[GNUnet-SVN] [gnurl] 208/220: openssl: indent, re-organize and add comme
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 208/220: openssl: indent, re-organize and add comments |
Date: |
Thu, 12 Sep 2019 17:29:28 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 9136542d3323468a76c68c1b3bfec5d8f1bff8fb
Author: Clément Notin <address@hidden>
AuthorDate: Sun Sep 8 15:09:32 2019 +0200
openssl: indent, re-organize and add comments
---
lib/vtls/openssl.c | 70 +++++++++++++++++++++++++++++-------------------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 20eae6c9e..dbba1ea96 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2466,48 +2466,54 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
#endif
switch(ssl_version) {
- case CURL_SSLVERSION_SSLv3:
- ctx_options |= SSL_OP_NO_SSLv2;
- ctx_options |= SSL_OP_NO_TLSv1;
+ /* "--sslv2" option means SSLv2 only, disable all others */
+ case CURL_SSLVERSION_SSLv2:
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
- ctx_options |= SSL_OP_NO_TLSv1_1;
- ctx_options |= SSL_OP_NO_TLSv1_2;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
#ifdef TLS1_3_VERSION
- ctx_options |= SSL_OP_NO_TLSv1_3;
+ ctx_options |= SSL_OP_NO_TLSv1_3;
#endif
#endif
- break;
-
- case CURL_SSLVERSION_DEFAULT:
- case CURL_SSLVERSION_TLSv1:
- case CURL_SSLVERSION_TLSv1_0:
- case CURL_SSLVERSION_TLSv1_1:
- case CURL_SSLVERSION_TLSv1_2:
- case CURL_SSLVERSION_TLSv1_3:
- /* asking for any TLS version as the minimum, means no SSL versions
- allowed */
- ctx_options |= SSL_OP_NO_SSLv2;
- ctx_options |= SSL_OP_NO_SSLv3;
- result = set_ssl_version_min_max(&ctx_options, conn, sockindex);
- if(result != CURLE_OK)
- return result;
- break;
+ break;
- case CURL_SSLVERSION_SSLv2:
- ctx_options |= SSL_OP_NO_SSLv3;
- ctx_options |= SSL_OP_NO_TLSv1;
+ /* "--sslv3" option means SSLv3 only, disable all others */
+ case CURL_SSLVERSION_SSLv3:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ SSL_CTX_set_min_proto_version(BACKEND->ctx, SSL3_VERSION);
+#endif
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_TLSv1;
#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
- ctx_options |= SSL_OP_NO_TLSv1_1;
- ctx_options |= SSL_OP_NO_TLSv1_2;
+ ctx_options |= SSL_OP_NO_TLSv1_1;
+ ctx_options |= SSL_OP_NO_TLSv1_2;
#ifdef TLS1_3_VERSION
- ctx_options |= SSL_OP_NO_TLSv1_3;
+ ctx_options |= SSL_OP_NO_TLSv1_3;
#endif
#endif
- break;
+ break;
- default:
- failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
- return CURLE_SSL_CONNECT_ERROR;
+ /* "--tlsv<x.y>" options mean TLS >= version <x.y> */
+ case CURL_SSLVERSION_DEFAULT:
+ case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */
+ case CURL_SSLVERSION_TLSv1_0: /* TLS >= version 1.0 */
+ case CURL_SSLVERSION_TLSv1_1: /* TLS >= version 1.1 */
+ case CURL_SSLVERSION_TLSv1_2: /* TLS >= version 1.2 */
+ case CURL_SSLVERSION_TLSv1_3: /* TLS >= version 1.3 */
+ /* asking for any TLS version as the minimum, means no SSL versions
+ allowed */
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ result = set_ssl_version_min_max(&ctx_options, conn, sockindex);
+ if(result != CURLE_OK)
+ return result;
+ break;
+
+ default:
+ failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
+ return CURLE_SSL_CONNECT_ERROR;
}
SSL_CTX_set_options(BACKEND->ctx, ctx_options);
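Review bot: The `CURL_SSLVERSION_SSLv3` arm gains a functional call, `SSL_CTX_set_min_proto_version(BACKEND->ctx, SSL3_VERSION)`, in a commit whose title promises only indentation, re-ordering and comments, and the call's result is discarded. The function returns 1 on success and 0 on failure, so a rejected floor would go unnoticed while the `SSL_OP_NO_TLSv1*` options that follow disable every TLS version. Checking it, e.g. `if(!SSL_CTX_set_min_proto_version(BACKEND->ctx, SSL3_VERSION)) return CURLE_SSL_CONNECT_ERROR;`, would surface that as a clear error. The call also lowers the protocol floor to a deprecated version, presumably to override a higher default on OpenSSL 1.1.0+, so it deserves a comment such as `/* explicitly allow SSLv3: OpenSSL 1.1.0+ may default to a higher minimum */` and a line in the commit message. ossl_connect_step1 begins and ends outside this hunk.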
--
To stop receiving notification emails like this one, please contact
address@hidden.