[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnurl] 209/220: openssl: use SSL_CTX_set_<min|max>_proto_v
|
From: |
gnunet |
|
Subject: |
[GNUnet-SVN] [gnurl] 209/220: openssl: use SSL_CTX_set_<min|max>_proto_version() when available |
|
Date: |
Thu, 12 Sep 2019 17:29:29 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit ffe34b7b59e842fc37f2d19418dc2d7a5075e7ca
Author: Clément Notin <address@hidden>
AuthorDate: Sun Sep 8 16:44:54 2019 +0200
openssl: use SSL_CTX_set_<min|max>_proto_version() when available
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available. Existing code is preserved for older versions of
OpenSSL.
Closes #4304
---
lib/vtls/openssl.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 105 insertions(+), 11 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index dbba1ea96..385f28179 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2156,15 +2156,96 @@ get_ssl_version_txt(SSL *ssl)
}
#endif
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
+static CURLcode
+set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn)
+{
+ /* first, TLS min version... */
+ long curl_ssl_version_min = SSL_CONN_CONFIG(version);
+ long curl_ssl_version_max;
+
+ /* convert cURL min SSL version option to OpenSSL constant */
+ long ossl_ssl_version_min = 0;
+ long ossl_ssl_version_max = 0;
+ switch(curl_ssl_version_min) {
+ case CURL_SSLVERSION_TLSv1: /* TLS 1.x */
+ case CURL_SSLVERSION_TLSv1_0:
+ ossl_ssl_version_min = TLS1_VERSION;
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ ossl_ssl_version_min = TLS1_1_VERSION;
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ ossl_ssl_version_min = TLS1_2_VERSION;
+ break;
+#ifdef TLS1_3_VERSION
+ case CURL_SSLVERSION_TLSv1_3:
+ ossl_ssl_version_min = TLS1_3_VERSION;
+ break;
+#endif
+ }
+
+ /* CURL_SSLVERSION_DEFAULT means that no option was selected.
+ We don't want to pass 0 to SSL_CTX_set_min_proto_version as
+ it would enable all versions down to the lowest supported by
+ the library.
+ So we skip this, and stay with the OS default
+ */
+ if(curl_ssl_version_min != CURL_SSLVERSION_DEFAULT) {
+ if(!SSL_CTX_set_min_proto_version(ctx, ossl_ssl_version_min)) {
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+
+ /* ... then, TLS max version */
+ curl_ssl_version_max = SSL_CONN_CONFIG(version_max);
+
+ /* convert cURL max SSL version option to OpenSSL constant */
+ ossl_ssl_version_max = 0;
+ switch(curl_ssl_version_max) {
+ case CURL_SSLVERSION_MAX_TLSv1_0:
+ ossl_ssl_version_max = TLS1_VERSION;
+ break;
+ case CURL_SSLVERSION_MAX_TLSv1_1:
+ ossl_ssl_version_max = TLS1_1_VERSION;
+ break;
+ case CURL_SSLVERSION_MAX_TLSv1_2:
+ ossl_ssl_version_max = TLS1_2_VERSION;
+ break;
+#ifdef TLS1_3_VERSION
+ case CURL_SSLVERSION_MAX_TLSv1_3:
+ ossl_ssl_version_max = TLS1_3_VERSION;
+ break;
+#endif
+ case CURL_SSLVERSION_MAX_NONE: /* none selected */
+ case CURL_SSLVERSION_MAX_DEFAULT: /* max selected */
+ default:
+ /* SSL_CTX_set_max_proto_version states that:
+ setting the maximum to 0 will enable
+ protocol versions up to the highest version
+ supported by the library */
+ ossl_ssl_version_max = 0;
+ break;
+ }
+
+ if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ return CURLE_OK;
+}
+#endif
+
#ifdef OPENSSL_IS_BORINGSSL
typedef uint32_t ctx_option_t;
#else
typedef long ctx_option_t;
#endif
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */
static CURLcode
-set_ssl_version_min_max(ctx_option_t *ctx_options, struct connectdata *conn,
- int sockindex)
+set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
+ struct connectdata *conn, int sockindex)
{
#if (OPENSSL_VERSION_NUMBER < 0x1000100FL) || !defined(TLS1_3_VERSION)
/* convoluted #if condition just to avoid compiler warnings on unused
@@ -2236,6 +2317,7 @@ set_ssl_version_min_max(ctx_option_t *ctx_options, struct
connectdata *conn,
}
return CURLE_OK;
}
+#endif
/* The "new session" callback must return zero if the session can be removed
* or non-zero if the session has been put into the session cache.
@@ -2468,30 +2550,37 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
switch(ssl_version) {
/* "--sslv2" option means SSLv2 only, disable all others */
case CURL_SSLVERSION_SSLv2:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
+ SSL_CTX_set_min_proto_version(BACKEND->ctx, SSL2_VERSION);
+ SSL_CTX_set_max_proto_version(BACKEND->ctx, SSL2_VERSION);
+#else
ctx_options |= SSL_OP_NO_SSLv3;
ctx_options |= SSL_OP_NO_TLSv1;
-#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
+# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
ctx_options |= SSL_OP_NO_TLSv1_1;
ctx_options |= SSL_OP_NO_TLSv1_2;
-#ifdef TLS1_3_VERSION
+# ifdef TLS1_3_VERSION
ctx_options |= SSL_OP_NO_TLSv1_3;
-#endif
+# endif
+# endif
#endif
break;
/* "--sslv3" option means SSLv3 only, disable all others */
case CURL_SSLVERSION_SSLv3:
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
SSL_CTX_set_min_proto_version(BACKEND->ctx, SSL3_VERSION);
-#endif
+ SSL_CTX_set_max_proto_version(BACKEND->ctx, SSL3_VERSION);
+#else
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_TLSv1;
-#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
+# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
ctx_options |= SSL_OP_NO_TLSv1_1;
ctx_options |= SSL_OP_NO_TLSv1_2;
-#ifdef TLS1_3_VERSION
+# ifdef TLS1_3_VERSION
ctx_options |= SSL_OP_NO_TLSv1_3;
-#endif
+# endif
+# endif
#endif
break;
@@ -2506,7 +2595,12 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
allowed */
ctx_options |= SSL_OP_NO_SSLv2;
ctx_options |= SSL_OP_NO_SSLv3;
- result = set_ssl_version_min_max(&ctx_options, conn, sockindex);
+
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
+ result = set_ssl_version_min_max(BACKEND->ctx, conn);
+#else
+ result = set_ssl_version_min_max_legacy(&ctx_options, conn, sockindex);
+#endif
if(result != CURLE_OK)
return result;
break;
--
To stop receiving notification emails like this one, please contact
address@hidden.
- [GNUnet-SVN] [gnurl] 212/220: curl: make sure the parallel transfers do them all, (continued)
- [GNUnet-SVN] [gnurl] 212/220: curl: make sure the parallel transfers do them all, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 199/220: RELEASE-NOTES: synced, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 217/220: update sed script, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 151/220: http: remove chunked-encoding and expect header use for HTTP/3, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 189/220: CI: remove duplicate configure flag for LGTM.com, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 195/220: smtp: check for and bail out on too short EHLO response, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 205/220: Curl_fillreadbuffer: avoid double-free trailer buf on error, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 204/220: tool_setopt: handle a libcurl build without netrc support, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 194/220: smb: init *msg to NULL in smb_send_and_recv(), gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 207/220: sspi: fix memory leaks, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 209/220: openssl: use SSL_CTX_set_<min|max>_proto_version() when available,
gnunet <=
- [GNUnet-SVN] [gnurl] 210/220: urlapi: verify the IPv6 numerical address, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 218/220: docs: curl->gnurl sed, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 220/220: doc: man 3 rename., gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 219/220: rename man 3 file, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 208/220: openssl: indent, re-organize and add comments, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 203/220: security:read_data fix bad realloc(), gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 196/220: cleanup: move functions out of url.c and make them static, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 214/220: RELEASE-NOTES: curl 7.66.0, gnunet, 2019/09/12
- [GNUnet-SVN] [gnurl] 216/220: Merge tag 'curl-7_66_0', gnunet, 2019/09/12