Skip to content

Commit

Permalink
QUIC SSL: Version setting restrictions
Browse files Browse the repository at this point in the history 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from #20061)
  • Loading branch information
@hlandau @paulidale
hlandau authored and paulidale committed Jul 4, 2023
1 parent 38c0ff1 commit 0eecf84
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 6 deletions.
26 changes: 20 additions & 6 deletions ssl/ssl_lib.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -425,7 +425,8 @@ static int dane_tlsa_add(SSL_DANE *dane,
* Return 0 if there is only one version configured and it was disabled
* at configure time. Return 1 otherwise.
*/
static int ssl_check_allowed_versions(int min_version, int max_version)
static int ssl_check_allowed_versions(int min_version, int max_version,
int is_quic)
{
int minisdtls = 0, maxisdtls = 0;

Expand Down Expand Up @@ -473,7 +474,7 @@ static int ssl_check_allowed_versions(int min_version, int max_version)
} else {
/* Regular TLS version checks. */
if (min_version == 0)
min_version = SSL3_VERSION;
min_version = is_quic ? TLS1_3_VERSION : SSL3_VERSION;
if (max_version == 0)
max_version = TLS1_3_VERSION;
#ifdef OPENSSL_NO_TLS1_3
Expand Down Expand Up @@ -757,6 +758,15 @@ SSL *ossl_ssl_connection_new_int(SSL_CTX *ctx, const SSL_METHOD *method)
s->min_proto_version = ctx->min_proto_version;
s->max_proto_version = ctx->max_proto_version;
}

s->min_proto_version = ctx->min_proto_version;
if (IS_QUIC_CTX(ctx) && s->min_proto_version < TLS1_3_VERSION)
s->min_proto_version = TLS1_3_VERSION;

s->max_proto_version = ctx->max_proto_version;
if (IS_QUIC_CTX(ctx) && s->max_proto_version < TLS1_3_VERSION)
s->max_proto_version = 0;

s->mode = ctx->mode;
s->max_cert_list = ctx->max_cert_list;

Expand Down Expand Up @@ -2980,13 +2990,17 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
else
return 0;
case SSL_CTRL_SET_MIN_PROTO_VERSION:
return ssl_check_allowed_versions(larg, sc->max_proto_version)
return ssl_check_allowed_versions(larg, sc->max_proto_version,
IS_QUIC_SSL(s))
&& ssl_set_version_bound(s->defltmeth->version, (int)larg,
&sc->min_proto_version);
case SSL_CTRL_GET_MIN_PROTO_VERSION:
return sc->min_proto_version;
case SSL_CTRL_SET_MAX_PROTO_VERSION:
return ssl_check_allowed_versions(sc->min_proto_version, larg)
if (IS_QUIC_SSL(s) && larg < TLS1_3_VERSION)
return 0;
return ssl_check_allowed_versions(sc->min_proto_version, larg,
IS_QUIC_SSL(s))
&& ssl_set_version_bound(s->defltmeth->version, (int)larg,
&sc->max_proto_version);
case SSL_CTRL_GET_MAX_PROTO_VERSION:
Expand Down Expand Up @@ -3119,13 +3133,13 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
case SSL_CTRL_CLEAR_CERT_FLAGS:
return (ctx->cert->cert_flags &= ~larg);
case SSL_CTRL_SET_MIN_PROTO_VERSION:
return ssl_check_allowed_versions(larg, ctx->max_proto_version)
return ssl_check_allowed_versions(larg, ctx->max_proto_version, 0)
&& ssl_set_version_bound(ctx->method->version, (int)larg,
&ctx->min_proto_version);
case SSL_CTRL_GET_MIN_PROTO_VERSION:
return ctx->min_proto_version;
case SSL_CTRL_SET_MAX_PROTO_VERSION:
return ssl_check_allowed_versions(ctx->min_proto_version, larg)
return ssl_check_allowed_versions(ctx->min_proto_version, larg, 0)
&& ssl_set_version_bound(ctx->method->version, (int)larg,
&ctx->max_proto_version);
case SSL_CTRL_GET_MAX_PROTO_VERSION:
Expand Down
5 changes: 5 additions & 0 deletions test/quicapitest.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -500,6 +500,11 @@ static int test_quic_forbidden_options(void)
|| !TEST_false(SSL_set_max_pipelines(ssl, 2)))
goto err;

/* Protocol Version */
if (!TEST_false(SSL_set_max_proto_version(ssl, TLS1_2_VERSION))
|| !TEST_true(SSL_set_max_proto_version(ssl, TLS1_3_VERSION)))
goto err;

/* HRR */
if (!TEST_false(SSL_stateless(ssl)))
goto err;
Expand Down

0 comments on commit 0eecf84

Please sign in to comment.