forked from wolfSSL/wolfssl
Code review changes
This commit is contained in:
Juliusz Sosinowicz
85
src/ssl.c
85
src/ssl.c
@@ -16754,45 +16754,52 @@ int wolfSSL_get_server_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey)
|
|||||||
|
|
||||||
#endif /* !NO_WOLFSSL_SERVER */
|
#endif /* !NO_WOLFSSL_SERVER */
|
||||||
|
|
||||||
static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx)
|
/**
|
||||||
|
* This function checks if any compiled in protocol versions are
|
||||||
|
* left enabled after calls to set_min or set_max API.
|
||||||
|
* @param ctx The WOLFSSL_CTX to check
|
||||||
|
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
|
||||||
|
* protocol versions are left enabled.
|
||||||
|
*/
|
||||||
|
static int CheckSslMethodVersion(byte major, unsigned long options)
|
||||||
{
|
{
|
||||||
int sanityConfirmed = 0;
|
int sanityConfirmed = 0;
|
||||||
|
|
||||||
|
(void)options;
|
||||||
|
|
||||||
|
switch (major) {
|
||||||
#ifndef NO_TLS
|
#ifndef NO_TLS
|
||||||
if (ctx->method->version.major == SSLv3_MAJOR) {
|
case SSLv3_MAJOR:
|
||||||
#ifdef WOLFSSL_ALLOW_SSLV3
|
#ifdef WOLFSSL_ALLOW_SSLV3
|
||||||
if (!(ctx->mask & WOLFSSL_OP_NO_SSLv3)) {
|
if (!(options & WOLFSSL_OP_NO_SSLv3)) {
|
||||||
sanityConfirmed = 1;
|
sanityConfirmed = 1;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifndef NO_OLD_TLS
|
#ifndef NO_OLD_TLS
|
||||||
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1)) {
|
if (!(options & WOLFSSL_OP_NO_TLSv1))
|
||||||
sanityConfirmed = 1;
|
sanityConfirmed = 1;
|
||||||
}
|
if (!(options & WOLFSSL_OP_NO_TLSv1_1))
|
||||||
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_1)) {
|
|
||||||
sanityConfirmed = 1;
|
sanityConfirmed = 1;
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
#ifndef WOLFSSL_NO_TLS12
|
#ifndef WOLFSSL_NO_TLS12
|
||||||
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_2)) {
|
if (!(options & WOLFSSL_OP_NO_TLSv1_2))
|
||||||
sanityConfirmed = 1;
|
sanityConfirmed = 1;
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_3)) {
|
if (!(options & WOLFSSL_OP_NO_TLSv1_3))
|
||||||
sanityConfirmed = 1;
|
sanityConfirmed = 1;
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
}
|
break;
|
||||||
#endif
|
#endif
|
||||||
#ifdef WOLFSSL_DTLS
|
#ifdef WOLFSSL_DTLS
|
||||||
if (ctx->method->version.major == DTLS_MAJOR) {
|
case DTLS_MAJOR:
|
||||||
if (!sanityConfirmed) {
|
|
||||||
WOLFSSL_MSG("Only DTLS enabled");
|
|
||||||
sanityConfirmed = 1;
|
sanityConfirmed = 1;
|
||||||
}
|
break;
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
|
default:
|
||||||
|
WOLFSSL_MSG("Invalid major version");
|
||||||
|
return WOLFSSL_FAILURE;
|
||||||
|
}
|
||||||
if (!sanityConfirmed) {
|
if (!sanityConfirmed) {
|
||||||
WOLFSSL_MSG("All compiled in TLS versions disabled");
|
WOLFSSL_MSG("All compiled in TLS versions disabled");
|
||||||
return WOLFSSL_FAILURE;
|
return WOLFSSL_FAILURE;
|
||||||
@@ -16800,6 +16807,25 @@ static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx)
|
|||||||
return WOLFSSL_SUCCESS;
|
return WOLFSSL_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This function attempts to set the minimum protocol version to use by SSL
|
||||||
|
* objects created from this WOLFSSL_CTX. This API guarantees that a version
|
||||||
|
* of SSL/TLS lower than specified here will not be allowed. If the version
|
||||||
|
* specified is not compiled in then this API sets the lowest compiled in
|
||||||
|
* protocol version. CheckSslMethodVersion() is called to check if any
|
||||||
|
* remaining protocol versions are enabled.
|
||||||
|
* @param ctx
|
||||||
|
* @param version Any of the following
|
||||||
|
* * SSL3_VERSION
|
||||||
|
* * TLS1_VERSION
|
||||||
|
* * TLS1_1_VERSION
|
||||||
|
* * TLS1_2_VERSION
|
||||||
|
* * TLS1_3_VERSION
|
||||||
|
* * DTLS1_VERSION
|
||||||
|
* * DTLS1_2_VERSION
|
||||||
|
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
|
||||||
|
* protocol versions are left enabled.
|
||||||
|
*/
|
||||||
int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
|
int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
|
||||||
{
|
{
|
||||||
WOLFSSL_ENTER("wolfSSL_CTX_set_min_proto_version");
|
WOLFSSL_ENTER("wolfSSL_CTX_set_min_proto_version");
|
||||||
@@ -16809,12 +16835,12 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
|
|||||||
}
|
}
|
||||||
|
|
||||||
switch (version) {
|
switch (version) {
|
||||||
|
#ifndef NO_TLS
|
||||||
case SSL3_VERSION:
|
case SSL3_VERSION:
|
||||||
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
|
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
|
||||||
ctx->minDowngrade = SSLv3_MINOR;
|
ctx->minDowngrade = SSLv3_MINOR;
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
#ifndef NO_TLS
|
|
||||||
case TLS1_VERSION:
|
case TLS1_VERSION:
|
||||||
#ifdef WOLFSSL_ALLOW_TLSV10
|
#ifdef WOLFSSL_ALLOW_TLSV10
|
||||||
ctx->minDowngrade = TLSv1_MINOR;
|
ctx->minDowngrade = TLSv1_MINOR;
|
||||||
@@ -16880,9 +16906,28 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
|
|||||||
return WOLFSSL_FAILURE;
|
return WOLFSSL_FAILURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
return sanityCheckProtoVersion(ctx);
|
return CheckSslMethodVersion(ctx->method->version.major, ctx->mask);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This function attempts to set the maximum protocol version to use by SSL
|
||||||
|
* objects created from this WOLFSSL_CTX. This API guarantees that a version
|
||||||
|
* of SSL/TLS higher than specified here will not be allowed. If the version
|
||||||
|
* specified is not compiled in then this API sets the highest compiled in
|
||||||
|
* protocol version. CheckSslMethodVersion() is called to check if any
|
||||||
|
* remaining protocol versions are enabled.
|
||||||
|
* @param ctx
|
||||||
|
* @param version Any of the following
|
||||||
|
* * SSL3_VERSION
|
||||||
|
* * TLS1_VERSION
|
||||||
|
* * TLS1_1_VERSION
|
||||||
|
* * TLS1_2_VERSION
|
||||||
|
* * TLS1_3_VERSION
|
||||||
|
* * DTLS1_VERSION
|
||||||
|
* * DTLS1_2_VERSION
|
||||||
|
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
|
||||||
|
* protocol versions are left enabled.
|
||||||
|
*/
|
||||||
int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
|
int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
|
||||||
{
|
{
|
||||||
WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version");
|
WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version");
|
||||||
@@ -16923,7 +16968,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
|
|||||||
return WOLFSSL_FAILURE;
|
return WOLFSSL_FAILURE;
|
||||||
}
|
}
|
||||||
|
|
||||||
return sanityCheckProtoVersion(ctx);
|
return CheckSslMethodVersion(ctx->method->version.major, ctx->mask);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int GetMinProtoVersion(int minDowngrade)
|
static int GetMinProtoVersion(int minDowngrade)
|
||||||
|
|||||||
53
tests/api.c
53
tests/api.c
@@ -42653,55 +42653,46 @@ static void test_wolfSSL_CTX_get_min_proto_version(void)
|
|||||||
|
|
||||||
printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()");
|
printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()");
|
||||||
|
|
||||||
#ifndef NO_OLD_TLS
|
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
|
||||||
#ifdef WOLFSSL_ALLOW_SSLV3
|
|
||||||
#ifdef NO_WOLFSSL_SERVER
|
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
|
|
||||||
#else
|
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
|
|
||||||
#endif
|
|
||||||
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS);
|
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS);
|
||||||
|
#ifdef WOLFSSL_ALLOW_SSLV3
|
||||||
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
|
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
|
||||||
wolfSSL_CTX_free(ctx);
|
|
||||||
#endif
|
|
||||||
#ifdef WOLFSSL_ALLOW_TLSV10
|
|
||||||
#ifdef NO_WOLFSSL_SERVER
|
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_client_method()));
|
|
||||||
#else
|
#else
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_server_method()));
|
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
|
||||||
|
#endif
|
||||||
|
wolfSSL_CTX_free(ctx);
|
||||||
|
|
||||||
|
#ifdef WOLFSSL_ALLOW_TLSV10
|
||||||
|
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_method()));
|
||||||
|
#else
|
||||||
|
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
|
||||||
#endif
|
#endif
|
||||||
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS);
|
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS);
|
||||||
|
#ifdef WOLFSSL_ALLOW_TLSV10
|
||||||
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
|
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
|
||||||
wolfSSL_CTX_free(ctx);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef NO_WOLFSSL_SERVER
|
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_client_method()));
|
|
||||||
#else
|
#else
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_server_method()));
|
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
|
||||||
#endif
|
#endif
|
||||||
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS);
|
|
||||||
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
|
|
||||||
wolfSSL_CTX_free(ctx);
|
wolfSSL_CTX_free(ctx);
|
||||||
|
|
||||||
|
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
|
||||||
|
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS);
|
||||||
|
#ifndef NO_OLD_TLS
|
||||||
|
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
|
||||||
|
#else
|
||||||
|
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
|
||||||
#endif
|
#endif
|
||||||
|
wolfSSL_CTX_free(ctx);
|
||||||
|
|
||||||
#ifndef WOLFSSL_NO_TLS12
|
#ifndef WOLFSSL_NO_TLS12
|
||||||
#ifdef NO_WOLFSSL_SERVER
|
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_method()));
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
|
|
||||||
#else
|
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()));
|
|
||||||
#endif
|
|
||||||
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS);
|
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS);
|
||||||
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION);
|
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION);
|
||||||
wolfSSL_CTX_free(ctx);
|
wolfSSL_CTX_free(ctx);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef WOLFSSL_TLS13
|
#ifdef WOLFSSL_TLS13
|
||||||
#ifdef NO_WOLFSSL_SERVER
|
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_method()));
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
|
|
||||||
#else
|
|
||||||
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
|
|
||||||
#endif
|
|
||||||
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS);
|
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS);
|
||||||
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION);
|
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION);
|
||||||
wolfSSL_CTX_free(ctx);
|
wolfSSL_CTX_free(ctx);
|
||||||
|
|||||||
@@ -10974,6 +10974,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
|||||||
XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 ||
|
XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 ||
|
||||||
beginEnd - headerEnd > PEM_LINE_LEN) {
|
beginEnd - headerEnd > PEM_LINE_LEN) {
|
||||||
WOLFSSL_MSG("Couldn't find PEM header");
|
WOLFSSL_MSG("Couldn't find PEM header");
|
||||||
|
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
|
||||||
return ASN_NO_PEM_HEADER;
|
return ASN_NO_PEM_HEADER;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -10986,6 +10987,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
|||||||
(unsigned int)((char*)buff + sz - beginEnd));
|
(unsigned int)((char*)buff + sz - beginEnd));
|
||||||
if (!footer) {
|
if (!footer) {
|
||||||
WOLFSSL_MSG("Couldn't find PEM footer");
|
WOLFSSL_MSG("Couldn't find PEM footer");
|
||||||
|
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
|
||||||
return ASN_NO_PEM_HEADER;
|
return ASN_NO_PEM_HEADER;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -11011,6 +11013,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
|||||||
|
|
||||||
if (!headerEnd) {
|
if (!headerEnd) {
|
||||||
WOLFSSL_MSG("Couldn't find PEM header");
|
WOLFSSL_MSG("Couldn't find PEM header");
|
||||||
|
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
|
||||||
return ASN_NO_PEM_HEADER;
|
return ASN_NO_PEM_HEADER;
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
|
|||||||
@@ -1262,7 +1262,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
|
|||||||
case AES_128_GCM_TYPE:
|
case AES_128_GCM_TYPE:
|
||||||
case AES_192_GCM_TYPE:
|
case AES_192_GCM_TYPE:
|
||||||
case AES_256_GCM_TYPE:
|
case AES_256_GCM_TYPE:
|
||||||
return WOLFSSL_EVP_CIPH_GCM_MODE &
|
return WOLFSSL_EVP_CIPH_GCM_MODE |
|
||||||
WOLFSSL_EVP_CIPH_FLAG_AEAD_CIPHER;
|
WOLFSSL_EVP_CIPH_FLAG_AEAD_CIPHER;
|
||||||
#endif
|
#endif
|
||||||
#if defined(WOLFSSL_AES_COUNTER)
|
#if defined(WOLFSSL_AES_COUNTER)
|
||||||
@@ -1319,7 +1319,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
|
|||||||
unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
|
unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
|
||||||
{
|
{
|
||||||
if (cipher == NULL) return 0;
|
if (cipher == NULL) return 0;
|
||||||
return WOLFSSL_CIPHER_mode(cipher);
|
return WOLFSSL_CIPHER_mode(cipher) & WOLFSSL_EVP_CIPH_MODE;
|
||||||
}
|
}
|
||||||
|
|
||||||
void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags)
|
void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags)
|
||||||
|
|||||||
@@ -938,7 +938,7 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
|
|||||||
|
|
||||||
#define EVP_PKEY_NONE NID_undef
|
#define EVP_PKEY_NONE NID_undef
|
||||||
#define EVP_PKEY_DH 28
|
#define EVP_PKEY_DH 28
|
||||||
#define EVP_CIPHER_mode WOLFSSL_CIPHER_mode
|
#define EVP_CIPHER_mode WOLFSSL_EVP_CIPHER_mode
|
||||||
/* WOLFSSL_EVP_CIPHER is just the string name of the cipher */
|
/* WOLFSSL_EVP_CIPHER is just the string name of the cipher */
|
||||||
#define EVP_CIPHER_name(x) x
|
#define EVP_CIPHER_name(x) x
|
||||||
#define EVP_MD_CTX_reset wolfSSL_EVP_MD_CTX_cleanup
|
#define EVP_MD_CTX_reset wolfSSL_EVP_MD_CTX_cleanup
|
||||||
|
|||||||
Reference in New Issue
Block a user