Additional TLS min/max version sanity checks#3422
Additional TLS min/max version sanity checks#3422kaduk wants to merge 2 commits intoopenssl:masterfrom
Conversation
|
Is there a reason not to move this in ssl_set_version_bound() itself? It would also cover the ssl_conf case. |
|
Oh, I guess you need to know the max version. |
|
Well, we could change the prototype of ssl_set_version_bound(), since it's just an internal helper. |
ssl/ssl_lib.c
Outdated
There was a problem hiding this comment.
Please add some minimal comment at least documenting the return value.
ssl/ssl_lib.c
Outdated
There was a problem hiding this comment.
I prefer that nothing is modified in the error case, and so that you first call ssl_check_allowed_versions().
|
Should we check that a version between min and max is enabled? |
I thought (briefly) about it, and my first reaction was that it would be a lot of complexity, especially since we have to handle the case where one or the other is 0/any. But I could put something together if you think it's worthwhile. |
|
I don't think there is much point in making it more complex. |
|
Modified version force-pushed, to comment ssl_check_allowed_versions() and put the calls to it before anything is written to, per @kroeckx review |
ssl/ssl_lib.c
Outdated
There was a problem hiding this comment.
You need to pass larg here instead of the old value.
There was a problem hiding this comment.
Whoops, worrying too hard about efficient editor use and not enough about reading the logic. Thanks for spotting it.
|
Anyone want to be a second reviewer here? |
ssl/ssl_lib.c
Outdated
There was a problem hiding this comment.
Is this good enough? What if min_version != max_version but both are disabled (and all versions in between)?
There was a problem hiding this comment.
I actually asked the same question. It would get a complex function, and I don't see an easy way to reuse the existing functions.
This is just a case of giving an error earlier, they'd get an error later anyway.
There was a problem hiding this comment.
It's a tradeoff between comprehensiveness of check and complexity of code. Handling the case where one or the other is zero gets kind of awkward. (Kurt had asked a similar question.) But let me know if you want me to put something together.
There was a problem hiding this comment.
I'm not really convinced it needs to be that complicated. Check if max_version is 0 at the beginning and if so set it to TLS1_3_VERSION. Check if min_version is 0 at the beginning and if so set it to SSL3_VERSION. Then a series of checks like this:
#ifdef OPENSSL_NO_TLS1_3
if (max_version == TLS1_3_VERSION)
max_version = TLS1_2_VERSION;
#endif
#ifdef OPENSSL_NO_TLS1_2
if (max_version == TLS1_2_VERSION)
max_version = TLS1_1_VERSION;
#endif
...and so on...
#ifdef OPENSSL_NO_SSL3
if (max_version == SSL3_VERSION)
max_version = 0;
#endif
if (max_version < min_version)
return 0;
return 1;
There was a problem hiding this comment.
Although, thinking about it you need to cope with DTLS too which this PR doesn't at the moment.
|
@kaduk: Care to address Matt's comment? At least the part about DTLS. |
|
Yes, I'll work on an update. |
|
ping @kaduk for update (and no second reviewer needed now:) |
|
I got distracted fixing some issues I noticed while reviewing the "allow ciphersuites to change on resumption" change, sorry. |
If the result of a SSL_{CTX_,}set_{min,max}_proto_version() call
leaves the min and max version identical, and support for that version
is compiled out of the library, return an error. Such an object has
no hope of successfully completing a handshake, and this error may
be easier to decipher than the resulting handshake failure.
So let that succeed.
|
I think I have to detect whether we're doing DTLS or TLS and have separate checking logic for the two cases. |
|
Yes, default to DTLS1_VERSION not DTLS1_BAD_VER. DTLS1_BAD_VER will only ever be used where it is known in advance that that's exactly what we're going to use — hence being used for max and min simultaneously. We never do in-band negotiation and settle on DTLS1_BAD_VER. As long as bad_dtls_test is working, I think we're fine there. It's basically the only use case. |
|
@kroeckx this is more like a re-review than a reconfirm at this point, if you're interested. |
|
+1 from me. |
If the result of a SSL_{CTX_,}set_{min,max}_proto_version() call
leaves the min and max version identical, and support for that version
is compiled out of the library, return an error. Such an object has
no hope of successfully completing a handshake, and this error may
be easier to decipher than the resulting handshake failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from #3422)
|
c8feba7 on master. |
If the result of a SSL_{CTX_,}set_{min,max}_proto_version() call
leaves the min and max version identical, and support for that version
is compiled out of the library, return an error. Such an object has
no hope of successfully completing a handshake, and this error may
be easier to decipher than the resulting handshake failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#3422)
(cherry picked from commit c8feba7)
Updated the cherry-pick to not reference TLS1_3_VERSION, which does
not exist on this branch.
If the application sets an identical minimum and maximum supported protocol version on an SSL/SSL_CTX, but support for that version was disabled at configure-time, there is no chance of a handshake succeeding; we should error out immediately.
(A previous version of this patchset that errored out when only one of the min/max was an unsupported version failed
make test, in one of the configurations that does an exhaustive cross product of the version matrix.)