From 6a16e2b38b4c2329e78053486be431a1ce8bddf5 Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 2 Aug 2024 15:00:01 +0000
Subject: [PATCH] libtls: fix legacy protocol parsing

Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the accompanying regress tests. The protocol string all:tlsv1.0 would disable TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all protocols. It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable the two supported protocols TLSv1.3 and TLSv1.2. Restore the defines to their original values and adjust the parsing code to set/unset them.

Issue reported by Kenjiro Nakayama

Fixes https://github.com/libressl/openbsd/issues/151

with/ok jsing
---
 lib/libtls/tls.h | 6 +++---
 lib/libtls/tls_config.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 67804d7cd83..6b36886dc37 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.66 2024/03/27 07:35:30 joshua Exp $ */
+/* $OpenBSD: tls.h,v 1.67 2024/08/02 15:00:01 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -33,8 +33,8 @@ extern "C" {
  * Deprecated versions of TLS. Using these effectively selects
  * the minimum supported version.
  */
-#define TLS_PROTOCOL_TLSv1_0 (1 << 3)
-#define TLS_PROTOCOL_TLSv1_1 (1 << 3)
+#define TLS_PROTOCOL_TLSv1_0 (1 << 1)
+#define TLS_PROTOCOL_TLSv1_1 (1 << 2)
 /* Supported versions of TLS */
 #define TLS_PROTOCOL_TLSv1_2 (1 << 3)
 #define TLS_PROTOCOL_TLSv1_3 (1 << 4)
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 10dc5003cbc..22fa8455a19 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
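Review bot: The comment kept as context directly above the restored defines, `Using these effectively selects the minimum supported version`, no longer describes what the values do: per the commit message, selecting TLSv1.0 or TLSv1.1 now enables nothing, and the distinct bits exist so that a negation such as `all:!tlsv1.1` can still be parsed. That wording was accurate while both macros aliased TLS_PROTOCOL_TLSv1_2 and will now mislead anyone reading tls.h, including callers of tls_config_set_protocols(). I would replace the two comment lines with ` * Deprecated versions of TLS. These are no longer supported: setting them` / ` * enables nothing, but they may still be negated in protocol strings.` Whether tls_configure() masks these bits out or rejects a protocol set containing only them is not visible in this hunk and is worth confirming, since a caller that passes TLS_PROTOCOL_TLSv1_0 directly now hands the library a bit that no longer maps to any supported version.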
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.70 2024/03/28 06:55:02 joshua Exp $ */
+/* $OpenBSD: tls_config.c,v 1.71 2024/08/02 15:00:01 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -261,9 +261,9 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 		if (strcasecmp(p, "tlsv1") == 0)
 			proto = TLS_PROTOCOL_TLSv1;
 		else if (strcasecmp(p, "tlsv1.0") == 0)
-			proto = TLS_PROTOCOL_TLSv1_2;
+			proto = TLS_PROTOCOL_TLSv1_0;
 		else if (strcasecmp(p, "tlsv1.1") == 0)
-			proto = TLS_PROTOCOL_TLSv1_2;
+			proto = TLS_PROTOCOL_TLSv1_1;
 		else if (strcasecmp(p, "tlsv1.2") == 0)
 			proto = TLS_PROTOCOL_TLSv1_2;
 		else if (strcasecmp(p, "tlsv1.3") == 0)
-- 
2.20.1
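Review bot: The `tlsv1.0` and `tlsv1.1` branches now assign bits that enable no supported protocol, but nothing at this point in the parser says so, and a reader will naturally assume they select the legacy versions. A short comment above the `tlsv1.0` branch would capture the intent recorded in the commit message, e.g. `/* TLSv1.0/1.1 are unsupported: their bits enable nothing, but must parse so "!tlsv1.x" negation still works. */`. The enclosing function tls_config_parse_protocols() begins before this hunk, and the code that folds `proto` into `*protocols` (including the `!` handling) is outside this view, so I cannot confirm from here that a bare `tlsv1.1` string yields an empty set that is later rejected rather than silently accepted; that path deserves a regress case if one is not already in the accompanying tests.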