAL_ERROR);
+                               ret = -1;
+                               goto end;
                        }
+
                        s->internal->type = SSL_ST_ACCEPT;
 
                        if (!ssl3_setup_init_buffer(s)) {
index c5de9d0..83d0d06 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_versions.c,v 1.8 2021/01/04 19:19:12 tb Exp $ */
+/* $OpenBSD: ssl_versions.c,v 1.9 2021/02/07 15:04:10 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -231,3 +231,13 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver)
 
        return 1;
 }
+
+int
+ssl_legacy_stack_version(SSL *s, uint16_t version)
+{
+       if (SSL_is_dtls(s))
+               return version == DTLS1_VERSION;
+
+       return version == TLS1_VERSION || version == TLS1_1_VERSION ||
+           version == TLS1_2_VERSION;
+}
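Review bot: ssl_legacy_stack_version() is undocumented, and its two hard-coded lists are the only place that defines which versions the pre-TLSv1.3 handshake code accepts, so a header comment is worth adding: describe it as returning non-zero when `version` is one the legacy stack implements, note that SSL3_VERSION and TLS1_3_VERSION are deliberately excluded, and flag that the DTLS branch currently admits only DTLS1_VERSION and must be extended if DTLS 1.2 support is ever added. Since the function only calls SSL_is_dtls() on `s`, `const SSL *s` would be the more accurate parameter type, assuming SSL_is_dtls() accepts a const pointer in this tree. Returning `version == DTLS1_VERSION` directly is fine, but the comparison results are implicit ints; an explicit `return (... ) ? 1 : 0;` is not needed, just worth being consistent with the rest of ssl_versions.c.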