From 10181b7bbf427b80b9b1294ed64ad42d692e1347 Mon Sep 17 00:00:00 2001
From: Hayden Roche
Date: Fri, 19 Feb 2021 14:26:46 -0600
Subject: [PATCH] Add support for OpenSSL compatibility function SSL_CTX_get_min_proto_version.
This is needed by socat-1.7.4.1.
---
 src/ssl.c | 56 ++++++++++++++++++++++++++++++++++++
 tests/api.c | 67 +++++++++++++++++++++++++++++++++++++++++++
 wolfssl/openssl/ssl.h | 1 +
 wolfssl/ssl.h | 1 +
 4 files changed, 125 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index 5ef8c4f21..1900358e1 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -16663,6 +16663,62 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
 return sanityCheckProtoVersion(ctx);
 }
+static int GetMinProtoVersion(int minDowngrade)
+{
+ int ret;
+
+ switch (minDowngrade) {
+#ifndef NO_OLD_TLS
+ #ifdef WOLFSSL_ALLOW_SSLV3
+ case SSLv3_MINOR:
+ ret = SSL3_VERSION;
+ break;
+ #endif
+ #ifdef WOLFSSL_ALLOW_TLSV10
+ case TLSv1_MINOR:
+ ret = TLS1_VERSION;
+ break;
+ #endif
+ case TLSv1_1_MINOR:
+ ret = TLS1_1_VERSION;
+ break;
+#endif
+#ifndef WOLFSSL_NO_TLS12
+ case TLSv1_2_MINOR:
+ ret = TLS1_2_VERSION;
+ break;
+#endif
+#ifdef WOLFSSL_TLS13
+ case TLSv1_3_MINOR:
+ ret = TLS1_3_VERSION;
+ break;
+#endif
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+WOLFSSL_API int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX* ctx)
+{
+ int ret = 0;
+
+ WOLFSSL_ENTER("wolfSSL_CTX_get_min_proto_version");
+
+ if (ctx != NULL) {
+ ret = GetMinProtoVersion(ctx->minDowngrade);
+ }
+ if (ret == 0) {
+ ret = GetMinProtoVersion(WOLFSSL_MIN_DOWNGRADE);
+ }
+
+ WOLFSSL_LEAVE("wolfSSL_CTX_get_min_proto_version", ret);
+
+ return ret;
+}
+
 #endif /* OPENSSL_EXTRA */
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
diff --git a/tests/api.c b/tests/api.c
index 85436a5ff..64906642c 100644
--- a/tests/api.c
+++ b/tests/api.c
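Review bot: The `ret == 0` fallback in wolfSSL_CTX_get_min_proto_version makes a substituted answer indistinguishable from a real one: both a NULL ctx and a ctx whose minDowngrade matches no case in GetMinProtoVersion (a protocol compiled out of this build, or presumably a DTLS minor — confirm) report the build-time WOLFSSL_MIN_DOWNGRADE mapping as if it were that context's configured floor, which misleads any caller that reads the getter to verify a hardening setting. OpenSSL's own getter uses 0 to mean "no minimum configured", so handling the bad argument up front with `if (ctx == NULL) return 0;` and keeping the default substitution only for a valid ctx would stay within the compat API's meaning; whichever is chosen, the substitution should be stated in a comment on the function. GetMinProtoVersion also has no header comment; suggest `/* Map a minDowngrade minor version to the OpenSSL-style *_VERSION constant of a protocol enabled in this build; 0 if none matches. */`.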
@@ -40412,6 +40412,71 @@ static void test_export_keying_material(void)
 }
 #endif /* HAVE_KEYING_MATERIAL */
+static void test_wolfSSL_CTX_get_min_proto_version(void)
+{
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
+ WOLFSSL_CTX *ctx;
+
+ printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()");
+
+ #ifndef NO_OLD_TLS
+ #ifdef WOLFSSL_ALLOW_SSLV3
+ #ifdef NO_WOLFSSL_SERVER
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+ #else
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+ #endif
+ AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
+ wolfSSL_CTX_free(ctx);
+ #endif
+ #ifdef WOLFSSL_ALLOW_TLSV10
+ #ifdef NO_WOLFSSL_SERVER
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_client_method()));
+ #else
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_server_method()));
+ #endif
+ AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
+ wolfSSL_CTX_free(ctx);
+ #endif
+
+ #ifdef NO_WOLFSSL_SERVER
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_client_method()));
+ #else
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_server_method()));
+ #endif
+ AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
+ wolfSSL_CTX_free(ctx);
+ #endif
+
+ #ifndef WOLFSSL_NO_TLS12
+ #ifdef NO_WOLFSSL_SERVER
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
+ #else
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()));
+ #endif
+ AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION);
+ wolfSSL_CTX_free(ctx);
+ #endif
+
+ #ifdef WOLFSSL_TLS13
+ #ifdef NO_WOLFSSL_SERVER
+ AssertNotNull(ctx = 
wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
+ #else
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
+ #endif
+ AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS);
+ AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION);
+ wolfSSL_CTX_free(ctx);
+ #endif
+
+ printf(resultFmt, passed);
+#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) */
+}
+
 /*----------------------------------------------------------------------------*
 | Main
 *----------------------------------------------------------------------------*/
@@ -40830,6 +40895,8 @@ void ApiTest(void)
 test_export_keying_material();
 #endif /* HAVE_KEYING_MATERIAL */
+ test_wolfSSL_CTX_get_min_proto_version();
+
 /*wolfcrypt */
 printf("\n-----------------wolfcrypt unit tests------------------\n");
 AssertFalse(test_wolfCrypt_Init());
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 623930bda..8b7604ea3 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -1071,6 +1071,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define SSL_CTX_set_min_proto_version wolfSSL_CTX_set_min_proto_version
 #define SSL_CTX_set_max_proto_version wolfSSL_CTX_set_max_proto_version
+#define SSL_CTX_get_min_proto_version wolfSSL_CTX_get_min_proto_version
 #define SSL_get_tlsext_status_exts wolfSSL_get_tlsext_status_exts
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 9d32bb222..c3372b3f0 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
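Review bot: test_wolfSSL_CTX_get_min_proto_version only checks set-then-get round trips, so the two paths the implementation treats specially — the floor of a freshly created ctx that has had no setter call, and the NULL-ctx fallback to WOLFSSL_MIN_DOWNGRADE — are never exercised, and a regression in that fallback would pass this test. Before the wolfSSL_CTX_set_min_proto_version call in the TLS 1.2 block add `AssertIntNE(wolfSSL_CTX_get_min_proto_version(ctx), 0);`, and once in the function `AssertIntNE(wolfSSL_CTX_get_min_proto_version(NULL), 0);`; the exact value depends on the build's WOLFSSL_MIN_DOWNGRADE, so only non-zero can be asserted portably, and if the NULL behaviour is later changed to return 0 the second assertion is the one to flip. The five copies of the NO_WOLFSSL_SERVER client/server selection could also be folded into one static helper that takes the client and server method pointers, though that is a style point.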
@@ -3555,6 +3555,7 @@ WOLFSSL_API int wolfSSL_get_server_tmp_key(const WOLFSSL*, WOLFSSL_EVP_PKEY**);
 WOLFSSL_API int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX*, int);
 WOLFSSL_API int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX*, int);
+WOLFSSL_API int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX*);
 WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey);
 WOLFSSL_API WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, pem_password_cb *cb, void *u);