tls: Support a maximum TLS version to negotiate using TLS socket abstraction
authorMartin Willi <martin@revosec.ch>
Tue, 25 Mar 2014 09:12:51 +0000 (10:12 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 1 Apr 2014 12:28:55 +0000 (14:28 +0200)
scripts/tls_test.c
src/libcharon/plugins/tnc_ifmap/tnc_ifmap_soap.c
src/libpttls/pt_tls_client.c
src/libpttls/pt_tls_server.c
src/libtls/tls_socket.c
src/libtls/tls_socket.h

index 3d47f6f..84a32f9 100644 (file)
@@ -105,7 +105,7 @@ static int run_client(host_t *host, identification_t *server,
                        close(fd);
                        return 1;
                }
-               tls = tls_socket_create(FALSE, server, client, fd, cache, TRUE);
+               tls = tls_socket_create(FALSE, server, client, fd, cache, TLS_1_2, TRUE);
                if (!tls)
                {
                        close(fd);
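Review bot: The cap is hard-coded to `TLS_1_2` in both the client and server paths of this test tool, and every caller touched by this commit passes the same constant, so the new parameter has no observable effect yet. For a test script that exists to exercise the maximum-version negotiation, it would be more useful to take the cap from a command-line option and pass it through here, e.g. `tls = tls_socket_create(FALSE, server, client, fd, cache, max_version, TRUE);` with `max_version` defaulting to `TLS_1_2`. run_client continues outside the hunk, so where the option would be parsed is not visible here.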
@@ -162,7 +162,7 @@ static int serve(host_t *host, identification_t *server,
                }
                DBG1(DBG_TLS, "%#H connected", host);
 
-               tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TRUE);
+               tls = tls_socket_create(TRUE, server, NULL, cfd, cache, TLS_1_2, TRUE);
                if (!tls)
                {
                        close(fd);
index af1b28a..a652e70 100644 (file)
@@ -877,7 +877,7 @@ static bool soap_init(private_tnc_ifmap_soap_t *this)
 
        /* open TLS socket */
        this->tls = tls_socket_create(FALSE, server_id, client_id, this->fd,
-                                                                 NULL, FALSE);
+                                                                 NULL, TLS_1_2, FALSE);
        if (!this->tls)
        {
                DBG1(DBG_TNC, "creating TLS socket failed");
index 98a2f4b..315129d 100644 (file)
@@ -85,7 +85,7 @@ static bool make_connection(private_pt_tls_client_t *this)
        }
 
        this->tls = tls_socket_create(FALSE, this->server, this->client, fd,
-                                                                 NULL, FALSE);
+                                                                 NULL, TLS_1_2, FALSE);
        if (!this->tls)
        {
                close(fd);
index 3c07475..cedc263 100644 (file)
@@ -532,7 +532,7 @@ pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
                        .destroy = _destroy,
                },
                .state = PT_TLS_SERVER_VERSION,
-               .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, FALSE),
+               .tls = tls_socket_create(TRUE, server, NULL, fd, NULL, TLS_1_2, FALSE),
                .tnccs = (tls_t*)tnccs,
                .auth = auth,
        );
index 4b18fa6..648771e 100644 (file)
@@ -407,7 +407,7 @@ METHOD(tls_socket_t, destroy, void,
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
                                                        identification_t *peer, int fd, tls_cache_t *cache,
-                                                       bool nullok)
+                                                       tls_version_t max_version, bool nullok)
 {
        private_tls_socket_t *this;
        tls_purpose_t purpose;
@@ -448,6 +448,7 @@ tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
                free(this);
                return NULL;
        }
+       this->tls->set_version(this->tls, max_version);
 
        return &this->public;
 }
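Review bot: The result of `this->tls->set_version(this->tls, max_version)` on the added line is discarded; if set_version can reject an unsupported or out-of-range version (its declaration is not visible in this hunk), tls_socket_create would hand back a socket whose version cap was silently not applied. I would treat a rejection like the other failure paths in this constructor, along the lines of `if (!this->tls->set_version(this->tls, max_version)) { this->tls->destroy(this->tls); free(this); return NULL; }`, adjusted to whatever set_version actually returns. Whatever else is allocated on `this` before this point (the preceding part of the function is outside the hunk) would need releasing on that path as well.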
index 54278dd..0d4db3b 100644 (file)
@@ -104,11 +104,12 @@ struct tls_socket_t {
  * @param peer                         client identity, NULL for no client authentication
  * @param fd                           socket to read/write from
  * @param cache                                session cache to use, or NULL
+ * @param max_version          maximun TLS version to negotiate
  * @param nullok                       accept NULL encryption ciphers
  * @return                                     TLS socket wrapper
  */
 tls_socket_t *tls_socket_create(bool is_server, identification_t *server,
                                                        identification_t *peer, int fd, tls_cache_t *cache,
-                                                       bool nullok);
+                                                       tls_version_t max_version, bool nullok);
 
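Review bot: `maximun` on the new @param line is a typo; it should read `@param max_version maximum TLS version to negotiate`. It is also worth stating in the doc that this is only an upper bound: nothing in this interface sets a floor, so a caller that wants to refuse older protocol versions cannot express that through tls_socket_create — e.g. extend the text to `maximum TLS version to negotiate (lower versions may still be negotiated)`, or consider a min_version counterpart in a follow-up.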
 #endif /** TLS_SOCKET_H_ @}*/