close(fd);
return 1;
}
- tls = tls_socket_create(FALSE, server, client, fd, cache,
+ tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_0,
TLS_1_3, TRUE);
if (!tls)
{
}
DBG1(DBG_TLS, "%#H connected", host);
- tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
+ tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_0,
+ TLS_1_2, TRUE);
if (!tls)
{
close(fd);
/* open TLS socket */
this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
- NULL, TLS_1_2, FALSE);
+ NULL, TLS_1_0, TLS_1_2, FALSE);
if (!this->tls)
{
DBG1(DBG_TNC, "creating TLS socket failed");
}
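Review bot: The new min_version argument is passed as the literal `TLS_1_0` at this call site (`NULL, TLS_1_0, TLS_1_2, FALSE);`) and at every other caller changed in this commit, so the refactor leaves TLS 1.0 and 1.1 negotiable everywhere and the floor is not adjustable without a rebuild. If a configurable minimum is the goal, this value should come from a settings lookup in the caller rather than a hard-coded constant, the same way the test callers already take the maximum from `config->version`. Until then, a short comment such as `/* TLS 1.0 floor kept for interoperability; raise once peers are known to support 1.2 */` would record why the legacy versions are still accepted. The enclosing function starts and ends outside the hunk.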
this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
- NULL, TLS_1_2, FALSE);
+ NULL, TLS_1_0, TLS_1_2, FALSE);
if (!this->tls)
{
close(fd);
.destroy = _destroy,
},
.state = PT_TLS_SERVER_VERSION,
- .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
+ .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_0, TLS_1_2,
+ FALSE),
.tnccs = (tls_t*)tnccs,
.auth = auth,
);
}
tls = tls_socket_create(TRUE, server, client, cfd, NULL,
- config->version, TRUE);
+ TLS_1_0, config->version, TRUE);
ck_assert(tls != NULL);
while (TRUE)
ck_assert(connect(fd, host->get_sockaddr(host),
*host->get_sockaddr_len(host)) != -1);
tls = tls_socket_create(FALSE, server, client, fd, NULL,
- config->version, TRUE);
+ TLS_1_0, config->version, TRUE);
ck_assert(tls != NULL);
wr = rd = 0;
* See header
*/
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
- identification_t *peer, int fd, tls_cache_t *cache,
- tls_version_t max_version, bool nullok)
+ identification_t *peer, int fd,
+ tls_cache_t *cache, tls_version_t min_version,
+ tls_version_t max_version, bool nullok)
{
private_tls_socket_t *this;
tls_purpose_t purpose;
this->tls = tls_create(is_server, server, peer, purpose,
&this->app.application, cache);
- if (!this->tls)
+ if (!this->tls ||
+ !this->tls->set_version(this->tls, min_version, max_version))
{
free(this);
return NULL;
}
- this->tls->set_version(this->tls, TLS_1_0, max_version);
-
return &this->public;
}
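Review bot: When tls_create() succeeds but set_version() rejects the requested range, the combined condition `if (!this->tls || !this->tls->set_version(this->tls, min_version, max_version))` falls into a path that only does `free(this)`, so the tls_t that was just created is leaked. Splitting the two failures so that the second one destroys the tls_t before freeing the wrapper closes the leak and keeps the NULL return the callers already check for. The part of the function between the local declarations and the tls_create() call (purpose selection, wrapper setup) is outside the hunk.
```c
	this->tls = tls_create(is_server, server, peer, purpose,
						   &this->app.application, cache);
	if (!this->tls)
	{
		free(this);
		return NULL;
	}
	/* an unsupported min/max range must not hand out a half-built socket */
	if (!this->tls->set_version(this->tls, min_version, max_version))
	{
		this->tls->destroy(this->tls);
		free(this);
		return NULL;
	}
	return &this->public;
```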
* @param peer client identity, NULL for no client authentication
* @param fd socket to read/write from
* @param cache session cache to use, or NULL
+ * @param min_version minimum TLS version to negotiate
* @param max_version maximum TLS version to negotiate
* @param nullok accept NULL encryption ciphers
* @return TLS socket wrapper
*/
tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
- identification_t *peer, int fd, tls_cache_t *cache,
- tls_version_t max_version, bool nullok);
+ identification_t *peer, int fd,
+ tls_cache_t *cache, tls_version_t min_version,
+ tls_version_t max_version, bool nullok);
#endif /** TLS_SOCKET_H_ @}*/
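Review bot: The `@return` line still reads `TLS socket wrapper` although the implementation returns NULL when tls_create() fails and, after this change, also when set_version() refuses the min/max range; suggest `@return TLS socket wrapper, NULL on failure (including an unsupported version range)`. It would also help callers to state on `@param min_version` that it must not be greater than max_version, if set_version() indeed enforces that ordering — worth confirming against its implementation before documenting it.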