From fc7533fe5e51bf263d8bb557566452dd33ac96fe Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Tue, 6 Jul 2021 15:39:18 +0200
Subject: [PATCH] Code review changes

---
 src/internal.c | 15 ++++-
 src/ssl.c | 153 +++++++++++++++++++++++++++++++++++++++---
 src/tls13.c | 4 +-
 wolfssl/openssl/ssl.h | 4 +-
 4 files changed, 160 insertions(+), 16 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index a460a513a..0a7b973d3 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8423,6 +8423,17 @@ retry:
     if (recvd < 0) {
         switch (recvd) {
             case WOLFSSL_CBIO_ERR_GENERAL:        /* general/unknown error */
+                #ifdef WOLFSSL_APACHE_HTTPD
+                #ifndef NO_BIO
+                if (ssl->biord) {
+                    /* If retry and read flags are set, return WANT_READ */
+                    if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_READ) &&
+                        (ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) {
+                        return WANT_READ;
+                    }
+                }
+                #endif
+                #endif
                 return -1;
 
             case WOLFSSL_CBIO_ERR_WANT_READ:      /* want read, would block */
@@ -28633,7 +28644,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
         if (!ssl->options.downgrade) {
             WOLFSSL_MSG("Client trying to connect with lesser version");
-#ifdef OPENSSL_EXTRA
+#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
             SendAlert(ssl, alert_fatal, handshake_failure);
 #endif
             ret = VERSION_ERROR;
@@ -28641,7 +28652,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         }
         if (pv.minor < ssl->options.minDowngrade) {
             WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
-#ifdef OPENSSL_EXTRA
+#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
             SendAlert(ssl, alert_fatal, handshake_failure);
 #endif
             ret = VERSION_ERROR;
diff --git a/src/ssl.c b/src/ssl.c
index 94d8ca326..59a60e2f5 100644
--- a/src/ssl.c
+++ b/src/ssl.c
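Review bot: The added WANT_READ path reads `ssl->biord->flags` but never clears them, so a WOLFSSL_BIO_FLAG_READ|WOLFSSL_BIO_FLAG_RETRY pair left over from an earlier attempt would turn a genuine WOLFSSL_CBIO_ERR_GENERAL into a retryable return, and a caller that loops on WANT_READ could spin on a BIO that has actually failed. Whether that can happen depends on the BIO read path resetting the retry flags before each attempt, which is not visible in this hunk, so either that guarantee should be stated in the comment or the flags should be consumed once honoured, e.g. `ssl->biord->flags &= ~(WOLFSSL_BIO_FLAG_READ | WOLFSSL_BIO_FLAG_RETRY);` before `return WANT_READ;`. A one-line comment on the `#ifdef WOLFSSL_APACHE_HTTPD` saying why this translation is specific to the httpd build would also help, since it changes error semantics of the core receive path for that configuration only. The enclosing function starts before and ends after the hunk.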
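Review bot: With the guard widened to WOLFSSL_EXTRA_ALERTS builds, the alert sent in this hunk, the next internal.c hunk and both tls13.c hunks is still `handshake_failure`, whereas TLS defines the `protocol_version` alert for exactly this case (a version the peer offered that this side will not accept). If wolfSSL's alert enum carries that value (its definition is outside these hunks) the line should read `SendAlert(ssl, alert_fatal, protocol_version);`, which gives the peer an accurate reason and makes version-policy rejections distinguishable from cipher/cert failures in logs. The choice of handshake_failure predates this commit, but the widened guard is what now delivers it to more builds, so it is worth settling here or in a follow-up. The enclosing function body starts and ends outside these hunks.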
@@ -7641,6 +7641,10 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
 #endif /* !NO_CHECK_PRIVATE_KEY */
 
 #ifdef OPENSSL_ALL
+/**
+ * Return the private key of the WOLFSSL_CTX struct
+ * @return WOLFSSL_EVP_PKEY* The caller doesn *NOT*` free the returned object.
+ */
 WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX* ctx)
 {
     const unsigned char *key;
@@ -10471,6 +10475,16 @@ err_cleanup:
     return NULL;
 }
 
+/**
+ * Create a WOLFSSL_X509_EXTENSION from the input arguments.
+ * @param conf Not used
+ * @param ctx Not used
+ * @param nid Interprets the value parameter as the x509 extension that
+ *            corresponds to this NID.
+ * @param value A NULL terminated string that is taken as the value of the
+ *              newly created extension object.
+ * @return WOLFSSL_X509_EXTENSION* on success or NULL on failure.
+ */
 WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_nconf_nid(WOLFSSL_CONF* conf,
         WOLFSSL_X509V3_CTX *ctx, int nid, const char *value)
 {
@@ -10489,6 +10503,16 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_nconf_nid(WOLFSSL_CONF* conf,
     return createExtFromStr(nid, value);
 }
 
+/**
+ * Create a WOLFSSL_X509_EXTENSION from the input arguments.
+ * @param conf Not used
+ * @param ctx Not used
+ * @param sName The textual representation of the NID that the value parameter
+ *              should be interpreted as.
+ * @param value A NULL terminated string that is taken as the value of the
+ *              newly created extension object.
+ * @return WOLFSSL_X509_EXTENSION* on success or NULL on failure.
+ */
 WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_nconf(WOLFSSL_CONF *conf,
         WOLFSSL_X509V3_CTX *ctx, const char *sName, const char *value)
 {
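Review bot: The new comment on wolfSSL_CTX_get0_privatekey has a typo and a stray backtick on its @return line, which is the one line that states the ownership rule callers must get right (get0 semantics); it should read `* @return WOLFSSL_EVP_PKEY* The caller does *NOT* free the returned object.`. The same comment documents no parameter, so a `@param ctx` line stating what is returned for a NULL ctx (the body is outside the hunk) would complete it in the style of the two wolfSSL_X509V3_EXT_nconf comments below. In those two comments "NULL terminated" should be "NUL-terminated", since NULL is the pointer constant and the same word is used two lines later for the failure return.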
@@ -17336,20 +17360,129 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
 
 int wolfSSL_set_min_proto_version(WOLFSSL* ssl, int ver)
 {
-    /* TODO Return true for now because proto version selection logic
-     * is refactored in https://github.com/wolfSSL/wolfssl/pull/3871 */
-    (void)ssl;
-    (void)ver;
-    return WOLFSSL_SUCCESS;
+    WOLFSSL_ENTER("wolfSSL_set_min_proto_version");
+
+    if (ssl == NULL) {
+        return WOLFSSL_FAILURE;
+    }
+
+    switch (ver) {
+#ifndef NO_TLS
+    case SSL3_VERSION:
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
+        ssl->options.minDowngrade = SSLv3_MINOR;
+        break;
+#endif
+    case TLS1_VERSION:
+    #ifdef WOLFSSL_ALLOW_TLSV10
+        ssl->options.minDowngrade = TLSv1_MINOR;
+        break;
+    #endif
+    case TLS1_1_VERSION:
+    #ifndef NO_OLD_TLS
+        ssl->options.minDowngrade = TLSv1_1_MINOR;
+        break;
+    #endif
+    case TLS1_2_VERSION:
+    #ifndef WOLFSSL_NO_TLS12
+        ssl->options.minDowngrade = TLSv1_2_MINOR;
+        break;
+    #endif
+    case TLS1_3_VERSION:
+    #ifdef WOLFSSL_TLS13
+        ssl->options.minDowngrade = TLSv1_3_MINOR;
+        break;
+    #endif
+#endif
+#ifdef WOLFSSL_DTLS
+    case DTLS1_VERSION:
+    #ifndef NO_OLD_TLS
+        ssl->options.minDowngrade = DTLS_MINOR;
+        break;
+    #endif
+    case DTLS1_2_VERSION:
+        ssl->options.minDowngrade = DTLSv1_2_MINOR;
+        break;
+#endif
+    default:
+        WOLFSSL_MSG("Unrecognized protocol version or not compiled in");
+        return WOLFSSL_FAILURE;
+    }
+
+    switch (ver) {
+#ifndef NO_TLS
+    case TLS1_3_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_TLSv1_2;
+        FALL_THROUGH;
+    case TLS1_2_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_TLSv1_1;
+        FALL_THROUGH;
+    case TLS1_1_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_TLSv1;
+        FALL_THROUGH;
+    case TLS1_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_SSLv3;
+        break;
+    case SSL3_VERSION:
+    case SSL2_VERSION:
+        /* Nothing to do here */
+        break;
+#endif
+#ifdef WOLFSSL_DTLS
+    case DTLS1_VERSION:
+    case DTLS1_2_VERSION:
+        break;
+#endif
+    default:
+        WOLFSSL_MSG("Unrecognized protocol version or not compiled in");
+        return WOLFSSL_FAILURE;
+    }
+
+    return CheckSslMethodVersion(ssl->version.major, ssl->options.mask);
 }
 
 int wolfSSL_set_max_proto_version(WOLFSSL* ssl, int ver)
 {
-    /* TODO Return true for now because proto version selection logic
-     * is refactored in https://github.com/wolfSSL/wolfssl/pull/3871 */
-    (void)ssl;
-    (void)ver;
-    return WOLFSSL_SUCCESS;
+
+    WOLFSSL_ENTER("wolfSSL_set_max_proto_version");
+
+    if (!ssl) {
+        WOLFSSL_MSG("Bad parameter");
+        return WOLFSSL_FAILURE;
+    }
+
+    switch (ver) {
+    case SSL2_VERSION:
+        WOLFSSL_MSG("wolfSSL does not support SSLv2");
+        return WOLFSSL_FAILURE;
+#ifndef NO_TLS
+    case SSL3_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_TLSv1;
+        FALL_THROUGH;
+    case TLS1_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_TLSv1_1;
+        FALL_THROUGH;
+    case TLS1_1_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_TLSv1_2;
+        FALL_THROUGH;
+    case TLS1_2_VERSION:
+        ssl->options.mask |= WOLFSSL_OP_NO_TLSv1_3;
+        FALL_THROUGH;
+    case TLS1_3_VERSION:
+        /* Nothing to do here */
+        break;
+#endif
+#ifdef WOLFSSL_DTLS
+    case DTLS1_VERSION:
+    case DTLS1_2_VERSION:
+        break;
+#endif
+    default:
+        WOLFSSL_MSG("Unrecognized protocol version or not compiled in");
+        return WOLFSSL_FAILURE;
+    }
+
+    return CheckSslMethodVersion(ssl->version.major, ssl->options.mask);
 }
 
 static int GetMinProtoVersion(int minDowngrade)
diff --git a/src/tls13.c b/src/tls13.c
index b3845c922..9170b5323 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -4626,7 +4626,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         if (!ssl->options.downgrade) {
             WOLFSSL_MSG("Client trying to connect with lesser version than "
                         "TLS v1.3");
-#ifdef OPENSSL_EXTRA
+#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
             SendAlert(ssl, alert_fatal, handshake_failure);
 #endif
             ERROR_OUT(VERSION_ERROR, exit_dch);
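Review bot: Both new functions only OR bits into `ssl->options.mask` and never clear any, so the bounds are monotonic: after wolfSSL_set_min_proto_version(ssl, TLS1_3_VERSION) a later call with TLS1_2_VERSION leaves WOLFSSL_OP_NO_TLSv1_2 set and the minimum can never be lowered again, and a minimum set above an earlier maximum (or the reverse) leaves a mask with every version disabled, which the trailing CheckSslMethodVersion call presumably rejects with no way back. OpenSSL's SSL_set_min_proto_version/SSL_set_max_proto_version replace the previous bound, so code ported from it will expect the last call to win; the fix is to record the requested minimum and maximum separately (minDowngrade already holds the minimum) and recompute the NO_* bits from that pair on every call instead of accumulating them, which also keeps the two switches from drifting apart. Separately, the first switch in wolfSSL_set_min_proto_version relies on an implicit fall-through from each `#endif` into the next case when a version is compiled out (so TLS1_VERSION silently becomes TLSv1_1_MINOR without WOLFSSL_ALLOW_TLSV10), which is a reasonable policy but deserves a comment such as `/* version not compiled in: fall through to the next one available */` plus FALL_THROUGH so -Wimplicit-fallthrough stays quiet. The null checks also differ in style between the two functions (`if (ssl == NULL)` vs `if (!ssl)` with a "Bad parameter" message); one form should be used for both.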
@@ -4634,7 +4634,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
         if (args->pv.minor < ssl->options.minDowngrade) {
             WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
-#ifdef OPENSSL_EXTRA
+#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
             SendAlert(ssl, alert_fatal, handshake_failure);
 #endif
             ERROR_OUT(VERSION_ERROR, exit_dch);
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 2cce7af2d..d4e7009a3 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -444,10 +444,10 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 #define X509_REQ_get_pubkey wolfSSL_X509_get_pubkey
 #define X509_get_notBefore wolfSSL_X509_get_notBefore
 #define X509_get0_notBefore wolfSSL_X509_get_notBefore
-#define X509_getm_notBefore (ASN1_TIME*)wolfSSL_X509_get_notBefore
+#define X509_getm_notBefore wolfSSL_X509_get_notBefore
 #define X509_get_notAfter wolfSSL_X509_get_notAfter
 #define X509_get0_notAfter wolfSSL_X509_get_notAfter
-#define X509_getm_notAfter (ASN1_TIME*)wolfSSL_X509_get_notAfter
+#define X509_getm_notAfter wolfSSL_X509_get_notAfter
 #define X509_get_serialNumber wolfSSL_X509_get_serialNumber
 #define X509_get0_pubkey_bitstr wolfSSL_X509_get0_pubkey_bitstr
 #define X509_get_ex_new_index wolfSSL_X509_get_ex_new_index
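Review bot: Dropping the `(ASN1_TIME*)` cast makes X509_getm_notBefore and X509_getm_notAfter expand to whatever wolfSSL_X509_get_notBefore/wolfSSL_X509_get_notAfter return, and in OpenSSL the getm_ variants are the mutable accessors that callers write through (X509_gmtime_adj on the result is the common pattern) while get0_ only promises a read-only view. If those functions return a non-const pointer into the certificate's own storage this change is fine, but if they ever return a const or copied object the cast was the only thing making those call sites compile or take effect, so a short comment such as `/* getm_ callers may modify the returned time in place */` beside the two macros would record the contract the header now depends on. The return type is declared outside this hunk, so I could not verify it here.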