tls: remove checks for DEFAULT

Since 9d8998c99408e1adf, the setopt code changes input DEFAULT to an
actual more specific TLS version (1.2) for the backends to use and check
for.

This means that the default value (0L) cannot and should not actually be
used when the TLS backends run. This change adds asserts to verify that
and removes code that accepts the DEFAULT value as a valid version with
the TLS version functions' logic.

Applications can still set a specific lower version if they want (1, 1.0
or 1.1).

Closes #20453

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index f4cbe88080edecc6e7a4694d325aebf18c400d6c..7c6227132603f315459918ec3bab0e92cd244671 100644 (file)
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -323,8 +323,8 @@ gnutls_set_ssl_version_min_max(struct Curl_easy *data,
   long ssl_version = conn_config->version;
   long ssl_version_max = conn_config->version_max;
 
-  if((ssl_version == CURL_SSLVERSION_DEFAULT) ||
-     (ssl_version == CURL_SSLVERSION_TLSv1))
+  DEBUGASSERT(ssl_version != CURL_SSLVERSION_DEFAULT);
+  if(ssl_version <= CURL_SSLVERSION_TLSv1)
     ssl_version = CURL_SSLVERSION_TLSv1_0;
   if((ssl_version_max == CURL_SSLVERSION_MAX_NONE) ||
      (ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT))

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index b4ef84799d7403b505cccc68489a50b24bbdbcb1..8e4912a45fd412d2313c7bc380b589b49bad07ec 100644 (file)
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -198,8 +198,8 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
 #endif
     ;
 
+  DEBUGASSERT(conn_config->version != CURL_SSLVERSION_DEFAULT);
   switch(conn_config->version) {
-  case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index ae1fe6cbb1ab15c203fb396d64d8740a47f308f5..d6996d680fb95aad581d5b1a536755e14840eb5e 100644 (file)
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3620,11 +3620,11 @@ static CURLcode ossl_init_method(struct Curl_cfilter *cf,
 
   *pmethod = NULL;
   *pssl_version_min = conn_config->version;
+  DEBUGASSERT(conn_config->version != CURL_SSLVERSION_DEFAULT);
   switch(peer->transport) {
   case TRNSPRT_TCP:
     /* check to see if we have been told to use an explicit SSL/TLS version */
     switch(*pssl_version_min) {
-    case CURL_SSLVERSION_DEFAULT:
     case CURL_SSLVERSION_TLSv1:
     case CURL_SSLVERSION_TLSv1_0:
     case CURL_SSLVERSION_TLSv1_1:
@@ -3770,13 +3770,13 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
   if(!ssl_config->enable_beast)
     ctx_options &= ~(ctx_option_t)SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
 
+  DEBUGASSERT(ssl_version_min != CURL_SSLVERSION_DEFAULT);
   switch(ssl_version_min) {
   case CURL_SSLVERSION_SSLv2:
   case CURL_SSLVERSION_SSLv3:
     return CURLE_NOT_BUILT_IN;
 
     /* "--tlsv<x.y>" options mean TLS >= version <x.y> */
-  case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:   /* TLS >= version 1.0 */
   case CURL_SSLVERSION_TLSv1_0: /* TLS >= version 1.0 */
   case CURL_SSLVERSION_TLSv1_1: /* TLS >= version 1.1 */

diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c
index 79c8146b0d37151f84ce43c74070917182219825..a326aae87795f10cdcc939443e4862aefcf8b5a5 100644 (file)
--- a/lib/vtls/rustls.c
+++ b/lib/vtls/rustls.c
@@ -533,8 +533,8 @@ init_config_builder(struct Curl_easy *data,
   CURLcode result = CURLE_OK;
   rustls_result rr;
 
+  DEBUGASSERT(conn_config->version != CURL_SSLVERSION_DEFAULT);
   switch(conn_config->version) {
-  case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index fd268c92a376607547592c0f33591356ca832301..d90c86d99ffc230d79a5e2b1981c08abe17450e2 100644 (file)
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -428,8 +428,8 @@ static CURLcode schannel_acquire_credential_handle(struct Curl_cfilter *cf,
   else
     infof(data, "schannel: enabled automatic use of client certificate");
 
+  DEBUGASSERT(conn_config->version != CURL_SSLVERSION_DEFAULT);
   switch(conn_config->version) {
-  case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
   case CURL_SSLVERSION_TLSv1_1:

diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 84180cad4ecae9c2ec17b027ebd7c731b223f4b2..a90b5bf439af30afffcee1fcd88e922a142f054b 100644 (file)
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -1028,8 +1028,9 @@ static CURLcode ssl_version(struct Curl_easy *data,
 {
   int res;
   *min_version = *max_version = 0;
+  DEBUGASSERT(conn_config->version != CURL_SSLVERSION_DEFAULT);
+
   switch(conn_config->version) {
-  case CURL_SSLVERSION_DEFAULT:
   case CURL_SSLVERSION_TLSv1:
   case CURL_SSLVERSION_TLSv1_0:
     *min_version = TLS1_VERSION;