GitList

Browse code

Warn if tls-version-max < tls-version-min

This adds warnings for when a user or our code tries to set a maximum
TLS version that's smaller then the current configured minimum TLS
version.

(And fixes some related whitespace now I touch it anyway.)

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20180224170449.25194-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16545.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2018/02/25 02:04:49
Showing 3 changed files

src/openvpn/cryptoapi.c index 1097286..28f217f 100644
src/openvpn/openssl_compat.h index 8ef8664..d375fab 100644
src/openvpn/options.c index 95fb4de..41a42cf 100644

src/openvpn/cryptoapi.c

History View file @ f8a92a4

@@ -610,12 +610,18 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
                          if ((!max_version || max_version > TLS1_1_VERSION)
                              && cd->key_spec != CERT_NCRYPT_KEY_SPEC)
+                         {
                     -        msg(M_WARN,"WARNING: cryptoapicert: private key is in a legacy store."
                     +        msg(M_WARN, "WARNING: cryptoapicert: private key is in a legacy store."
                                  " Restricting TLS version to 1.1");
                     +        if (SSL_CTX_get_min_proto_version(ssl_ctx) > TLS1_1_VERSION)
                     +        {
                     +            msg(M_NONFATAL,
                     +                "ERROR: cryptoapicert: min TLS version larger than 1.1."
                     +                " Try config option --tls-version-min 1.1");
                     +            goto err;
                     +        }
                              if (!SSL_CTX_set_max_proto_version(ssl_ctx, TLS1_1_VERSION))
+                             {
                     -            msg(M_NONFATAL,"ERROR: cryptoapicert: unable to set max TLS version"
                     -                " to 1.1. Try config option --tls-version-min 1.1");
                     +            msg(M_NONFATAL, "ERROR: cryptoapicert: set max TLS version failed");
                                  goto err;
+                             }
+                         }

src/openvpn/openssl_compat.h

History View file @ f8a92a4

@@ -662,10 +662,24 @@ EC_GROUP_order_bits(const EC_GROUP *group)
 #endif
 
 #ifndef SSL_CTX_get_min_proto_version
-/** Dummy SSL_CTX_get_min_proto_version for OpenSSL < 1.1 (not really needed) */
+/** Return the min SSL protocol version currently enabled in the context.
+ *  If no valid version >= TLS1.0 is found, return 0. */
 static inline int
 SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
 {
+    long sslopt = SSL_CTX_get_options(ctx);
+    if (!(sslopt & SSL_OP_NO_TLSv1))
+    {
+        return TLS1_VERSION;
+    }
+    if (!(sslopt & SSL_OP_NO_TLSv1_1))
+    {
+        return TLS1_1_VERSION;
+    }
+    if (!(sslopt & SSL_OP_NO_TLSv1_2))
+    {
+        return TLS1_2_VERSION;
+    }
     return 0;
 }
 #endif /* SSL_CTX_get_min_proto_version */
@@ -679,15 +693,15 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
     long sslopt = SSL_CTX_get_options(ctx);
     if (!(sslopt & SSL_OP_NO_TLSv1_2))
     {
-	return TLS1_2_VERSION;
+        return TLS1_2_VERSION;
     }
     if (!(sslopt & SSL_OP_NO_TLSv1_1))
     {
-	return TLS1_1_VERSION;
+        return TLS1_1_VERSION;
     }
     if (!(sslopt & SSL_OP_NO_TLSv1))
     {
-	return TLS1_VERSION;
+        return TLS1_VERSION;
     }
     return 0;
 }

src/openvpn/options.c

History View file @ f8a92a4

@@ -2522,6 +2522,18 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
                                  "in the configuration file, which is the recommended approach.");
+                         }
                     +    const int tls_version_max =
                     +        (options->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT)
                     +        & SSLF_TLS_VERSION_MAX_MASK;
                     +    const int tls_version_min =
                     +        (options->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT)
                     +        & SSLF_TLS_VERSION_MIN_MASK;
+                    +
                     +    if (tls_version_max > 0 && tls_version_max < tls_version_min)
                     +    {
                     +        msg(M_USAGE, "--tls-version-min bigger than --tls-version-max");
                     +    }
+                    +
                          if (options->tls_server || options->tls_client)
+                         {
                      #ifdef ENABLE_PKCS11

...	...	@@ -662,10 +662,24 @@ EC_GROUP_order_bits(const EC_GROUP *group)
662	662	#endif
663	663
664	664	#ifndef SSL_CTX_get_min_proto_version
665		-/** Dummy SSL_CTX_get_min_proto_version for OpenSSL < 1.1 (not really needed) */
	665	+/** Return the min SSL protocol version currently enabled in the context.
	666	+ * If no valid version >= TLS1.0 is found, return 0. */
666	667	static inline int
667	668	SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
668	669	{
	670	+ long sslopt = SSL_CTX_get_options(ctx);
	671	+ if (!(sslopt & SSL_OP_NO_TLSv1))
	672	+ {
	673	+ return TLS1_VERSION;
	674	+ }
	675	+ if (!(sslopt & SSL_OP_NO_TLSv1_1))
	676	+ {
	677	+ return TLS1_1_VERSION;
	678	+ }
	679	+ if (!(sslopt & SSL_OP_NO_TLSv1_2))
	680	+ {
	681	+ return TLS1_2_VERSION;
	682	+ }
669	683	return 0;
670	684	}
671	685	#endif /* SSL_CTX_get_min_proto_version */
...	...	@@ -679,15 +693,15 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx)
679	679	long sslopt = SSL_CTX_get_options(ctx);
680	680	if (!(sslopt & SSL_OP_NO_TLSv1_2))
681	681	{
682		- return TLS1_2_VERSION;
	682	+ return TLS1_2_VERSION;
683	683	}
684	684	if (!(sslopt & SSL_OP_NO_TLSv1_1))
685	685	{
686		- return TLS1_1_VERSION;
	686	+ return TLS1_1_VERSION;
687	687	}
688	688	if (!(sslopt & SSL_OP_NO_TLSv1))
689	689	{
690		- return TLS1_VERSION;
	690	+ return TLS1_VERSION;
691	691	}
692	692	return 0;
693	693	}