tls-socket: Allow configuring both minimum and maximum TLS versions
authorTobias Brunner <tobias@strongswan.org>
Wed, 26 Aug 2020 12:40:51 +0000 (14:40 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Feb 2021 10:45:44 +0000 (11:45 +0100)
scripts/tls_test.c
src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
src/libpttls/pt_tls_client.c
src/libpttls/pt_tls_server.c
src/libtls/tests/suites/test_socket.c
src/libtls/tls_socket.c
src/libtls/tls_socket.h

index c47c1ca..5e9e954 100644 (file)
@@ -106,7 +106,7 @@ static int run_client(host_t *host, identification_t *server,
                        close(fd);
                        return 1;
                }
-               tls = tls_socket_create(FALSE, server, client, fd, cache,
+               tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_0,
                                                            TLS_1_3, TRUE);
                if (!tls)
                {
@@ -164,7 +164,8 @@ static int serve(host_t *host, identification_t *server,
                }
                DBG1(DBG_TLS, "%#H connected", host);
 
-               tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
+               tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_0,
+                                                               TLS_1_2, TRUE);
                if (!tls)
                {
                        close(fd);
index 8e69de0..ab8c727 100644 (file)
@@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 
        /* open TLS socket */
        this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
-                                                                 NULL, TLS_1_2, FALSE);
+                                                                 NULL, TLS_1_0, TLS_1_2, FALSE);
        if (!this->tls)
        {
                DBG1(DBG_TNC, "creating TLS socket failed");
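Review bot: The floor passed here is the literal TLS_1_0, and the same literal is used in make_connection() in pt_tls_client.c and in pt_tls_server_create() in pt_tls_server.c; this reproduces the floor tls_socket_create() used to hard-code, but these are production endpoints rather than tests, and with the range now chosen per caller they keep negotiating TLS 1.0/1.1, which RFC 8996 deprecates. Consider `NULL, TLS_1_2, TLS_1_2, FALSE);` here and the equivalent in the two pt_tls callers, or deriving the floor from the component's configuration where one exists, so the minimum is an explicit decision rather than the legacy value. If the lower floor is kept for interoperability with older peers, a one-line comment at the call site saying so would make that choice reviewable. soap_init() continues outside this hunk.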
index b79b927..5984236 100644 (file)
@@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
        }
 
        this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
-                                                                 NULL, TLS_1_2, FALSE);
+                                                                 NULL, TLS_1_0, TLS_1_2, FALSE);
        if (!this->tls)
        {
                close(fd);
index 0168b18..4c484fb 100644 (file)
@@ -532,7 +532,8 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
                        .destroy = _destroy,
                },
                .state = PT_TLS_SERVER_VERSION,
-               .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
+               .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_0, TLS_1_2,
+                                                                FALSE),
                .tnccs = (tls_t*)tnccs,
                .auth = auth,
        );
index a637096..a5f80e5 100644 (file)
@@ -298,7 +298,7 @@ static job_requeue_t serve_echo(echo_server_config_t *config)
                }
 
                tls = tls_socket_create(TRUE, server, client, cfd, NULL,
-                                                               config->version, TRUE);
+                                                               TLS_1_0, config->version, TRUE);
                ck_assert(tls != NULL);
 
                while (TRUE)
@@ -374,7 +374,7 @@ static void run_echo_client(echo_server_config_t *config)
        ck_assert(connect(fd, host->get_sockaddr(host),
                                          *host->get_sockaddr_len(host)) != -1);
        tls = tls_socket_create(FALSE, server, client, fd, NULL,
-                                                       config->version, TRUE);
+                                                       TLS_1_0, config->version, TRUE);
        ck_assert(tls != NULL);
 
        wr = rd = 0;
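Review bot: Both echo ends pass the literal TLS_1_0 as min_version while only max_version follows config->version, so the new minimum is exercised at a single value and a regression in its handling (for instance the server side ignoring it) would not be caught by this suite. If each config entry stands for one version under test, as the field name suggests, passing `config->version, config->version, TRUE);` in serve_echo() and in run_echo_client() pins the negotiated version from both sides and actually covers the new parameter. Both hunks are excerpts of longer functions whose bodies continue outside the diff.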
index 100475c..f29a369 100644 (file)
@@ -405,8 +405,9 @@ METHOD(tls_socket_t, destroy, void,
  * See header
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
-                                                       identification_t *peer, int fd, tls_cache_t *cache,
-                                                       tls_version_t max_version, bool nullok)
+                                                               identification_t *peer, int fd,
+                                                               tls_cache_t *cache, tls_version_t min_version,
+                                                               tls_version_t max_version, bool nullok)
 {
        private_tls_socket_t *this;
        tls_purpose_t purpose;
@@ -442,12 +443,11 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
 
        this->tls = tls_create(is_server, server, peer, purpose,
                                                   &this->app.application, cache);
-       if (!this->tls)
+       if (!this->tls ||
+               !this->tls->set_version(this->tls, min_version, max_version))
        {
                free(this);
                return NULL;
        }
-       this->tls->set_version(this->tls, TLS_1_0, max_version);
-
        return &this->public;
 }
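Review bot: When tls_create() succeeds but set_version() rejects the min/max range, the combined condition frees `this` but never releases `this->tls`, so the tls_t object leaks on the failure path this commit introduces (the old code never returned NULL once tls_create() had succeeded). Add `DESTROY_IF(this->tls);` before `free(this);` in that branch; it is a no-op when tls_create() itself returned NULL, so the original failure path is unaffected. tls_socket_create() begins in the earlier hunk and the part of its body between the two hunks is not shown here.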
index 7924c58..2026cba 100644 (file)
@@ -104,12 +104,14 @@ struct tls_socket_t {
  * @param peer                         client identity, NULL for no client authentication
  * @param fd                           socket to read/write from
  * @param cache                                session cache to use, or NULL
+ * @param min_version          minimum TLS version to negotiate
  * @param max_version          maximum TLS version to negotiate
  * @param nullok                       accept NULL encryption ciphers
  * @return                                     TLS socket wrapper
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
-                                                       identification_t *peer, int fd, tls_cache_t *cache,
-                                                       tls_version_t max_version, bool nullok);
+                                                               identification_t *peer, int fd,
+                                                               tls_cache_t *cache, tls_version_t min_version,
+                                                               tls_version_t max_version, bool nullok);
 
 #endif /** TLS_SOCKET_H_ @}*/
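Review bot: The new @param line documents min_version but the contract still does not say what happens when the pair is rejected; the implementation in tls_socket.c now returns NULL when set_version() refuses the range, and callers in this commit already test for NULL. Suggest extending the return doc to `@return TLS socket wrapper, NULL on failure (e.g. unsupported version range)` and adding to min_version that it must not exceed max_version, if that is indeed what set_version() enforces (its checks are not visible in this diff).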