From b81375cc4fbad88a54ed47f4efafc0802c58445f Mon Sep 17 00:00:00 2001 From: jsing Date: Sun, 7 Feb 2021 15:04:10 +0000 Subject: [PATCH] Factor out the legacy stack version checks. Also check for explicit version numbers, rather than just the major version value. ok tb@ --- lib/libssl/ssl_clnt.c | 18 +++++------------- lib/libssl/ssl_locl.h | 3 ++- lib/libssl/ssl_srvr.c | 19 ++++++------------- lib/libssl/ssl_versions.c | 12 +++++++++++- 4 files changed, 24 insertions(+), 28 deletions(-) diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 4a6e8b06a8a..25164ea012a 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.76 2020/10/14 16:57:33 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.77 2021/02/07 15:04:10 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -212,18 +212,10 @@ ssl3_connect(SSL *s) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); - if (SSL_is_dtls(s)) { - if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - } else { - if ((s->version & 0xff00) != 0x0300) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } + if (!ssl_legacy_stack_version(s, s->version)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; } /* s->version=SSL3_VERSION; */ diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h index d5298d7af17..b56a99bb798 100644 --- a/lib/libssl/ssl_locl.h +++ b/lib/libssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.318 2021/01/28 17:00:39 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.319 2021/02/07 15:04:10 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1115,6 +1115,7 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, uint16_t *out_ver); int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver); +int ssl_legacy_stack_version(SSL *s, uint16_t version); int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher); int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, uint16_t max_ver); diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index 3551ee41ee0..15768bb5650 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.90 2021/01/26 14:22:20 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.91 2021/02/07 15:04:10 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -213,19 +213,12 @@ ssl3_accept(SSL *s) if (cb != NULL) cb(s, SSL_CB_HANDSHAKE_START, 1); - if (SSL_is_dtls(s)) { - if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - } else { - if ((s->version >> 8) != 3) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } + if (!ssl_legacy_stack_version(s, s->version)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; } + s->internal->type = SSL_ST_ACCEPT; if (!ssl3_setup_init_buffer(s)) { diff --git a/lib/libssl/ssl_versions.c b/lib/libssl/ssl_versions.c index c5de9d0cde7..83d0d06af50 100644 --- a/lib/libssl/ssl_versions.c +++ b/lib/libssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.8 2021/01/04 19:19:12 tb Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.9 2021/02/07 15:04:10 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -231,3 +231,13 @@ ssl_downgrade_max_version(SSL *s, uint16_t *max_ver) return 1; } + +int +ssl_legacy_stack_version(SSL *s, uint16_t version) +{ + if (SSL_is_dtls(s)) + return version == DTLS1_VERSION; + + return version == TLS1_VERSION || version == TLS1_1_VERSION || + version == TLS1_2_VERSION; +} -- 2.20.1