From: Tobias Brunner
Date: Wed, 26 Aug 2020 12:40:51 +0000 (+0200)
Subject: tls-socket: Allow configuring both minimum and maximum TLS versions
X-Git-Tag: 5.9.2rc1~23^2~74
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7f2818832a18ec5965ab7634610e5e997d0c20d;p=thirdparty%2Fstrongswan.git
tls-socket: Allow configuring both minimum and maximum TLS versions
---
diff --git a/scripts/tls_test.c b/scripts/tls_test.c
index c47c1cae19..5e9e95462b 100644
--- a/scripts/tls_test.c
+++ b/scripts/tls_test.c
@@ -106,7 +106,7 @@ static int run_client(host_t *host, identification_t *server,
 close(fd);
 return 1;
 }
- tls = tls_socket_create(FALSE, server, client, fd, cache,
+ tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_0,
 TLS_1_3, TRUE);
 if (!tls)
 {
@@ -164,7 +164,8 @@ static int serve(host_t *host, identification_t *server,
 }
 DBG1(DBG_TLS, "%#H connected", host);
- tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
+ tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_0,
+ TLS_1_2, TRUE);
 if (!tls)
 {
 close(fd);
diff --git a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
index 8e69de0959..ab8c7273b4 100644
--- a/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
+++ b/src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
@@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 /* open TLS socket */
 this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
- NULL, TLS_1_2, FALSE);
+ NULL, TLS_1_0, TLS_1_2, FALSE);
 if (!this->tls)
 {
 DBG1(DBG_TNC, "creating TLS socket failed");
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index b79b92763e..59842368f9 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
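Review bot: Every production caller updated here hard-codes `TLS_1_0` as the new `min_version` (this tnc_ifmap_soap.c hunk, and likewise the pt_tls_client.c and pt_tls_server.c hunks), so the negotiable floor is unchanged and still admits TLS 1.0/1.1, which are deprecated for new deployments. Since the commit exists to make the minimum configurable, it would be worth sourcing the floor from a setting in these components, or at least marking the constant with a comment such as `/* TLS_1_0 keeps the pre-existing floor; raise once this is configurable */` so the choice is visibly deliberate rather than a leftover. soap_init() continues outside this hunk.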
@@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
 }
 this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
- NULL, TLS_1_2, FALSE);
+ NULL, TLS_1_0, TLS_1_2, FALSE);
 if (!this->tls)
 {
 close(fd);
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 0168b18020..4c484fbb8e 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -532,7 +532,8 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
 .destroy = _destroy,
 },
 .state = PT_TLS_SERVER_VERSION,
- .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
+ .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_0, TLS_1_2,
+ FALSE),
 .tnccs = (tls_t*)tnccs,
 .auth = auth,
 );
diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
index a637096cda..a5f80e59ef 100644
--- a/src/libtls/tests/suites/test_socket.c
+++ b/src/libtls/tests/suites/test_socket.c
@@ -298,7 +298,7 @@ static job_requeue_t serve_echo(echo_server_config_t *config)
 }
 tls = tls_socket_create(TRUE, server, client, cfd, NULL,
- config->version, TRUE);
+ TLS_1_0, config->version, TRUE);
 ck_assert(tls != NULL);
 while (TRUE)
@@ -374,7 +374,7 @@ static void run_echo_client(echo_server_config_t *config)
 ck_assert(connect(fd, host->get_sockaddr(host), *host->get_sockaddr_len(host)) != -1);
 tls = tls_socket_create(FALSE, server, client, fd, NULL,
- config->version, TRUE);
+ TLS_1_0, config->version, TRUE);
 ck_assert(tls != NULL);
 wr = rd = 0;
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index 100475c7dc..f29a369f14 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
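Review bot: The echo tests in serve_echo() and run_echo_client() pass the constant `TLS_1_0` as `min_version` and only vary `config->version` as the maximum, so the new parameter and the failure path it introduces in tls_socket_create() (NULL when set_version rejects the range) are not exercised at all. A case that creates the socket with `min_version` above `max_version` and asserts `ck_assert(tls == NULL)`, plus one with a raised floor such as TLS_1_2 on both sides, would cover the new argument; whether an inverted range is actually rejected depends on set_version, which I am inferring from the tls_socket.c hunk. Both test functions extend outside their hunks.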
@@ -405,8 +405,9 @@ METHOD(tls_socket_t, destroy, void,
 * See header
 */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
- identification_t *peer, int fd, tls_cache_t *cache,
- tls_version_t max_version, bool nullok)
+ identification_t *peer, int fd,
+ tls_cache_t *cache, tls_version_t min_version,
+ tls_version_t max_version, bool nullok)
 {
 private_tls_socket_t *this;
 tls_purpose_t purpose;
@@ -442,12 +443,11 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 this->tls = tls_create(is_server, server, peer, purpose,
 &this->app.application, cache);
- if (!this->tls)
+ if (!this->tls ||
+ !this->tls->set_version(this->tls, min_version, max_version))
 {
 free(this);
 return NULL;
 }
- this->tls->set_version(this->tls, TLS_1_0, max_version);
-
 return &this->public;
 }
diff --git a/src/libtls/tls_socket.h b/src/libtls/tls_socket.h
index 7924c585c7..2026cba415 100644
--- a/src/libtls/tls_socket.h
+++ b/src/libtls/tls_socket.h
@@ -104,12 +104,14 @@ struct tls_socket_t {
 * @param peer client identity, NULL for no client authentication
 * @param fd socket to read/write from
 * @param cache session cache to use, or NULL
+ * @param min_version minimum TLS version to negotiate
 * @param max_version maximum TLS version to negotiate
 * @param nullok accept NULL encryption ciphers
 * @return TLS socket wrapper
 */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
- identification_t *peer, int fd, tls_cache_t *cache,
- tls_version_t max_version, bool nullok);
+ identification_t *peer, int fd,
+ tls_cache_t *cache, tls_version_t min_version,
+ tls_version_t max_version, bool nullok);
 #endif /** TLS_SOCKET_H_ @}*/
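Review bot: In the second tls_socket.c hunk the combined condition `if (!this->tls || !this->tls->set_version(this->tls, min_version, max_version))` frees `this` but never destroys the `tls_t` that `tls_create()` just returned, so a rejected version range now leaks the TLS context on every failed create (the first arm is fine because `this->tls` is NULL there). Splitting the two failure cases keeps the early return but releases the object before `free(this)`. tls_socket_create() begins outside this hunk; I am assuming set_version returns FALSE for a range it will not accept, which should be confirmed against its implementation.
```c
	this->tls = tls_create(is_server, server, peer, purpose,
						   &this->app.application, cache);
	if (!this->tls)
	{
		free(this);
		return NULL;
	}
	if (!this->tls->set_version(this->tls, min_version, max_version))
	{
		/* tls_create() succeeded, so release the context before bailing out */
		this->tls->destroy(this->tls);
		free(this);
		return NULL;
	}
	/* … unchanged: return &this->public; … */
```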
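Review bot: The new `@param min_version` line in tls_socket.h documents the lower bound, but the header still does not say that creation can fail because of the version pair, which the matching tls_socket.c change makes observable to every caller (they all test the result for NULL). I would extend the return line to `@return TLS socket wrapper, NULL on failure (e.g. if the version range is rejected)` and add `(must be accepted together with max_version by the TLS stack)` to the new parameter line, so callers know the two arguments are validated as a pair rather than clamped. What exactly counts as a rejected range is defined by set_version and is not visible in this diff.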