diff options
author | David Benjamin <davidben@google.com> | 2016-09-21 23:53:09 +0300 |
---|---|---|
committer | CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> | 2016-09-22 00:41:49 +0300 |
commit | e34bcc91c07c0bf65ecc53a814d51f5246007150 (patch) | |
tree | 267d2b289a5d347ab906a417b9175cec7fd6f1c5 | |
parent | c8b6b4fe4afbcd31b61007b1288de380c7f51b4c (diff) |
Support default versions with set_{min,max}_proto_version.
Upstream makes 0 mean "min/max supported version". Match that behavior,
although call it "default" instead. It shouldn't get you TLS 1.3 until
we're ready to turn it on everywhere.
BUG=90
Change-Id: I9f122fceb701b7d4de2ff70afbc1ffdf370cb97e
Reviewed-on: https://boringssl-review.googlesource.com/11181
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
-rw-r--r-- | include/openssl/ssl.h | 18 | ||||
-rw-r--r-- | ssl/ssl_lib.c | 45 | ||||
-rw-r--r-- | ssl/ssl_test.cc | 26 |
3 files changed, 70 insertions, 19 deletions
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index d629b8f3..8454c307 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -565,19 +565,25 @@ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl); #define TLS1_3_DRAFT_VERSION 14 /* SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to - * |version|. It returns one on success and zero if |version| is invalid. */ -OPENSSL_EXPORT int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version); + * |version|. If |version| is zero, the default minimum version is used. It + * returns one on success and zero if |version| is invalid. */ +OPENSSL_EXPORT int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, + uint16_t version); /* SSL_CTX_set_max_proto_version sets the maximum protocol version for |ctx| to - * |version|. It returns one on success and zero if |version| is invalid. */ -OPENSSL_EXPORT int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version); + * |version|. If |version| is zero, the default maximum version is used. It + * returns one on success and zero if |version| is invalid. */ +OPENSSL_EXPORT int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, + uint16_t version); /* SSL_set_min_proto_version sets the minimum protocol version for |ssl| to - * |version|. It returns one on success and zero if |version| is invalid. */ + * |version|. If |version| is zero, the default minimum version is used. It + * returns one on success and zero if |version| is invalid. */ OPENSSL_EXPORT int SSL_set_min_proto_version(SSL *ssl, uint16_t version); /* SSL_set_max_proto_version sets the maximum protocol version for |ssl| to - * |version|. It returns one on success and zero if |version| is invalid. */ + * |version|. If |version| is zero, the default maximum version is used. It + * returns one on success and zero if |version| is invalid. */ OPENSSL_EXPORT int SSL_set_max_proto_version(SSL *ssl, uint16_t version); /* SSL_version returns the TLS or DTLS protocol version used by |ssl|, which is diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 82325322..6ec7d257 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -305,17 +305,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) { ret->options |= SSL_OP_NO_TICKET; } - ret->min_version = ret->method->min_version; - ret->max_version = ret->method->max_version; - /* Lock the SSL_CTX to the specified version, for compatibility with legacy * uses of SSL_METHOD. */ - if (method->version != 0) { - SSL_CTX_set_max_proto_version(ret, method->version); - SSL_CTX_set_min_proto_version(ret, method->version); - } else if (!method->method->is_dtls) { - /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */ - SSL_CTX_set_max_proto_version(ret, TLS1_2_VERSION); + if (!SSL_CTX_set_max_proto_version(ret, method->version) || + !SSL_CTX_set_min_proto_version(ret, method->version)) { + OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); + goto err2; } return ret; @@ -949,20 +944,44 @@ int SSL_get_error(const SSL *ssl, int ret_code) { return SSL_ERROR_SYSCALL; } +static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, + uint16_t version) { + if (version == 0) { + *out = method->min_version; + return 1; + } + + return method->version_from_wire(out, version); +} + +static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, + uint16_t version) { + if (version == 0) { + *out = method->max_version; + /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */ + if (*out > TLS1_2_VERSION) { + *out = TLS1_2_VERSION; + } + return 1; + } + + return method->version_from_wire(out, version); +} + int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { - return ctx->method->version_from_wire(&ctx->min_version, version); + return set_min_version(ctx->method, &ctx->min_version, version); } int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { - return ctx->method->version_from_wire(&ctx->max_version, version); + return set_max_version(ctx->method, &ctx->max_version, version); } int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { - return ssl->method->version_from_wire(&ssl->min_version, version); + return set_min_version(ssl->method, &ssl->min_version, version); } int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { - return ssl->method->version_from_wire(&ssl->max_version, version); + return set_max_version(ssl->method, &ssl->max_version, version); } uint32_t SSL_CTX_set_options(SSL_CTX *ctx, uint32_t options) { diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index a90e9935..48dbbac4 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc @@ -2106,6 +2106,19 @@ static bool TestSetVersion() { return false; } + if (!SSL_CTX_set_max_proto_version(ctx.get(), 0) || + !SSL_CTX_set_min_proto_version(ctx.get(), 0)) { + fprintf(stderr, "Could not set default TLS version.\n"); + return false; + } + + if (ctx->min_version != SSL3_VERSION || + ctx->max_version != TLS1_2_VERSION) { + fprintf(stderr, "Default TLS versions were incorrect (%04x and %04x).\n", + ctx->min_version, ctx->max_version); + return false; + } + ctx.reset(SSL_CTX_new(DTLS_method())); if (!ctx) { return false; @@ -2131,6 +2144,19 @@ static bool TestSetVersion() { return false; } + if (!SSL_CTX_set_max_proto_version(ctx.get(), 0) || + !SSL_CTX_set_min_proto_version(ctx.get(), 0)) { + fprintf(stderr, "Could not set default DTLS version.\n"); + return false; + } + + if (ctx->min_version != TLS1_1_VERSION || + ctx->max_version != TLS1_2_VERSION) { + fprintf(stderr, "Default DTLS versions were incorrect (%04x and %04x).\n", + ctx->min_version, ctx->max_version); + return false; + } + return true; } |