From 1927d7790dff19472852783a67316f330febbddb Mon Sep 17 00:00:00 2001 From: jsing Date: Thu, 11 Mar 2021 17:14:46 +0000 Subject: [PATCH] Remove ssl_downgrade_max_version(). Now that we store our maximum TLS version at the start of the handshake, we can check against that directly. ok inoguchi@ tb@ --- lib/libssl/ssl_ciphers.c | 9 ++++----- lib/libssl/ssl_clnt.c | 11 ++++------- lib/libssl/ssl_locl.h | 3 +-- lib/libssl/ssl_srvr.c | 12 +++++------- lib/libssl/ssl_versions.c | 34 +--------------------------------- 5 files changed, 15 insertions(+), 54 deletions(-) diff --git a/lib/libssl/ssl_ciphers.c b/lib/libssl/ssl_ciphers.c index 85c60b1abb0..4e4a0d93a4a 100644 --- a/lib/libssl/ssl_ciphers.c +++ b/lib/libssl/ssl_ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.10 2021/02/25 17:06:05 jsing Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.11 2021/03/11 17:14:46 jsing Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan * Copyright (c) 2015-2018, 2020 Joel Sing @@ -93,7 +93,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) { STACK_OF(SSL_CIPHER) *ciphers = NULL; const SSL_CIPHER *cipher; - uint16_t cipher_value, max_version; + uint16_t cipher_value; unsigned long cipher_id; S3I(s)->send_connection_binding = 0; @@ -134,9 +134,8 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) * Fail if the current version is an unexpected * downgrade. */ - if (!ssl_downgrade_max_version(s, &max_version)) - goto err; - if (s->version < max_version) { + if (S3I(s)->hs.negotiated_tls_version < + S3I(s)->hs.our_max_tls_version) { SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INAPPROPRIATE_FALLBACK); diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 97418f1ac74..06941530c6e 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.85 2021/03/10 18:27:01 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.86 2021/03/11 17:14:46 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -859,7 +859,6 @@ ssl3_get_server_hello(SSL *s) { CBS cbs, server_random, session_id; uint16_t server_version, cipher_suite; - uint16_t max_version; uint8_t compression_method; const SSL_CIPHER *cipher; const SSL_METHOD *method; @@ -930,10 +929,8 @@ ssl3_get_server_hello(SSL *s) sizeof(s->s3->server_random), NULL)) goto err; - if (!ssl_downgrade_max_version(s, &max_version)) - goto err; - if (!SSL_is_dtls(s) && max_version >= TLS1_2_VERSION && - s->version < max_version) { + if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && + S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { /* * RFC 8446 section 4.1.3. We must not downgrade if the server * random value contains the TLS 1.2 or TLS 1.1 magical value. @@ -941,7 +938,7 @@ ssl3_get_server_hello(SSL *s) if (!CBS_skip(&server_random, CBS_len(&server_random) - sizeof(tls13_downgrade_12))) goto err; - if (s->version == TLS1_2_VERSION && + if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION && CBS_mem_equal(&server_random, tls13_downgrade_12, sizeof(tls13_downgrade_12))) { al = SSL_AD_ILLEGAL_PARAMETER; diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index 6f66a8932e7..fed14b4b196 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.325 2021/03/10 18:27:01 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.326 2021/03/11 17:14:47 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1131,7 +1131,6 @@ int ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); int ssl_supported_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver); uint16_t ssl_tls_version(uint16_t version); uint16_t ssl_effective_tls_version(SSL *s); -int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver); int ssl_max_supported_version(SSL *s, uint16_t *max_ver); int ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver); int ssl_check_version_from_server(SSL *s, uint16_t server_version); diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 373a20d61b4..19fedde87ab 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.96 2021/03/10 18:27:02 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.97 2021/03/11 17:14:47 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -799,7 +799,7 @@ ssl3_get_client_hello(SSL *s) STACK_OF(SSL_CIPHER) *ciphers = NULL; unsigned long alg_k; const SSL_METHOD *method; - uint16_t max_version, shared_version; + uint16_t shared_version; /* * We do this so that we will respond with our native type. @@ -850,8 +850,6 @@ ssl3_get_client_hello(SSL *s) * Use version from inside client hello, not from record header. * (may differ: see RFC 2246, Appendix E, second paragraph) */ - if (!ssl_downgrade_max_version(s, &max_version)) - goto err; if (!ssl_max_shared_version(s, client_version, &shared_version)) { if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && !tls12_record_layer_write_protected(s->internal->rl)) { @@ -1051,8 +1049,8 @@ ssl3_get_client_hello(SSL *s) */ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); - if (!SSL_is_dtls(s) && max_version >= TLS1_2_VERSION && - s->version < max_version) { + if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && + S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { /* * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 * we must set the last 8 bytes of the server random to magical @@ -1061,7 +1059,7 @@ ssl3_get_client_hello(SSL *s) */ size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12); uint8_t *magic = &s->s3->server_random[index]; - if (s->version == TLS1_2_VERSION) { + if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION) { /* Indicate we chose to downgrade to 1.2. */ memcpy(magic, tls13_downgrade_12, sizeof(tls13_downgrade_12)); diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c index 37957fd0ab4..45e468f0d8b 100644 --- a/lib/libssl/ssl_versions.c +++ b/lib/libssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.14 2021/03/10 18:27:02 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.15 2021/03/11 17:14:47 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -251,38 +251,6 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) return 1; } -int -ssl_downgrade_max_version(SSL *s, uint16_t *max_ver) -{ - uint16_t min_version, max_version; - - /* - * The downgrade maximum version is based on the versions that are - * enabled, however we also have to then limit to the versions - * supported by the method. The SSL method will be changed during - * version negotiation and when switching from the new stack to - * the legacy context, as such we want to use the method from the - * context. - */ - - if (SSL_is_dtls(s)) { - *max_ver = DTLS1_VERSION; - return 1; - } - - if (!ssl_enabled_tls_version_range(s, &min_version, &max_version)) - return 0; - - if (!ssl_clamp_tls_version_range(&min_version, &max_version, - s->ctx->method->internal->min_tls_version, - s->ctx->method->internal->max_tls_version)) - return 0; - - *max_ver = max_version; - - return 1; -} - int ssl_check_version_from_server(SSL *s, uint16_t server_version) { -- 2.20.1