generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use minimum and maximum protocol version instead of version fixed methods

Browse Source 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
This commit is contained in:
Kurt Roeckx
2016-02-02 23:58:49 +01:00
parent 1fc7d6664a
commit 0d5301aff9
5 changed files with 107 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
apps/ciphers.c
View File

@@ -126,6 +126,7 @@ int ciphers_main(int argc, char **argv)
char *ciphers = NULL, *prog; char *ciphers = NULL, *prog;
char buf[512]; char buf[512];
OPTION_CHOICE o; OPTION_CHOICE o;
int min_version = 0, max_version = 0;
prog = opt_init(argc, argv, ciphers_options); prog = opt_init(argc, argv, ciphers_options);
while ((o = opt_next()) != OPT_EOF) { while ((o = opt_next()) != OPT_EOF) {
@@ -154,24 +155,20 @@ int ciphers_main(int argc, char **argv)
#endif #endif
break; break;
case OPT_SSL3: case OPT_SSL3:
#ifndef OPENSSL_NO_SSL3 min_version = SSL3_VERSION;
meth = SSLv3_client_method(); max_version = SSL3_VERSION;
#endif
break; break;
case OPT_TLS1: case OPT_TLS1:
#ifndef OPENSSL_NO_TLS1 min_version = TLS1_VERSION;
meth = TLSv1_client_method(); max_version = TLS1_VERSION;
#endif
break; break;
case OPT_TLS1_1: case OPT_TLS1_1:
#ifndef OPENSSL_NO_TLS1_1 min_version = TLS1_1_VERSION;
meth = TLSv1_1_client_method(); max_version = TLS1_1_VERSION;
#endif
break; break;
case OPT_TLS1_2: case OPT_TLS1_2:
#ifndef OPENSSL_NO_TLS1_2 min_version = TLS1_2_VERSION;
meth = TLSv1_2_client_method(); max_version = TLS1_2_VERSION;
#endif
break; break;
case OPT_PSK: case OPT_PSK:
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
@@ -191,6 +188,11 @@ int ciphers_main(int argc, char **argv)
ctx = SSL_CTX_new(meth); ctx = SSL_CTX_new(meth);
if (ctx == NULL) if (ctx == NULL)
goto err; goto err;
if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto err;
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto err;
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
if (psk) if (psk)
SSL_CTX_set_psk_client_callback(ctx, dummy_psk); SSL_CTX_set_psk_client_callback(ctx, dummy_psk);

49
apps/s_client.c
View File

@@ -928,6 +928,7 @@ int s_client_main(int argc, char **argv)
char *ctlog_file = NULL; char *ctlog_file = NULL;
ct_validation_cb ct_validation = NULL; ct_validation_cb ct_validation = NULL;
#endif #endif
int min_version = 0, max_version = 0;
FD_ZERO(&readfds); FD_ZERO(&readfds);
FD_ZERO(&writefds); FD_ZERO(&writefds);
@@ -1199,25 +1200,30 @@ int s_client_main(int argc, char **argv)
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
case OPT_SRPUSER: case OPT_SRPUSER:
srp_arg.srplogin = opt_arg(); srp_arg.srplogin = opt_arg();
meth = TLSv1_client_method(); if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break; break;
case OPT_SRPPASS: case OPT_SRPPASS:
srppass = opt_arg(); srppass = opt_arg();
meth = TLSv1_client_method(); if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break; break;
case OPT_SRP_STRENGTH: case OPT_SRP_STRENGTH:
srp_arg.strength = atoi(opt_arg()); srp_arg.strength = atoi(opt_arg());
BIO_printf(bio_err, "SRP minimal length for N is %d\n", BIO_printf(bio_err, "SRP minimal length for N is %d\n",
srp_arg.strength); srp_arg.strength);
meth = TLSv1_client_method(); if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break; break;
case OPT_SRP_LATEUSER: case OPT_SRP_LATEUSER:
srp_lateuser = 1; srp_lateuser = 1;
meth = TLSv1_client_method(); if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break; break;
case OPT_SRP_MOREGROUPS: case OPT_SRP_MOREGROUPS:
srp_arg.amp = 1; srp_arg.amp = 1;
meth = TLSv1_client_method(); if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
break; break;
#else #else
case OPT_SRPUSER: case OPT_SRPUSER:
@@ -1231,24 +1237,20 @@ int s_client_main(int argc, char **argv)
ssl_config = opt_arg(); ssl_config = opt_arg();
break; break;
case OPT_SSL3: case OPT_SSL3:
#ifndef OPENSSL_NO_SSL3 min_version = SSL3_VERSION;
meth = SSLv3_client_method(); max_version = SSL3_VERSION;
#endif
break; break;
case OPT_TLS1_2: case OPT_TLS1_2:
#ifndef OPENSSL_NO_TLS1_2 min_version = TLS1_2_VERSION;
meth = TLSv1_2_client_method(); max_version = TLS1_2_VERSION;
#endif
break; break;
case OPT_TLS1_1: case OPT_TLS1_1:
#ifndef OPENSSL_NO_TLS1_1 min_version = TLS1_1_VERSION;
meth = TLSv1_1_client_method(); max_version = TLS1_1_VERSION;
#endif
break; break;
case OPT_TLS1: case OPT_TLS1:
#ifndef OPENSSL_NO_TLS1 min_version = TLS1_VERSION;
meth = TLSv1_client_method(); max_version = TLS1_VERSION;
#endif
break; break;
case OPT_DTLS: case OPT_DTLS:
#ifndef OPENSSL_NO_DTLS #ifndef OPENSSL_NO_DTLS
@@ -1258,13 +1260,17 @@ int s_client_main(int argc, char **argv)
break; break;
case OPT_DTLS1: case OPT_DTLS1:
#ifndef OPENSSL_NO_DTLS1 #ifndef OPENSSL_NO_DTLS1
meth = DTLSv1_client_method(); meth = DTLS_client_method();
min_version = DTLS1_VERSION;
max_version = DTLS1_VERSION;
socket_type = SOCK_DGRAM; socket_type = SOCK_DGRAM;
#endif #endif
break; break;
case OPT_DTLS1_2: case OPT_DTLS1_2:
#ifndef OPENSSL_NO_DTLS1_2 #ifndef OPENSSL_NO_DTLS1_2
meth = DTLSv1_2_client_method(); meth = DTLS_client_method();
min_version = DTLS1_2_VERSION;
max_version = DTLS1_2_VERSION;
socket_type = SOCK_DGRAM; socket_type = SOCK_DGRAM;
#endif #endif
break; break;
@@ -1566,6 +1572,11 @@ int s_client_main(int argc, char **argv)
} }
} }
if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto end;
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto end;
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n"); BIO_printf(bio_err, "Error setting verify params\n");
ERR_print_errors(bio_err); ERR_print_errors(bio_err);

43
apps/s_server.c
View File

@@ -1066,6 +1066,7 @@ int s_server_main(int argc, char *argv[])
char *srpuserseed = NULL; char *srpuserseed = NULL;
char *srp_verifier_file = NULL; char *srp_verifier_file = NULL;
#endif #endif
int min_version = 0, max_version = 0;
local_argc = argc; local_argc = argc;
local_argv = argv; local_argv = argv;
@@ -1389,13 +1390,15 @@ int s_server_main(int argc, char *argv[])
case OPT_SRPVFILE: case OPT_SRPVFILE:
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
srp_verifier_file = opt_arg(); srp_verifier_file = opt_arg();
meth = TLSv1_server_method(); if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
#endif #endif
break; break;
case OPT_SRPUSERSEED: case OPT_SRPUSERSEED:
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
srpuserseed = opt_arg(); srpuserseed = opt_arg();
meth = TLSv1_server_method(); if (min_version < TLS1_VERSION)
min_version = TLS1_VERSION;
#endif #endif
break; break;
case OPT_REV: case OPT_REV:
@@ -1414,24 +1417,20 @@ int s_server_main(int argc, char *argv[])
ssl_config = opt_arg(); ssl_config = opt_arg();
break; break;
case OPT_SSL3: case OPT_SSL3:
#ifndef OPENSSL_NO_SSL3 min_version = SSL3_VERSION;
meth = SSLv3_server_method(); max_version = SSL3_VERSION;
#endif
break; break;
case OPT_TLS1_2: case OPT_TLS1_2:
#ifndef OPENSSL_NO_TLS1_2 min_version = TLS1_2_VERSION;
meth = TLSv1_2_server_method(); max_version = TLS1_2_VERSION;
#endif
break; break;
case OPT_TLS1_1: case OPT_TLS1_1:
#ifndef OPENSSL_NO_TLS1_1 min_version = TLS1_1_VERSION;
meth = TLSv1_1_server_method(); max_version = TLS1_1_VERSION;
#endif
break; break;
case OPT_TLS1: case OPT_TLS1:
#ifndef OPENSSL_NO_TLS1 min_version = TLS1_VERSION;
meth = TLSv1_server_method(); max_version = TLS1_VERSION;
#endif
break; break;
case OPT_DTLS: case OPT_DTLS:
#ifndef OPENSSL_NO_DTLS #ifndef OPENSSL_NO_DTLS
@@ -1440,14 +1439,18 @@ int s_server_main(int argc, char *argv[])
#endif #endif
break; break;
case OPT_DTLS1: case OPT_DTLS1:
#ifndef OPENSSL_NO_DTLS1 #ifndef OPENSSL_NO_DTLS
meth = DTLSv1_server_method(); meth = DTLS_server_method();
min_version = DTLS1_VERSION;
max_version = DTLS1_VERSION;
socket_type = SOCK_DGRAM; socket_type = SOCK_DGRAM;
#endif #endif
break; break;
case OPT_DTLS1_2: case OPT_DTLS1_2:
#ifndef OPENSSL_NO_DTLS1_2 #ifndef OPENSSL_NO_DTLS
meth = DTLSv1_2_server_method(); meth = DTLS_server_method();
min_version = DTLS1_2_VERSION;
max_version = DTLS1_2_VERSION;
socket_type = SOCK_DGRAM; socket_type = SOCK_DGRAM;
#endif #endif
break; break;
@@ -1728,6 +1731,10 @@ int s_server_main(int argc, char *argv[])
goto end; goto end;
} }
} }
if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
goto end;
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto end;
if (session_id_prefix) { if (session_id_prefix) {
if (strlen(session_id_prefix) >= 32) if (strlen(session_id_prefix) >= 32)

9
apps/s_time.c
View File

@@ -132,7 +132,7 @@ OPTIONS s_time_options[] = {
{"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"}, {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
{"verify", OPT_VERIFY, 'p', {"verify", OPT_VERIFY, 'p',
"Turn on peer certificate verification, set depth"}, "Turn on peer certificate verification, set depth"},
{"time", OPT_TIME, 'p', "Sf seconds to collect data, default" SECONDSSTR}, {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR},
{"www", OPT_WWW, 's', "Fetch specified page from the site"}, {"www", OPT_WWW, 's', "Fetch specified page from the site"},
#ifndef OPENSSL_NO_SSL3 #ifndef OPENSSL_NO_SSL3
{"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
@@ -162,6 +162,7 @@ int s_time_main(int argc, char **argv)
0, ver; 0, ver;
long bytes_read = 0, finishtime = 0; long bytes_read = 0, finishtime = 0;
OPTION_CHOICE o; OPTION_CHOICE o;
int max_version = 0;
meth = TLS_client_method(); meth = TLS_client_method();
verify_depth = 0; verify_depth = 0;
@@ -230,9 +231,7 @@ int s_time_main(int argc, char **argv)
} }
break; break;
case OPT_SSL3: case OPT_SSL3:
#ifndef OPENSSL_NO_SSL3 max_version = SSL3_VERSION;
meth = SSLv3_client_method();
#endif
break; break;
} }
} }
@@ -251,6 +250,8 @@ int s_time_main(int argc, char **argv)
goto end; goto end;
SSL_CTX_set_quiet_shutdown(ctx, 1); SSL_CTX_set_quiet_shutdown(ctx, 1);
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto end;
if (st_bugs) if (st_bugs)
SSL_CTX_set_options(ctx, SSL_OP_ALL); SSL_CTX_set_options(ctx, SSL_OP_ALL);

64
test/ssltest.c
View File

@@ -1056,6 +1056,7 @@ int main(int argc, char *argv[])
int fips_mode = 0; int fips_mode = 0;
#endif #endif
int no_protocol; int no_protocol;
int min_version = 0, max_version = 0;
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
/* /*
@@ -1186,12 +1187,12 @@ int main(int argc, char *argv[])
goto bad; goto bad;
srp_server_arg.expected_user = srp_client_arg.srplogin = srp_server_arg.expected_user = srp_client_arg.srplogin =
*(++argv); *(++argv);
tls1 = 1; min_version = TLS1_VERSION;
} else if (strcmp(*argv, "-srppass") == 0) { } else if (strcmp(*argv, "-srppass") == 0) {
if (--argc < 1) if (--argc < 1)
goto bad; goto bad;
srp_server_arg.pass = srp_client_arg.srppassin = *(++argv); srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
tls1 = 1; min_version = TLS1_VERSION;
} }
#endif #endif
else if (strcmp(*argv, "-tls1") == 0) { else if (strcmp(*argv, "-tls1") == 0) {
@@ -1495,37 +1496,27 @@ int main(int argc, char *argv[])
} }
#endif #endif
/* #ifndef OPENSSL_NO_TLS
* At this point, ssl3/tls1 is only set if the protocol is available.
* (Otherwise we exit early.) However the compiler doesn't know this, so
* we ifdef.
*/
#ifndef OPENSSL_NO_DTLS
#ifndef OPENSSL_NO_DTLS1
if (dtls1)
meth = DTLSv1_method();
else
#endif
#ifndef OPENSSL_NO_DTLS1_2
if (dtls12)
meth = DTLSv1_2_method();
else
#endif
if (dtls)
meth = DTLS_method();
else
#endif
#ifndef OPENSSL_NO_SSL3
if (ssl3)
meth = SSLv3_method();
else
#endif
#ifndef OPENSSL_NO_TLS1
if (tls1)
meth = TLSv1_method();
else
#endif
meth = TLS_method(); meth = TLS_method();
if (ssl3) {
min_version = SSL3_VERSION;
max_version = SSL3_VERSION;
} else if (tls1) {
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
}
#endif
#ifndef OPENSSL_NO_DTLS
if (dtls || dtls1 || dtls12)
meth = DTLS_method();
if (dtls1) {
min_version = DTLS1_VERSION;
max_version = DTLS1_VERSION;
} else if (dtls12) {
min_version = DTLS1_2_VERSION;
max_version = DTLS1_2_VERSION;
}
#endif
c_ctx = SSL_CTX_new(meth); c_ctx = SSL_CTX_new(meth);
s_ctx = SSL_CTX_new(meth); s_ctx = SSL_CTX_new(meth);
@@ -1543,6 +1534,15 @@ int main(int argc, char *argv[])
SSL_CTX_set_security_level(s_ctx, 0); SSL_CTX_set_security_level(s_ctx, 0);
SSL_CTX_set_security_level(s_ctx2, 0); SSL_CTX_set_security_level(s_ctx2, 0);
if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
goto end;
if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
goto end;
if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
goto end;
if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
goto end;
if (cipher != NULL) { if (cipher != NULL) {
if (!SSL_CTX_set_cipher_list(c_ctx, cipher) if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
|| !SSL_CTX_set_cipher_list(s_ctx, cipher) || !SSL_CTX_set_cipher_list(s_ctx, cipher)