From: Tobias Brunner
Date: Wed, 26 Aug 2020 12:37:59 +0000 (+0200)
Subject: tls: Allow setting both minimum and maximum TLS versions
X-Git-Tag: 5.9.2rc1~23^2~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4576a1f5789804c272439dd12626aecd3623fc7;p=thirdparty%2Fstrongswan.git

tls: Allow setting both minimum and maximum TLS versions

This allows to increase the initial minimum version and also prevents sending a list of versions during retries when 1.3 was already negotiated.
---
diff --git a/src/libtls/tls.c b/src/libtls/tls.c
index 30f4786d5c..fc313e08e2 100644
--- a/src/libtls/tls.c
+++ b/src/libtls/tls.c
@@ -436,26 +436,24 @@ METHOD(tls_t, get_version_min, tls_version_t,
 }
 METHOD(tls_t, set_version, bool,
- private_tls_t *this, tls_version_t version)
+ private_tls_t *this, tls_version_t min_version, tls_version_t max_version)
 {
- if (version > this->version_max)
+ if (min_version < this->version_min ||
+ max_version > this->version_max ||
+ min_version > max_version ||
+ min_version < TLS_1_0)
 {
 return FALSE;
 }
- switch (version)
+
+ this->version_min = min_version;
+ this->version_max = max_version;
+
+ if (min_version == max_version)
 {
- case TLS_1_0:
- case TLS_1_1:
- case TLS_1_2:
- case TLS_1_3:
- this->version_max = version;
- this->protection->set_version(this->protection, version);
- return TRUE;
- case SSL_2_0:
- case SSL_3_0:
- default:
- return FALSE;
+ this->protection->set_version(this->protection, max_version);
 }
+ return TRUE;
 }
 METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -545,8 +543,8 @@ tls_t *tls_create(bool is_server, identification_t *server,
 .destroy = _destroy,
 },
 .is_server = is_server,
- .version_max = TLS_1_3,
 .version_min = TLS_1_0,
+ .version_max = TLS_1_3,
 .application = application,
 .purpose = purpose,
 );
diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index 005497f5a9..b8903af5d9 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
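Review bot: The fourth condition of the new guard, `min_version < TLS_1_0`, is redundant with `min_version < this->version_min`: version_min is initialised to TLS_1_0 in tls_create (the second hunk of this file) and every accepted call can only raise it, so the explicit floor can never trigger on its own. Keeping it as a defensive floor is reasonable now that the switch which rejected SSL_2_0/SSL_3_0 by name is gone, but that intent should be stated, e.g. `/* SSLv2/v3 are never acceptable, regardless of the configured minimum */` above the check. It would also help to note above the guard that the range can only be narrowed, never widened, since a caller that raised the minimum earlier and later passes a wider range gets FALSE with no indication why. set_version lies fully within the hunk; the tls_create hunk is only an initialiser reorder and needs nothing.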
@@ -263,26 +263,29 @@ struct tls_t {
 identification_t* (*get_peer_id)(tls_t *this);
 /**
- * Get the maximum and negotiated TLS/SSL version.
+ * Get the maximum and negotiated TLS version.
 *
 * @return max and negotiated TLS version
 */
 tls_version_t (*get_version_max)(tls_t *this);
 /**
- * Get the minimum TLS/SSL version.
+ * Get the minimum TLS version.
 *
 * @return min TLS version
 */
 tls_version_t (*get_version_min)(tls_t *this);
 /**
- * Set the negotiated TLS/SSL version.
+ * Set the initial minimum/maximum TLS version, or set both to the same
+ * value once negotiated.
 *
- * @param version negotiated TLS version
- * @return TRUE if version acceptable
+ * @param min_version minimum (or negotiated) TLS version
+ * @param max_version maximum (or negotiated) TLS version
+ * @return TRUE if version(s) acceptable
 */
- bool (*set_version)(tls_t *this, tls_version_t version);
+ bool (*set_version)(tls_t *this, tls_version_t min_version,
+ tls_version_t max_version);
 /**
 * Get the purpose of this TLS stack instance.
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index bc1857f69a..50326d3f15 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -279,7 +279,7 @@ static status_t process_server_hello(private_tls_peer_t *this,
 }
 extensions->destroy(extensions);
- if (!this->tls->set_version(this->tls, version))
+ if (!this->tls->set_version(this->tls, version, version))
 {
 DBG1(DBG_TLS, "negotiated version %N not supported",
 tls_version_names, version);
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 3e97d37996..f0bbb1a590 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -282,7 +282,7 @@ static status_t process_client_hello(private_tls_server_t *this,
 }
 rng->destroy(rng);
- if (!this->tls->set_version(this->tls, version))
+ if (!this->tls->set_version(this->tls, version, version))
 {
 DBG1(DBG_TLS, "negotiated version %N not supported",
 tls_version_names, version);
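Review bot: The new doc comment for set_version does not state the narrowing-only contract that the tls.c implementation enforces: FALSE is returned when min_version is below the current minimum, max_version is above the current maximum, min_version exceeds max_version, or min_version is below TLS_1_0. A caller that configures a range at creation and later passes the negotiated version needs this to understand why a second call can fail. Proposed addition after the first sentence of the comment: ` * The range can only be narrowed: min_version must not be below the current minimum, max_version not above the current maximum, and both must be TLS 1.0 or newer; otherwise FALSE is returned.` The struct tls_t definition continues outside the hunk.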
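Review bot: The unchanged log line `"negotiated version %N not supported"` at the end of this hunk no longer describes every failure of the new `set_version(this->tls, version, version)` call: the check also fails when the peer-selected version is a known one that merely lies outside the currently configured minimum/maximum (presumably a raised minimum, per the commit message), and an operator reading the log cannot tell the two cases apart. Logging the configured bounds would make that distinction visible, e.g. `DBG1(DBG_TLS, "negotiated version %N not within configured range %N-%N", tls_version_names, version, tls_version_names, this->tls->get_version_min(this->tls), tls_version_names, this->tls->get_version_max(this->tls));`. The same applies to the identical hunk in tls_server.c. process_server_hello starts and ends outside the hunk.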
diff --git a/src/libtls/tls_socket.c b/src/libtls/tls_socket.c
index d065bdb280..100475c7dc 100644
--- a/src/libtls/tls_socket.c
+++ b/src/libtls/tls_socket.c
@@ -447,7 +447,7 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 free(this);
 return NULL;
 }
- this->tls->set_version(this->tls, max_version);
+ this->tls->set_version(this->tls, TLS_1_0, max_version);
 return &this->public;
 }
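Review bot: The return value of `this->tls->set_version(this->tls, TLS_1_0, max_version)` is still discarded, and the new range check rejects more inputs than the old switch did: a max_version below TLS_1_0 or above the stack's default maximum makes the call return FALSE, the tls_t keeps its TLS_1_0..TLS_1_3 defaults, and tls_socket_create still hands back a usable socket, so the caller's requested maximum is silently not applied (unless max_version is validated earlier in the function, which the hunk does not show). Whether ignoring the result is deliberate is hard to tell from here; if it is not, I would treat failure like the tls_create failure a few lines above: destroy the stack, free this and return NULL, as below. tls_socket_create starts outside the hunk.
```c
	/* … unchanged: tls_create call and its NULL check … */
	if (!this->tls->set_version(this->tls, TLS_1_0, max_version))
	{
		/* max_version outside the range the stack accepts is a caller error */
		this->tls->destroy(this->tls);
		free(this);
		return NULL;
	}
	return &this->public;
```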