diff --git a/src/ssl.c b/src/ssl.c index 108b3aca4..9845a183a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16754,45 +16754,52 @@ int wolfSSL_get_server_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey) #endif /* !NO_WOLFSSL_SERVER */ -static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx) +/** + * This function checks if any compiled in protocol versions are + * left enabled after calls to set_min or set_max API. + * @param ctx The WOLFSSL_CTX to check + * @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no + * protocol versions are left enabled. + */ +static int CheckSslMethodVersion(byte major, unsigned long options) { int sanityConfirmed = 0; -#ifndef NO_TLS - if (ctx->method->version.major == SSLv3_MAJOR) { - #ifdef WOLFSSL_ALLOW_SSLV3 - if (!(ctx->mask & WOLFSSL_OP_NO_SSLv3)) { - sanityConfirmed = 1; - } + (void)options; + + switch (major) { + #ifndef NO_TLS + case SSLv3_MAJOR: + #ifdef WOLFSSL_ALLOW_SSLV3 + if (!(options & WOLFSSL_OP_NO_SSLv3)) { + sanityConfirmed = 1; + } + #endif + #ifndef NO_OLD_TLS + if (!(options & WOLFSSL_OP_NO_TLSv1)) + sanityConfirmed = 1; + if (!(options & WOLFSSL_OP_NO_TLSv1_1)) + sanityConfirmed = 1; + #endif + #ifndef WOLFSSL_NO_TLS12 + if (!(options & WOLFSSL_OP_NO_TLSv1_2)) + sanityConfirmed = 1; + #endif + #ifdef WOLFSSL_TLS13 + if (!(options & WOLFSSL_OP_NO_TLSv1_3)) + sanityConfirmed = 1; + #endif + break; #endif - #ifndef NO_OLD_TLS - if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1)) { + #ifdef WOLFSSL_DTLS + case DTLS_MAJOR: sanityConfirmed = 1; - } - if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_1)) { - sanityConfirmed = 1; - } - #endif - #ifndef WOLFSSL_NO_TLS12 - if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_2)) { - sanityConfirmed = 1; - } - #endif - #ifdef WOLFSSL_TLS13 - if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_3)) { - sanityConfirmed = 1; - } + break; #endif + default: + WOLFSSL_MSG("Invalid major version"); + return WOLFSSL_FAILURE; } -#endif -#ifdef WOLFSSL_DTLS - if (ctx->method->version.major == DTLS_MAJOR) { - if (!sanityConfirmed) { - WOLFSSL_MSG("Only DTLS enabled"); - sanityConfirmed = 1; - } - } -#endif if (!sanityConfirmed) { WOLFSSL_MSG("All compiled in TLS versions disabled"); return WOLFSSL_FAILURE; @@ -16800,6 +16807,25 @@ static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx) return WOLFSSL_SUCCESS; } +/** + * This function attempts to set the minimum protocol version to use by SSL + * objects created from this WOLFSSL_CTX. This API guarantees that a version + * of SSL/TLS lower than specified here will not be allowed. If the version + * specified is not compiled in then this API sets the lowest compiled in + * protocol version. CheckSslMethodVersion() is called to check if any + * remaining protocol versions are enabled. + * @param ctx + * @param version Any of the following + * * SSL3_VERSION + * * TLS1_VERSION + * * TLS1_1_VERSION + * * TLS1_2_VERSION + * * TLS1_3_VERSION + * * DTLS1_VERSION + * * DTLS1_2_VERSION + * @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no + * protocol versions are left enabled. + */ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) { WOLFSSL_ENTER("wolfSSL_CTX_set_min_proto_version"); @@ -16809,12 +16835,12 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) } switch (version) { +#ifndef NO_TLS case SSL3_VERSION: #if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) ctx->minDowngrade = SSLv3_MINOR; break; #endif -#ifndef NO_TLS case TLS1_VERSION: #ifdef WOLFSSL_ALLOW_TLSV10 ctx->minDowngrade = TLSv1_MINOR; @@ -16880,9 +16906,28 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) return WOLFSSL_FAILURE; } - return sanityCheckProtoVersion(ctx); + return CheckSslMethodVersion(ctx->method->version.major, ctx->mask); } +/** + * This function attempts to set the maximum protocol version to use by SSL + * objects created from this WOLFSSL_CTX. This API guarantees that a version + * of SSL/TLS higher than specified here will not be allowed. If the version + * specified is not compiled in then this API sets the highest compiled in + * protocol version. CheckSslMethodVersion() is called to check if any + * remaining protocol versions are enabled. + * @param ctx + * @param version Any of the following + * * SSL3_VERSION + * * TLS1_VERSION + * * TLS1_1_VERSION + * * TLS1_2_VERSION + * * TLS1_3_VERSION + * * DTLS1_VERSION + * * DTLS1_2_VERSION + * @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no + * protocol versions are left enabled. + */ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) { WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version"); @@ -16923,7 +16968,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) return WOLFSSL_FAILURE; } - return sanityCheckProtoVersion(ctx); + return CheckSslMethodVersion(ctx->method->version.major, ctx->mask); } static int GetMinProtoVersion(int minDowngrade) diff --git a/tests/api.c b/tests/api.c index 18bc717d1..70d8b04be 100644 --- a/tests/api.c +++ b/tests/api.c @@ -42653,55 +42653,46 @@ static void test_wolfSSL_CTX_get_min_proto_version(void) printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()"); - #ifndef NO_OLD_TLS - #ifdef WOLFSSL_ALLOW_SSLV3 - #ifdef NO_WOLFSSL_SERVER - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); - #else - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); - #endif - AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS); - AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION); - wolfSSL_CTX_free(ctx); - #endif - #ifdef WOLFSSL_ALLOW_TLSV10 - #ifdef NO_WOLFSSL_SERVER - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_client_method())); - #else - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_server_method())); - #endif - AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS); - AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION); - wolfSSL_CTX_free(ctx); - #endif - - #ifdef NO_WOLFSSL_SERVER - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_client_method())); - #else - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_server_method())); - #endif - AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS); - AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION); - wolfSSL_CTX_free(ctx); + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method())); + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS); + #ifdef WOLFSSL_ALLOW_SSLV3 + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION); + #else + AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION); #endif + wolfSSL_CTX_free(ctx); + + #ifdef WOLFSSL_ALLOW_TLSV10 + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_method())); + #else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method())); + #endif + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS); + #ifdef WOLFSSL_ALLOW_TLSV10 + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION); + #else + AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION); + #endif + wolfSSL_CTX_free(ctx); + + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method())); + AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS); + #ifndef NO_OLD_TLS + AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION); + #else + AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION); + #endif + wolfSSL_CTX_free(ctx); #ifndef WOLFSSL_NO_TLS12 - #ifdef NO_WOLFSSL_SERVER - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())); - #else - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())); - #endif + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_method())); AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION); wolfSSL_CTX_free(ctx); #endif #ifdef WOLFSSL_TLS13 - #ifdef NO_WOLFSSL_SERVER - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())); - #else - AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method())); - #endif + AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_method())); AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION); wolfSSL_CTX_free(ctx); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 718ec2162..8038f6557 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10974,6 +10974,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 || beginEnd - headerEnd > PEM_LINE_LEN) { WOLFSSL_MSG("Couldn't find PEM header"); + WOLFSSL_ERROR(ASN_NO_PEM_HEADER); return ASN_NO_PEM_HEADER; } @@ -10986,6 +10987,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, (unsigned int)((char*)buff + sz - beginEnd)); if (!footer) { WOLFSSL_MSG("Couldn't find PEM footer"); + WOLFSSL_ERROR(ASN_NO_PEM_HEADER); return ASN_NO_PEM_HEADER; } @@ -11011,6 +11013,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, if (!headerEnd) { WOLFSSL_MSG("Couldn't find PEM header"); + WOLFSSL_ERROR(ASN_NO_PEM_HEADER); return ASN_NO_PEM_HEADER; } #else diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 684ece0d6..4bddc8967 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -1262,7 +1262,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) case AES_128_GCM_TYPE: case AES_192_GCM_TYPE: case AES_256_GCM_TYPE: - return WOLFSSL_EVP_CIPH_GCM_MODE & + return WOLFSSL_EVP_CIPH_GCM_MODE | WOLFSSL_EVP_CIPH_FLAG_AEAD_CIPHER; #endif #if defined(WOLFSSL_AES_COUNTER) @@ -1319,7 +1319,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) { if (cipher == NULL) return 0; - return WOLFSSL_CIPHER_mode(cipher); + return WOLFSSL_CIPHER_mode(cipher) & WOLFSSL_EVP_CIPH_MODE; } void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags) diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 55cb03123..c3361e106 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -938,7 +938,7 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX; #define EVP_PKEY_NONE NID_undef #define EVP_PKEY_DH 28 -#define EVP_CIPHER_mode WOLFSSL_CIPHER_mode +#define EVP_CIPHER_mode WOLFSSL_EVP_CIPHER_mode /* WOLFSSL_EVP_CIPHER is just the string name of the cipher */ #define EVP_CIPHER_name(x) x #define EVP_MD_CTX_reset wolfSSL_EVP_MD_CTX_cleanup