adjust wolfSSL_set_options and test case

src/internal.c

@@ -5328,6 +5328,32 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     }
 #endif
 
+#ifdef OPENSSL_EXTRA
+    /* case where specific protocols are turned off */
+    if (!ssl->options.dtls && ssl->options.mask > 0) {
+        if (rh->pvMinor == SSLv3_MINOR &&
+            (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) {
+            WOLFSSL_MSG("Option set to not allow SSLv3");
+            return VERSION_ERROR;
+        }
+        if (rh->pvMinor == TLSv1_MINOR &&
+            (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
+            WOLFSSL_MSG("Option set to not allow TLSv1");
+            return VERSION_ERROR;
+        }
+        if (rh->pvMinor == TLSv1_1_MINOR &&
+            (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
+            WOLFSSL_MSG("Option set to not allow TLSv1.1");
+            return VERSION_ERROR;
+        }
+        if (rh->pvMinor == TLSv1_2_MINOR &&
+            (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
+            WOLFSSL_MSG("Option set to not allow TLSv1.2");
+            return VERSION_ERROR;
+        }
+    }
+#endif /* OPENSSL_EXTRA */
+
     /* catch version mismatch */
     if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){
         if (ssl->options.side == WOLFSSL_SERVER_END &&

src/ssl.c

@@ -14086,24 +14086,77 @@ int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key)
 }
 
 
-/* wolfSSL options are set through API calls and macros.
- * return 0 for no options set */
 unsigned long wolfSSL_set_options(WOLFSSL* ssl, unsigned long op)
 {
-    (void)ssl;
-    (void)op;
-    WOLFSSL_MSG("Set options in wolfSSL through API and macros");
-    return 0;
+    WOLFSSL_ENTER("wolfSSL_set_options");
+
+    if (ssl == NULL) {
+        return 0;
+    }
+
+    /* if SSL_OP_ALL then turn all bug workarounds one */
+    if ((op & SSL_OP_ALL) == SSL_OP_ALL) {
+        WOLFSSL_MSG("\tSSL_OP_ALL");
+
+        op |= SSL_OP_MICROSOFT_SESS_ID_BUG;
+        op |= SSL_OP_NETSCAPE_CHALLENGE_BUG;
+        op |= SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
+        op |= SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG;
+        op |= SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER;
+        op |= SSL_OP_MSIE_SSLV2_RSA_PADDING;
+        op |= SSL_OP_SSLEAY_080_CLIENT_DH_BUG;
+        op |= SSL_OP_TLS_D5_BUG;
+        op |= SSL_OP_TLS_BLOCK_PADDING_BUG;
+        op |= SSL_OP_TLS_ROLLBACK_BUG;
+        op |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+    }
+
+
+    /* by default cookie exchange is on with DTLS */
+    if ((op & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) {
+        WOLFSSL_MSG("\tSSL_OP_COOKIE_EXCHANGE : on by default");
+    }
+
+    if ((op & SSL_OP_NO_SSLv2) == SSL_OP_NO_SSLv2) {
+        WOLFSSL_MSG("\tSSL_OP_NO_SSLv2 : wolfSSL does not support SSLv2");
+    }
+
+    if ((op & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) {
+        WOLFSSL_MSG("\tSSL_OP_NO_SSLv3");
+    }
+
+    if ((op & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
+        WOLFSSL_MSG("\tSSL_OP_NO_TLSv1");
+    }
+
+    if ((op & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
+        WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1");
+    }
+
+    if ((op & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
+        WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2");
+    }
+
+    if ((op & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) {
+    #ifdef HAVE_LIBZ
+        WOLFSSL_MSG("SSL_OP_NO_COMPRESSION");
+        ssl->options.usingCompression = 0;
+    #else
+        WOLFSSL_MSG("SSL_OP_NO_COMPRESSION: compression not compiled in");
+    #endif
+    }
+
+    ssl->options.mask |= op;
+
+    return ssl->options.mask;
 }
 
 
-/* wolfSSL options are set through API calls and macros.
- * return 0 for no options set */
-WOLFSSL_API unsigned long wolfSSL_get_options(const WOLFSSL* ssl)
+unsigned long wolfSSL_get_options(const WOLFSSL* ssl)
 {
-    (void)ssl;
-    WOLFSSL_MSG("Set options in wolfSSL through API and macros");
-    return 0;
+    WOLFSSL_ENTER("wolfSSL_get_options");
+
+    return ssl->options.mask;
 }
 
 /*** TBD ***/

tests/api.c

@@ -2690,7 +2690,7 @@ static void test_wolfSSL_ERR_peek_last_error_line(void)
 static void test_wolfSSL_X509_STORE_set_flags(void)
 {
     #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
-       !defined(NO_FILESYSTEM)
+       !defined(NO_FILESYSTEM) && !defined(NO_RSA)
 
     X509_STORE* store;
     X509* x509;
@@ -2713,7 +2713,7 @@ static void test_wolfSSL_X509_STORE_set_flags(void)
 
     printf(resultFmt, passed);
     #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
-             !defined(NO_FILESYSTEM) */
+             !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
 }
 
 
@@ -2760,6 +2760,42 @@ static void test_wolfSSL_BN(void)
     #endif /* defined(OPENSSL_EXTRA) */
 }
 
+
+static void test_wolfSSL_set_options(void)
+{
+    #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+       !defined(NO_FILESYSTEM) && !defined(NO_RSA)
+    SSL*     ssl;
+    SSL_CTX* ctx;
+
+    printf(testingFmt, "wolfSSL_set_options()");
+
+    AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method()));
+    AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM));
+    AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM));
+    AssertNotNull(ssl = SSL_new(ctx));
+
+    AssertTrue(SSL_set_options(ssl, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1);
+    AssertTrue(SSL_get_options(ssl) == SSL_OP_NO_TLSv1);
+
+    AssertIntGT((int)SSL_set_options(ssl, (SSL_OP_COOKIE_EXCHANGE |
+                                                          SSL_OP_NO_SSLv2)), 0);
+    AssertTrue((SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE) &
+                             SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE);
+    AssertTrue((SSL_set_options(ssl, SSL_OP_NO_TLSv1_2) &
+                                       SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2);
+    AssertTrue((SSL_set_options(ssl, SSL_OP_NO_COMPRESSION) &
+                               SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION);
+
+    SSL_free(ssl);
+    SSL_CTX_free(ctx);
+
+    printf(resultFmt, passed);
+    #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
+             !defined(NO_FILESYSTEM) && !defined(NO_RSA) */
+}
+
+
 /*----------------------------------------------------------------------------*
  | Main
  *----------------------------------------------------------------------------*/
@@ -2815,6 +2851,7 @@ void ApiTest(void)
     test_wolfSSL_ERR_peek_last_error_line();
     test_wolfSSL_X509_STORE_set_flags();
     test_wolfSSL_BN();
+    test_wolfSSL_set_options();
 
     AssertIntEQ(test_wolfSSL_Cleanup(), SSL_SUCCESS);
     printf(" End API Tests\n");

wolfssl/internal.h

@@ -2379,6 +2379,9 @@ typedef struct Options {
     wc_psk_server_callback server_psk_cb;
     word16            havePSK:1;            /* psk key set by user */
 #endif /* NO_PSK */
+#ifdef OPENSSL_EXTRA
+    unsigned long     mask; /* store SSL_OP_ flags */
+#endif
 
     /* on/off or small bit flags, optimize layout */
     word16            sendVerify:2;     /* false = 0, true = 1, sendBlank = 2 */

wolfssl/ssl.h

@@ -728,6 +728,41 @@ WOLFSSL_API unsigned long wolfSSL_get_verify_result(const WOLFSSL *ssl);
 #define WOLFSSL_DEFAULT_CIPHER_LIST ""   /* default all */
 #define WOLFSSL_RSA_F4 0x10001L
 
+/* seperated out from other enums because of size */
+enum {
+    /* bit flags (ie 0001 vs 0010) : each is 2 times previous value */
+    SSL_OP_MICROSOFT_SESS_ID_BUG            = 1,
+    SSL_OP_NETSCAPE_CHALLENGE_BUG           = 2,
+    SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 4,
+    SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG      = 8,
+    SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER       = 16,
+    SSL_OP_MSIE_SSLV2_RSA_PADDING           = 32,
+    SSL_OP_SSLEAY_080_CLIENT_DH_BUG         = 64,
+    SSL_OP_TLS_D5_BUG                       = 128,
+    SSL_OP_TLS_BLOCK_PADDING_BUG            = 256,
+    SSL_OP_TLS_ROLLBACK_BUG                 = 512,
+    SSL_OP_ALL                              = 1024,
+    SSL_OP_EPHEMERAL_RSA                    = 2048,
+    SSL_OP_NO_SSLv3                         = 4096,
+    SSL_OP_NO_TLSv1                         = 8192,
+    SSL_OP_PKCS1_CHECK_1                    = 16384,
+    SSL_OP_PKCS1_CHECK_2                    = 32768,
+    SSL_OP_NETSCAPE_CA_DN_BUG               = 65536,
+    SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG  = 131072,
+    SSL_OP_SINGLE_DH_USE                    = 262144,
+    SSL_OP_NO_TICKET                        = 524288,
+    SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS      = 1048576,
+    SSL_OP_NO_QUERY_MTU                     = 2097152,
+    SSL_OP_COOKIE_EXCHANGE                  = 4194304,
+    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 8388608,
+    SSL_OP_SINGLE_ECDH_USE                  = 16777216,
+    SSL_OP_CIPHER_SERVER_PREFERENCE         = 33554432,
+    SSL_OP_NO_TLSv1_1                       = 67108864,
+    SSL_OP_NO_TLSv1_2                       = 134217728,
+    SSL_OP_NO_COMPRESSION                   = 268435456,
+};
+
+
 enum {
     OCSP_NOCERTS     = 1,
     OCSP_NOINTERN    = 2,
@@ -755,34 +790,6 @@ enum {
     WOLFSSL_CRL_CHECK    = 27,
 
     ASN1_GENERALIZEDTIME = 4,
-
-    SSL_OP_MICROSOFT_SESS_ID_BUG = 1,
-    SSL_OP_NETSCAPE_CHALLENGE_BUG = 2,
-    SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 3,
-    SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 4,
-    SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 5,
-    SSL_OP_MSIE_SSLV2_RSA_PADDING = 6,
-    SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 7,
-    SSL_OP_TLS_D5_BUG = 8,
-    SSL_OP_TLS_BLOCK_PADDING_BUG = 9,
-    SSL_OP_TLS_ROLLBACK_BUG = 10,
-    SSL_OP_ALL = 11,
-    SSL_OP_EPHEMERAL_RSA = 12,
-    SSL_OP_NO_SSLv3 = 13,
-    SSL_OP_NO_TLSv1 = 14,
-    SSL_OP_PKCS1_CHECK_1 = 15,
-    SSL_OP_PKCS1_CHECK_2 = 16,
-    SSL_OP_NETSCAPE_CA_DN_BUG = 17,
-    SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 18,
-    SSL_OP_SINGLE_DH_USE = 19,
-    SSL_OP_NO_TICKET = 20,
-    SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 21,
-    SSL_OP_NO_QUERY_MTU = 22,
-    SSL_OP_COOKIE_EXCHANGE = 23,
-    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 24,
-    SSL_OP_SINGLE_ECDH_USE = 25,
-    SSL_OP_CIPHER_SERVER_PREFERENCE = 26,
-
     SSL_MAX_SSL_SESSION_ID_LENGTH = 32,
 
     EVP_R_BAD_DECRYPT = 2,